Summary of What Needs to be Done:
Add edge-case unit tests for _normalize_form in backend/secuscan/crawler.py. The existing test file (testing/backend/unit/test_crawler_surface_parsing.py) covers DELETE method and non-dict input items, but is missing tests for CSRF token detection, password/file/hidden field state-changing logic, and the password_fields count and input_count output fields.
The function enriches a form dict with:
state_changing: True if method is POST/PUT/PATCH/DELETE OR any input has type password/file/hidden
has_csrf_token: True if any input name matches CSRF token name patterns
password_fields: count of inputs with type="password"
input_count: total number of inputs
action: absolute URL resolved via urljoin(page_url, action_or_empty)
Changes that Need to be Made:
Create testing/backend/unit/test_crawler_normalize_form_edge_cases.py with:
test_has_csrf_token_true_for_known_csrf_names: inputs with names csrf, _csrf, csrfmiddlewaretoken, authenticity_token, __requestverificationtoken each set has_csrf_token=True
test_has_csrf_token_false_for_regular_input_names: a normal username input should not trigger has_csrf_token
test_state_changing_true_for_password_input_type: method=GET with a <input type="password"> should set state_changing=True
test_state_changing_true_for_file_input_type: method=GET with <input type="file"> should set state_changing=True
test_state_changing_true_for_hidden_input_type: method=GET with <input type="hidden"> should set state_changing=True
test_password_fields_count_matches_password_inputs: 2 password inputs should set password_fields=2
test_input_count_reflects_all_inputs: a form with 3 inputs sets input_count=3
test_action_urljoin_resolves_relative_action: page_url="https://example.com/page", form["action"]="/submit" produces action="https://example.com/submit"
test_action_urljoin_handles_absolute_action: absolute URL in action is returned unchanged
test_preserves_original_form_fields: output dict contains all original form keys plus the added fields
Import _normalize_form from backend.secuscan.crawler.
Impact that it would Provide:
- Reliability: form state classification is used by the crawler for security analysis — wrong
state_changing or has_csrf_token values could lead to incorrect security assessments
- Coverage: adds 10 targeted edge-case tests for a function with complex boolean logic
Note: This task is being handled by tmdeveloper007 — please assign to that account when picking it up.
Summary of What Needs to be Done:
Add edge-case unit tests for
_normalize_forminbackend/secuscan/crawler.py. The existing test file (testing/backend/unit/test_crawler_surface_parsing.py) covers DELETE method and non-dict input items, but is missing tests for CSRF token detection, password/file/hidden field state-changing logic, and thepassword_fieldscount andinput_countoutput fields.The function enriches a form dict with:
state_changing: True if method is POST/PUT/PATCH/DELETE OR any input has type password/file/hiddenhas_csrf_token: True if any input name matches CSRF token name patternspassword_fields: count of inputs with type="password"input_count: total number of inputsaction: absolute URL resolved viaurljoin(page_url, action_or_empty)Changes that Need to be Made:
Create
testing/backend/unit/test_crawler_normalize_form_edge_cases.pywith:test_has_csrf_token_true_for_known_csrf_names: inputs with namescsrf,_csrf,csrfmiddlewaretoken,authenticity_token,__requestverificationtokeneach sethas_csrf_token=Truetest_has_csrf_token_false_for_regular_input_names: a normalusernameinput should not triggerhas_csrf_tokentest_state_changing_true_for_password_input_type: method=GET with a<input type="password">should setstate_changing=Truetest_state_changing_true_for_file_input_type: method=GET with<input type="file">should setstate_changing=Truetest_state_changing_true_for_hidden_input_type: method=GET with<input type="hidden">should setstate_changing=Truetest_password_fields_count_matches_password_inputs: 2 password inputs should setpassword_fields=2test_input_count_reflects_all_inputs: a form with 3 inputs setsinput_count=3test_action_urljoin_resolves_relative_action:page_url="https://example.com/page",form["action"]="/submit"producesaction="https://example.com/submit"test_action_urljoin_handles_absolute_action: absolute URL in action is returned unchangedtest_preserves_original_form_fields: output dict contains all original form keys plus the added fieldsImport
_normalize_formfrombackend.secuscan.crawler.Impact that it would Provide:
state_changingorhas_csrf_tokenvalues could lead to incorrect security assessmentsNote: This task is being handled by tmdeveloper007 — please assign to that account when picking it up.