satellite-provider/_docs/02_document/tests/security-tests.md

# Security Test Scenarios

## SEC-01: SQL Injection via Coordinate Parameters

**Trigger**: GET /api/satellite/tiles/latlon?Latitude=1;DROP TABLE tiles--&Longitude=1&ZoomLevel=18
**Expected**: Request rejected or treated as invalid parameter
**Pass criterion**: HTTP 400 or parameter parsing error; no database damage; tiles table intact

## SEC-02: Path Traversal in Tile Serving

**Trigger**: GET /tiles/18/../../../etc/passwd
**Expected**: Request rejected; no file outside tiles directory served
**Pass criterion**: HTTP 404 or 400; response body does not contain system file content

## SEC-03: Oversized Region Request

**Trigger**: POST /api/satellite/request with sizeMeters=999999999
**Expected**: Either rejected or handled without resource exhaustion
**Pass criterion**: No OOM; no infinite processing; either error response or bounded processing

## SEC-04: Malformed JSON in Route Request

**Trigger**: POST /api/satellite/route with invalid JSON body
**Expected**: Parse error returned
**Pass criterion**: HTTP 400; error message indicates parsing failure; no crash