docs(6.1): add code review report — 3 warnings, 2 info
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
@@ -0,0 +1,149 @@
|
||||
---
|
||||
phase: 06.1-close-v1-audit-gaps
|
||||
reviewed: 2026-05-30T00:00:00Z
|
||||
depth: standard
|
||||
files_reviewed: 3
|
||||
files_reviewed_list:
|
||||
- backend/tests/test_shares.py
|
||||
- backend/tests/conftest.py
|
||||
- backend/tests/test_audit.py
|
||||
findings:
|
||||
critical: 0
|
||||
warning: 3
|
||||
info: 2
|
||||
total: 5
|
||||
status: issues_found
|
||||
---
|
||||
|
||||
# Phase 06.1: Code Review Report
|
||||
|
||||
**Reviewed:** 2026-05-30
|
||||
**Depth:** standard
|
||||
**Files Reviewed:** 3
|
||||
**Status:** issues_found
|
||||
|
||||
## Summary
|
||||
|
||||
Reviewed the three test-only files promoted in Phase 6.1: `test_shares.py` (7 xfail stubs promoted to real tests covering SHARE-01 through SHARE-05), `conftest.py` (new `second_auth_user` fixture), and `test_audit.py` (4 xfail stubs promoted to real tests covering ADMIN-06).
|
||||
|
||||
The share tests are structurally sound. Fixture isolation is correct: `db_session` is function-scoped, so each test gets a fresh in-memory SQLite database; `expire_on_commit=False` ensures ORM objects remain accessible after the fixture's `commit()` calls; JSONB columns round-trip correctly through SQLite's TEXT storage because SQLAlchemy's JSONB `result_processor` fires regardless of dialect. The IDOR revocation test (`test_share_revoke_wrong_owner_404`) correctly exercises the 404-not-403 invariant.
|
||||
|
||||
Three defects were found, all in `test_audit.py`: one incomplete security invariant assertion and two coverage gaps that leave the CSV export untested for data leakage.
|
||||
|
||||
---
|
||||
|
||||
## Warnings
|
||||
|
||||
### WR-01: `test_audit_log_no_doc_content` — metadata_ nested check omits `password_hash` and `credentials_enc`
|
||||
|
||||
**File:** `backend/tests/test_audit.py:101`
|
||||
|
||||
**Issue:** The docstring for `test_audit_log_no_doc_content` explicitly states it checks "including nested inside `metadata_`" for all four forbidden keys (`filename`, `extracted_text`, `password_hash`, `credentials_enc`). However the inner loop at line 101 only iterates over `("filename", "extracted_text")`. A future audit entry that stored a `password_hash` or `credentials_enc` value inside `metadata_` would silently pass this test.
|
||||
|
||||
The four-key `forbidden_keys` set is defined at line 89 and used for the top-level check — but is not reused for the nested check, creating divergence that will not be caught by a reader who trusts the docstring.
|
||||
|
||||
**Fix:**
|
||||
```python
|
||||
# Replace the inner loop at line 101 with the full forbidden set:
|
||||
meta = item.get("metadata_")
|
||||
if isinstance(meta, dict):
|
||||
for key in forbidden_keys: # was: ("filename", "extracted_text")
|
||||
assert key not in meta, (
|
||||
f"forbidden key '{key}' found inside metadata_ of audit item"
|
||||
)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### WR-02: `test_audit_log_export_csv` — no assertion that forbidden fields are absent from the CSV body
|
||||
|
||||
**File:** `backend/tests/test_audit.py:116`
|
||||
|
||||
**Issue:** The CSV export test verifies the `Content-Type` header, `Content-Disposition` filename, and the presence of the correct CSV header row. It does not verify that the CSV body does not contain `filename`, `extracted_text`, `password_hash`, or `credentials_enc`. The test would pass even if the export endpoint switched from `_audit_to_dict()` to a direct `vars(entry)` serialisation that exposed all ORM columns.
|
||||
|
||||
This is a security-invariant test (ADMIN-06, D-15) and the gap is meaningful: the JSON viewer test (`test_audit_log_no_doc_content`) asserts the whitelist, but the CSV path has no equivalent assertion.
