claudetools/test_sql_injection_simple.sh
Mike Swanson 89e5118306 Remove conversation context/recall system from ClaudeTools
Completely removed the database context recall system while preserving
database tables for safety. This major cleanup removes 80+ files and
16,831 lines of code.

What was removed:
- API layer: 4 routers (conversation-contexts, context-snippets,
  project-states, decision-logs) with 35+ endpoints
- Database models: 5 models (ConversationContext, ContextSnippet,
  DecisionLog, ProjectState, ContextTag)
- Services: 4 service layers with business logic
- Schemas: 4 Pydantic schema files
- Claude Code hooks: 13 hook files (user-prompt-submit, task-complete,
  sync-contexts, periodic saves)
- Scripts: 15+ scripts (import, migration, testing, tombstone checking)
- Tests: 5 test files (context recall, compression, diagnostics)
- Documentation: 30+ markdown files (guides, architecture, quick starts)
- Utilities: context compression, conversation parsing

Files modified:
- api/main.py: Removed router registrations
- api/models/__init__.py: Removed model imports
- api/schemas/__init__.py: Removed schema imports
- api/services/__init__.py: Removed service imports
- .claude/claude.md: Completely rewritten without context references

Database tables preserved:
- conversation_contexts, context_snippets, context_tags,
  project_states, decision_logs (5 orphaned tables remain for safety)
- Migration created but NOT applied: 20260118_172743_remove_context_system.py
- Tables can be dropped later when confirmed not needed

New files added:
- CONTEXT_SYSTEM_REMOVAL_SUMMARY.md: Detailed removal report
- CONTEXT_SYSTEM_REMOVAL_COMPLETE.md: Final status
- CONTEXT_EXPORT_RESULTS.md: Export attempt results
- scripts/export-tombstoned-contexts.py: Export tool for future use
- migrations/versions/20260118_172743_remove_context_system.py

Impact:
- Reduced from 130 to 95 API endpoints
- Reduced from 43 to 38 active database tables
- Removed 16,831 lines of code
- System fully operational without context recall

Reason for removal:
- System was not actively used (no tombstoned contexts found)
- Reduces codebase complexity
- Focuses on core MSP work tracking functionality
- Database preserved for safety (can rollback if needed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-18 19:10:41 -07:00


#!/bin/bash
#
# Simplified SQL Injection Security Tests
# Tests the recall API endpoint against SQL injection attacks
#
# Each test sends one payload to GET /conversation-contexts/recall and checks
# only the HTTP status code: malformed search terms are expected to be rejected
# with 422 (request validation error), malformed tags with 400, and well-formed
# input accepted with 200. A final request confirms the endpoint still answers
# after the attack payloads have been sent.
#

# Base URL of the API under test (override with API_URL=... in the environment)
API_URL="${API_URL:-http://172.16.3.30:8001/api}"

# Get JWT token from setup config if it exists
if [ -f ".claude/context-recall-config.env" ]; then
    # shellcheck disable=SC1091
    source .claude/context-recall-config.env
fi

# Test counters
TOTAL_TESTS=0
PASSED_TESTS=0
FAILED_TESTS=0

# Color codes
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Test function
# Arguments: test name, payload, expected HTTP status, test type (search_term or tag)
run_test() {
    local test_name="$1"
    local search_term="$2"
    local expected_status="$3"
    local test_type="${4:-search_term}" # search_term or tag
    local response http_code body

    TOTAL_TESTS=$((TOTAL_TESTS + 1))

    # Build the request based on test type. The payload is sent with -G and
    # --data-urlencode so that quotes, spaces, semicolons and "--" reach the
    # server intact as one percent-encoded parameter value instead of being
    # mangled, or rejected outright by curl, as part of a raw URL.
    if [ "$test_type" = "tag" ]; then
        response=$(curl -s -G -w "\n%{http_code}" "$API_URL/conversation-contexts/recall" \
            --data-urlencode "tags[]=$search_term" \
            -H "Authorization: Bearer $JWT_TOKEN")
    else
        response=$(curl -s -G -w "\n%{http_code}" "$API_URL/conversation-contexts/recall" \
            --data-urlencode "search_term=$search_term" \
            -H "Authorization: Bearer $JWT_TOKEN")
    fi

    # The last line is the status code written by -w; everything before it is
    # the body. stderr is deliberately not merged into the response, so a curl
    # error message can never be mistaken for a body; a connection failure
    # shows up as HTTP 000 in the FAIL output below.
    http_code=$(echo "$response" | tail -1)
    body=$(echo "$response" | sed '$d')

    # Check if status code matches expected
    if [ "$http_code" = "$expected_status" ]; then
        echo -e "${GREEN}[PASS]${NC} $test_name (HTTP $http_code)"
        PASSED_TESTS=$((PASSED_TESTS + 1))
        return 0
    else
        echo -e "${RED}[FAIL]${NC} $test_name"
        echo "  Expected: HTTP $expected_status"
        echo "  Got:      HTTP $http_code"
        echo "  Response: $body"
        FAILED_TESTS=$((FAILED_TESTS + 1))
        return 1
    fi
}

# Print header
echo "======================================================================="
echo "SQL INJECTION SECURITY TEST SUITE - Simplified"
echo "======================================================================="
echo ""
echo "Target: $API_URL/conversation-contexts/recall"
echo ""

# Verify JWT token
if [ -z "${JWT_TOKEN:-}" ]; then
    echo -e "${RED}[ERROR]${NC} JWT_TOKEN not set. Run setup-context-recall.sh first."
    exit 1
fi

echo "Testing SQL injection vulnerabilities..."
echo ""

# Test 1: Basic SQL injection with single quote (should be rejected - 422)
run_test "Basic SQL injection: ' OR '1'='1" "' OR '1'='1" "422"

# Test 2: UNION attack (should be rejected - 422)
run_test "UNION attack: ' UNION SELECT * FROM users--" "' UNION SELECT * FROM users--" "422"

# Test 3: Comment injection (should be rejected - 422)
run_test "Comment injection: test' --" "test' --" "422"

# Test 4: Semicolon attack (should be rejected - 422)
run_test "Semicolon attack: test'; DROP TABLE conversation_contexts;--" "test'; DROP TABLE conversation_contexts;--" "422"

# Test 5: Time-based blind SQLi (should be rejected - 422)
run_test "Time-based blind: ' AND SLEEP(5)--" "' AND SLEEP(5)--" "422"

# Test 6: Stacked queries (should be rejected - 422)
run_test "Stacked queries: test; DELETE FROM contexts" "test; DELETE FROM contexts" "422"

# Test 7: SQL injection via tags (should be rejected - 400)
run_test "Tag injection: ' OR '1'='1" "' OR '1'='1" "400" "tag"

# Test 8: Tag UNION attack (should be rejected - 400)
run_test "Tag UNION: tag' UNION SELECT--" "tag' UNION SELECT--" "400" "tag"

# Valid inputs (should succeed - 200)
echo ""
echo "Testing valid inputs (should work)..."
echo ""

# Test 9: Valid alphanumeric search (should succeed - 200)
run_test "Valid search: API development" "API development" "200"

# Test 10: Valid search with allowed punctuation (should succeed - 200)
run_test "Valid punctuation: database-migration (phase-1)!" "database-migration (phase-1)!" "200"

# Test 11: Valid tags (should succeed - 200)
run_test "Valid tags: api-test" "api-test" "200" "tag"

# Test 12: Verify the endpoint still answers after the attack payloads (should succeed - 200)
echo ""
echo "Verifying database integrity..."
echo ""
response=$(curl -s -G -w "\n%{http_code}" "$API_URL/conversation-contexts/recall" \
    --data-urlencode "limit=5" \
    -H "Authorization: Bearer $JWT_TOKEN")
http_code=$(echo "$response" | tail -1)
TOTAL_TESTS=$((TOTAL_TESTS + 1))
if [ "$http_code" = "200" ]; then
    echo -e "${GREEN}[PASS]${NC} Database integrity check (HTTP $http_code)"
    PASSED_TESTS=$((PASSED_TESTS + 1))
else
    echo -e "${RED}[FAIL]${NC} Database integrity check"
    echo "  Expected: HTTP 200"
    echo "  Got:      HTTP $http_code"
    FAILED_TESTS=$((FAILED_TESTS + 1))
fi

# Print summary
echo ""
echo "======================================================================="
echo "TEST SUMMARY"
echo "======================================================================="
echo "Total Tests: $TOTAL_TESTS"
echo -e "${GREEN}Passed: $PASSED_TESTS${NC}"
if [ "$FAILED_TESTS" -gt 0 ]; then
    echo -e "${RED}Failed: $FAILED_TESTS${NC}"
else
    echo -e "${GREEN}Failed: $FAILED_TESTS${NC}"
fi
pass_rate=$(awk "BEGIN {printf \"%.1f\", ($PASSED_TESTS/$TOTAL_TESTS)*100}")
echo "Pass Rate: $pass_rate%"
echo ""

if [ "$FAILED_TESTS" -eq 0 ]; then
    echo -e "${GREEN}[SUCCESS]${NC} All SQL injection tests passed!"
    echo "The API is properly protected against SQL injection attacks."
    exit 0
else
    echo -e "${RED}[FAILURE]${NC} Some tests failed!"
    echo "Review the failed tests above for security vulnerabilities."
    exit 1
fi
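The script only observes status codes: a 422 on a single quote proves that the endpoint rejects the character at the validation layer, not that the query behind it is parameterized. The following Python is an added example, not code from ClaudeTools (whose validators and query code this page does not show). It pairs an allowlist that produces exactly the accept/reject decisions the tests above expect with a parameterized SQLite lookup, and keeps a string-concatenated lookup beside it so the difference the payloads make is visible. The regular expressions, function names, the in-memory table layout and the sample rows are all assumptions constructed for the demonstration; only the table name conversation_contexts comes from the page.

```python
import re
import sqlite3

# Allowlists are assumptions for illustration. They admit every "valid" input the
# test script sends (letters, digits, spaces, "-", "(", ")", "!") and reject every
# payload it sends (quotes, "=", ";", "*", "--"). They are not the real ClaudeTools
# validators.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 _.,!?()\-]{1,200}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")


def validate_search_term(term):
    """Return 422 (FastAPI's request-validation status) for a disallowed search term, else None."""
    return None if SEARCH_TERM_RE.fullmatch(term) else 422


def validate_tag(tag):
    """Return 400 for a malformed tag, mirroring the script's expectation for tags[], else None."""
    return None if TAG_RE.fullmatch(tag) else 400


def build_db():
    """Constructed in-memory stand-in for conversation_contexts (columns are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE conversation_contexts (id INTEGER PRIMARY KEY, title TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO conversation_contexts (title, private) VALUES (?, ?)",
        [
            ("API development notes", 0),
            ("database-migration (phase-1)!", 0),
            ("O'Brien handover", 1),  # legitimate apostrophe the allowlist above would reject
        ],
    )
    return conn


def recall_parameterized(conn, term):
    """Safe shape: the term is bound as a parameter and can only ever match as data."""
    rows = conn.execute(
        "SELECT title FROM conversation_contexts WHERE title LIKE ? ORDER BY id",
        ("%" + term + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def recall_concatenated(conn, term):
    """Vulnerable shape, kept only to show what the script's payloads do to it."""
    sql = "SELECT title FROM conversation_contexts WHERE title LIKE '%" + term + "%' ORDER BY id"
    return [r[0] for r in conn.execute(sql).fetchall()]


def recall(conn, term):
    """What the endpoint under test is assumed to do: validate, then query with parameters."""
    status = validate_search_term(term)
    if status is not None:
        return status, []
    return 200, recall_parameterized(conn, term)


if __name__ == "__main__":
    db = build_db()
    for payload in ["API development", "' OR '1'='1", "test'; DROP TABLE conversation_contexts;--", "O'Brien"]:
        print(repr(payload), "->", recall(db, payload))
    # The tautology bypasses the concatenated query (every row comes back) but not the bound one.
    print("concatenated:", recall_concatenated(db, "' OR '1'='1"))
    print("parameterized:", recall_parameterized(db, "' OR '1'='1"))
```

Two things worth taking from the comparison. First, the allowlist alone is enough to make the script pass, so a green run says nothing about whether the query is parameterized; the recall_parameterized shape is the control that has to be in place regardless. Second, a quote-rejecting allowlist refuses legitimate data such as "O'Brien", while the bound query handles it correctly, which is why parameterization, not character filtering, is the primary defense and the filter is at most a second layer.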