[OWASP-ESAPI] WAF unit tests (was Re: Help needed building OWASP ESAPI from source) using Eclipse
arshan.dabirsiaghi at aspectsecurity.com
Fri Nov 13 13:14:12 EST 2009
You are right about RestrictUserAgentTest. It's still failing, but that is a problem. I will continue to hunt these down.
From: Ed Schaller [mailto:schallee at darkmist.net]
Sent: Fri 11/13/2009 12:52 PM
To: Arshan Dabirsiaghi
Cc: Ed Schaller; Kevin W. Wall; owasp-esapi
Subject: WAF unit tests (was Re: [OWASP-ESAPI] Help needed building OWASP ESAPI from source) using Eclipse
> I would appreciate any help with the last two failing tests. They work standalone, and not just on my own environment - I've confirmed with Jeff and Jim - yet on surefire they fail. I wracked my brain for about 2.5 hours on this before I decided maybe I should become a rodeo clown instead.
I started looking at some of these recently (my family is sick and I
am too now so I don't remember when exactly). One thing that I noticed
about the test setup is that the filter's init method is never called
in the unit tests. Could this be part of the issue?
I did track down one failure. RestrictUserAgentTest is
failing because it expects RestrictUserAgentRule to redirect the
response. RestrictUserAgentRule, however, specifically does a BlockAction
regardless of the DEFAULT_FAIL_ACTION. There is an interesting comment
in the code before this saying "If we don't force this to "block",
the user will infinitely blocking our bandwidth. Better to just reject."
Either the test is wrong or the block is wrong ;) I'm not familiar enough
with WAF to know which, though.
Incidentally, WAF unit tests are the only ones that are failing for me
on Linux now ;)