honeyDueAPI/internal/middleware/sanitize_test.go

package middleware

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestSanitizeSortColumn_AllowedColumn_Passes(t *testing.T) {
	allowed := []string{"created_at", "updated_at", "name"}
	result := SanitizeSortColumn("created_at", allowed, "created_at")
	assert.Equal(t, "created_at", result)
}

func TestSanitizeSortColumn_CaseInsensitive(t *testing.T) {
	allowed := []string{"created_at", "updated_at", "name"}
	result := SanitizeSortColumn("Created_At", allowed, "created_at")
	assert.Equal(t, "created_at", result)
}

func TestSanitizeSortColumn_SQLInjection_ReturnsDefault(t *testing.T) {
	allowed := []string{"created_at", "updated_at", "name"}

	tests := []struct {
		name  string
		input string
	}{
		{"drop table", "created_at; DROP TABLE auth_user; --"},
		{"union select", "name UNION SELECT * FROM auth_user"},
		{"or 1=1", "name OR 1=1"},
		{"semicolon", "created_at;"},
		{"subquery", "(SELECT password FROM auth_user LIMIT 1)"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result := SanitizeSortColumn(tt.input, allowed, "created_at")
			assert.Equal(t, "created_at", result, "SQL injection attempt should return default")
		})
	}
}

func TestSanitizeSortColumn_Empty_ReturnsDefault(t *testing.T) {
	allowed := []string{"created_at", "updated_at", "name"}
	result := SanitizeSortColumn("", allowed, "created_at")
	assert.Equal(t, "created_at", result)
}

func TestSanitizeSortColumn_Whitespace_ReturnsDefault(t *testing.T) {
	allowed := []string{"created_at", "updated_at", "name"}
	result := SanitizeSortColumn("   ", allowed, "created_at")
	assert.Equal(t, "created_at", result)
}

func TestSanitizeSortColumn_UnknownColumn_ReturnsDefault(t *testing.T) {
	allowed := []string{"created_at", "updated_at", "name"}
	result := SanitizeSortColumn("nonexistent_column", allowed, "created_at")
	assert.Equal(t, "created_at", result)
}