////////////////////////////////////////////////////////////////////////
//
// Copyright (c) 2009-2013 Denim Group, Ltd.
//
// The contents of this file are subject to the Mozilla Public License
// Version 2.0 (the "License"); you may not use this file except in
// compliance with the License. You may obtain a copy of the License at
// http://www.mozilla.org/MPL/
//
// Software distributed under the License is distributed on an "AS IS"
// basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
// License for the specific language governing rights and limitations
// under the License.
//
// The Original Code is ThreadFix.
//
// The Initial Developer of the Original Code is Denim Group, Ltd.
// Portions created by Denim Group, Ltd. are Copyright (C)
// Denim Group, Ltd. All Rights Reserved.
//
// Contributor(s): Denim Group, Ltd.
//
////////////////////////////////////////////////////////////////////////
package com.denimgroup.threadfix.selenium.tests;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.junit.After;
import org.junit.Before;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriverService;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.ie.InternetExplorerDriver;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;
import org.openqa.selenium.remote.RemoteWebDriver;
import com.denimgroup.threadfix.data.entities.GenericVulnerability;
@RunWith(Parameterized.class)
public abstract class BaseTest {
protected final Log log = LogFactory.getLog(this.getClass());
private WebDriver driver;
private static ChromeDriverService service;
public BaseTest(String browser){
if(browser.equals("chrome")){
String location = BaseTest.class.getClassLoader().getResource("Drivers").getFile();
String log = "";
if(System.getProperty("os.name").startsWith("Windows")){
location = location + "/chromedriver.exe";
log = "NUL";
}else{
location = location + "/chromedriver";
log = "/dev/null";
}
service = new ChromeDriverService.Builder()
.usingDriverExecutable(new File(location))
.usingAnyFreePort()
.withLogFile(new File(log))
.build();
try {
service.start();
} catch (IOException e) {
e.printStackTrace();
}
driver = new RemoteWebDriver(service.getUrl(),DesiredCapabilities.chrome());
}
if(browser.equals("firefox")){
driver = new FirefoxDriver();
}
if(browser.equals("IE")){
String location = BaseTest.class.getClassLoader().getResource("Drivers").getFile();
location = location + "/IEDriverServer.exe";
DesiredCapabilities capabilities = new DesiredCapabilities();
capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
driver = new InternetExplorerDriver(capabilities);
}
}
@Parameterized.Parameters
public static Collection<String[]> drivers() {
Collection<String[]> params = new ArrayList<String[]>();
String ff = System.getProperty("FIREFOX");
String chrome = System.getProperty("CHROME");
String ie = System.getProperty("IE");
if(!(ff==null) && ff.equals("true")){
String[] f = {"firefox"};
params.add(f);
}
if(!(chrome==null) && chrome.equals("true")){
String[] f = {"chrome"};
params.add(f);
}
if(!(ie==null) && ie.equals("true")){
String[] f = {"IE"};
params.add(f);
}
return params;
}
@Before
public void init() {
}
@After
public void shutDown() {
if(driver instanceof InternetExplorerDriver || driver instanceof FirefoxDriver){
driver.quit();
}else{
service.stop();
}
}
public WebDriver getDriver(){
log.debug("Getting Driver");
return driver;
}
/**
* This method is a wrapper for RandomStringUtils.random with a preset character set.
