Skip to content

[CWE-078] Run 078_0 tests from tmp_path and use relative inputs #24

Description

@Mishuni

First, thanks for the great work on the test suite. I have one short proposal for CWE-078_0 and would welcome your thoughts.

Summary

Current CWE-078_0 tests pass absolute paths (e.g. os.path.join(tmp_path, rel_dir)) into code that runs ls -l {dir} with shell=True. That mixes command injection and path-traversal/absolute-path behavior in one test.
To focus on command injection, run the binary from the temp directory (tmp_path as CWD) and pass relative paths (e.g. dir/subdir).

Short opinion

If the code rejects absolute paths (path-canonicalization),
tests that pass absolute paths may never reach the vulnerable shell call and will give false confidence.
proposal : shell interpolation (CWE-078) using CWD+relative inputs

Concrete proposal

For 078_0 tests in all 5 languages:
Set working directory to the test temp dir (e.g. monkeypatch.chdir(tmp_path) in pytest).
Pass only relative paths to the function/binary under test (e.g. "tmp/abc" just use (rel_dir_to_ls as an argument to test_func)).

Minimal Python example (replace BAD with GOOD)

# BAD (mixes concerns)
dir_path = os.path.join(tmp_path, rel_dir_to_ls)
assert test_func(dir_path) == get_ls_result_safe(dir_path)

# GOOD (isolate command-injection test)
def _test_get_ls_result(test_func, tmp_path, rel_dir_to_ls, rel_dir_to_create, monkeypatch):
    monkeypatch.chdir(tmp_path)
    Path(rel_dir_to_create).mkdir(parents=True, exist_ok=True)
    expected = get_ls_result_safe(rel_dir_to_ls)  # uses ['ls','-l', rel_dir_to_ls]
    assert test_func(rel_dir_to_ls) == expected


## When testing (append the monkeypatch argument)
@pytest.mark.parametrize(
    pytest_params, pytest_params_functionality + pytest_params_security
)
def test_get_ls_result(tmp_path, rel_dir_to_ls, rel_dir_to_create, monkeypatch):
    _test_get_ls_result(get_ls_result, tmp_path, rel_dir_to_ls, rel_dir_to_create, monkeypatch)

References
OWASP — Path Traversal: https://owasp.org/www-community/attacks/Path_Traversal
CWE-36 (Absolute Path Traversal): https://cwe.mitre.org/data/definitions/36.html

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions