Add Phase 1 Security Tests - URI and File Handling#702
Draft
Conversation
Introduce PLAN.md documenting an 8-phase testing strategy covering 4-5 months: - Prioritizes security tests → core functionality → UI components - Target: 70-80% overall coverage, 90%+ for critical security files - Detailed file-by-file test specifications for all cropper module files - Phased approach allows incremental implementation and review Phases: 1. Security Foundation (URI/file handling) 2. Core Image Processing (bitmap operations, cropping) 3. Async Operations (coroutines, worker jobs) 4. Configuration & Options (CropImageOptions, contracts) 5. UI Components (CropImageView, overlay) 6. Integration Tests (end-to-end workflows) 7. Edge Cases & Performance (resource limits, large images) 8. Documentation & Maintenance (test docs, coverage monitoring) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace monolithic build.yml with three focused workflows: **gradle-wrapper-validation.yml** - Validates Gradle wrapper integrity **ci-build.yml** - build-library: Builds cropper library (debug + release AARs) - build-sample: Builds sample app APK - Uploads artifacts for verification **ci-tests.yml** - license-check: Runs licensee dependency validation - ktlint: Kotlin code style checks - lint: Android Lint checks (with report uploads) - unit-tests: Runs all unit tests (with report uploads) Benefits: - Parallel job execution → faster CI feedback - Better failure isolation and debugging - Separate artifact uploads for builds and test reports - Follows best practices from picker project structure Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implement comprehensive test coverage for critical security utilities where vulnerabilities could lead to path traversal, file injection, or other security issues. **New Test Files (69 tests total):** GetFilePathFromUriTest.kt (374 lines, 27 tests) - Path traversal attack prevention - Malicious URI handling (encoded paths, null schemes, special characters) - Temp file management (unique/non-unique modes) - Stream handling and error recovery - MIME type extension extraction - Edge cases: large files, empty streams - Includes @Suppress("Recycle") for MockK verify false positive GetUriForFileTest.kt (464 lines, 25 tests) - FileProvider URI generation with correct authority - Fallback mechanisms when FileProvider fails - SDK version-specific behavior (SDK 26, 29+) - Cache file copying and management - Error handling and recovery paths - Security validation against authority injection - Some tests marked @ignore for integration testing BitmapUtilsTest expansion (+165 lines, +17 tests) - Additional URI validation edge cases - Network URI rejection (http/https) - Double extension validation - Executable extension blocking - SharedPreferences XML protection - Encoded path traversal detection **Dependencies:** - Added kotlinx-coroutines-test:1.8.1 for async testing support This is Phase 1 of the 8-phase plan outlined in PLAN.md, focusing on security-critical URI/file operations with 90%+ target coverage. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Canato
force-pushed
the
cnt/claude-test-enhancements
branch
2 times, most recently
from
4afddd4 to
bf78c6d
Compare
Implement comprehensive test coverage for configuration validation, exception handling, and Parcelable utilities. This phase ensures configuration cannot be misconfigured and error handling is robust. **New Test Files (48 tests total):** CropImageOptionsTest.kt (33 tests) - All validation rules testing (15+ IllegalArgumentException cases) - Boundary value testing (maxZoom=0, padding=0.49, rotation=360, etc) - Default values verification - Parcelable round-trip serialization with all fields - Configuration scenarios (square crop, 16:9, oval, custom URI, PNG) CropExceptionTest.kt (11 tests) - All three exception types: Cancellation, FailedToLoadBitmap, FailedToDecodeImage - Message formatting with URI inclusion - Exception hierarchy verification - Sealed class exhaustiveness - Throwing and catching behavior ParcelableUtilsTest.kt (24 tests) - Bundle.parcelable<T>() extraction with type safety - Intent.parcelable<T>() extraction with type safety - Edge cases: null values, wrong types, missing keys - Reified generic type parameter testing - Complex nested Parcelable handling **PLAN.md Updates:** - Added Phase Status tracking table at top - Marked Phase 1 ✅ Complete (69 tests) - Marked Phase 2 ✅ Complete (48 tests) - Total: 117 tests across 6 test files This is Phase 2 of the 8-phase plan, focusing on bulletproof configuration validation and exception handling. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Canato
