From 57784f9f808258c603a05b094b8bf2bf98b9d4d5 Mon Sep 17 00:00:00 2001
From: curo1305
Date: Sat, 30 May 2026 23:24:26 +0200
Subject: [PATCH] fix(6.1): close WR-01/WR-02 code review findings in test_audit.py

WR-01: extend nested metadata_ forbidden-key check to all 4 keys
WR-02: assert no forbidden fields in CSV export body (D-15)

Co-Authored-By: Claude Sonnet 4.6
---
 backend/tests/test_audit.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/backend/tests/test_audit.py b/backend/tests/test_audit.py
index 9c6f0f2..87d02cc 100644
--- a/backend/tests/test_audit.py
+++ b/backend/tests/test_audit.py
@@ -95,10 +95,10 @@ async def test_audit_log_no_doc_content(async_client, admin_user, db_session):
 f"forbidden key '{key}' found at top level of audit item"
 )
 
- # Nested metadata_ check
+ # Nested metadata_ check — same forbidden set as top-level (WR-01)
 meta = item.get("metadata_")
 if isinstance(meta, dict):
- for key in ("filename", "extracted_text"):
+ for key in forbidden_keys:
 assert key not in meta, (
 f"forbidden key '{key}' found inside metadata_ of audit item"
 )
@@ -143,3 +143,10 @@ async def test_audit_log_export_csv(async_client, admin_user, db_session):
 f"CSV header line not found in response. "
 f"First 200 chars: {response.text[:200]!r}"
 )
+
+ # D-15: CSV export must not contain document content or sensitive fields (WR-02)
+ forbidden_csv = ("filename", "extracted_text", "password_hash", "credentials_enc")
+ for key in forbidden_csv:
+ assert key not in response.text, (
+ f"forbidden field '{key}' found in CSV export body"
+ )
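Review bot: The nested check under `if isinstance(meta, dict):` still inspects only the first level of `metadata_`, so a forbidden key stored one level deeper (a sub-dict, or a list of dicts) passes unnoticed even though the commit widened the key set. `forbidden_keys` and the start of test_audit_log_no_doc_content lie before this hunk, so I am assuming it is the same tuple the top-level loop iterates. A small module-level walker that recurses through dicts and lists, called as `_assert_no_forbidden_keys(item.get("metadata_"), forbidden_keys)` in place of the `meta = ...` / `if isinstance(meta, dict):` block, closes this at every depth; sketch below.
```python
def _assert_no_forbidden_keys(obj, forbidden, path="metadata_"):
    """Fail if any key in *forbidden* appears at any depth of obj (dicts and lists)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            assert key not in forbidden, (
                f"forbidden key '{key}' found at {path} of audit item"
            )
            _assert_no_forbidden_keys(value, forbidden, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            _assert_no_forbidden_keys(value, forbidden, f"{path}[{index}]")

# … unchanged: top-level forbidden-key loop over item …
# replaces the `meta = item.get("metadata_")` / `if isinstance(meta, dict):` block
_assert_no_forbidden_keys(item.get("metadata_"), forbidden_keys)
```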
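Review bot: `assert key not in response.text` is a substring match over the whole response, so it cannot distinguish a leaked column header from any harmless occurrence of the same word in a cell, and it never checks that the sensitive values themselves (the fixture document's real filename or extracted text) are absent, which is what D-15 is about. Parsing the export with `csv.reader(io.StringIO(response.text))` (both modules need importing at the top of the file) and asserting the header row is disjoint from the forbidden set gives a precise column check; the value check for the fixture's actual content depends on fixtures that start before this hunk, so I can only flag it. `forbidden_csv` also repeats the four names that `forbidden_keys` in test_audit_log_no_doc_content appears to hold; hoisting them into one module constant keeps the two tests from drifting. test_audit_log_export_csv begins before this hunk.
```python
# constructed name: one shared definition for both audit leak tests
FORBIDDEN_AUDIT_FIELDS = frozenset({"filename", "extracted_text", "password_hash", "credentials_enc"})

# … unchanged: request, status and CSV-header-line assertions …
header = next(csv.reader(io.StringIO(response.text)), [])
leaked = FORBIDDEN_AUDIT_FIELDS.intersection(header)
assert not leaked, f"forbidden column(s) {sorted(leaked)} in CSV export header"
for key in FORBIDDEN_AUDIT_FIELDS:
    assert key not in response.text, (
        f"forbidden field '{key}' found in CSV export body"
    )
```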