Test-More / Test2-Harness

Alternative to Test::Harness

yath fails when test script has taint mode on #211

Open garu opened 3 years ago

garu commented 3 years ago

Hey there!

First of all, thank you so much for the amazing work you do, not just with yath but with the whole Test2 suite. It's super shiny, I really enjoy it!

So much so that I've been looking to s/prove/yath/ on all my projects, but I've run into this issue. I need to test for taintedness detection, and to do so the test script must be run with -T. But when I do so, yath dies on me.

▶ perl -v
This is perl 5, version 32, subversion 0 (v5.32.0) built for darwin-2level

▶ perl -MTest2::Harness -E 'say $Test2::Harness::VERSION'
1.000042

▶ perl -MTest::Simple -E 'say $Test::Simple::VERSION'
1.302183

▶ cat t/poc.t
#!perl -T
use Test::More tests => 1;
ok 1;

▶ yath test t/poc.t
( STDERR )  job  1    Insecure dependency in open while running with -T switch at /Users/garu/.plenv/versions/5.32.0/lib/perl5/site_perl/5.32.0/Test2/Formatter/Stream.pm line 99.
( STDERR )  job  1    BEGIN failed--compilation aborted at /Users/garu/.plenv/versions/5.32.0/lib/perl5/site_perl/5.32.0/Test/More.pm line 22.
( STDERR )  job  1    Compilation failed in require at t/poc.t line 2.
( STDERR )  job  1    BEGIN failed--compilation aborted at t/poc.t line 2.
( FAILED )  job  1    t/poc.t
< REASON >  job  1    Test script returned error (Err: 2)
< REASON >  job  1    No plan was declared, and no assertions were made.

The following jobs failed:
+--------------------------------------+-----------+
| Job ID                               | Test File |
+--------------------------------------+-----------+
| 8D64CC92-67BE-11EB-9255-476B473236A9 | t/poc.t   |
+--------------------------------------+-----------+

                                Yath Result Summary
-----------------------------------------------------------------------------------
     Fail Count: 1
     File Count: 1
Assertion Count: 0
      Wall Time: 0.70 seconds
       CPU Time: 1.09 seconds (usr: 0.27s | sys: 0.05s | cusr: 0.60s | csys: 0.17s)
      CPU Usage: 154%
    -->  Result: FAILED  <--

Please let me know if there's anything I can do to help track this down.

Thanks again!

JRaspass commented 3 years ago

So this also bit me at work: $dir is tainted, which then spreads to $file and then fails the open. A grotesque "fix" looks like this:

--- a/lib/Test2/Formatter/Stream.pm
+++ b/lib/Test2/Formatter/Stream.pm
@@ -89,6 +89,8 @@ sub fh {
     $pid = $self->{+_PID} = $$;
     $tid = $self->{+_TID} = get_tid();

+    ($dir) = $dir =~ /(.*)/;
+
     my $file = File::Spec->catfile($dir, join(ipc_separator() => 'events', $pid, $tid) . ".jsonl");

     my @now = ($<, $>, $(, $));
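Review bot: the added `($dir) = $dir =~ /(.*)/;` launders `$dir` without checking anything, which removes exactly the protection -T is meant to give: taint mode exists to force the program to validate a value before it reaches `open`, and a match-everything capture just asserts that it is safe. Match against an explicit allowed set instead, for example `($dir) = $dir =~ m{\A([\w./-]+)\z} or die "unsafe events directory: $dir";` (widen the class for Windows drive letters and backslashes), and add a comment saying why the regex exists, since untaint captures look like no-ops to the next reader. Two smaller points: without `/s`, `.` stops at a newline, so a path containing one would be silently truncated rather than rejected; and since `fh` is called repeatedly, the untaint belongs where `$dir` is first assigned rather than on every call.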

But I'm confident there must be a more targeted fix available. I am, however, surprised at how little attention this issue is getting; is running tests under taint mode really that rare!?
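The propagation described in the thread (a tainted $dir contaminating the result of File::Spec->catfile, and the write-mode open then dying under -T), together with a validating untaint in place of a blind /(.*)/, as an added stand-alone demonstration. This is example code written for this page, not code from Test2::Harness or from either commenter. It assumes POSIX-style paths, that PATH is set in the environment (its value is only used to taint the scratch directory), and a hypothetical TAINT_DEMO_DIR variable for supplying a directory of your own.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl   (the -T on the command line must match the shebang,
# otherwise perl stops with "Too late for -T").
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Validating untaint: accept only a conservative POSIX path character set and
# refuse '..' components. This is the check that a blind /(.*)/ skips.
# Assumption: POSIX paths; widen the class for Windows drive letters/backslashes.
sub untaint_dir {
    my ($path) = @_;
    my ($clean) = $path =~ m{\A([\w./-]+)\z}
        or die "refusing to untaint directory path: '$path'\n";
    die "refusing directory path with '..' component: '$path'\n"
        if grep { $_ eq '..' } File::Spec->splitdir($clean);
    return $clean;
}

# Build a file name under $dir the way a formatter would and try to create it.
# Opening for *write* with a tainted name is what -T forbids; reading is allowed.
sub try_open {
    my ($dir, $name) = @_;
    my $file = File::Spec->catfile($dir, $name);
    printf "   catfile result tainted=%s\n", tainted($file) ? 'yes' : 'no';
    my $ok = eval { open(my $fh, '>', $file) or die "$!\n"; close $fh; 1 };
    return $ok ? "opened $file" : "open died: $@";
}

# Constructed input: a scratch directory that we deliberately taint by
# concatenating an empty slice of a tainted value (every %ENV value is tainted
# under -T, and taint spreads through any string operation, even a zero-length one).
# TAINT_DEMO_DIR (hypothetical name), if set, is tainted on its own.
my $scratch = tempdir(CLEANUP => 1);
my $dir     = $ENV{TAINT_DEMO_DIR} // $scratch . substr($ENV{PATH}, 0, 0);
my $name    = join('-', 'events', $$, 0) . '.jsonl';

print "1. \$dir is tainted: ", (tainted($dir) ? 'yes' : 'no'), "\n";
print "   ", try_open($dir, $name), "\n";

print "2. \$dir untainted with a validating regex\n";
print "   ", try_open(untaint_dir($dir), $name), "\n";

print "3. a hostile \$dir is rejected instead of being laundered\n";
my $accepted = eval { untaint_dir("$dir/../escape"); 1 };
print "   ", ($accepted ? "accepted (bug)\n" : "rejected: $@");
```

Step 1 reproduces the "Insecure dependency in open while running with -T switch" failure from the issue; step 2 shows that the same open succeeds once the directory has been validated; step 3 shows what the validation buys over /(.*)/, which would have let the traversal through.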