|
||||
|
||||
**Fix:**
|
||||
```python
|
||||
# After the existing header assertions, add:
|
||||
csv_body = response.text
|
||||
forbidden_in_csv = {"filename", "extracted_text", "password_hash", "credentials_enc"}
|
||||
for forbidden in forbidden_in_csv:
|
||||
assert forbidden not in csv_body, (
|
||||
f"forbidden field '{forbidden}' found in CSV export body"
|
||||
)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### WR-03: `async_client` fixture — `dependency_overrides` not guarded by `try/finally`
|
||||
|
||||
**File:** `backend/tests/conftest.py:150`
|
||||
|
||||
**Issue:** `app.dependency_overrides[get_db]` is set at line 150, before the `async with AsyncClient(...)` context manager at line 152. If `ASGITransport` or `AsyncClient.__aenter__` raises (e.g. app startup failure), the generator terminates without reaching the `yield`, so pytest never runs the teardown code at line 155 (`app.dependency_overrides.clear()`). The global `app` object would then have a stale override pointing at a closed session, potentially corrupting subsequent tests in the same process.
|
||||
|
||||
This is low probability in practice (app construction is deterministic), but it is a correctness gap in a shared-object fixture.
|
||||
|
||||
**Fix:**
|
||||
```python
|
||||
@pytest_asyncio.fixture
|
||||
async def async_client(db_session: AsyncSession):
|
||||
from deps.db import get_db
|
||||
from main import app
|
||||
|
||||
app.dependency_overrides[get_db] = lambda: db_session
|
||||
try:
|
||||
async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as c:
|
||||
yield c
|
||||
finally:
|
||||
app.dependency_overrides.clear()
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Info
|
||||
|
||||
### IN-01: Missing test for unauthenticated access to share endpoints
|
||||
|
||||
**File:** `backend/tests/test_shares.py` (no specific line — absent test)
|
||||
|
||||
**Issue:** None of the seven share tests verify that an unauthenticated request (no `Authorization` header) to `POST /api/shares`, `GET /api/shares/received`, or `DELETE /api/shares/{id}` returns 401/403. The `get_regular_user` dependency chain passes through `HTTPBearer(auto_error=True)` which raises 403 on a missing header — but this is not exercised in the test suite for the shares router, leaving an untested code path in the dependency chain for this specific router.
|
||||
|
||||
**Fix:** Add a parametrized negative test:
|
||||
```python
|
||||
async def test_shares_unauthenticated(async_client):
|
||||
"""All share endpoints reject requests with no auth token."""
|
||||
r1 = await async_client.post("/api/shares", json={"document_id": "x", "recipient_handle": "y"})
|
||||
assert r1.status_code in (401, 403)
|
||||
r2 = await async_client.get("/api/shares/received")
|
||||
assert r2.status_code in (401, 403)
|
||||
r3 = await async_client.delete(f"/api/shares/{uuid.uuid4()}")
|
||||
assert r3.status_code in (401, 403)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### IN-02: Missing test for self-share rejection (400)
|
||||
|
||||
**File:** `backend/tests/test_shares.py` (no specific line — absent test)
|
||||
|
||||
**Issue:** `api/shares.py` line 89–90 explicitly rejects a share where the recipient is the same as the owner with a `400 Bad Request`. This branch has no corresponding test. A refactor that removes the self-share guard would not be caught by the current suite.
|
||||
|
||||
**Fix:**
|
||||
```python
|
||||
async def test_share_self(async_client, auth_user, db_session):
|
||||
"""POST /api/shares where recipient is the owner returns 400."""
|
||||
doc_id = await _make_doc(db_session, auth_user)
|
||||
resp = await async_client.post(
|
||||
"/api/shares",
|
||||
json={"document_id": doc_id, "recipient_handle": auth_user["user"].handle},
|
||||
headers=auth_user["headers"],
|
||||
)
|
||||
assert resp.status_code == 400
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
_Reviewed: 2026-05-30_
|
||||
_Reviewer: Claude (gsd-code-reviewer)_
|
||||
_Depth: standard_
|
||||
Reference in New Issue
Block a user