Item8538: Unit tests run without taint checking, and miss taint issues
Priority: Normal
Current State: Closed
Released In: 1.0.10, 1.1.0
Target Release: patch
The Unit Test framework TestRunner.pl does not enable taint checking, whereas the live web environment runs with the -T flag enabled.
This can result in missed issues in the unit tests compared to the live web environment, and it is not possible to write a unit test to expose Taint issues.
Enabling -T breaks TestRunner.pl in several places:
- In the BEGIN block, $root is tainted
- glob processing in the -clean routine is tainted.
- File::Find in TestRunner.pm needs untaint => 1 option.
- Several modules add relative paths to the @INC resulting in taint errors
--
GeorgeClark - 16 Feb 2010
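The three kinds of breakage listed in the report (a root directory that is tainted because it comes from the environment, tainted glob() results in a clean-up routine, and File::Find dying without untaint => 1), reproduced in a small standalone script. This is an added example, not code from Foswiki's TestRunner.pl; the EXAMPLE_ROOT variable is a hypothetical name chosen for the demo, while the File::Find options (untaint, untaint_pattern, untaint_skip) and Scalar::Util::tainted are the real documented interfaces.

```perl
#!/usr/bin/perl -T
# Added example (not Foswiki code): reproduces the taint failures listed in
# the report and shows the standard untainting idioms that fix them.
# Run as:  EXAMPLE_ROOT=/some/dir perl -T taint_demo.pl
# EXAMPLE_ROOT is a hypothetical variable name chosen for this demo.
use strict;
use warnings;
use File::Find ();
use Scalar::Util qw(tainted);

# Under -T, every value that enters from outside the program is tainted:
# %ENV, @ARGV, file input, readdir()/glob() results. Anything derived from
# them stays tainted until it passes through a regex capture.
my $raw_root = $ENV{EXAMPLE_ROOT} // $ENV{PWD} // '.';
printf "raw root '%s' tainted: %s\n", $raw_root, tainted($raw_root) ? 'yes' : 'no';

# Using a tainted value in chdir/mkdir/unlink/system/open-for-write dies
# with "Insecure dependency in ... while running with -T switch".
# (If neither env var is set, the literal '.' is untainted and chdir succeeds.)
eval { chdir $raw_root or die "chdir failed: $!\n"; 1 }
  or print "chdir with tainted value: $@";

# Untaint by capturing against an explicit whitelist of characters. The
# pattern is the whole security decision: allow only what the code needs.
sub untaint_path {
    my ($p) = @_;
    $p =~ m{^([-+@\w./]+)\z}
      or die "refusing path with unexpected characters: '$p'\n";
    return $1;    # the capture group is untainted
}

my $root = untaint_path($raw_root);
printf "untainted root tainted: %s\n", tainted($root) ? 'yes' : 'no';

# glob() results are tainted as well (the -clean routine in the report),
# so each name must be untainted before it could be passed to unlink().
my @stale = map { untaint_path($_) } glob("$root/*.tmp");
print "would remove: @stale\n" if @stale;

# File::Find chdir()s into each directory it visits, and the names it gets
# from readdir() are tainted, so it dies under -T unless untaint => 1 is
# set. untaint_pattern is applied to every directory name; the default is
# qr|^([-+@\w./]+)$|, written out here explicitly. untaint_skip => 1 would
# skip non-matching directories instead of dying.
my @modules;
File::Find::find(
    {
        wanted          => sub { push @modules, $File::Find::name if /\.pm\z/ },
        untaint         => 1,
        untaint_pattern => qr{^([-+@\w./]+)$},
    },
    $root
);
print "found ", scalar(@modules), " .pm files under $root\n";
```

The regex in untaint_path is deliberately narrow; widening it (for example to allow spaces or shell metacharacters) is what turns an untaint into a bypass, so any relaxation should be justified by the specific use of the value.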
TODO: Review whether Unit::Request taints its data structures the same way a real Foswiki::Response with CGI does.
--
PaulHarvey - 24 May 2010
Finally found the taint issue with DependencyTests.pm "require".
- FoswikiSuite.pm: push( @INC, '.' ); This will taint the path
- FoswikiTestCase.pm: unshift @INC, '../../bin'; # SMELL: dodgy (Yes - taints the path)
- TestRunner.pl: Cleanly adds to the path. The above modules duplicate the paths.
I've been able to comment out the @INC additions - especially the relative ../../ path - and spot-checking, tests still run.
--
GeorgeClark - 26 May 2010
Reopening this to get Release 1.0 unit tests to run with -T flag. With these commits, the tests run except for MailerContrib, which has two failures.
--
GeorgeClark - 20 Jun 2010