
Alan-Jowett / CoPilot-For-Consensus / 21616483541
78%

Build:
DEFAULT BRANCH: main
Ran 03 Feb 2026 04:03AM UTC
Jobs 0
Files 0
Run time –
Canceled at 07 Feb 2026 04:18PM UTC via web
21616483541

push

github

web-flow
test(security): Fuzz auth service OIDC callback flow (#1114)

* Initial plan

* Add comprehensive fuzzing tests for auth OIDC callback flow

- Created fuzzing/tests/test_auth_callback_fuzzing.py with Hypothesis and Schemathesis tests
- Tests cover callback parameter validation, CSRF protection, injection attacks, session management
- Includes property-based tests for never crashing, valid JSON responses, and security properties
- Includes Schemathesis tests for OpenAPI spec compliance and error handling
- Includes edge case tests for missing params, Unicode, special chars, and security scenarios

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* Update fuzzing workflow and documentation for auth callback tests

- Added copilot_auth and copilot_metrics to adapter installation in CI
- Added auth callback security test step to fuzzing workflow
- Updated fuzzing README with auth service coverage details
- Enhanced test file documentation with comprehensive security coverage info
- Fixed test_very_long_parameters to handle httpx URL length limits gracefully
- All 17 auth callback fuzzing tests pass successfully

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* fix: address PR review comments for auth callback fuzzing

- Remove unused imports (Any, AsyncMock)
- Add replay protection to mock (track used states)
- Fix status code assertions (400 not 500 for errors)
- Improve XSS check to verify JSON detail field
- Fix replay attack test to enforce first-succeeds/second-fails
- Remove copilot_auth import from mock to avoid runtime errors

Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>

* Address review comments: improve assertions, XSS checks, exception handling, add success test

Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>

* fix: remove unnecessary f-string prefixes

Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>

* feat(ci): add Azure emulator-based integration testing

- ... (continued)
Source Files on build 21616483541
Detailed source file information is not available for this build.
  • Back to Repo
  • Github Actions Build #21616483541
  • 074e322d on github
  • Prev Build on main (#21556481805)
  • Next Build on main (#21641281675)