Test-suite for a password protected website

David Dick david_dick at iprimus.com.au
Mon Dec 29 14:37:12 CST 2003 


Joshua Goodall wrote:

>Using code that represents a well-known security error cannot be recommended
>without major, major caveats about usage.
>
>For example, Leif - there have been plenty of application vulnerabilities
>that have allowed people to run commands like "ps" *without* obtaining
>shell access, as you've erroneously assumed.  Very few of them would
>be stopped by a firewall, and I expect there will be more in future.
>
>I have discovered such vulnerabilities during audits of commercial
>software (a memorable case was an unsafe use of "ls" in a commercial
>ftp server).
>
>The rest of the "gives us more time" items you've listed seem like
>pretty trivial barriers in these days where real black-hats can and
>do write invasive kernel modules (c.f. recent Debian compromise).
>
>So David - please don't ever pass a password you care about via
>an environment variable.
>
>- J
>
>  
>

The problem is to allow automated as well as normal running of a program 
if the user desires it.  For a test-suite, both of these cases seem 
highly desirable.  Automated execution means the access method need to 
be written in the clear somewhere.  Whatever method is chosen for 
automated testing, the game is over in milliseconds of the box being 
compromised. 

Additionally, while reading from stdin is as secure as it is possible to 
get (afaik), to automate it, it requires the user to be well versed in 
Expect.  Most programmers (not perl programmers of course ;)) have no 
idea even how to use Expect, let alone users. 

Thinking a bit more about it, it's not even as simple as that (you could 
generate the test suite at "make" time for the user).  A typical perl 
test-suite runs the main (Test::Harness) process which kicks off x 
number of test scripts and reads the results from them.  To pass input 
to the test script as well as reading output from it would require 
Expect (or equivalent 'orrible code) to be hacked into Test::Harness (or 
more specifically Test::Harness::Straps) as well.  So you have Expect 
kicking off the Test::Harness process, which then uses Expect itself to 
handle the sub-processes.  Very ugly.  It opens up the problem of how to 
test the test-suite actually even works at all on the box you are 
deploying on.  To the innocent user, it may seem as if the code has 
failed to build correctly.

More information about the Melbourne-pm mailing list