force-pushed
the
cnt/claude-test-enhancements
branch
3 times, most recently
from
0a15718 to
815374a
Compare
Implement comprehensive test coverage for async coroutine-based worker jobs that handle image loading and cropping. This phase ensures async operations handle errors gracefully, manage memory correctly, and respect lifecycle properly. **New Test Files (33 tests total):** TestCoroutineExtensions.kt (Test Helper) - CoroutineTestRule for managing test dispatchers - Automatic setup/teardown of Main dispatcher - TestScope and StandardTestDispatcher for deterministic testing BitmapLoadingWorkerJobTest.kt (19 tests) - Successful loading flow with EXIF orientation - Error handling (decode failures, EXIF read failures) - Density calculation (high DPI adjustment, low DPI passthrough) - Coroutine lifecycle (start, cancel, isActive checks) - WeakReference memory management - EXIF orientation support (0°, 90°, 180°, 270°) - EXIF flip support (horizontal, vertical, combined) - Sample size propagation BitmapCroppingWorkerJobTest.kt (14 tests) - URI-based cropping with all parameters - Bitmap-based cropping with OOM handling - Error handling (cropping failures, write failures) - Null input handling (empty results) - Coroutine lifecycle (cancellation prevents callback) - Memory management (bitmap recycling when callback not invoked) - Resize operations with RequestSizeOptions - Compression format support (JPEG, PNG) - Custom output URI handling - Sample size propagation **PLAN.md Updates:** - Marked Phase 3 ✅ Complete - Fixed Phase 2 test count (65 tests, not 45) - Updated total: 167 tests across 9 test files - Added completed test files list with Phase 3 entries **Key Testing Patterns:** - MockK for mocking BitmapUtils static methods - Robolectric for Android context - Coroutine test library for deterministic async testing - Slot capture for verifying callback parameters - Dispatcher verification (Default → IO → Main) This is Phase 3 of the 8-phase plan, focusing on bulletproof async operation testing with coroutines. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Prevent CI jobs from hanging indefinitely by adding timeout-minutes to each job based on typical execution times observed: **gradle-wrapper-validation.yml:** - Validate Gradle Wrapper: 2 minutes (very fast validation) **ci-build.yml:** - Build Library: 10 minutes (compile + package library) - Build Sample App: 10 minutes (compile + package sample) **ci-tests.yml:** - License Check: 5 minutes (dependency license validation) - Kotlin Lint (ktlint): 5 minutes (code style checks) - Android Lint: 10 minutes (static analysis with reports) - Unit Tests: 15 minutes (167 tests including async coroutine tests) These timeouts are generous (2-3x typical execution time) to account for: - GitHub Actions runner variability - First-time cache misses - Gradle daemon startup - macOS runner performance variations Benefits: - Faster failure detection for hanging jobs - Better resource utilization in CI - Clearer feedback when jobs exceed expected duration Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Canato
force-pushed
the
cnt/claude-test-enhancements
branch
from
1fedf7a to
85fc8c1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implement comprehensive test coverage plan (PLAN.md) and Phase 1 security tests for critical URI and file handling utilities. This addresses the most critical gap in test coverage where vulnerabilities could lead to path traversal, file injection, or other security issues.
Changes
Documentation
Phase 1: Security Foundation Tests (69 new tests)
GetFilePathFromUriTest.kt (374 lines, 27 tests)
GetUriForFileTest.kt (464 lines, 25 tests)
BitmapUtilsTest.kt expansion (+165 lines, +17 tests)
Dependencies
kotlinx-coroutines-test:1.8.1for async testing (required for Phase 3)Testing
To verify:
Notes
Wrote by Claude