require 'spec_helper' jsp_content =< <%@page import="com.codesake.test"%> Hello World <% String message = (String) request.getAttribute("message"); if(message != null) { %>

<%=message%>

<% } else { %>

<% } %>
<% Cookie c = new Cookie("name", "a_value") Cookie cc = new Cookie("second", 12) %> EOS describe Codesake::Engine::Jsp do before(:all) do File.open("test.jsp", "w") do |f| f.write(jsp_content) end @jsp = Codesake::Engine::Jsp.new("test.jsp", {}) @jsp.analyse end after(:all) do File.delete("test.jsp") if File.exists?("test.jsp") end it_behaves_like Codesake::Utils::Files # it_behaves_like Codesake::Utils::Secrets it_behaves_like Codesake::Engine::Core it "takes a filename as input" do @jsp.filename.should_not be_nil @jsp.filename.should_not be_empty end it "analyses a jsp for imported packages" do expected_result = [{:package=>"com.codesake.test", :line=>3}] @jsp.imports.should == expected_result end it "analyses a jsp file for attack entrypoints" do expected_result = [{:line=>32, :param=>"message", :var=>"message"}] @jsp.attack_entrypoints.should == expected_result end it "analyses a jsp file for reflected variables" do expected_result = [{:line=>8, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>24, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>25, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>26, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>27, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>28, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>36, :var=>"message", :false_positive=>false}, {:line=>44, :var=>"request.getContextPath()", :false_positive=>true}, {:line=>46, :var=>"request.getLocalName()", :false_positive=>true} ] @jsp.reflected_xss.should == expected_result end it "analyses a jsp file for cookies" do expected_result = [{:line=>51, :name=>"name", :value=>"a_value", :var=>"c"}, {:line=>52, :name=>"second", :value=>"12", :var=>"cc"}] @jsp.cookies.should == expected_result end end