* @return random string
*/
protected String getRandomString(int length) {
return RandomStringUtils.random(length,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
}
protected <T> Set<Set<T>> powerSet(T[] items) {
int count = 1 << items.length;
Set<Set<T>> setOfSets = new HashSet<Set<T>>();
for (int i = 0; i < count; i++) {
Set<T> set = new HashSet<T>();
int j = 0;
for (T item : items) {
if ((i >> j++) % 2 == 1)
set.add(item);
}
setOfSets.add(set);
}
return setOfSets;
}
// TODO move to a less fragile method of checking names
final static String ACCESS_CONTROL = "Improper Access Control";
final static String ARGUMENT_INJECTION = "Argument Injection or Modification";
final static String ASP_NET_CUSTOM_ERROR = "ASP.NET Misconfiguration: Missing Custom Error Page";
final static String ASP_NET_DEBUG = "ASP.NET Misconfiguration: Creating Debug Binary";
final static String ASP_NET_VALIDATION_MISSING = "ASP.NET Misconfiguration: Not Using Input Validation Framework";
final static String CLEARTEXT_SENSITIVE_INFO = "Cleartext Transmission of Sensitive Information";
final static String CODE_INJECTION = "Improper Control of Generation of Code ('Code Injection')";
final static String COMMAND_INJECTION = "Improper Neutralization of Special Elements used in a Command ('Command Injection')";
final static String CONFIGURATION = "Configuration";
final static String CSRF = "Cross-Site Request Forgery (CSRF)";
final static String DIRECTORY_LISTING = "Information Exposure Through Directory Listing";
final static String EVAL_INJECTION = GenericVulnerability.CWE_EVAL_INJECTION;
final static String EXTERNAL_CONTROL_OF_PARAM = "External Control of Assumed-Immutable Web Parameter";
final static String EXTERNAL_FILEPATH_CONTROL = "External Control of File Name or Path";
final static String FAILURE_TO_HANDLE_ENCODING = "Improper Handling of Alternate Encoding";
final static String FILES_ACCESSIBLE = "Files or Directories Accessible to External Parties";
final static String FORCED_BROWSING = "Direct Request ('Forced Browsing')";
final static String FORMAT_STRING_INJECTION = GenericVulnerability.CWE_FORMAT_STRING_INJECTION;
final static String GENERIC_INJECTION = "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')";
final static String IMPROPER_CROSS_BOUNDARY_REMOVAL_OF_DATA = "Improper Cross-boundary Removal of Sensitive Data";
final static String IMPROPER_HANDLING_OF_MISSING_VALUES = "Improper Handling of Missing Values";
final static String IMPROPER_INPUT_VALIDATION = "Improper Input Validation";
final static String IMPROPER_RESOURCE_SHUTDOWN = "Improper Resource Shutdown or Release";
final static String IMPROPER_RESTRICTION_AUTH = "Improper Restriction of Excessive Authentication Attempts";
final static String INFORMATION_EXPOSURE = "Information Exposure";
final static String INFO_EXPOSURE_ERROR_MESSAGE = "Information Exposure Through an Error Message";
final static String INFO_LEAK_BROWSER_CACHE = "Information Exposure Through Browser Caching";
final static String INFO_LEAK_COMMENTS = "Information Exposure Through Comments";
final static String INFO_LEAK_DIRECTORIES = "File and Directory Information Exposure";
final static String INFO_LEAK_SERVER_ERROR = "Information Exposure Through Server Error Message";
final static String INFO_LEAK_TEST_CODE = "Information Exposure Through Test Code";
final static String LDAP_INJECTION = GenericVulnerability.CWE_LDAP_INJECTION;
final static String NON_SECURE_COOKIE = "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute";
final static String NON_SERIALIZABLE_OBJECT = "J2EE Bad Practices: Non-serializable Object Stored in Session";
final static String NULL_POINTER = "Unchecked Return Value to NULL Pointer Dereference";
final static String OPEN_REDIRECT = "URL Redirection to Untrusted Site ('Open Redirect')";
final static String OS_INJECTION = GenericVulnerability.CWE_OS_COMMAND_INJECTION;
final static String PATH_TRAVERSAL = GenericVulnerability.CWE_PATH_TRAVERSAL;
final static String REFLECTION_ATTACK = "Reflection Attack in an Authentication Protocol";
final static String RESOURCE_INJECTION = "Improper Control of Resource Identifiers ('Resource Injection')";
final static String SESSION_FIXATION = "Session Fixation";
final static String SOURCE_CODE_INCLUDE = "Information Exposure Through Include Source Code";
final static String SQLI = GenericVulnerability.CWE_SQL_INJECTION;
final static String TRUST_BOUNDARY_VIOLATION = "Trust Boundary Violation";
final static String UNCHECKED_ERROR = "Unchecked Error Condition";
final static String XML_INJECTION = "XML Injection (aka Blind XPath Injection)";
final static String XPATH_INJECTION = GenericVulnerability.CWE_XPATH_INJECTION;
final static String XSS = GenericVulnerability.CWE_CROSS_SITE_SCRIPTING;
}