[Esapi-user] [Esapi-dev] It's SOUP!!!
Kevin W. Wall
kevin.w.wall at gmail.com
Fri Feb 4 13:45:30 EST 2011
On 02/04/2011 11:14 AM, Calderon, Juan Carlos (GE, Corporate, consultant) wrote:
> Hello Kevin
>
> Yes, the default waf-policy.xml file can be on
> "target\test-classes\.esapi" I guess that should solve most of the junit
> errors for WAF
Juan,
Things are still failing, unless I've done something wrong or misunderstood
you.
Under my local ESAPI SVN checkout area, I did
    cd configuration/esapi
    cp -r waf* ~/.esapi
    cd ../..
    mvn test
The results...
========================================================
Results :
Tests in error:
testShouldReplaceContent(org.owasp.esapi.waf.DynamicInsertionTest)
testShouldNotReplaceContent(org.owasp.esapi.waf.DynamicInsertionTest)
testGoodExtension(org.owasp.esapi.waf.RestrictExtensionTest)
testBadExtension(org.owasp.esapi.waf.RestrictExtensionTest)
enforceAuthorizationRuleNotFoundNullKey(org.owasp.esapi.reference.accesscontrol.policyloader.ACRPolicyFileLoaderTest)
testSetup(org.owasp.esapi.reference.accesscontrol.policyloader.ACRPolicyFileLoaderTest)
isAuthorizedEchoPolicyParameter(org.owasp.esapi.reference.accesscontrol.policyloader.ACRPolicyFileLoaderTest)
testRedirectBeanShellRule(org.owasp.esapi.waf.BeanShellTest)
testShouldAddHeader(org.owasp.esapi.waf.AddHeaderTest)
testShouldNotAddHeader(org.owasp.esapi.waf.AddHeaderTest)
testGoodRequest(org.owasp.esapi.waf.GoodRequestTest)
testMatchRule(org.owasp.esapi.reference.AccessControllerTest)
testIsAuthorizedForURL(org.owasp.esapi.reference.AccessControllerTest)
testIsAuthorizedForFunction(org.owasp.esapi.reference.AccessControllerTest)
testIsAuthorizedForData(org.owasp.esapi.reference.AccessControllerTest)
testIsAuthorizedForFile(org.owasp.esapi.reference.AccessControllerTest)
testIsAuthorizedForService(org.owasp.esapi.reference.AccessControllerTest)
testGetValidSafeHTML(org.owasp.esapi.reference.ValidatorTest)
testIsValidSafeHTML(org.owasp.esapi.reference.ValidatorTest)
testConfigurationCanBeRead(org.owasp.esapi.waf.WAFFilterTest)
testShouldAddHeader(org.owasp.esapi.waf.AddHeaderTest)
testShouldNotAddHeader(org.owasp.esapi.waf.AddHeaderTest)
testRedirectBeanShellRule(org.owasp.esapi.waf.BeanShellTest)
testBadDetectOutbound(org.owasp.esapi.waf.DetectOutboundTest)
testGoodDetectOutbound(org.owasp.esapi.waf.DetectOutboundTest)
testAuthenticatedRequest(org.owasp.esapi.waf.EnforceAuthenticationTest)
testUnauthenticatedRequest(org.owasp.esapi.waf.EnforceAuthenticationTest)
testGoodSchemeSSLRequired(org.owasp.esapi.waf.EnforceHTTPSTest)
testBadSchemeSSLNotRequired(org.owasp.esapi.waf.EnforceHTTPSTest)
testBadSchemeSSLRequired(org.owasp.esapi.waf.EnforceHTTPSTest)
testGoodRequest(org.owasp.esapi.waf.GoodRequestTest)
testAddHttpOnlyOnCustomCookie(org.owasp.esapi.waf.HttpOnlyTest)
testUnauthorizedRequest(org.owasp.esapi.waf.MustMatchTest)
testAuthorizedRequest(org.owasp.esapi.waf.MustMatchTest)
testShouldReplaceContent(org.owasp.esapi.waf.DynamicInsertionTest)
testShouldNotReplaceContent(org.owasp.esapi.waf.DynamicInsertionTest)
testNoContentType(org.owasp.esapi.waf.RestrictContentTypeTest)
testGoodContentType(org.owasp.esapi.waf.RestrictContentTypeTest)
testBadContentType(org.owasp.esapi.waf.RestrictContentTypeTest)
testGoodExtension(org.owasp.esapi.waf.RestrictExtensionTest)
testBadExtension(org.owasp.esapi.waf.RestrictExtensionTest)
testGoodMethod(org.owasp.esapi.waf.RestrictMethodTest)
testBadMethod(org.owasp.esapi.waf.RestrictMethodTest)
testBadUserAgent(org.owasp.esapi.waf.RestrictUserAgentTest)
testGoodUserAgent(org.owasp.esapi.waf.RestrictUserAgentTest)
testNonAttacktAfterVirtualPatch(org.owasp.esapi.waf.VirtualPatchTest)
testAttackAfterVirtualPatch(org.owasp.esapi.waf.VirtualPatchTest)
testNoContentType(org.owasp.esapi.waf.RestrictContentTypeTest)
testGoodContentType(org.owasp.esapi.waf.RestrictContentTypeTest)
testBadContentType(org.owasp.esapi.waf.RestrictContentTypeTest)
testAddHttpOnlyOnCustomCookie(org.owasp.esapi.waf.HttpOnlyTest)
testNonAttacktAfterVirtualPatch(org.owasp.esapi.waf.VirtualPatchTest)
testAttackAfterVirtualPatch(org.owasp.esapi.waf.VirtualPatchTest)
testGoodMethod(org.owasp.esapi.waf.RestrictMethodTest)
testBadMethod(org.owasp.esapi.waf.RestrictMethodTest)
testBadDetectOutbound(org.owasp.esapi.waf.DetectOutboundTest)
testGoodDetectOutbound(org.owasp.esapi.waf.DetectOutboundTest)
testGoodSchemeSSLRequired(org.owasp.esapi.waf.EnforceHTTPSTest)
testBadSchemeSSLNotRequired(org.owasp.esapi.waf.EnforceHTTPSTest)
testBadSchemeSSLRequired(org.owasp.esapi.waf.EnforceHTTPSTest)
testBadUserAgent(org.owasp.esapi.waf.RestrictUserAgentTest)
testGoodUserAgent(org.owasp.esapi.waf.RestrictUserAgentTest)
testAuthenticatedRequest(org.owasp.esapi.waf.EnforceAuthenticationTest)
testUnauthenticatedRequest(org.owasp.esapi.waf.EnforceAuthenticationTest)
testUnauthorizedRequest(org.owasp.esapi.waf.MustMatchTest)
testAuthorizedRequest(org.owasp.esapi.waf.MustMatchTest)
Tests run: 531, Failures: 0, Errors: 66, Skipped: 0
========================================================
All errors in the JUnit tests are either WAF or AccessController related.
Perhaps I copied these files to the wrong directory or something. I also
tried copying all the WAF XML files to ~/.esapi directly with the same
results.
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME