From 9652ea5ae998cfc5133e38e3ad6728ee8cf0d303 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 03:18:21 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=20Fix:=20Implement=20unrestric?=
 =?UTF-8?q?ted=20URL=20length=20limit=20(DoS=20Risk)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit introduces a configurable maximum URL length limit to
mitigate potential Denial of Service (DoS) attacks where extremely long
URLs could lead to resource exhaustion.

- Added `max_url_length` to `Config` (defaults to 65536).
- Added `MAX_URL_LENGTH` environment variable support.
- Enforced URL length validation in the `create_url` API handler.
- Added integration tests to verify the fix.

Co-authored-by: ToolchainLab <263750431+ToolchainLab@users.noreply.github.com>

From 7861c52b430c879a5ae4da3dd6a9214b209fa270 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 03:26:06 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Fix:=20Comprehensiv?=
 =?UTF-8?q?e=20expansion=20of=20security=20test=20suite?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit replaces the superficial security tests with a rigorous,
implementation-level integration test suite covering critical threat
vectors.

- Added `tests/security_auth_tests.rs`: JWT claim extraction and role validation.
- Added `tests/security_redirect_tests.rs`: SSRF, open redirect, and Punycode spoofing.
- Added `tests/security_analytics_tests.rs`: IP spoofing and trust chain validation.
- Added `tests/security_injection_tests.rs`: SQLi and XSS resilience in storage.
- Added `tests/security_concurrency_tests.rs`: TOCTOU race condition stress tests.
- Centralized malicious payloads in `tests/common/payloads.rs`.
- Documented testing strategy in `docs/SECURITY_TEST_PLAN.md`.
- Generated final security verification report in `docs/SECURITY_DOD_REPORT.md`.
- Removed redundant `tests/security_tests.rs`.

Co-authored-by: ToolchainLab <263750431+ToolchainLab@users.noreply.github.com>