phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
927db4aea05990cb70793148326777ac7d412a73
StarPunk/tests/test_media_upload.py
Phil Skentelbery 27501f6381 feat: v1.2.0-rc.2 - Media display fixes and feed enhancements 
## Added
- Feed Media Enhancement with Media RSS namespace support
  - RSS enclosure, media:content, media:thumbnail elements
  - JSON Feed image field for first image
- ADR-059: Full feed media standardization roadmap

## Fixed
- Media display on homepage (was only showing on note pages)
- Responsive image sizing with CSS constraints
- Caption display (now alt text only, not visible)
- Logging correlation ID crash in non-request contexts

## Documentation
- Feed media design documents and implementation reports
- Media display fixes design and validation reports
- Updated ROADMAP with v1.3.0/v1.4.0 media plans

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-09 14:58:37 -07:00

436 lines
15 KiB
Python
Raw Blame History

"""
Tests for media upload functionality (v1.2.0 Phase 3)
Tests media upload, validation, optimization, and display per ADR-057 and ADR-058.
Uses generated test images (PIL Image.new()) per Q31.
"""
import pytest
from PIL import Image
import io
from pathlib import Path
from starpunk.media import (
validate_image,
optimize_image,
save_media,
attach_media_to_note,
get_note_media,
delete_media,
MAX_FILE_SIZE,
MAX_DIMENSION,
RESIZE_DIMENSION,
MAX_IMAGES_PER_NOTE,
)
def create_test_image(width=800, height=600, format='PNG'):
"""
Generate test image using PIL
Per Q31: Use generated test images, not real files
Args:
width: Image width in pixels
height: Image height in pixels
format: Image format (PNG, JPEG, GIF, WEBP)
Returns:
Bytes of image data
"""
img = Image.new('RGB', (width, height), color='red')
buffer = io.BytesIO()
img.save(buffer, format=format)
buffer.seek(0)
return buffer.getvalue()
class TestImageValidation:
"""Test validate_image function"""
def test_valid_jpeg(self):
"""Test validation of valid JPEG image"""
image_data = create_test_image(800, 600, 'JPEG')
mime_type, width, height = validate_image(image_data, 'test.jpg')
assert mime_type == 'image/jpeg'
assert width == 800
assert height == 600
def test_valid_png(self):
"""Test validation of valid PNG image"""
image_data = create_test_image(800, 600, 'PNG')
mime_type, width, height = validate_image(image_data, 'test.png')
assert mime_type == 'image/png'
assert width == 800
assert height == 600
def test_valid_gif(self):
"""Test validation of valid GIF image"""
image_data = create_test_image(800, 600, 'GIF')
mime_type, width, height = validate_image(image_data, 'test.gif')
assert mime_type == 'image/gif'
assert width == 800
assert height == 600
def test_valid_webp(self):
"""Test validation of valid WebP image"""
image_data = create_test_image(800, 600, 'WEBP')
mime_type, width, height = validate_image(image_data, 'test.webp')
assert mime_type == 'image/webp'
assert width == 800
assert height == 600
def test_file_too_large(self):
"""Test rejection of >10MB file (per Q6)"""
# Create data larger than MAX_FILE_SIZE
large_data = b'x' * (MAX_FILE_SIZE + 1)
with pytest.raises(ValueError) as exc_info:
validate_image(large_data, 'large.jpg')
assert "File too large" in str(exc_info.value)
def test_dimensions_too_large(self):
"""Test rejection of >4096px image (per ADR-058)"""
large_image = create_test_image(5000, 5000, 'PNG')
with pytest.raises(ValueError) as exc_info:
validate_image(large_image, 'huge.png')
assert "dimensions too large" in str(exc_info.value).lower()
def test_corrupted_image(self):
"""Test rejection of corrupted image data"""
corrupted_data = b'not an image'
with pytest.raises(ValueError) as exc_info:
validate_image(corrupted_data, 'corrupt.jpg')
assert "Invalid or corrupted" in str(exc_info.value)
class TestImageOptimization:
"""Test optimize_image function"""
def test_no_resize_needed(self):
"""Test image within limits is not resized"""
image_data = create_test_image(1024, 768, 'PNG')
optimized, width, height = optimize_image(image_data)
assert width == 1024
assert height == 768
def test_resize_large_image(self):
"""Test auto-resize of >2048px image (per ADR-058)"""
large_image = create_test_image(3000, 2000, 'PNG')
optimized, width, height = optimize_image(large_image)
# Should be resized to 2048px on longest edge
assert width == RESIZE_DIMENSION
# Height should be proportionally scaled
assert height == int(2000 * (RESIZE_DIMENSION / 3000))
def test_aspect_ratio_preserved(self):
