Skip to content

test : add edge-case unit tests for crawler _normalize_form #1707

Description

@tmdeveloper007

Summary of What Needs to be Done:

Add edge-case unit tests for _normalize_form in backend/secuscan/crawler.py. The existing test file (testing/backend/unit/test_crawler_surface_parsing.py) covers DELETE method and non-dict input items, but is missing tests for CSRF token detection, password/file/hidden field state-changing logic, and the password_fields count and input_count output fields.

The function enriches a form dict with:

  • state_changing: True if method is POST/PUT/PATCH/DELETE OR any input has type password/file/hidden
  • has_csrf_token: True if any input name matches CSRF token name patterns
  • password_fields: count of inputs with type="password"
  • input_count: total number of inputs
  • action: absolute URL resolved via urljoin(page_url, action_or_empty)

Changes that Need to be Made:

Create testing/backend/unit/test_crawler_normalize_form_edge_cases.py with:

  • test_has_csrf_token_true_for_known_csrf_names: inputs with names csrf, _csrf, csrfmiddlewaretoken, authenticity_token, __requestverificationtoken each set has_csrf_token=True
  • test_has_csrf_token_false_for_regular_input_names: a normal username input should not trigger has_csrf_token
  • test_state_changing_true_for_password_input_type: method=GET with a <input type="password"> should set state_changing=True
  • test_state_changing_true_for_file_input_type: method=GET with <input type="file"> should set state_changing=True
  • test_state_changing_true_for_hidden_input_type: method=GET with <input type="hidden"> should set state_changing=True
  • test_password_fields_count_matches_password_inputs: 2 password inputs should set password_fields=2
  • test_input_count_reflects_all_inputs: a form with 3 inputs sets input_count=3
  • test_action_urljoin_resolves_relative_action: page_url="https://example.com/page", form["action"]="/submit" produces action="https://example.com/submit"
  • test_action_urljoin_handles_absolute_action: absolute URL in action is returned unchanged
  • test_preserves_original_form_fields: output dict contains all original form keys plus the added fields

Import _normalize_form from backend.secuscan.crawler.

Impact that it would Provide:

  • Reliability: form state classification is used by the crawler for security analysis — wrong state_changing or has_csrf_token values could lead to incorrect security assessments
  • Coverage: adds 10 targeted edge-case tests for a function with complex boolean logic

Note: This task is being handled by tmdeveloper007 — please assign to that account when picking it up.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions