testing/adversarial_input.ts

Adversarial input validation testing for route specs.
Walks Zod schemas directly to generate payloads that must fail validation.
Fires requests against a test app and asserts 400 responses before handlers
are reached.
Tests are focused: one representative wrong-type value per field, one format
violation per constrained field, one null and one missing test per required
field, plus whole-body structural attacks (non-object body, extra unknown keys).

Declarations
#

4 declarations

view source

describe_adversarial_input
#

testing/adversarial_input.ts view source

(options: AdversarialTestOptions): void

Generate adversarial input validation test suites.
Tests input body validation and params validation for all routes.
Uses correct auth credentials so auth guards pass and validation
middleware is actually exercised.

`options`

the test configuration

type AdversarialTestOptions

returns

void

generate_input_test_cases
#

testing/adversarial_input.ts view source

(input_schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): InputTestCase[]

Generate adversarial test cases for a route's input schema.
Produces focused, non-redundant cases:
- Whole-body: send array instead of object, extra unknown key
- Missing required fields (without defaults)
- One wrong-type value per field
- Null for required non-nullable fields
- One format violation per constrained field

`input_schema`

type ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>

returns

InputTestCase[]

generate_params_test_cases
#

testing/adversarial_input.ts view source

(params_schema: ZodObject<$ZodLooseShape, $strip>): ParamsTestCase[]

Generate adversarial test cases for a route's params schema.
Params are always strings from URL segments. Only generates cases for
format-constrained fields (uuid, pattern) since unconstrained string
params accept any string value.

`params_schema`

type ZodObject<$ZodLooseShape, $strip>

returns

ParamsTestCase[]

generate_query_test_cases
#

testing/adversarial_input.ts view source

(query_schema: ZodObject<$ZodLooseShape, $strip>): QueryTestCase[]

Generate adversarial test cases for a route's query schema.
Query params are always strings from the URL. Generates cases for:
- Missing required fields
- Format violations on constrained fields (uuid, pattern)

`query_schema`

type ZodObject<$ZodLooseShape, $strip>

returns

QueryTestCase[]

Depends on
#

Imported by
#

testing/attack_surface.ts