feat: code quality audit + autoresearch integration + infra hardening (#150)

2026-03-08 12:50:44 -04:00
parent fd0ede0d51
commit ae3bb1cc21
186 changed files with 5129 additions and 3289 deletions
--- a/tests/dashboard/middleware/test_csrf_bypass.py
+++ b/tests/dashboard/middleware/test_csrf_bypass.py
@@ -3,8 +3,10 @@
 import pytest
 from fastapi import FastAPI
 from fastapi.testclient import TestClient
+
 from dashboard.middleware.csrf import CSRFMiddleware

+
 class TestCSRFBypass:
    """Test potential CSRF bypasses."""

@@ -12,6 +14,7 @@ class TestCSRFBypass:
    def enable_csrf(self):
        """Re-enable CSRF for these tests."""
        from config import settings
+
        original = settings.timmy_disable_csrf
        settings.timmy_disable_csrf = False
        yield
@@ -21,19 +24,16 @@ class TestCSRFBypass:
        """POST should require CSRF token even with AJAX headers (if not explicitly allowed)."""
        app = FastAPI()
        app.add_middleware(CSRFMiddleware)
-        
+
        @app.post("/test")
        def test_endpoint():
            return {"message": "success"}
-        
+
        client = TestClient(app)
-        
+
        # POST with X-Requested-With should STILL fail if it's not a valid CSRF token
        # Some older middlewares used to trust this header blindly.
-        response = client.post(
-            "/test",
-            headers={"X-Requested-With": "XMLHttpRequest"}
-        )
+        response = client.post("/test", headers={"X-Requested-With": "XMLHttpRequest"})
        # This should fail with 403 because no CSRF token is provided
        assert response.status_code == 403

@@ -41,32 +41,32 @@ class TestCSRFBypass:
        """Test if path traversal can bypass CSRF exempt patterns."""
        app = FastAPI()
        app.add_middleware(CSRFMiddleware)
-        
+
        @app.post("/test")
        def test_endpoint():
            return {"message": "success"}
-        
+
        client = TestClient(app)
-        
-        # If the middleware checks path starts with /webhook, 
+
+        # If the middleware checks path starts with /webhook,
        # can we use /webhook/../test to bypass?
        # Note: TestClient/FastAPI might normalize this, but we should check the logic.
        response = client.post("/webhook/../test")
-        
+
        # If it bypassed, it would return 200 (if normalized to /test) or 404 (if not).
        # But it should definitely not return 200 success without CSRF.
        if response.status_code == 200:
            assert response.json() != {"message": "success"}
-        
+
    def test_csrf_middleware_null_byte_bypass(self):
        """Test if null byte in path can bypass CSRF exempt patterns."""
        app = FastAPI()
        middleware = CSRFMiddleware(app)
-        
+
        # Test directly since TestClient blocks null bytes
        path = "/webhook\0/test"
        is_exempt = middleware._is_likely_exempt(path)
-        
+
        # It should either be not exempt or the null byte should be handled
        # In our current implementation, it might still be exempt if normalized to /webhook\0/test
        # But it's better than /webhook/../test