romanbsd-tarantula 0.1.8
- data/CHANGELOG +47 -0
- data/MIT-LICENSE +20 -0
- data/README.rdoc +162 -0
- data/Rakefile +69 -0
- data/VERSION.yml +4 -0
- data/examples/example_helper.rb +48 -0
- data/examples/relevance/core_extensions/ellipsize_example.rb +19 -0
- data/examples/relevance/core_extensions/file_example.rb +8 -0
- data/examples/relevance/core_extensions/response_example.rb +29 -0
- data/examples/relevance/core_extensions/test_case_example.rb +20 -0
- data/examples/relevance/tarantula/attack_form_submission_example.rb +79 -0
- data/examples/relevance/tarantula/attack_handler_example.rb +29 -0
- data/examples/relevance/tarantula/crawler_example.rb +386 -0
- data/examples/relevance/tarantula/form_example.rb +50 -0
- data/examples/relevance/tarantula/form_submission_example.rb +71 -0
- data/examples/relevance/tarantula/html_document_handler_example.rb +43 -0
- data/examples/relevance/tarantula/html_report_helper_example.rb +46 -0
- data/examples/relevance/tarantula/html_reporter_example.rb +82 -0
- data/examples/relevance/tarantula/invalid_html_handler_example.rb +33 -0
- data/examples/relevance/tarantula/io_reporter_example.rb +11 -0
- data/examples/relevance/tarantula/link_example.rb +67 -0
- data/examples/relevance/tarantula/log_grabber_example.rb +26 -0
- data/examples/relevance/tarantula/rails_integration_proxy_example.rb +88 -0
- data/examples/relevance/tarantula/result_example.rb +85 -0
- data/examples/relevance/tarantula/tidy_handler_example.rb +58 -0
- data/examples/relevance/tarantula/transform_example.rb +20 -0
- data/examples/relevance/tarantula/w3c_validator_example.rb +71 -0
- data/examples/relevance/tarantula_example.rb +23 -0
- data/laf/images/button_active.png +0 -0
- data/laf/images/button_hover.png +0 -0
- data/laf/images/button_inactive.png +0 -0
- data/laf/images/header_bg.jpg +0 -0
- data/laf/images/logo.png +0 -0
- data/laf/images/tagline.png +0 -0
- data/laf/javascripts/jquery-1.2.3.js +3408 -0
- data/laf/javascripts/jquery-ui-tabs.js +890 -0
- data/laf/javascripts/jquery.tablesorter.js +861 -0
- data/laf/javascripts/niftyLayout.js +11 -0
- data/laf/javascripts/niftycube-details.js +298 -0
- data/laf/javascripts/niftycube.js +298 -0
- data/laf/javascripts/tarantula.js +10 -0
- data/laf/stylesheets/tarantula.css +345 -0
- data/laf/v2/detail.html +59 -0
- data/laf/v2/images/button_active.png +0 -0
- data/laf/v2/images/button_hover.png +0 -0
- data/laf/v2/images/button_inactive.png +0 -0
- data/laf/v2/images/header_bg.jpg +0 -0
- data/laf/v2/images/logo.png +0 -0
- data/laf/v2/images/tagline.png +0 -0
- data/laf/v2/index.html +77 -0
- data/laf/v2/stylesheets/tarantula.v2.css +324 -0
- data/lib/relevance/core_extensions/ellipsize.rb +34 -0
- data/lib/relevance/core_extensions/file.rb +9 -0
- data/lib/relevance/core_extensions/metaclass.rb +78 -0
- data/lib/relevance/core_extensions/response.rb +9 -0
- data/lib/relevance/core_extensions/string_chars_fix.rb +11 -0
- data/lib/relevance/core_extensions/test_case.rb +19 -0
- data/lib/relevance/tarantula/attack.rb +15 -0
- data/lib/relevance/tarantula/attack_form_submission.rb +75 -0
- data/lib/relevance/tarantula/attack_handler.rb +37 -0
- data/lib/relevance/tarantula/crawler.rb +264 -0
- data/lib/relevance/tarantula/detail.html.erb +82 -0
- data/lib/relevance/tarantula/form.rb +21 -0
- data/lib/relevance/tarantula/form_submission.rb +70 -0
- data/lib/relevance/tarantula/html_document_handler.rb +36 -0
- data/lib/relevance/tarantula/html_report_helper.rb +39 -0
- data/lib/relevance/tarantula/html_reporter.rb +105 -0
- data/lib/relevance/tarantula/index.html.erb +37 -0
- data/lib/relevance/tarantula/invalid_html_handler.rb +18 -0
- data/lib/relevance/tarantula/io_reporter.rb +34 -0
- data/lib/relevance/tarantula/link.rb +56 -0
- data/lib/relevance/tarantula/log_grabber.rb +16 -0
- data/lib/relevance/tarantula/rails_integration_proxy.rb +68 -0
- data/lib/relevance/tarantula/recording.rb +12 -0
- data/lib/relevance/tarantula/response.rb +13 -0
- data/lib/relevance/tarantula/result.rb +66 -0
- data/lib/relevance/tarantula/test_report.html.erb +32 -0
- data/lib/relevance/tarantula/tidy_handler.rb +32 -0
- data/lib/relevance/tarantula/transform.rb +17 -0
- data/lib/relevance/tarantula/w3c_validator.rb +33 -0
- data/lib/relevance/tarantula.rb +59 -0
- data/tasks/tarantula_tasks.rake +36 -0
- data/template/tarantula_test.rb +22 -0
- data/vendor/w3c_validators/CHANGELOG +14 -0
- data/vendor/w3c_validators/LICENSE +60 -0
- data/vendor/w3c_validators/README +120 -0
- data/vendor/w3c_validators/README.svn +4 -0
- data/vendor/w3c_validators/lib/w3c_validators/constants.rb +80 -0
- data/vendor/w3c_validators/lib/w3c_validators/css_validator.rb +149 -0
- data/vendor/w3c_validators/lib/w3c_validators/exceptions.rb +4 -0
- data/vendor/w3c_validators/lib/w3c_validators/feed_validator.rb +110 -0
- data/vendor/w3c_validators/lib/w3c_validators/markup_validator.rb +227 -0
- data/vendor/w3c_validators/lib/w3c_validators/message.rb +82 -0
- data/vendor/w3c_validators/lib/w3c_validators/results.rb +62 -0
- data/vendor/w3c_validators/lib/w3c_validators/validator.rb +157 -0
- data/vendor/w3c_validators/lib/w3c_validators.rb +5 -0
- data/vendor/w3c_validators/rakefile.rb +53 -0
- data/vendor/w3c_validators/test/fixtures/invalid_css.css +2 -0
- data/vendor/w3c_validators/test/fixtures/invalid_encoding.html +10 -0
- data/vendor/w3c_validators/test/fixtures/invalid_feed.xml +19 -0
- data/vendor/w3c_validators/test/fixtures/invalid_html5.html +16 -0
- data/vendor/w3c_validators/test/fixtures/invalid_markup.html +11 -0
- data/vendor/w3c_validators/test/fixtures/valid_css.css +2 -0
- data/vendor/w3c_validators/test/fixtures/valid_feed.xml +20 -0
- data/vendor/w3c_validators/test/fixtures/valid_html5.html +16 -0
- data/vendor/w3c_validators/test/fixtures/valid_markup.html +11 -0
- data/vendor/w3c_validators/test/test_css_validator.rb +51 -0
- data/vendor/w3c_validators/test/test_exceptions.rb +35 -0
- data/vendor/w3c_validators/test/test_feed_validator.rb +61 -0
- data/vendor/w3c_validators/test/test_helper.rb +6 -0
- data/vendor/w3c_validators/test/test_html5_validator.rb +64 -0
- data/vendor/w3c_validators/test/test_markup_validator.rb +94 -0
- data/vendor/xss-shield/MIT-LICENSE +20 -0
- data/vendor/xss-shield/README +76 -0
- data/vendor/xss-shield/init.rb +16 -0
- data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb +111 -0
- data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb +42 -0
- data/vendor/xss-shield/lib/xss_shield/safe_string.rb +47 -0
- data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb +40 -0
- data/vendor/xss-shield/lib/xss_shield.rb +6 -0
- data/vendor/xss-shield/test/test_actionview_integration.rb +40 -0
- data/vendor/xss-shield/test/test_erb.rb +44 -0
- data/vendor/xss-shield/test/test_haml.rb +43 -0
- data/vendor/xss-shield/test/test_helpers.rb +25 -0
- data/vendor/xss-shield/test/test_safe_string.rb +55 -0
- metadata +218 -0
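--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -0,0 +1,47 @@
+v0.1.8 Add timeouts for crawls to help really long builds [Rob Sanheim]
+
+v0.1.7 Minor clean up [Rob Sanheim]
+
+v0.1.6
+* add testing for all Rails versions 2.0.2 and up
+* various clean up and housekeeping tasks;
+* start Ruby 1.9 work (but we need Hpricot)
+* show 50 chars of URL, not 30
+* ensure that ActiveRecord gets loaded correctly for the crawler, so that it can rescue RecordNotFound exceptions
+[Rob Sanheim]
+
+v0.1.5 Initial implementation of updated look-and-feel [Erik Yowell] [Jason Rudolph]
+
+v0.1.4 Bugfix: Include look-and-feel files when building the gem #16 [Jason Rudolph]
+
+v0.1.3 Update list of known static file types (e.g., PDFs) to prevent false reports of 404s for links to files that exist in RAILS_ROOT/public [Aaron Bedra]
+
+v0.1.2 Remove dependency on Facets gem [Aaron Bedra]
+
+v0.1.1 Bugfix: Add ability to handle anchor tags that lack an href attribute #13 [Kevin Gisi]
+
+v0.1.0
+* Improve the generated test template to include inline documentation and make the simple case simple [Jason Rudolph]
+* Update README to better serve first-time users [Jason Rudolph]
+* Update development dependencies declarations [Jason Rudolph]
+* Internal refactorings [Aaron Bedra]
+** Convert test suite to micronaut
+** Replace Echoe with Jeweler for gem management
+** Remove unused code
+
+v0.0.8.1
+* Fix numerous installation and initial setup issues
+* Enhance rake tasks to support use of Tarantula in a continuous integration environment
+** Use "rake tarantula:test" to run headless with build-friendly exit codes
+** Use "rake tarantula:report" to open the Tarantula report in your browser
+* Update README
+** Provide better installation and setup documentation
+** Include example of adding a custom attack handler
+* Simplify design to address concerns about hard-to-read fonts
+
+v0.0.5
+* Make sure we don't include Relevance::Tarantula into Object - will cause issues with Rails dependencies and is a bad idea in general
+* Update Rakefile for development dependencies
+* Other small clean up tasks
+
+v0.0.1 Tarantula becomes a gem. [Aaron Bedra]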
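--- a/data/MIT-LICENSE
+++ b/data/MIT-LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2008-2009 Relevance, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.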
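--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -0,0 +1,162 @@
+= Tarantula
+
+== DESCRIPTION
+
+Tarantula is a big fuzzy spider. It crawls your Rails application, fuzzing data to see what breaks.
+
+== Usage
+
+=== Installation
+
+The latest and greatest version is always available on GitHub. (See the rakefile for dependencies, or
+just let Rubygems handle it.)
+
+gem install relevance-tarantula --source http://gems.github.com
+
+You can also grab it from RubyForge, where we will push stable releases but may not be as bleeding edge
+as the GitHub gem.
+
+gem install tarantula
+
+=== Project Setup
+
+To set up Tarantula into your application, add the following line into either config/environment.rb or
+config/environments/test.rb (preferred). This assumes that you have Rails 2.1 or higher installed.
+
+config.gem 'relevance-tarantula', :source => "http://gems.github.com", :lib => 'relevance/tarantula'
+
+Since Rails doesn't (yet) support automatically loading rake tasks that live inside gems, you will need
+to update your Rakefile to load Tarantula's rake tasks. The simplest approach is to start by vendoring
+Tarantula into your Rails app.
+
+mkdir -p vendor/gems
+cd vendor/gems
+gem unpack relevance-tarantula
+
+You can then add the following line into your Rakefile, which will allow your application to discover
+Tarantula's rake tasks.
+
+load File.join(RAILS_ROOT, Dir["vendor/gems/relevance-tarantula-*/tasks/*.rake"])
+
+=== Crawling Your App
+
+Use the included rake task to create a Rails integration test that will allow Tarantula to crawl your
+app.
+
+#!sh
+rake tarantula:setup
+
+Take a moment to familiarize yourself with the generated test. If parts of your application require
+login, update the test to make sure Tarantula can access those parts of your app.
+
+require "relevance/tarantula"
+
+class TarantulaTest < ActionController::IntegrationTest
+# Load enough test data to ensure that there's a link to every page in your
+# application. Doing so allows Tarantula to follow those links and crawl
+# every page. For many applications, you can load a decent data set by
+# loading all fixtures.
+fixtures :all
+
+def test_tarantula
+# If your application requires users to log in before accessing certain
+# pages, uncomment the lines below and update them to allow this test to
+# log in to your application. Doing so allows Tarantula to crawl the
+# pages that are only accessible to logged-in users.
+#
+# post '/session', :login => 'quentin', :password => 'monkey'
+# follow_redirect!
+
+tarantula_crawl(self)
+end
+end
+
+If you want to set custom options, you can get access to the crawler and set properties before running
+it. For example, this would turn on HTMLTidy.
+
+def test_tarantula
+post '/session', :login => 'kilgore', :password => 'trout'
+assert_response :redirect
+assert_redirected_to '/'
+follow_redirect!
+
+t = tarantula_crawler(self)
+t.handlers << Relevance::Tarantula::TidyHandler.new
+t.crawl '/'
+end
+
+Now it's time to turn Tarantula loose on your app. Assuming your project is at /work/project/:
+
+#!sh
+cd /work/project
+rake tarantula:test
+
+== Verbose Mode
+
+If you run the test using the steps shown above, Tarantula will produce a report in tmp/tarantula. You
+can also set VERBOSE=true to see more detail as the test runs.
+
+For more options, please see the test suite.
+
+== Allowed Errors
+
+If, for example, a 404 is an appropriate response for some URLs, you can tell Tarantula to allow 404s
+for URLs matching a given regex:
+
+t = tarantula_crawler(self)
+t.allow_404_for %r{/users/\d+/}
+
+== Custom Attack Handlers
+
+You can specify the attack strings that Tarantula throws at your application.
+
+def test_tarantula
+t = tarantula_crawler(self)
+
+Relevance::Tarantula::AttackFormSubmission.attacks << {
+:name => :xss,
+:input => "<script>gotcha!</script>",
+:output => "<script>gotcha!</script>",
+}
+
+Relevance::Tarantula::AttackFormSubmission.attacks << {
+:name => :sql_injection,
+:input => "a'; DROP TABLE posts;",
+}
+
+t.handlers << Relevance::Tarantula::AttackHandler.new
+t.fuzzers << Relevance::Tarantula::AttackFormSubmission
+t.times_to_crawl = 2
+t.crawl "/posts"
+end
+
+This example adds custom attacks for both SQL injection and XSS. It also tells Tarantula to crawl the
+app 2 times. This is important for XSS attacks because the results won't appear until the second time
+Tarantula performs the crawl.
+
+== Timeout
+
+You can specify a timeout for each specific crawl that Tarantula runs. For example:
+
+def test_tarantula
+t = tarantula_crawler(self)
+t.times_to_crawl = 2
+t.crawl_timeout = 5.minutes
+t.crawl "/"
+end
+
+The above will crawl your app twice, and each specific crawl will timeout if it takes longer then 5 minutes. You may need a timeout to keep the tarantula test time reasonable if your app is large or just happens to have a large amount of 'never-ending' links, such as with an any sort of "auto-admin" interface.
+
+== Bugs/Requests
+
+Please submit your bug reports, patches, or feature requests at Lighthouse:
+
+http://relevance.lighthouseapp.com/projects/17868-tarantula/overview
+
+You can view the continuous integration results for Tarantula, including results against all supported versions of Rails, on RunCodeRun here:
+
+http://runcoderun.com/relevance/tarantula
+
+== License
+
+Tarantula is released under the MIT license.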
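--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,69 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+gem "spicycode-micronaut", ">= 0.2.4"
+require 'micronaut'
+require 'micronaut/rake_task'
+
+begin
+require 'jeweler'
+files = ["CHANGELOG", "MIT-LICENSE", "Rakefile", "README.rdoc", "VERSION.yml"]
+files << Dir["examples/**/*", "laf/**/*", "lib/**/*", "tasks/**/*", "template/**/*",
+"vendor/**/*"]
+
+Jeweler::Tasks.new do |s|
+s.name = "tarantula"
+s.summary = "A big hairy fuzzy spider that crawls your site, wreaking havoc"
+s.description = "A big hairy fuzzy spider that crawls your site, wreaking havoc"
+s.homepage = "http://github.com/relevance/tarantula"
+s.email = "opensource@thinkrelevance.com"
+s.authors = ["Relevance, Inc."]
+s.require_paths = ["lib"]
+s.files = files.flatten
+s.add_dependency 'htmlentities'
+s.add_dependency 'hpricot'
+s.rubyforge_project = 'thinkrelevance'
+end
+rescue LoadError
+puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end
+
+desc 'Generate documentation for the tarantula plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+rdoc.rdoc_dir = 'rdoc'
+rdoc.title = 'Tarantula'
+rdoc.options << '--line-numbers' << '--inline-source'
+rdoc.rdoc_files.include('README.rdoc')
+rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+desc "Run all micronaut examples"
+Micronaut::RakeTask.new :examples do |t|
+t.pattern = "examples/**/*_example.rb"
+end
+
+namespace :examples do
+desc "Run all micronaut examples using rcov"
+Micronaut::RakeTask.new :coverage do |t|
+t.pattern = "examples/**/*_example.rb"
+t.rcov = true
+t.rcov_opts = %[--exclude "gems/*,/Library/Ruby/*,config/*" --text-summary --sort coverage --no-validator-links]
+end
+
+RAILS_VERSIONS = %w[2.0.2 2.1.0 2.1.1 2.2.2 2.3.1 2.3.2]
+
+desc "Run exmaples with multiple versions of rails"
+task :multi_rails do
+RAILS_VERSIONS.each do |rails_version|
+puts
+sh "RAILS_VERSION='#{rails_version}' rake examples"
+end
+end
+
+end
+
+if ENV["RUN_CODE_RUN"]
+task :default => "examples:multi_rails"
+else
+task :default => "examples"
+end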
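Review bot: The LoadError fallback on line 28 tells the user to run `sudo gem install technicalpickles-jeweler -s http://gems.github.com`, i.e. fetch a build dependency as root from a plain-HTTP source with no integrity check visible here, which is the classic on-path supply-chain hijack; the README's `config.gem ... :source => "http://gems.github.com"` has the same shape. Drop the sudo and the HTTP source in the hint, e.g. `puts "Jeweler not available. Install it with: gem install jeweler"`, and point users at an HTTPS index in the README. Lines 11-12 also package `vendor/**/*` (the bundled w3c_validators and xss-shield copies) into the gem, so those snapshots will never receive upstream fixes unless someone re-syncs them by hand; a comment next to `files << Dir[...]` recording which upstream versions were vendored, and when, would make that visible to whoever audits the gem. The `sh` call on line 59 interpolates only the literal `RAILS_VERSIONS` constant, so it is not injectable.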
data/VERSION.yml
ADDED
@@ -0,0 +1,48 @@
|
|
1
|
+
lib_path = File.expand_path(File.dirname(__FILE__) + "/../lib")
|
2
|
+
$LOAD_PATH.unshift lib_path unless $LOAD_PATH.include?(lib_path)
|
3
|
+
|
4
|
+
gem "spicycode-micronaut", ">= 0.2.4"
|
5
|
+
gem "log_buddy"
|
6
|
+
gem "mocha"
|
7
|
+
if rails_version = ENV['RAILS_VERSION']
|
8
|
+
gem "rails", rails_version
|
9
|
+
end
|
10
|
+
require "rails/version"
|
11
|
+
if Rails::VERSION::STRING < "2.3.1" && RUBY_VERSION >= "1.9.1"
|
12
|
+
puts "Tarantula requires Rails 2.3.1 or higher for Ruby 1.9 support"
|
13
|
+
exit(1)
|
14
|
+
end
|
15
|
+
puts "==== Testing with Rails #{Rails::VERSION::STRING} ===="
|
16
|
+
gem 'actionpack'
|
17
|
+
gem 'activerecord'
|
18
|
+
gem 'activesupport'
|
19
|
+
|
20
|
+
require 'ostruct'
|
21
|
+
require 'active_support'
|
22
|
+
require 'action_controller'
|
23
|
+
require 'active_record'
|
24
|
+
require 'relevance/tarantula'
|
25
|
+
require 'micronaut'
|
26
|
+
require 'mocha'
|
27
|
+
|
28
|
+
def test_output_dir
|
29
|
+
File.join(File.dirname(__FILE__), "..", "tmp", "test_output")
|
30
|
+
end
|
31
|
+
|
32
|
+
# TODO change puts/print to use a single method for logging, which will then make the stubbing cleaner
|
33
|
+
def stub_puts_and_print(obj)
|
34
|
+
obj.stubs(:puts)
|
35
|
+
obj.stubs(:print)
|
36
|
+
end
|
37
|
+
|
38
|
+
def not_in_editor?
|
39
|
+
['TM_MODE', 'EMACS', 'VIM'].all? { |k| !ENV.has_key?(k) }
|
40
|
+
end
|
41
|
+
|
42
|
+
Micronaut.configure do |c|
|
43
|
+
c.alias_example_to :fit, :focused => true
|
44
|
+
c.alias_example_to :xit, :disabled => true
|
45
|
+
c.mock_with :mocha
|
46
|
+
c.color_enabled = not_in_editor?
|
47
|
+
c.filter_run :focused => true
|
48
|
+
end
|
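Review bot: Line 11 compares version strings lexicographically (`Rails::VERSION::STRING < "2.3.1" && RUBY_VERSION >= "1.9.1"`), so any two-digit component misorders — a Rails "2.10.0" would sort below "2.3.1" and wrongly hit the `exit(1)`, and a Ruby "1.10" would sort below "1.9.1" and skip the guard. Since this file already calls `gem` (line 4) RubyGems is loaded, so use its comparator: `if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("2.3.1") && Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("1.9.1")`. Separately, this section's header reads data/VERSION.yml while the diffstat gives that file only +4 lines; the 48-line body here (micronaut config, `stub_puts_and_print`, `test_output_dir`) looks like data/examples/example_helper.rb (+48), so the header appears to have been mislabeled by the renderer and the real VERSION.yml content is not shown.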
@@ -0,0 +1,19 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "../..", "example_helper.rb"))
|
2
|
+
|
3
|
+
describe "Relevance::CoreExtensions::Object#ellipsize" do
|
4
|
+
it "converts nil to empty string" do
|
5
|
+
nil.ellipsize.should == ""
|
6
|
+
end
|
7
|
+
|
8
|
+
it "doesn't touch short strings" do
|
9
|
+
"hello".ellipsize.should == "hello"
|
10
|
+
end
|
11
|
+
|
12
|
+
it "calls inspect on non-strings" do
|
13
|
+
[1,2,3].ellipsize.should == "[1, 2, 3]"
|
14
|
+
end
|
15
|
+
|
16
|
+
it "shortens long strings and adds ..." do
|
17
|
+
"long-string".ellipsize(5).should == "long-..."
|
18
|
+
end
|
19
|
+
end
|
@@ -0,0 +1,8 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "../..", "example_helper.rb"))
|
2
|
+
require 'relevance/core_extensions/file'
|
3
|
+
|
4
|
+
describe "Relevance::CoreExtensions::File#extension" do
|
5
|
+
it "should return the extension without the leading dot" do
|
6
|
+
File.extension("foo.bar").should == "bar"
|
7
|
+
end
|
8
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "../..", "example_helper.rb"))
|
2
|
+
require 'relevance/core_extensions/file'
|
3
|
+
|
4
|
+
describe "Relevance::CoreExtensions::Response#html?" do
|
5
|
+
before do
|
6
|
+
@response = OpenStruct.new
|
7
|
+
@response.extend(Relevance::CoreExtensions::Response)
|
8
|
+
end
|
9
|
+
|
10
|
+
it "should be html if the content-type is 'text/html'" do
|
11
|
+
@response.content_type = "text/html"
|
12
|
+
@response.should be_html
|
13
|
+
@response.content_type = "text/html;charset=iso-8859-2"
|
14
|
+
@response.should be_html
|
15
|
+
end
|
16
|
+
|
17
|
+
it "should not be html if the content-type isn't an html type" do
|
18
|
+
@response.content_type = "text/plain"
|
19
|
+
@response.should_not be_html
|
20
|
+
end
|
21
|
+
|
22
|
+
# better ideas welcome, but be careful not to
|
23
|
+
# castrate tarantula for proxies that don't set the content-type
|
24
|
+
it "should pretend we have html if the content-type is nil" do
|
25
|
+
@response.content_type = nil
|
26
|
+
@response.should be_html
|
27
|
+
end
|
28
|
+
|
29
|
+
end
|
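Review bot: Line 2 requires `relevance/core_extensions/file` although every example here exercises `Relevance::CoreExtensions::Response`; the constant presumably resolves only because the shared helper has already loaded `relevance/tarantula`, so the require should name the module under test: `require 'relevance/core_extensions/response'`. The nil-content-type example on lines 22-27 is the security-relevant one — an unknown type is still treated as HTML so it does not escape the attack handlers — and the existing "castrate tarantula" comment would be clearer as `# A response with no Content-Type must still be scanned for reflected attack strings, so treat it as HTML rather than skipping it`. It would also be worth an example asserting that a non-nil, non-HTML type such as `application/json` is rejected, since line 18 only covers `text/plain`.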
@@ -0,0 +1,20 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "../..", "example_helper.rb"))
|
2
|
+
require 'relevance/core_extensions/test_case'
|
3
|
+
|
4
|
+
describe "TestCase extensions" do
|
5
|
+
pending "can create the crawler" do
|
6
|
+
Relevance::Tarantula::RailsIntegrationProxy.stubs(:rails_root).returns("STUB_RAILS_ROOT")
|
7
|
+
Relevance::Tarantula::Crawler.any_instance.stubs(:rails_root).returns("STUB_RAILS_ROOT")
|
8
|
+
tarantula_crawler(stub_everything)
|
9
|
+
end
|
10
|
+
|
11
|
+
pending "can crawl" do
|
12
|
+
(crawler = mock).expects(:crawl).with("/foo")
|
13
|
+
expects(:tarantula_crawler).returns(crawler)
|
14
|
+
tarantula_crawl(:integration_test_stub, :url => "/foo")
|
15
|
+
end
|
16
|
+
|
17
|
+
it "should get mixed into ActionController::IntegrationTest" do
|
18
|
+
ActionController::IntegrationTest.ancestors.should include(Relevance::CoreExtensions::TestCaseExtensions)
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,79 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "example_helper.rb"))
|
2
|
+
|
3
|
+
describe "Relevance::Tarantula::AttackFormSubmission" do
|
4
|
+
|
5
|
+
# TODO: add more from field types to this example form as needed
|
6
|
+
before do
|
7
|
+
@tag = Hpricot(<<END)
|
8
|
+
<form action="/session" method="post">
|
9
|
+
<input id="email" name="email" size="30" type="text" />
|
10
|
+
<textarea id="comment" name="comment"value="1" />
|
11
|
+
<input name="commit" type="submit" value="Postit" />
|
12
|
+
<input name="secret" type="hidden" value="secret" />
|
13
|
+
<select id="foo_opened_on_1i" name="foo[opened_on(1i)]">
|
14
|
+
<option value="2003">2003</option>
|
15
|
+
<option value="2004">2004</option>
|
16
|
+
</select>
|
17
|
+
</form>
|
18
|
+
END
|
19
|
+
@form = Relevance::Tarantula::Form.new(@tag.at('form'))
|
20
|
+
@fs = Relevance::Tarantula::AttackFormSubmission.new(@form, Relevance::Tarantula::Attack.new({:name => 'foo_name', :input => 'foo_code', :output => 'foo_code'}))
|
21
|
+
end
|
22
|
+
|
23
|
+
it "can mutate text areas" do
|
24
|
+
@fs.mutate_text_areas(@form).should == {"comment" => "foo_code"}
|
25
|
+
end
|
26
|
+
|
27
|
+
it "can mutate selects" do
|
28
|
+
Hpricot::Elements.any_instance.stubs(:rand).returns(stub(:[] => "2006-stub"))
|
29
|
+
@fs.mutate_selects(@form).should == {"foo[opened_on(1i)]" => "2006-stub"}
|
30
|
+
end
|
31
|
+
|
32
|
+
it "can mutate inputs" do
|
33
|
+
@fs.mutate_inputs(@form).should == {"commit"=>"foo_code", "secret"=>"foo_code", "email"=>"foo_code"}
|
34
|
+
end
|
35
|
+
|
36
|
+
it "has a signature based on action, fields, and attack name" do
|
37
|
+
@fs.signature.should == ['/session', [
|
38
|
+
"comment",
|
39
|
+
"commit",
|
40
|
+
"email",
|
41
|
+
"foo[opened_on(1i)]",
|
42
|
+
"secret"],
|
43
|
+
"foo_name"
|
44
|
+
]
|
45
|
+
end
|
46
|
+
|
47
|
+
it "has a friendly to_s" do
|
48
|
+
@fs.to_s.should =~ %r{^/session post}
|
49
|
+
end
|
50
|
+
|
51
|
+
it "processes all its attacks" do
|
52
|
+
Relevance::Tarantula::AttackFormSubmission.stubs(:attacks).returns([
|
53
|
+
Relevance::Tarantula::Attack.new({:name => 'foo_name1', :input => 'foo_input', :output => 'foo_output'}),
|
54
|
+
Relevance::Tarantula::Attack.new({:name => 'foo_name2', :input => 'foo_input', :output => 'foo_output'}),
|
55
|
+
])
|
56
|
+
Relevance::Tarantula::AttackFormSubmission.mutate(@form).size.should == 2
|
57
|
+
end
|
58
|
+
|
59
|
+
it "maps hash attacks to Attack instances" do
|
60
|
+
Relevance::Tarantula::AttackFormSubmission.instance_variable_set("@attacks", [{ :name => "attack name"}])
|
61
|
+
Relevance::Tarantula::AttackFormSubmission.attacks.should == [Relevance::Tarantula::Attack.new({:name => "attack name"})]
|
62
|
+
end
|
63
|
+
end
|
64
|
+
|
65
|
+
describe "Relevance::Tarantula::AttackFormSubmission for a crummy form" do
|
66
|
+
before do
|
67
|
+
@tag = Hpricot(<<END)
|
68
|
+
<form action="/session" method="post">
|
69
|
+
<input value="no_name" />
|
70
|
+
</form>
|
71
|
+
END
|
72
|
+
@form = Relevance::Tarantula::Form.new(@tag.at('form'))
|
73
|
+
@fs = Relevance::Tarantula::AttackFormSubmission.new(@form, {:name => 'foo_name', :input => 'foo_code', :output => 'foo_code'})
|
74
|
+
end
|
75
|
+
|
76
|
+
it "ignores unnamed inputs" do
|
77
|
+
@fs.mutate_inputs(@form).should == {}
|
78
|
+
end
|
79
|
+
end
|
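Review bot: The fixture on line 10 is malformed HTML — `name="comment"value="1"` has no space between the attributes and `<textarea>` is written as a self-closing tag — so the text-area example depends on Hpricot's lenient recovery rather than on a realistic form; write it as `<textarea id="comment" name="comment">1</textarea>`. Lines 12 and 33 show that the hidden `secret` and the submit `commit` inputs are mutated along with the text field; that is the right fuzzing behaviour, because hidden fields are fully attacker-controlled and servers that trust them are exactly what this tool should catch, but it deserves a comment on the `can mutate inputs` example (e.g. `# hidden and submit inputs are deliberately fuzzed too: they are client-controlled`) so nobody later "fixes" it. The second describe on line 73 passes a raw Hash where the first passes an `Attack`; either may be accepted, but the two examples exercise different constructor inputs without saying so.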
@@ -0,0 +1,29 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "example_helper.rb"))
|
2
|
+
|
3
|
+
describe "Relevance::Tarantula::AttackHandler" do
|
4
|
+
before do
|
5
|
+
@handler = Relevance::Tarantula::AttackHandler.new
|
6
|
+
attack = Relevance::Tarantula::Attack.new({:name => 'foo_name', :input => 'foo_code', :output => '<bad>'})
|
7
|
+
@handler.stubs(:attacks).returns([attack])
|
8
|
+
end
|
9
|
+
|
10
|
+
it "lets safe documents through" do
|
11
|
+
result = @handler.handle(Relevance::Tarantula::Result.new(:response => stub(:html? => true, :body => '<a href="/foo">good</a>')))
|
12
|
+
result.should == nil
|
13
|
+
end
|
14
|
+
|
15
|
+
it "detects the supplied code" do
|
16
|
+
result = @handler.handle(Relevance::Tarantula::Result.new(:response => stub(:html? => true, :body => '<a href="/foo"><bad></a>')))
|
17
|
+
result.success.should == false
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe "Attacks without an output specified" do
|
22
|
+
it "never matches anything" do
|
23
|
+
handler = Relevance::Tarantula::AttackHandler.new
|
24
|
+
attack = Relevance::Tarantula::Attack.new({:name => 'foo_name', :input => 'foo_code'})
|
25
|
+
Relevance::Tarantula::AttackFormSubmission.stubs(:attacks).returns([attack])
|
26
|
+
result = handler.handle(Relevance::Tarantula::Result.new(:response => stub(:html? => true, :body => '<a href="/foo">good</a>')))
|
27
|
+
result.should == nil
|
28
|
+
end
|
29
|
+
end
|
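Review bot: The "never matches anything" example on lines 21-29 cannot fail for the reason it claims: the body `<a href="/foo">good</a>` contains neither the attack's input `foo_code` nor any output, so the handler would return nil even if a missing `:output` were treated as match-everything. To make it meaningful, feed a body that echoes the input and still expect nil, e.g. `:body => '<p>foo_code</p>'`. It also stubs `Relevance::Tarantula::AttackFormSubmission.attacks` while the first describe stubs `@handler.attacks` (line 7); which of these the handler actually reads is not visible here, and both examples should stub the same source or the second one may be passing vacuously. The detection on line 16 appears to be a raw-body substring match on `<bad>`, so an example asserting that an HTML-escaped echo (`&lt;bad&gt;`) is treated as safe would document that contract.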