
Item8538: Unit tests run without taint checking, and miss taint issues

Priority: Normal
CurrentState: Closed
AppliesTo: Engine
Component: UnitTestContrib
WaitingFor:
The Unit Test framework TestRunner.pl does not enable Taint checking, whereas the live web environment runs with the -T flag enabled.

This can result in missed issues in the unit tests compared to the live web environment, and it is not possible to write a unit test to expose Taint issues.

Enabling -T breaks TestRunner.pl in several places
  • In the BEGIN block, $root is tainted
  • glob processing in the -clean routine is tainted.
  • File::Find in TestRunner.pm needs untaint => 1 option.
  • Several modules add relative paths to the @INC resulting in taint errors

-- GeorgeClark - 16 Feb 2010

TODO: Review whether Unit::Request taints its data structures the same way a real Foswiki::Response with CGI does.

-- PaulHarvey - 24 May 2010

Finally found the taint issue with DependencyTests.pm "require".

  • FoswikiSuite.pm: push( @INC, '.' ); This will taint the path
  • FoswikiTestCase.pm: unshift @INC, '../../bin'; # SMELL: dodgy (Yes - taints the path)
  • TestRunner.pl: Cleanly adds to the path. The above modules duplicate the paths.

I've been able to comment out the @INC additions - especially the relative ../../ path - and spot-checking, tests still run.

-- GeorgeClark - 26 May 2010
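The four breakages listed in the opening report (tainted $root in the BEGIN block, the tainted -clean routine, File::Find without untaint, relative paths pushed onto @INC) and the duplicated @INC additions discussed in the comment above, shown together in one minimal taint-clean runner skeleton. This is an added example written for this page, not Foswiki's TestRunner.pl or any of its test modules; the directory layout (test/unit with ../../lib), the *Tests.pm naming, the .log/.tmp output suffixes and the -clean switch are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not Foswiki's TestRunner.pl: a minimal test runner skeleton
# that survives -T. Directory layout, file names and suffixes are assumptions.
use strict;
use warnings;
use File::Spec;
use File::Find;

our $root;

BEGIN {
    # Under -T, $0 (and anything computed from it) is treated as tainted.
    # The only way to launder it is a regex capture: allow exactly the path
    # characters we are prepared to accept, and keep the directory part.
    my $script = File::Spec->rel2abs($0);
    my ($dir) = $script =~ m{^([\w./-]+)/[^/]+\z}
        or die "Cannot untaint test root from '$0'\n";
    $root = $dir;

    # Add library directories as absolute, untainted paths. Relative entries
    # such as '.' or '../../bin' are what produces "Insecure dependency in
    # require" as soon as a test module does its own require.
    unshift @INC, File::Spec->catdir( $root, '..', '..', 'lib' );   # assumed layout
}

# File::Find chdir()s into every directory it visits; under -T that chdir is
# refused unless the name is untainted. 'untaint => 1' makes File::Find apply
# 'untaint_pattern' (shown here with its documented default) before each chdir.
sub find_test_modules {
    my ($dir) = @_;
    my @found;
    find(
        {
            wanted          => sub { push @found, $File::Find::name if /Tests?\.pm\z/ },
            untaint         => 1,
            untaint_pattern => qr{^([-+@\w./]+)$},
        },
        $dir
    );
    return sort @found;
}

# The -clean routine: names that come back from readdir() are tainted, and
# unlink() refuses tainted arguments under -T. With no_chdir => 1 there is no
# chdir to worry about, so each candidate only needs laundering before unlink.
sub clean_test_output {
    my ($dir) = @_;
    my @removed;
    find(
        {
            no_chdir => 1,
            wanted   => sub {
                return unless /\.(?:log|tmp)\z/;                 # assumed output suffixes
                my ($path) = $File::Find::name =~ m{^([\w./-]+)\z} or return;
                unlink $path and push @removed, $path;
            },
        },
        $dir
    );
    return @removed;
}

# Usage: ./TestRunner.pl -clean removes stale output; otherwise load every test module.
if ( @ARGV && $ARGV[0] eq '-clean' ) {
    print "removed $_\n" for clean_test_output($root);
}
else {
    for my $module ( find_test_modules($root) ) {
        # Treat $File::Find::name as tainted and launder it before require;
        # an absolute, untainted file name loads without any @INC search.
        my ($file) = $module =~ m{^([\w./-]+)\z} or next;
        require $file;
        print "loaded $file\n";
    }
}
```

With the runner owning a single absolute @INC entry, the relative additions in FoswikiSuite.pm and FoswikiTestCase.pm become redundant, which is what makes commenting them out safe.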

Reopening this to get Release 1.0 unit tests to run with -T flag. With these commits, the tests run except for MailerContrib, which has two failures.

-- GeorgeClark - 20 Jun 2010

Topic revision: r32 - 08 Sep 2010, KennethLavrsen