[OWASP-ESAPI] Changes to tests

Andrew van der Stock vanderaj at owasp.org
Wed Oct 29 18:01:39 EDT 2008 

Hi there,

There are a small number of Windows specific tests in ESAPI's test  
suite. These obviously will fail on Linux / Solaris / MacOS X.

I'm going to be making two changes today, with the aim of fixing all  
the platform dependent issues prior to Portugal. I understand that  
there is code issues with one of the tests, and so my fixes will not  
try to address that, although we should aim to do so.

In ValidatorTest.java, the code assumes a bunch of windows  
directories. These should succeed / fail on Windows as the case may  
be, and fail on other platforms. What happens when you run the tests  
on other platforms like Linux or MacOS X is that the all tests fail  
miserably.

I've got code that adds a bunch of positive and negative tests and  
tries them all with the correct assertTrue or assertFalse depending on  
the desired result. I have this working on MacOS X, but not on Vista  
yet. This could be because Vista is hard core about permissions - I am  
still checking this one.

Additionally, in ValidatorTest.java, there's code that tries to upload  
to /etc, which Windows does not possess, but on Linux / MacOS X does  
exist. Obviously, in all cases this should fail regardless of  
platform. What is the test result on Windows with the current test? I  
don't want to "fix" the test to run correctly on MacOS X / Linux  
unless I understand what we're trying to prove with this test.

In ExecutorTest.java, the code tries to execute Windows commands. I'm  
have modified it so that it has a Windows path and a Unix path, where  
it will test for both positive and negative cases for both platforms  
using the correct encoder for the platform.

However, as a design goal, I have worked with clients that develop on  
Windows boxes (i.e. ESAPI to this point) and run production on Solaris  
or Linux. We really should have a continuous integration server  
running builds on Windows, Linux and Solaris/Intel so we can check  
that ESAPI works cross-platform.

Additionally, we should add one more method to the Executor interface  
that drops the codec parameter so that it auto-detects the platform  
and has an adapter pattern for Windows / Unix. We can extend the  
reference implementation adapter if we find ourselves on another  
supported platform in the future. I don't want to change/break the  
interface before Portugal, but I'd certainly like for some discussion  
on it.

Thoughts?

thanks,
Andrew

More information about the OWASP-ESAPI mailing list