feat: 31 new tests, metrics LLM counters, Dockerfile caching, Makefile targets, compose limits, code fixes

2026-05-11 23:08:09 +03:00
parent 20bf7e6745
commit 18efcf482e
26 changed files with 840 additions and 12 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -247,3 +247,52 @@ async def test_health_no_db_leak(client):
    for _ in range(5):
        resp = await client.get("/health")
        assert resp.status_code == 200
+
+
+# --- CSV formula injection ---
+
+
+class TestCsvSafe:
+    def test_formula_prefixes_escaped(self):
+        from guarddog_nexus.routes.api_scans import _csv_safe
+
+        assert _csv_safe("=cmd|'calc'!A0") == "'=cmd|'calc'!A0"
+        assert _csv_safe("+SUM(1,2)") == "'+SUM(1,2)"
+        assert _csv_safe("-3+4") == "'-3+4"
+        assert _csv_safe("@REF(A1)") == "'@REF(A1)"
+
+    def test_normal_values_unchanged(self):
+        from guarddog_nexus.routes.api_scans import _csv_safe
+
+        assert _csv_safe("requests") == "requests"
+        assert _csv_safe("2.0.0") == "2.0.0"
+
+    def test_empty_string(self):
+        from guarddog_nexus.routes.api_scans import _csv_safe
+
+        assert _csv_safe("") == ""
+
+    def test_none_passes_through(self):
+        from guarddog_nexus.routes.api_scans import _csv_safe
+
+        assert _csv_safe(None) is None
+
+
+@pytest.mark.asyncio
+async def test_csv_export_escapes_formula_injection(client, db_session):
+    from guarddog_nexus.db.models import Scan, ScanStatus
+
+    scan = Scan(
+        package_name="=cmd|'calc'!A0",
+        package_version="1.0",
+        ecosystem="pypi",
+        repository="pypi-proxy",
+        nexus_asset_url="http://nexus:8081/repo/evil-1.0.tar.gz",
+        status=ScanStatus.COMPLETED.value,
+    )
+    db_session.add(scan)
+    await db_session.commit()
+
+    resp = await client.get("/api/v1/scans/export")
+    assert resp.status_code == 200
+    assert "'=cmd" in resp.text