|
| 1 | +from qwed_new.auth.security import hash_api_key |
| 2 | +from qwed_new.core.image_verifier import ImageVerifier |
| 3 | + |
| 4 | +def test_hash_api_key_pbkdf2(): |
| 5 | + """ |
| 6 | + Test that hash_api_key uses PBKDF2 (returns a hex string). |
| 7 | + This ensures the new security logic is covered. |
| 8 | + """ |
| 9 | + key = "qwed_live_test_key_12345" |
| 10 | + hashed = hash_api_key(key) |
| 11 | + |
| 12 | + # Check it returns a string |
| 13 | + assert isinstance(hashed, str) |
| 14 | + # Check it's hex |
| 15 | + assert all(c in '0123456789abcdef' for c in hashed) |
| 16 | + # Length of SHA256 hex digest is 64 chars |
| 17 | + assert len(hashed) == 64 |
| 18 | + |
| 19 | + # Deterministic check |
| 20 | + assert hash_api_key(key) == hashed |
| 21 | + |
| 22 | +def test_image_verifier_redos_protection(): |
| 23 | + """ |
| 24 | + Test that ImageVerifier rejects overly long claim strings (ReDoS protection). |
| 25 | + """ |
| 26 | + verifier = ImageVerifier(use_vlm_fallback=False) |
| 27 | + |
| 28 | + # Create a dummy image (valid PNG header) |
| 29 | + dummy_image = b'\x89PNG\r\n\x1a\n' + b'\x00' * 100 |
| 30 | + |
| 31 | + # 1. Normal claim |
| 32 | + normal_claim = "Is this a cat?" |
| 33 | + result = verifier.verify_image(dummy_image, normal_claim) |
| 34 | + # Should perform analysis (likely INCONCLUSIVE or fail elsewhere, but not ReDoS block) |
| 35 | + assert result["verdict"] != "INCONCLUSIVE" or result["reasoning"] != "Claim text too long (max 500 chars) - Security ReDoS protection" |
| 36 | + |
| 37 | + # 2. Long claim (ReDoS attack simulation) |
| 38 | + long_claim = "a" * 600 # Exceeds 500 char limit |
| 39 | + result_blocked = verifier.verify_image(dummy_image, long_claim) |
| 40 | + |
| 41 | + assert result_blocked["verdict"] == "INCONCLUSIVE" |
| 42 | + assert "Claim text too long" in result_blocked["reasoning"] |
| 43 | + assert result_blocked["confidence"] == 0.0 |
0 commit comments