From aecd610916b32d1120e6441d5533ccd00cb98489 Mon Sep 17 00:00:00 2001
From: fderuiter <127706008+fderuiter@users.noreply.github.com>
Date: Wed, 25 Feb 2026 18:37:15 +0000
Subject: [PATCH 1/2] Shield: Add security test for RecordsEndpoint header injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added a new test file `tests/unit/endpoints/test_records_endpoint_security.py` to verify that `RecordsEndpoint` correctly raises `ValueError` when `email_notify` parameter contains newline characters. This test ensures that the header injection protection in `RecordsEndpoint` is covered by regression testing.

🛡️ Defense: Added `test_create_email_notify_header_injection`
📊 Impact: Increases test coverage for security-critical logic.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 .../endpoints/test_records_endpoint_security.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 tests/unit/endpoints/test_records_endpoint_security.py

diff --git a/tests/unit/endpoints/test_records_endpoint_security.py b/tests/unit/endpoints/test_records_endpoint_security.py
new file mode 100644
index 00000000..97ba673f
--- /dev/null
+++ b/tests/unit/endpoints/test_records_endpoint_security.py
@@ -0,0 +1,15 @@
+"""Security tests for RecordsEndpoint."""
+import pytest
+from imednet.endpoints.records import RecordsEndpoint
+
+def test_create_email_notify_header_injection(dummy_client, context):
+    """Test that header injection via email_notify raises ValueError."""
+    ep = RecordsEndpoint(dummy_client, context)
+
+    # Test with newline
+    with pytest.raises(ValueError, match="email_notify must not contain newlines"):
+        ep.create("S1", [{"foo": "bar"}], email_notify="test@example.com\nBcc: evil@example.com")
+
+    # Test with carriage return
+    with pytest.raises(ValueError, match="email_notify must not contain newlines"):
+        ep.create("S1", [{"foo": "bar"}], email_notify="test@example.com\rBcc: evil@example.com")

From 7b74f4eca0a9f0ba303c406b8543ab5a87221aaf Mon Sep 17 00:00:00 2001
From: fderuiter <127706008+fderuiter@users.noreply.github.com>
Date: Wed, 25 Feb 2026 18:42:44 +0000
Subject: [PATCH 2/2] Shield: Add formatted security test for RecordsEndpoint header injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added a new test file `tests/unit/endpoints/test_records_endpoint_security.py` to verify that `RecordsEndpoint` correctly raises `ValueError` when `email_notify` parameter contains newline characters. This test ensures that the header injection protection in `RecordsEndpoint` is covered by regression testing. Formatted with `black`, `isort`, and `ruff` to comply with CI standards.

🛡️ Defense: Added `test_create_email_notify_header_injection`
📊 Impact: Increases test coverage for security-critical logic.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 tests/unit/endpoints/test_records_endpoint_security.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/unit/endpoints/test_records_endpoint_security.py b/tests/unit/endpoints/test_records_endpoint_security.py
index 97ba673f..1e52302c 100644
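Review bot: The two `with pytest.raises` blocks in this hunk are the same assertion with a different payload; a `@pytest.mark.parametrize` over the payloads removes the duplication and makes it cheap to add the combined `\r\n` case, which the separate `\n` and `\r` checks never exercise as a single value. The test also pins only the rejecting path: a companion case asserting that a plain address such as `"test@example.com"` is accepted would catch a regression that over-rejects, and, if `dummy_client` records outgoing requests, asserting that none was issued when the ValueError fires would confirm the validation runs before the request is built. The docstring should say why the check exists, e.g. `"""CR/LF in ``email_notify`` must be rejected before the value can reach an HTTP header."""`. A parametrized version of the function is below.

```python
@pytest.mark.parametrize(
    "payload",
    [
        "test@example.com\nBcc: evil@example.com",
        "test@example.com\rBcc: evil@example.com",
        "test@example.com\r\nBcc: evil@example.com",
    ],
    ids=["lf", "cr", "crlf"],
)
def test_create_email_notify_header_injection(dummy_client, context, payload):
    """CR/LF in ``email_notify`` must be rejected before the value can reach an HTTP header."""
    ep = RecordsEndpoint(dummy_client, context)
    with pytest.raises(ValueError, match="email_notify must not contain newlines"):
        ep.create("S1", [{"foo": "bar"}], email_notify=payload)
```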
--- a/tests/unit/endpoints/test_records_endpoint_security.py
+++ b/tests/unit/endpoints/test_records_endpoint_security.py
@@ -1,7 +1,10 @@
 """Security tests for RecordsEndpoint."""
+
 import pytest
+
 from imednet.endpoints.records import RecordsEndpoint
 
+
 def test_create_email_notify_header_injection(dummy_client, context):
     """Test that header injection via email_notify raises ValueError."""
     ep = RecordsEndpoint(dummy_client, context)