Conversation

@Pragnasri-363

This PR introduces a simple fuzzing harness to stress test the upload/ route with random inputs to test its robustness. The goal is to evaluate how the program handles malformed inputs and to uncover failures.

Features & Changes implemented:

  • A small fuzz generator which feeds the upload/ route with a string of randomized ASCII characters.
  • A fuzzing harness that sends repeated multipart form requests to the /upload route.
  • Basic input handling for 404 and 500 error responses to observe server behavior.
  • Implemented the path converter in Flask routes to allow special characters in URLs without triggering 404s.

Why this matters:

  • Increased robustness against malformed inputs.
  • Early input-handling assumptions.

How to test:

1. Run the app:

  • python app.py

2. Run the fuzzing harness:

  • cd fuzz-testing
  • python fuzing-harness.py

3. Observe the server responses and verify that inputs are handled without crashes.

Fuzzer output after execution:

Screenshot 2026-02-01 103300

Database entries after fuzzing:

  • PostgreSQL database is used for this fuzz-testing.
Screenshot 2026-02-01 103431
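The harness described in this PR, rewritten here as an added stdlib-only example (not the code from fuzz-testing/fuzing-harness.py): a seeded random-ASCII generator, a hand-built multipart/form-data request to /upload, and bucketing of 404 and 5xx responses. The URL and the form field names (patient_name, narrative, image) are assumptions about app.py.

```python
import random
import string
import urllib.error
import urllib.request

UPLOAD_URL = "http://127.0.0.1:5000/upload"  # assumed: Flask dev server default

def random_ascii(rng, max_len=64):
    """Random printable-ASCII string, the kind the PR's generator feeds to /upload."""
    return "".join(rng.choice(string.printable) for _ in range(rng.randint(0, max_len)))

def build_multipart(fields, file_field, filename, content, boundary):
    """Hand-build a multipart/form-data body (stdlib only). Values and filename are
    deliberately not escaped: quotes and CRLFs from the fuzzer are part of the test."""
    text = ""
    for name, value in fields.items():
        text += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
    text += (f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
             f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = text.encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"

def classify(status):
    """Bucket a status the way the PR's harness watches for 404 and 500 responses."""
    if status >= 500:
        return "server-error"  # unhandled exception or crash: the case worth investigating
    return "not-found" if status == 404 else "client-error" if status >= 400 else "ok"

def send_one(rng):
    """POST one randomised form; the field names are assumptions about app.py's upload form."""
    fields = {"patient_name": random_ascii(rng), "narrative": random_ascii(rng, 256)}
    image = rng.randbytes(rng.randint(0, 512))
    body, ctype = build_multipart(fields, "image", random_ascii(rng, 32) or "x", image,
                                  boundary=rng.randbytes(8).hex())
    req = urllib.request.Request(UPLOAD_URL, data=body, method="POST", headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx still carries a status worth bucketing

def fuzz(iterations=100, seed=0):
    """Seeded run: returns per-bucket counts plus the iterations that hit a 5xx, for replay."""
    rng, counts, failures = random.Random(seed), {}, []
    for i in range(iterations):
        bucket = classify(send_one(rng))
        counts[bucket] = counts.get(bucket, 0) + 1
        if bucket == "server-error":
            failures.append(i)
    return counts, failures
```

With the app started locally, `fuzz(seed=1)` runs 100 requests and the returned failure indices can be replayed with the same seed against the server log.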

Pragna Sri and others added 18 commits December 17, 2025 09:20
@gemini-code-assist

Summary of Changes

Hello @Pragnasri-363, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly expands the application's functionality by introducing a comprehensive Flask-based web application for managing patient image uploads and narratives. A key aspect of this development is the integration of a fuzz testing harness specifically targeting the '/upload' route. This proactive measure aims to enhance the application's security and stability by identifying how it handles various malformed inputs, thereby improving its overall robustness and preventing potential crashes or vulnerabilities.

Highlights

  • Fuzz Testing Implementation: A new fuzzing harness has been added to stress test the '/upload' route with randomized inputs, aiming to uncover vulnerabilities or unexpected behaviors.
  • Robustness Enhancements: The application now includes basic input handling for error responses (404, 500) and utilizes Flask's path converter to allow special characters in URLs, improving resilience against malformed inputs.
  • Core Application Setup: The pull request introduces the main Flask application ('app.py'), defining database models ('Entries', 'Notification'), and setting up routes for home, upload, search, gallery, and admin functionalities.
  • Database Migrations: Alembic has been integrated for database migrations, with an initial migration script to create the 'entries' table.
  • Frontend and Backend Integration: New Jinja2 templates ('admin.html', 'gallery.html', 'index.html', 'upload.html') and associated static assets ('styles.css', 'main.js') have been added to support the application's user interface and administrative features.

@gemini-code-assist gemini-code-assist bot left a comment
Code Review

This pull request introduces a fuzz testing harness for the /upload route, which is a great step towards improving the application's robustness. The changes also include setting up the basic Flask application structure with database models, migrations, and frontend assets.

My review has identified several critical security vulnerabilities and other issues that should be addressed. These include hardcoded secrets, insecure admin access, leaking of internal error details, and missing dependencies. I've provided specific comments and suggestions for each issue. Addressing these will significantly improve the security and stability of the application.

app.py Outdated
Comment on lines 13 to 16
@app.before_request
def auto_admin_session():
    if request.path.startswith("/admin"):
        session["is_admin"] = True
critical

This function automatically grants admin privileges for any request to a path starting with /admin, without any authentication or authorization check. This is a critical security vulnerability that exposes all admin functionality to any user. Please implement a proper authentication mechanism (e.g., checking for an admin user in the session after a login) to verify admin identity before granting access.
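The mitigation the review asks for, as an added example rather than code from this PR: a login step that sets session["is_admin"] only after the password verifies, and a before_request gate that refuses /admin paths unless that flag is present. The environment variable names, PBKDF2 parameters and the wiring shown in the trailing comment are assumptions about how app.py would use it.

```python
import hashlib
import hmac
import os

# Assumed: the admin password hash and salt come from the environment, never from app.py.
ADMIN_SALT = os.environ.get("ADMIN_PW_SALT", "").encode()
ADMIN_HASH = bytes.fromhex(os.environ.get("ADMIN_PW_HASH", ""))

def hash_password(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256; the stored value is this digest, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def login(session, password, salt=None, expected=None):
    """Mark the session admin only after a constant-time match against the stored hash.
    A failed attempt also clears any stale flag instead of leaving it in place."""
    salt = ADMIN_SALT if salt is None else salt
    expected = ADMIN_HASH if expected is None else expected
    if expected and hmac.compare_digest(hash_password(password, salt), expected):
        session["is_admin"] = True
        return True
    session.pop("is_admin", None)
    return False

def admin_gate(path, session):
    """Replacement for auto_admin_session: returns 403 for /admin paths unless login()
    marked this session as admin; returns None to let the request through."""
    if path.startswith("/admin") and not session.get("is_admin"):
        return 403
    return None

# Assumed wiring in app.py (flask.request, flask.session, flask.abort):
#   @app.before_request
#   def guard_admin():
#       status = admin_gate(request.path, session)
#       if status:
#           abort(status)
```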

requirements.txt Outdated
Comment on lines 1 to 4
Flask
Flask-SQLAlchemy
psycopg2-binary
requests
critical

This file is missing key dependencies used in the application, namely Flask-Migrate and alembic. Without these, the application will fail to start or run migrations. Please add them to the requirements file.

Flask
Flask-SQLAlchemy
psycopg2-binary
requests
Flask-Migrate
alembic

requirements.txt Outdated
Comment on lines 1 to 4
Flask
Flask-SQLAlchemy
psycopg2-binary
requests
medium

The dependencies are not pinned to specific versions. This can lead to unexpected issues in the future if a dependency releases a breaking change. For reproducible builds, it's a best practice to pin your dependencies to ensure that the same versions are used across all environments. You can generate a pinned requirements.txt file by running pip freeze > requirements.txt in your virtual environment.

<span id="unread-count" class="badge">0</span>
</button>
<div class="user-box">
<img src="{{ url_for('static', filename='avatars/default-admin.png') }}" class="avatar-img" alt="Admin Avatar" />
medium

This img tag points to static/avatars/default-admin.png, but the avatars directory and the image file have not been added to the repository in this pull request. This will result in a broken image on the admin dashboard. Please add the image file or use a different placeholder.

@pradeeban pradeeban added the on hold Not merging this PR now. label Feb 1, 2026
Pragnasri-363 and others added 9 commits February 2, 2026 13:59