[OWASP_PHPSEC] OWASP Documentation

Sven Rautenberg sven at rtbg.de
Sat Jul 27 08:58:02 UTC 2013


I'm in the process of setting up my environment to actually execute
anything. All my previous findings were made by looking at the code and
maybe run a small part manually.

When I see that my IDE highlights the following in a testcase:

$hr = HttpRequest::getParameter('HTTP_REFERER');

And the complaint is that "getParameter" does not exist as a method in
HttpRequest, then I'm pretty sure the test suite hasn't been run for a
while, because this test can never be green.

I do appreciate that there are some tests at least. Some of them are
way more complicated than they need to be (like the test for
confidentialString, that does not check for the decrypted result, but
tries to query a database instead with the values), some are more or
less created in an uncommon way (for example, do not try/catch in a test,
PHPUnit will complain if an exception is thrown but wasn't expected),
and some aspects are currently really hard to test. Just think of the
HttpRequest class that detects the used SAPI - which is always CLI if
you run the tests from the command line - it would be necessary to run
the tests via Apache to find the bugs and have complete coverage, or (my
favorite) it needs more abstraction to allow faking the stuff.

These testing issues need some experience to understand and avoid. And
it is true that during the time of exploration and experimentation
having too many tests will at least be nasty. But having none is also
not very good, because you will not notice if you break something important.

I'll be around some more time to give my feedback.

Regards,
Sven
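As an added illustration of the two testing points raised above (injecting the SAPI detection so it can be faked from a CLI test run, and declaring an expected exception instead of wrapping the call in try/catch), here is a PHPUnit sketch. This is not code from the PHPSEC project: the SapiDetector interface, the fake, the HttpRequest constructor and the sample server array are all hypothetical.

```php
<?php
// Added illustration, not code from the PHPSEC project. SapiDetector,
// PhpSapiDetector, FakeSapiDetector and this HttpRequest constructor are
// hypothetical; they only show how SAPI detection can be injected so that a
// test run from the command line can still exercise the non-CLI code path.
declare(strict_types=1);

use PHPUnit\Framework\TestCase;

interface SapiDetector
{
    public function name(): string;
}

// Production implementation: asks PHP which SAPI is running.
final class PhpSapiDetector implements SapiDetector
{
    public function name(): string
    {
        return PHP_SAPI;
    }
}

// Test double: reports whatever SAPI the test wants to simulate.
final class FakeSapiDetector implements SapiDetector
{
    public function __construct(private string $sapi) {}

    public function name(): string
    {
        return $this->sapi;
    }
}

final class HttpRequest
{
    public function __construct(
        private SapiDetector $sapi,
        private array $server = []   // stands in for $_SERVER
    ) {}

    // An HTTP request only exists when PHP runs behind a web server.
    public function isWebRequest(): bool
    {
        return $this->sapi->name() !== 'cli';
    }

    public function getParameter(string $name): string
    {
        if (!$this->isWebRequest()) {
            throw new RuntimeException('No HTTP request under SAPI ' . $this->sapi->name());
        }
        return $this->server[$name] ?? '';
    }
}

final class HttpRequestTest extends TestCase
{
    public function testRefererIsReadWhenRunningUnderApache(): void
    {
        // Constructed sample server array; no real web server is needed.
        $request = new HttpRequest(
            new FakeSapiDetector('apache2handler'),
            ['HTTP_REFERER' => 'https://example.test/page']
        );
        $this->assertSame('https://example.test/page', $request->getParameter('HTTP_REFERER'));
    }

    public function testCliHasNoRequest(): void
    {
        // Declare the expected exception instead of using try/catch: PHPUnit
        // fails the test on its own if the exception is not thrown.
        $request = new HttpRequest(new FakeSapiDetector('cli'));
        $this->expectException(RuntimeException::class);
        $request->getParameter('HTTP_REFERER');
    }
}
```

Run it with `phpunit HttpRequestTest.php`; because the SAPI comes from the injected detector rather than from the PHP_SAPI constant, both branches are covered without starting Apache.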

On 27.07.2013 10:27, rahul chaudhary wrote:
> Hi, can you tell which tests are not working, because I am constantly
> checking test cases to work and they are working fine in my system...
> 
> For some test cases, you need to have the DB installed.
> 
> and yes, some of the test cases are not up to the standard. But as said,
> for now they just demonstrate the working....in due time they will be
> updated using useful feedback from people like you. :)
> 
> 
> On Fri, Jul 26, 2013 at 3:27 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> 
>> Hi Sven,
>> Since we're changing things a lot (change not as in refactoring, as in
>> changing the whole ideas), it's not wise to go TDD. We're leaving test
>> coverage for the final phase in summer.
>> You should be aware that some developers in the team are working under
>> GSoC.
>> -Abbas
>> ______________________________________________________________
>> Notice: This message is digitally signed, its source and
>> integrity are verifiable.
>> If your mail client does not support S/MIME verification, it will display a
>> file (smime.p7s), which includes the X.509 certificate and the signature
>> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
>> AbiusX.com
>>
>> On Mordad 4, 1392, at 11:47 PM, Sven Rautenberg <sven at rtbg.de> wrote:
>>
>> Hi all,
>>
>> I'll take that opportunity and mention my sadness about the tests that
>> are not really written, nor working.
>>
>> A test is the first opportunity to run the productive code. If it feels
>> weird or cumbersome to write the test, then probably the code under test
>> is not yet designed well.
>>
>> And the tests are always a working code example: They use the actual
>> code (if the using code gets outdated, tests go red and get fixed, so
>> examples are automatically updated), and they show both input parameters
>> and expected and unexpected return values.
>>
>> I'd really suggest to write tests first.
>>
>> Regards,
>>
>> Sven
>>
>>
>> On 26.07.2013 21:01, Johanna Curiel wrote:
>>
>> Hi Rauf
>>
>> I took a fast overview of your documentation which looks great, so keep
>> up the good work. Something I recommend strongly is the use of code examples.
>> Creating code snippets where you can explain how to use the library is a
>> great way to help users understand how they should implement the library.
>>
>> regards
>>
>> Johanna
>>
>>
>>
>>
>> On Jul 26, 2013, at 2:42 AM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> Hello All and specially Johanna :P,
>>
>> I have finished my part of OWASP's documentation. You can look it here.
>> https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project/Roadmap
>>
>> The rest belongs to Abhishek. As more libraries will be added, I will add
>> more documents there.
>>
>> I know that this document is not perfect and not at all final. So Johanna
>> and others, please read that and suggest what more to add. I have not added
>> technical details because that would be generated through PHPDocs and will
>> be kept in github docs or some other place. OWASPs wiki is just for
>> overview and reference.
>>
>> So please let me know what more to put there.
>>
>> --
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
> 
