[OWASP-ESAPI] Changes to tests
Andrew van der Stock
vanderaj at owasp.org
Wed Oct 29 18:01:39 EDT 2008
There are a small number of Windows specific tests in ESAPI's test
suite. These obviously will fail on Linux / Solaris / MacOS X.
I'm going to be making two changes today, with the aim of fixing all
the platform dependent issues prior to Portugal. I understand that
there is code issues with one of the tests, and so my fixes will not
try to address that, although we should aim to do so.
In ValidatorTest.java, the code assumes a bunch of windows
directories. These should succeed / fail on Windows as the case may
be, and fail on other platforms. What happens when you run the tests
on other platforms like Linux or MacOS X is that the all tests fail
I've got code that adds a bunch of positive and negative tests and
tries them all with the correct assertTrue or assertFalse depending on
the desired result. I have this working on MacOS X, but not on Vista
yet. This could be because Vista is hard core about permissions - I am
still checking this one.
Additionally, in ValidatorTest.java, there's code that tries to upload
to /etc, which Windows does not possess, but on Linux / MacOS X does
exist. Obviously, in all cases this should fail regardless of
platform. What is the test result on Windows with the current test? I
don't want to "fix" the test to run correctly on MacOS X / Linux
unless I understand what we're trying to prove with this test.
In ExecutorTest.java, the code tries to execute Windows commands. I'm
have modified it so that it has a Windows path and a Unix path, where
it will test for both positive and negative cases for both platforms
using the correct encoder for the platform.
However, as a design goal, I have worked with clients that develop on
Windows boxes (i.e. ESAPI to this point) and run production on Solaris
or Linux. We really should have a continuous integration server
running builds on Windows, Linux and Solaris/Intel so we can check
that ESAPI works cross-platform.
Additionally, we should add one more method to the Executor interface
that drops the codec parameter so that it auto-detects the platform
and has an adapter pattern for Windows / Unix. We can extend the
reference implementation adapter if we find ourselves on another
supported platform in the future. I don't want to change/break the
interface before Portugal, but I'd certainly like for some discussion
More information about the OWASP-ESAPI