kimi/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Pull Requests Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
b8e0f4539f503a90ff53b6f2dcfb5d841cfa1e23
Timmy-time-dashboard/tests/dashboard/middleware/test_csrf_traversal.py
Alexander Whitestone b615595100 refactor: centralize config & harden security (#141) 
* feat: upgrade primary model from llama3.1:8b to qwen2.5:14b

- Swap OLLAMA_MODEL_PRIMARY to qwen2.5:14b for better reasoning
- llama3.1:8b-instruct becomes fallback
- Update .env default and README quick start
- Fix hardcoded model assertions in tests

qwen2.5:14b provides significantly better multi-step reasoning
and tool calling reliability while still running locally on
modest hardware. The 8B model remains as automatic fallback.

* security: centralize config, harden uploads, fix silent exceptions

- Add 9 pydantic Settings fields (skip_embeddings, disable_csrf,
  rqlite_url, brain_source, brain_db_path, csrf_cookie_secure,
  chat_api_max_body_bytes, timmy_test_mode) to centralize env-var access
- Migrate 8 os.environ.get() calls across 5 source files to use
  `from config import settings` per project convention
- Add path traversal defense-in-depth to file upload endpoint
- Add 1MB request body size limit to chat API
- Make CSRF cookie secure flag configurable via settings
- Replace 2 silent `except: pass` blocks with debug logging in session.py
- Remove unused `import os` from brain/memory.py and csrf.py
- Update 5 CSRF test fixtures to patch settings instead of os.environ

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Trip T <trip@local>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 18:49:37 -05:00

42 lines
1.5 KiB
Python
Raw Blame History

"""Tests for CSRF protection middleware traversal bypasses."""
import pytest
from fastapi import FastAPI
from fastapi.testclient import TestClient
from dashboard.middleware.csrf import CSRFMiddleware
class TestCSRFTraversal:
"""Test path traversal CSRF bypass."""
@pytest.fixture(autouse=True)
def enable_csrf(self):
"""Re-enable CSRF for these tests."""
from config import settings
original = settings.timmy_disable_csrf
settings.timmy_disable_csrf = False
yield
settings.timmy_disable_csrf = original
def test_csrf_middleware_path_traversal_bypass(self):
"""Test if path traversal can bypass CSRF exempt patterns."""
app = FastAPI()
app.add_middleware(CSRFMiddleware)
@app.post("/test")
def test_endpoint():
return {"message": "success"}
client = TestClient(app)
# We want to check if the middleware logic is flawed.
# Since TestClient might normalize, we can test the _is_likely_exempt method directly.
middleware = CSRFMiddleware(app)
# This path starts with /webhook, but resolves to /test
traversal_path = "/webhook/../test"
# If this returns True, it's a vulnerability because /test is not supposed to be exempt.
is_exempt = middleware._is_likely_exempt(traversal_path)
assert is_exempt is False, f"Path {traversal_path} should not be exempt"
View Git Blame Copy Permalink