mostalive/firehose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
firehose/app/test/firehose_web/controllers/blog_test.exs
Willem van den Ende 6887ae4087 Security: Validate blog controller inputs (page param, blog ID) 
Ran a claude /security-review, fixed two vulnerabilities

  Use a plug to resolve blog_id, returning a clean 404 for unknown blogs
  instead of raising with inspect(). Parse page param with Integer.parse
  so invalid values (non-numeric, negative, zero) fall back to page 1
  instead of crashing. Add 5 tests covering these cases.a
2026-03-17 12:17:29 +00:00

117 lines
4.1 KiB
Elixir
Raw Blame History

defmodule FirehoseWeb.BlogTest do
use FirehoseWeb.ConnCase
describe "engineering blog (HTML)" do
test "GET /blog/engineering returns HTML index with layout", %{conn: conn} do
conn = get(conn, "/blog/engineering")
body = html_response(conn, 200)
assert body =~ "Engineering Blog"
assert body =~ "Hello World"
# Verify app layout is present (navbar)
assert body =~ "firehose"
end
test "GET /blog/engineering/:slug returns HTML post with layout", %{conn: conn} do
conn = get(conn, "/blog/engineering/hello-world")
body = html_response(conn, 200)
assert body =~ "Hello World"
assert body =~ "firehose"
end
test "GET /blog/engineering/tag/:tag returns HTML tag page", %{conn: conn} do
conn = get(conn, "/blog/engineering/tag/elixir")
body = html_response(conn, 200)
assert body =~ ~s(tagged "elixir")
assert body =~ "Hello World"
end
end
describe "input validation" do
test "GET /blog/nonexistent returns 404", %{conn: conn} do
conn = get(conn, "/blog/nonexistent")
assert html_response(conn, 404)
end
test "GET /blog/engineering?page=abc falls back to page 1", %{conn: conn} do
conn = get(conn, "/blog/engineering?page=abc")
assert html_response(conn, 200) =~ "Engineering Blog"
end
test "GET /blog/engineering?page=-1 falls back to page 1", %{conn: conn} do
conn = get(conn, "/blog/engineering?page=-1")
assert html_response(conn, 200) =~ "Engineering Blog"
end
test "GET /blog/engineering?page=0 falls back to page 1", %{conn: conn} do
conn = get(conn, "/blog/engineering?page=0")
assert html_response(conn, 200) =~ "Engineering Blog"
end
test "GET /blog/engineering/nonexistent-post returns 404", %{conn: conn} do
assert_raise Blogex.NotFoundError, fn ->
get(conn, "/blog/engineering/nonexistent-post")
end
end
end
describe "release notes blog (HTML)" do
test "GET /blog/releases returns HTML index", %{conn: conn} do
conn = get(conn, "/blog/releases")
body = html_response(conn, 200)
assert body =~ "Release Notes"
assert body =~ "v0.1.0 Released"
end
test "GET /blog/releases/:slug returns HTML post", %{conn: conn} do
conn = get(conn, "/blog/releases/v0-1-0")
body = html_response(conn, 200)
assert body =~ "v0.1.0 Released"
end
end
describe "engineering blog (JSON API)" do
test "GET /api/blog/engineering returns post index", %{conn: conn} do
conn = get(conn, "/api/blog/engineering")
assert %{"blog" => "engineering", "posts" => posts} = json_response(conn, 200)
assert is_list(posts)
assert length(posts) > 0
end
test "GET /api/blog/engineering/:slug returns a post", %{conn: conn} do
conn = get(conn, "/api/blog/engineering/hello-world")
assert %{"id" => "hello-world", "title" => "Hello World"} = json_response(conn, 200)
end
test "GET /api/blog/engineering/:slug returns 404 for missing post", %{conn: conn} do
conn = get(conn, "/api/blog/engineering/nonexistent")
assert response(conn, 404)
end
test "GET /api/blog/engineering/feed.xml returns RSS", %{conn: conn} do
conn = get(conn, "/api/blog/engineering/feed.xml")
assert response_content_type(conn, :xml)
assert response(conn, 200) =~ "<rss"
end
end
describe "release notes blog (JSON API)" do
test "GET /api/blog/releases returns post index", %{conn: conn} do
conn = get(conn, "/api/blog/releases")
assert %{"blog" => "release_notes", "posts" => posts} = json_response(conn, 200)
assert is_list(posts)
assert length(posts) > 0
end
test "GET /api/blog/releases/:slug returns a post", %{conn: conn} do
conn = get(conn, "/api/blog/releases/v0-1-0")
assert %{"id" => "v0-1-0", "title" => "v0.1.0 Released"} = json_response(conn, 200)
end
test "GET /api/blog/releases/feed.xml returns RSS", %{conn: conn} do
conn = get(conn, "/api/blog/releases/feed.xml")
assert response_content_type(conn, :xml)
assert response(conn, 200) =~ "<rss"
end
end
end
Reference in New Issue View Git Blame Copy Permalink