
I need to test the negative scenario of the OWASP ESAPI API `ESAPI.validator().isValidFileContent()`.

I have tried passing the bytes of .exe and .ini files, whereas the test went through, i.e., the return value was true, meaning it is valid file content.

What is considered as an invalid file?

Is any configuration required in ESAPI.properties?

leppie
Pramod CA

1 Answer

To find some negative test scenarios, I think you need to go through the API method definitions and all that. You may find the link http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/org/owasp/esapi/reference/DefaultValidator.java?r=364&spec=svn364 more helpful according to your REQUIREMENT. Do tell me your experience and results...

NEGATIVE TEST SCENARIOS:

- If allowNull is false, null will not be allowed.
- If the file size is more than the size predefined in the properties file, or more than the number of bytes passed in the same method (the third parameter), then it will throw an exception.
- If the context is wrongly defined or any other context is used to upload the file, it will throw an exception.
- In all other cases it will return true, i.e. a valid file.

IMPLEMENTATION BELOW (from DefaultValidator.java):

```java
/**
 * Returns true if input is valid file content.
 */
public boolean isValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull) throws IntrusionException {
    try {
        // Any ValidationException from the checked variant is swallowed here
        // and turned into a plain false.
        getValidFileContent(context, input, maxBytes, allowNull);
        return true;
    } catch (Exception e) {
        return false;
    }
}

/**
 * Returns validated file content as a byte array. Invalid input
 * will generate a descriptive ValidationException, and input that is clearly an attack
 * will generate a descriptive IntrusionException.
 */
public byte[] getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull) throws ValidationException, IntrusionException {
    // Check 1: null or zero-length input, rejected unless allowNull is set
    if (isEmpty(input)) {
        if (allowNull) return null;
        throw new ValidationException(context + ": Input required", "Input required: context=" + context + ", input=" + input, context);
    }

    // Check 2: the upload-size limit configured in ESAPI.properties
    long esapiMaxBytes = ESAPI.securityConfiguration().getAllowedFileUploadSize();
    if (input.length > esapiMaxBytes) throw new ValidationException(context + ": Invalid file content can not exceed " + esapiMaxBytes + " bytes", "Exceeded ESAPI max length", context);
    // Check 3: the caller-supplied maxBytes parameter
    if (input.length > maxBytes) throw new ValidationException(context + ": Invalid file content can not exceed " + maxBytes + " bytes", "Exceeded maxBytes ( " + input.length + ")", context);

    // No further checks: the bytes themselves are never inspected
    return input;
}

/**
 * Helper function to check if a byte array is empty
 *
 * @param input string input value
 * @return boolean response if input is empty or not
 */
private final boolean isEmpty(byte[] input) {
    return (input == null || input.length == 0);
}
```

Now I think you can develop some of the best negative and positive test scenarios according to your "REQUIREMENT". And YES, you need to define the upload file size in the properties file. And an INVALID file is one that does not pass the test on the above-said parameters only, not on any other user-defined parameter, according to this method of ESAPI.

R.K.R
  • Thanks for the input, I am tempted to reply, sorry for that. I see that there is no validation on the content of the file; the logic is there only to check for the size. When input is clearly an attack, it's supposed to throw 'IntrusionException', as per the javadoc of the method, whereas there is no code which throws 'IntrusionException'. Can anyone shed some light on this please? – Pramod CA Jul 05 '12 at 12:03
  • @RKR - As said in the earlier comment, there is no clarity on what is happening in the code. I only meant that I didn't get a solution to my problem, so that anyone could reply. – Pramod CA Jul 26 '12 at 10:58
  • @P..CA I thought you would easily chalk out the negative test scenarios of the method ESAPI.validator().isValidFileContent() from the implementation of the same, but you didn't. That's why I attached the relevant link. Please see the explanation in the answer and go through the link, and now tell me whether you got all the required things or not. GOOD LUCK – R.K.R Jul 27 '12 at 10:26
  • I have done the analysis. From the code it's very clear that when input is an attack, it's supposed to throw ValidationException, and this is being thrown only when the size exceeds the configured limit; there is no logic for when input is an attack, hence I am not sure how to proceed. – Pramod CA Jul 30 '12 at 13:48
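The negative scenarios the answer lists, written out as a JUnit 4 test against the real `ESAPI.validator().isValidFileContent()` API. This is an added example, not code from the question, the answer or ESAPI itself; it assumes esapi and junit 4 on the classpath and an ESAPI.properties that ESAPI can load, with its upload-size limit set to at least the 1024-byte cap used here. The last test shows why the asker's .exe bytes passed: the method never looks at the content.

```java
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.owasp.esapi.ESAPI;

/**
 * Added example (not from the question, the answer or ESAPI).
 * Assumes esapi + junit4 on the classpath and a loadable ESAPI.properties
 * whose upload-size limit is at least MAX_BYTES.
 */
public class FileContentValidationTest {

    private static final String CTX = "fileUpload"; // any context label
    private static final int MAX_BYTES = 1024;      // caller-supplied cap

    @Test
    public void nullOrEmptyInputFailsUnlessAllowNull() throws Exception {
        // allowNull=false: null and zero-length input are both rejected
        assertFalse(ESAPI.validator().isValidFileContent(CTX, null, MAX_BYTES, false));
        assertFalse(ESAPI.validator().isValidFileContent(CTX, new byte[0], MAX_BYTES, false));
        // allowNull=true: the same input is accepted
        assertTrue(ESAPI.validator().isValidFileContent(CTX, null, MAX_BYTES, true));
    }

    @Test
    public void inputLargerThanMaxBytesFails() throws Exception {
        byte[] atLimit = new byte[MAX_BYTES];       // exactly maxBytes: accepted
        byte[] overLimit = new byte[MAX_BYTES + 1]; // one byte over: rejected
        assertTrue(ESAPI.validator().isValidFileContent(CTX, atLimit, MAX_BYTES, false));
        assertFalse(ESAPI.validator().isValidFileContent(CTX, overLimit, MAX_BYTES, false));
    }

    @Test
    public void executableBytesAreNotInspected() throws Exception {
        // Constructed sample: the "MZ" header that starts a Windows PE file.
        byte[] exeHeader = { 'M', 'Z', (byte) 0x90, 0x00, 0x03, 0x00 };
        // Accepted: only null-ness and size are checked, never the bytes
        // themselves, so any file-type check (magic bytes, extension
        // allow-list) has to be done by the caller.
        assertTrue(ESAPI.validator().isValidFileContent(CTX, exeHeader, MAX_BYTES, false));
    }
}
```

The properties-file limit read by `ESAPI.securityConfiguration().getAllowedFileUploadSize()` is checked before `maxBytes`, so passing a larger `maxBytes` never widens what is accepted beyond the configured value.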