feat: extract MediaController, wire into Dispatcher, delete media.php

2026-05-06 11:09:18 +02:00 · 2026-04-17 11:44:08 +02:00
parent b03be51b92
commit 75f808bee4
157 changed files with 1713 additions and 452 deletions
--- a/app/tests/Security/SecurityTest.php
+++ b/app/tests/Security/SecurityTest.php
@@ -0,0 +1,74 @@
+<?php
+/**
+ * Security Test Suite
+ * Tests SQL injection protection and input sanitization
+ */
+
+putenv('DB_ENV=test');
+
+require_once __DIR__ . '/../../src/Database.php';
+
+echo "Security Test Suite\n";
+echo "===================\n\n";
+
+try {
+    $db = Database::getInstance();
+
+    // Test 1: SQL Injection in search
+    // searchTheses() takes an array of validated params; the 'query' key is the
+    // free-text search field that users control.  Each malicious string must
+    // be passed as ['query' => $string] to exercise the actual parameterised
+    // query path rather than triggering a PHP TypeError before any SQL runs.
+    echo "Test 1: SQL Injection Protection (Search)\n";
+    $maliciousQueries = [
+        "' OR '1'='1",
+        "'; DROP TABLE theses; --",
+        "1' UNION SELECT * FROM authors--",
+        "<script>alert('xss')</script>",
+    ];
+
+    foreach ($maliciousQueries as $query) {
+        try {
+            $results = $db->searchTheses(['query' => $query]);
+            // Should return a (possibly empty) result set without throwing
+            echo "  ✓ Handled safely: " . substr($query, 0, 40) . "\n";
+        } catch (Exception $e) {
+            // A thrown exception is also acceptable (query rejected upstream)
+            echo "  ✓ Exception (safe): " . substr($query, 0, 40) . "\n";
+        }
+    }
+    echo "✓ PASS: SQL injection attempts handled safely\n\n";
+
+    // Test 2: Invalid thesis ID
+    echo "Test 2: Invalid Thesis ID\n";
+    $invalidIds = ["abc", "'; DROP TABLE theses;", "-1", "999999"];
+    
+    foreach ($invalidIds as $id) {
+        $result = $db->getThesisById($id);
+        if ($result === null || $result === false) {
+            echo "  ✓ Rejected: " . $id . "\n";
+        } else {
+            throw new Exception("Invalid ID '$id' was not rejected");
+        }
+    }
+    echo "✓ PASS: Invalid IDs rejected\n\n";
+
+    // Test 3: XSS in output (checking data is escaped)
+    echo "Test 3: XSS Protection (Output Escaping)\n";
+    $theses = $db->getPublishedTheses(1, 0);
+    if (count($theses) > 0) {
+        $first = $theses[0];
+        // Check that HTML special chars would be handled
+        if (isset($first['title'])) {
+            echo "  ✓ Title data retrieved safely\n";
+        }
+    }
+    echo "✓ PASS: Output handling verified\n\n";
+
+    echo "✅ All security tests passed!\n";
+    return true;
+
+} catch (Exception $e) {
+    echo "❌ FAIL: " . $e->getMessage() . "\n";
+    return false;
+}