goyco/internal/handlers/fuzz_test.go

package handlers

import (
	"net/http/httptest"
	"strings"
	"testing"
	"unicode/utf8"

	"goyco/internal/fuzz"
)

func FuzzJSONParsing(f *testing.F) {
	helper := fuzz.NewFuzzTestHelper()
	testCases := []map[string]any{
		{
			"name": "auth_login",
			"body": `{"username":"FUZZED_INPUT","password":"test"}`,
		},
		{
			"name": "auth_register",
			"body": `{"username":"FUZZED_INPUT","email":"test@example.com","password":"test123"}`,
		},
		{
			"name": "post_create",
			"body": `{"title":"FUZZED_INPUT","url":"https://example.com","content":"test"}`,
		},
		{
			"name": "vote_cast",
			"body": `{"type":"FUZZED_INPUT"}`,
		},
	}
	helper.RunJSONFuzzTest(f, testCases)
}

func FuzzURLParsing(f *testing.F) {
	helper := fuzz.NewFuzzTestHelper()
	helper.RunBasicFuzzTest(f, func(t *testing.T, input string) {

		sanitized := ""
		for _, char := range input {

			if (char >= 'a' && char <= 'z') || (char >= 'A' && char <= 'Z') ||
				(char >= '0' && char <= '9') || char == '-' || char == '_' {
				sanitized += string(char)
			}
		}

		if len(sanitized) > 20 {
			sanitized = sanitized[:20]
		}

		if len(sanitized) == 0 {
			return
		}

		url := "/api/posts/" + sanitized
		req := httptest.NewRequest("GET", url, nil)

		pathParts := strings.Split(req.URL.Path, "/")
		if len(pathParts) >= 4 {
			idStr := pathParts[3]
			_ = idStr
		}
	})
}

func FuzzQueryParameters(f *testing.F) {
	helper := fuzz.NewFuzzTestHelper()
	helper.RunBasicFuzzTest(f, func(t *testing.T, input string) {

		if !utf8.ValidString(input) {
			return
		}

		sanitized := ""
		for _, char := range input {

			if char >= 32 && char <= 126 {
				switch char {
				case ' ', '\n', '\r', '\t':

					continue
				case '&':
					sanitized += "%26"
				case '=':
					sanitized += "%3D"
				case '?':
					sanitized += "%3F"
				case '#':
					sanitized += "%23"
				case '/':
					sanitized += "%2F"
				case '\\':
					sanitized += "%5C"
				default:
					sanitized += string(char)
				}
			}
		}

		if len(sanitized) > 100 {
			sanitized = sanitized[:100]
		}

		if len(sanitized) == 0 {
			return
		}

		query := "?q=" + sanitized + "&limit=10&offset=0"
		req := httptest.NewRequest("GET", "/api/posts/search"+query, nil)

		q := req.URL.Query().Get("q")
		limit := req.URL.Query().Get("limit")
		offset := req.URL.Query().Get("offset")

		if !utf8.ValidString(q) {

			return
		}
		_ = limit
		_ = offset
	})
}

func FuzzHTTPHeaders(f *testing.F) {
	helper := fuzz.NewFuzzTestHelper()
	helper.RunBasicFuzzTest(f, func(t *testing.T, input string) {
		req := httptest.NewRequest("GET", "/api/test", nil)

		req.Header.Set("Authorization", "Bearer "+input)
		req.Header.Set("Content-Type", "application/json; charset=utf-8")
		req.Header.Set("User-Agent", input)
		req.Header.Set("X-Forwarded-For", input)

		for name, values := range req.Header {
			if !utf8.ValidString(name) {
				t.Fatal("Header name contains invalid UTF-8")
			}
			for _, value := range values {
				if !utf8.ValidString(value) {
					t.Fatal("Header value contains invalid UTF-8")
				}
			}
		}
	})
}