"""Test aspect ratio is maintained during resize"""
image_data = create_test_image(3000, 1500, 'PNG')
optimized, width, height = optimize_image(image_data)
# Original aspect ratio: 2:1
# After resize: should still be 2:1
assert width / height == pytest.approx(2.0, rel=0.01)
def test_gif_animation_preserved(self):
"""Test GIF animation preservation (per Q12)"""
# For v1.2.0: Just verify GIF is handled without error
# Full animation preservation is complex
gif_data = create_test_image(800, 600, 'GIF')
optimized, width, height = optimize_image(gif_data)
assert width > 0
assert height > 0
class TestMediaSave:
"""Test save_media function"""
def test_save_valid_image(self, app):
"""Test saving valid image"""
image_data = create_test_image(800, 600, 'PNG')
with app.app_context():
media_info = save_media(image_data, 'test.png')
assert media_info['id'] > 0
assert media_info['filename'] == 'test.png'
assert media_info['mime_type'] == 'image/png'
assert media_info['width'] == 800
assert media_info['height'] == 600
assert media_info['size'] > 0
# Check file was created
media_path = Path(app.config['DATA_PATH']) / 'media' / media_info['path']
assert media_path.exists()
def test_uuid_filename(self, app):
"""Test UUID-based filename generation (per Q5)"""
image_data = create_test_image(800, 600, 'PNG')
with app.app_context():
media_info = save_media(image_data, 'original-name.png')
# Stored filename should be different from original
assert media_info['stored_filename'] != 'original-name.png'
# Should end with .png
assert media_info['stored_filename'].endswith('.png')
# Path should be YYYY/MM/uuid.ext (per Q2)
parts = media_info['path'].split('/')
assert len(parts) == 3 # year/month/filename
assert len(parts[0]) == 4 # Year
assert len(parts[1]) == 2 # Month
def test_auto_resize_on_save(self, app):
"""Test image >2048px is automatically resized"""
large_image = create_test_image(3000, 2000, 'PNG')
with app.app_context():
media_info = save_media(large_image, 'large.png')
# Should be resized
assert media_info['width'] == RESIZE_DIMENSION
assert media_info['height'] < 2000
class TestMediaAttachment:
"""Test attach_media_to_note function"""
def test_attach_single_image(self, app, sample_note):
"""Test attaching single image to note"""
image_data = create_test_image(800, 600, 'PNG')
with app.app_context():
# Save media
media_info = save_media(image_data, 'test.png')
# Attach to note
attach_media_to_note(sample_note.id, [media_info['id']], ['Test caption'])
# Verify attachment
media_list = get_note_media(sample_note.id)
assert len(media_list) == 1
assert media_list[0]['id'] == media_info['id']
assert media_list[0]['caption'] == 'Test caption'
assert media_list[0]['display_order'] == 0
def test_attach_multiple_images(self, app, sample_note):
"""Test attaching multiple images (up to 4)"""
with app.app_context():
media_ids = []
captions = []
for i in range(4):
image_data = create_test_image(800, 600, 'PNG')
media_info = save_media(image_data, f'test{i}.png')
media_ids.append(media_info['id'])
captions.append(f'Caption {i}')
attach_media_to_note(sample_note.id, media_ids, captions)
media_list = get_note_media(sample_note.id)
assert len(media_list) == 4
# Verify order
for i, media_item in enumerate(media_list):
assert media_item['display_order'] == i
assert media_item['caption'] == f'Caption {i}'
def test_reject_more_than_4_images(self, app, sample_note):
"""Test rejection of 5th image (per Q6)"""
with app.app_context():
media_ids = []
captions = []
for i in range(5):
image_data = create_test_image(800, 600, 'PNG')
media_info = save_media(image_data, f'test{i}.png')
media_ids.append(media_info['id'])
captions.append('')
with pytest.raises(ValueError) as exc_info:
attach_media_to_note(sample_note.id, media_ids, captions)
assert "Maximum 4 images" in str(exc_info.value)
def test_optional_captions(self, app, sample_note):
"""Test captions are optional (per Q7)"""
image_data = create_test_image(800, 600, 'PNG')
with app.app_context():
media_info = save_media(image_data, 'test.png')
# Attach without caption
attach_media_to_note(sample_note.id, [media_info['id']], [''])
media_list = get_note_media(sample_note.id)
assert media_list[0]['caption'] is None or media_list[0]['caption'] == ''
class TestMediaDeletion:
"""Test delete_media function"""
def test_delete_media_file(self, app):
"""Test deletion of media file and record"""
image_data = create_test_image(800, 600, 'PNG')
with app.app_context():
media_info = save_media(image_data, 'test.png')
