more input checking

2026-05-05 16:48:31 -04:00 · 2025-06-26 10:35:46 -07:00
parent 3e93d6c9c6
commit 58a8b51f59
16 changed files with 214 additions and 86 deletions
--- a/tests/app/job/test_rest.py
+++ b/tests/app/job/test_rest.py
@@ -5,7 +5,6 @@ from unittest.mock import ANY
 from zoneinfo import ZoneInfo

 import pytest
-import werkzeug
 from freezegun import freeze_time

 import app.celery.tasks
@@ -17,7 +16,6 @@ from app.enums import (
    NotificationType,
    TemplateType,
 )
-from app.job.rest import check_suspicious_id, is_suspicious_input, is_valid_id
 from app.utils import utc_now
 from tests import create_admin_authorization_header
 from tests.app.db import (
@@ -588,31 +586,6 @@ def test_get_all_notifications_for_job_returns_correct_format(
    assert resp["notifications"][0]["status"] == sample_notification_with_job.status


-def test_is_valid_id(sample_job):
-    returnVal = is_valid_id(sample_job.service_id)
-    assert returnVal is True
-
-    returnVal = is_valid_id("abc pgsleep(1)")
-    assert returnVal is False
-
-
-def test_check_suspicious_id(sample_job):
-    # This should be good
-    check_suspicious_id(sample_job.id, sample_job.service_id)
-
-    # This should be bad
-    with pytest.raises(werkzeug.exceptions.Forbidden):
-        check_suspicious_id(sample_job.id, "what is this???")
-
-
-def test_is_suspicious_input(sample_job):
-    returnVal = is_suspicious_input(sample_job.id)
-    assert returnVal is False
-
-    returnVal = is_suspicious_input("1 OR pg_sleep(1)")
-    assert returnVal is True
-
-
 def test_get_notification_count_for_job_id(admin_request, mocker, sample_job):
    mock_dao = mocker.patch(
        "app.job.rest.dao_get_notification_count_for_job_id", return_value=3
--- a/tests/app/test_utils.py
+++ b/tests/app/test_utils.py
@@ -1,13 +1,17 @@
 from datetime import date, datetime

 import pytest
+import werkzeug
 from freezegun import freeze_time

 from app.enums import ServicePermissionType, TemplateType
 from app.utils import (
+    check_suspicious_id,
    get_midnight_in_utc,
    get_public_notify_type_text,
    get_template_instance,
+    is_suspicious_input,
+    is_valid_id,
    midnight_n_days_ago,
 )
 from notifications_utils.template import HTMLEmailTemplate, SMSMessageTemplate
@@ -141,3 +145,31 @@ def test_get_template_instance_comprehensive(template_type, values):
        assert isinstance(result, SMSMessageTemplate)
    else:
        assert isinstance(result, HTMLEmailTemplate)
+
+
+def test_is_valid_id(sample_job):
+    returnVal = is_valid_id(sample_job.service_id)
+    assert returnVal is True
+
+    returnVal = is_valid_id("abc pgsleep(1)")
+    assert returnVal is False
+
+
+def test_check_suspicious_id(sample_job):
+    # This should be good
+    check_suspicious_id(sample_job.id, sample_job.service_id)
+
+    # This should be bad
+    with pytest.raises(werkzeug.exceptions.Forbidden):
+        check_suspicious_id(sample_job.id, "what is this???")
+
+    # This should be good
+    check_suspicious_id(sample_job.id, None)
+
+
+def test_is_suspicious_input(sample_job):
+    returnVal = is_suspicious_input(sample_job.id)
+    assert returnVal is False
+
+    returnVal = is_suspicious_input("1 OR pg_sleep(1)")
+    assert returnVal is True