Item8538: Unit tests run without taint checking, and miss taint issues

Priority: Normal
Current State: Closed
Released In: 1.0.10, 1.1.0
Target Release: patch
Applies To: Engine
Component: UnitTestContrib
Reported By: GeorgeClark
Waiting For:
Last Change By: KennethLavrsen
The Unit Test framework does not enable Taint checking, whereas the live web environment runs with the -T flag enabled.

This can result in missed issues in the unit tests compared to the live web environment, and it is not possible to write a unit test to expose Taint issues.

Enabling -T breaks in several places
  • In the BEGIN block, $root is tainted (yes)
  • glob processing in the -clean routine is tainted. (yes)
  • File::Find in needs untaint => 1 option. (yes)
  • Several modules add relative paths to the @INC resulting in taint errors

-- GeorgeClark - 16 Feb 2010

TODO: Review whether Unit::Request taints its data structures the same way a real Foswiki::Response with CGI does.

-- PaulHarvey - 24 May 2010

Finally found the taint issue with "require".

  • push( @INC, '.' ); This will taint the path
  • unshift @INC, '../../bin'; # SMELL: dodgy (Yes - taints the path)
  • Cleanly adds to the path. The above modules duplicate the paths.

I've been able to comment out the @INC additions - especially the relative ../../ path - and spot-checking, tests still run.

-- GeorgeClark - 26 May 2010

Reopening this to get Release 1.0 unit tests to run with -T flag. With these commits, the tests run except for MailerContrib, which has two failures.

-- GeorgeClark - 20 Jun 2010
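
Added example, not part of the original discussion and not Foswiki code: a stand-alone script, to be run with `perl -T`, that handles the kinds of taint breakage listed above (a root path derived from the working directory, glob results used for cleanup, File::Find traversal, and @INC additions). The helper `untaint_path`, the scratch directory under /tmp and the `lib` directory name are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example (not Foswiki code). Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Cwd ();
use File::Find ();
use Scalar::Util qw(tainted);

# Untaint only by matching an allow-list pattern; never with a blanket (.*).
sub untaint_path {
    my ($path) = @_;
    $path =~ m{\A([-+\@\w./]+)\z}
      or die "refusing to untaint unexpected path: $path\n";
    return $1;    # regex captures are untainted
}

# Constructed scratch tree (assumption: /tmp exists and is writable).
my $scratch = "/tmp/taint_demo.$$";
mkdir $scratch       or die "mkdir $scratch: $!";
mkdir "$scratch/sub" or die "mkdir $scratch/sub: $!";
for my $f ("$scratch/a.tmp", "$scratch/sub/b.tmp") {
    open my $fh, '>', $f or die "open $f: $!";
    close $fh;
}
chdir $scratch or die "chdir $scratch: $!";

# 1. A root derived from the working directory is tainted under -T.
my $cwd = Cwd::getcwd();
printf "cwd tainted: %s\n", tainted($cwd) ? 'yes' : 'no';
my $root = untaint_path($cwd);

# 2. glob() results are tainted, so a cleanup step must validate before unlink.
my @found = glob('*.tmp');
eval { unlink @found; 1 } or print "unlink refused: $@";
unlink map { untaint_path($_) } @found;

# 3. File::Find has to untaint directory names before it chdir()s into them.
my @seen;
File::Find::find(
    { wanted => sub { push @seen, $File::Find::name if -f }, untaint => 1 },
    $root,
);
print "found: @seen\n";

# 4. Add library paths as absolute, validated directories instead of '.' or
#    '../../bin' ("lib" is a hypothetical directory name).
unshift @INC, "$root/lib";
chdir '/'; unlink "$scratch/sub/b.tmp"; rmdir "$scratch/sub"; rmdir $scratch;
```

The default File::Find `untaint_pattern` accepts the same character set as `untaint_path`; a working directory containing other characters makes both refuse rather than silently pass the value through.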

Topic revision: r32 - 08 Sep 2010, KennethLavrsen