# Security Tests for ads.txt Guru Connect

These test files validate the security patches shipped in version 1.1.2 of the plugin.
They are NOT distributed with the WordPress plugin; they run against a disposable WordPress instance in Docker.

## Setup

1. Install Docker and Docker Compose (the commands below use the `docker-compose` binary; with the Compose v2 plugin the equivalent is `docker compose`)
2. Create a Python virtual environment in the repository root (the test commands below activate it from `tests/`):
   ```bash
   python3 -m venv venv
   source venv/bin/activate
   pip install requests
   ```

## Running Tests

1. Start the WordPress test environment:
   ```bash
   cd tests
   docker-compose up -d
   ```
   `docker-compose up -d` returns as soon as the containers are created; WordPress is not usable until MySQL has initialised and the install has completed. Wait until the site answers HTTP requests before running the tests, otherwise the first requests fail with connection errors or "Error establishing a database connection" rather than with the security checks under test.

2. Run security tests:
   ```bash
   source ../venv/bin/activate
   python3 test_security_full.py
   python3 test_happy_paths.py
   ```

3. Stop containers:
   ```bash
   docker-compose down
   ```
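
The readiness wait described in step 1 can be scripted. The helper below is an added example for this README, not part of the test suite or the plugin; the URL is an assumption, and the host port must be taken from `tests/docker-compose.yml`. It treats a 5xx answer as "not ready yet" because WordPress returns HTTP 500 while it cannot reach the database.

```python
import time
import urllib.error
import urllib.request

# Assumed address of the compose-managed WordPress; the real host port is
# whatever tests/docker-compose.yml publishes.
WORDPRESS_URL = "http://127.0.0.1:8080/wp-login.php"


def wait_for_http(url, timeout=120.0, interval=2.0):
    """Poll url until the application answers, or until timeout seconds pass.

    Returns True on the first 2xx/3xx/4xx response (PHP produced it, so the
    stack is up) and False on timeout. Refused connections and 5xx responses
    (e.g. WordPress's "Error establishing a database connection") mean the
    environment is still starting, so polling continues.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                resp.read(0)
                return True
        except urllib.error.HTTPError as e:
            if e.code < 500:
                return True      # reached the application; status is irrelevant
            # 5xx: WordPress is running but its database is not ready yet
        except (urllib.error.URLError, OSError):
            pass                 # connection refused/reset: container not up yet
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # Exit non-zero so a wrapper script can abort before running the suite.
    raise SystemExit(0 if wait_for_http(WORDPRESS_URL) else 1)
```

Run it between `docker-compose up -d` and the test scripts; a non-zero exit means the environment never became ready within the timeout.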

## Test Files

- `docker-compose.yml` - WordPress + MySQL test environment
- `test_security_full.py` - Comprehensive security test suite
- `test_happy_paths.py` - Verify legitimate functionality preserved
- `test_detailed.py` - Detailed error message verification
- `test_api_endpoint.py` - API endpoint security tests
- `test_original_poc.html` - HTML proof of concept for the vulnerability patched in 1.1.2; run it against an unpatched install to confirm the tests would have caught it
- `test_wordpress.sh` - Basic shell script tests

## What These Tests Validate

### Security Fixes (v1.1.2):
- ✅ CSRF protection via WordPress nonces (requests without a valid nonce are rejected)
- ✅ Directory traversal prevention (`../` sequences, including percent-encoded forms, in the target path are rejected)
- ✅ File type restriction (only `ads.txt` may be written)
- ✅ Path validation (the resolved path must stay within the WordPress install directory)
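
To make the three path-related checks concrete, here is a reference model of them in Python with a probe set of the kind `test_security_full.py` sends. It is an added example for this README, not the plugin's PHP and not code from the test suite; `WP_ROOT` is a constructed stand-in for WordPress's `ABSPATH`, and the decision to allow `ads.txt` at any depth beneath the root (rather than only at the top level) is this model's assumption, since the list above only says "within WordPress directory". The CSRF check is not modelled because nonce verification is WordPress's own API.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for WordPress's ABSPATH; the real value comes from the
# test container.
WP_ROOT = "/var/www/html"
ALLOWED_FILENAME = "ads.txt"


def resolve_target(user_path, wp_root=WP_ROOT):
    """Return the absolute path a request may write, or None if it must be rejected.

    Mirrors the three path-related checks the suite exercises: traversal
    prevention, ads.txt-only file type, and containment in the WordPress
    directory. Modelled behaviour, not the plugin's own code.
    """
    # Decode percent-encoding once so "%2e%2e%2f" is judged as "../".
    decoded = unquote(user_path)
    # Null bytes truncate paths in C-backed filesystem calls and backslashes
    # act as separators on Windows hosts; neither belongs in a legitimate path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Join and normalise lexically: "../" segments collapse here, and an
    # absolute user path replaces wp_root, which the containment check catches.
    candidate = posixpath.normpath(posixpath.join(wp_root, decoded))
    root = wp_root.rstrip("/")
    # Containment: require the trailing separator so "/var/www/html-evil/..."
    # is not accepted as being inside "/var/www/html".
    if not candidate.startswith(root + "/"):
        return None
    # File type: only ads.txt (assumption: at any depth beneath the root).
    if posixpath.basename(candidate) != ALLOWED_FILENAME:
        return None
    return candidate


# Constructed probe set: each key is a request path, each value the decision
# this model should reach (None = rejected).
CONSTRUCTED_CASES = {
    "ads.txt": "/var/www/html/ads.txt",
    "./ads.txt": "/var/www/html/ads.txt",
    "wp-content/ads.txt": "/var/www/html/wp-content/ads.txt",
    "../../etc/passwd": None,
    "..%2F..%2Fetc%2Fpasswd": None,
    "%2e%2e/%2e%2e/etc/passwd": None,
    "ads.txt/../../../etc/passwd": None,
    "/etc/passwd": None,
    "/var/www/html-evil/ads.txt": None,
    "ads.txt%00.php": None,
    "..\\..\\ads.txt": None,
    "ads.php": None,
    "app-ads.txt": None,
}


def run_cases(cases=CONSTRUCTED_CASES, wp_root=WP_ROOT):
    """Evaluate every probe; returns {path: (expected, actual)} for mismatches only."""
    failures = {}
    for path, expected in cases.items():
        actual = resolve_target(path, wp_root)
        if actual != expected:
            failures[path] = (expected, actual)
    return failures


if __name__ == "__main__":
    bad = run_cases()
    print("all probes behaved as expected" if not bad else f"mismatches: {bad}")
```

The probe set is the useful part: a new traversal or file-type payload belongs in `CONSTRUCTED_CASES` with `None` as its expected result, and the same payloads can be sent through `requests` against the Docker instance, where the expected outcome is an error response rather than a written file.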

### Preserved Functionality:
- ✅ ads.txt Guru API synchronization
- ✅ Custom content management
- ✅ Connection data generation
- ✅ All legitimate admin operations