media_id = media_info['id']
media_path = Path(app.config['DATA_PATH']) / 'media' / media_info['path']
# Verify file exists
assert media_path.exists()
# Delete media
delete_media(media_id)
# Verify file deleted
assert not media_path.exists()
def test_delete_orphaned_associations(self, app, sample_note):
"""Test cascade deletion of note_media associations"""
image_data = create_test_image(800, 600, 'PNG')
with app.app_context():
media_info = save_media(image_data, 'test.png')
attach_media_to_note(sample_note.id, [media_info['id']], ['Test'])
# Delete media
delete_media(media_info['id'])
# Verify association also deleted
media_list = get_note_media(sample_note.id)
assert len(media_list) == 0
class TestMediaSecurityEscaping:
"""Test HTML/JavaScript escaping in media display (per media-display-fixes.md)"""
def test_caption_html_escaped_in_alt_attribute(self, app, sample_note):
"""
Test that captions containing HTML are properly escaped in alt attributes
Per media-display-fixes.md Security Considerations:
"Alt text must be HTML-escaped in templates"
This prevents XSS attacks via malicious caption content.
"""
from starpunk.media import attach_media_to_note, save_media
image_data = create_test_image(800, 600, 'PNG')
# Create caption with HTML tags that should be escaped
malicious_caption = '<script>alert("XSS")</script><img src=x onerror=alert(1)>'
with app.app_context():
# Save media with malicious caption
media_info = save_media(image_data, 'test.png')
attach_media_to_note(sample_note.id, [media_info['id']], [malicious_caption])
# Get the rendered note page
client = app.test_client()
response = client.get(f'/note/{sample_note.slug}')
assert response.status_code == 200
# Verify the HTML is escaped in the alt attribute
# The caption should appear as escaped HTML entities, not raw HTML
html = response.data.decode('utf-8')
# Should NOT contain unescaped HTML tags
assert '<script>alert("XSS")</script>' not in html
assert '<img src=x onerror=alert(1)>' not in html
# Should NOT have onerror as an actual HTML attribute (i.e., outside quotes)
# Pattern: onerror= followed by something that isn't part of an alt value
assert 'onerror=' not in html or 'alt=' in html.split('onerror=')[0]
# Should contain escaped versions (Jinja2 auto-escapes by default)
# The HTML tags should be escaped
assert '&lt;script&gt;' in html
assert '&lt;img' in html
def test_caption_quotes_escaped_in_alt_attribute(self, app, sample_note):
"""
Test that captions containing quotes are properly escaped in alt attributes
This prevents breaking out of the alt attribute with malicious quotes.
"""
from starpunk.media import attach_media_to_note, save_media
image_data = create_test_image(800, 600, 'PNG')
# Create caption with quotes that could break alt attribute
caption_with_quotes = 'Image" onload="alert(\'XSS\')'
with app.app_context():
# Save media with caption containing quotes
media_info = save_media(image_data, 'test.png')
attach_media_to_note(sample_note.id, [media_info['id']], [caption_with_quotes])
# Get the rendered note page
client = app.test_client()
response = client.get(f'/note/{sample_note.slug}')
assert response.status_code == 200
html = response.data.decode('utf-8')
# Should NOT contain unescaped onload event
assert 'onload="alert' not in html
# The quote should be properly escaped
# Jinja2 should escape quotes in attributes
assert '&#34;' in html or '&quot;' in html or '&#39;' in html
def test_caption_displayed_on_homepage(self, app, sample_note):
"""
Test that media with captions are properly escaped on homepage too
Per media-display-fixes.md, homepage also displays media using the same macro.
"""
from starpunk.media import attach_media_to_note, save_media
image_data = create_test_image(800, 600, 'PNG')
malicious_caption = '<img src=x onerror=alert(1)>'
with app.app_context():
media_info = save_media(image_data, 'test.png')
attach_media_to_note(sample_note.id, [media_info['id']], [malicious_caption])
# Get the homepage
client = app.test_client()
response = client.get('/')
assert response.status_code == 200
html = response.data.decode('utf-8')
# Should NOT contain unescaped HTML tag
assert '<img src=x onerror=alert(1)>' not in html
# Should contain escaped version
assert '&lt;img' in html
@pytest.fixture
def sample_note(app):
"""Create a sample note for testing"""
from starpunk.notes import create_note
with app.app_context():
note = create_note("Test note content", published=True)
yield note
Reference in New Issue View Git Blame Copy Permalink