Docker support, Hurl test harness, and fixes (#8, #33, #103) #115
Open
amarcalfaria wants to merge 8 commits into
Conversation
The old tests/spiracle_sqli_test.py was Python 2 and used a bespoke <split> data format. Replace it with Hurl (hurl.dev): a generator turns the existing mysql.txt/oracle.txt payload matrices into .hurl files under tests/hurl/rasp/, with the block status as a {{block_status}} variable. Because the 550 block code is only emitted when the Waratek RASP agent intercepts the query, that suite is RASP-efficacy only; a separate tests/hurl/smoke/ suite runs against a plain (unprotected) deployment for CI, proving the app serves and that injections succeed unprotected. Includes run.sh and docs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

First run failed on DROP TABLE (tables absent); re-runs failed on CREATE USER (user already present). Guard CREATE USER with IF NOT EXISTS and the three DROP TABLE statements with IF EXISTS so the script can be run repeatedly without manual cleanup.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

SendRedirect wrote plaintext instructions via getWriter() with no Content-Type header when the redirectMeTo param was absent. Every other output path in the app already sets Content-Type via setHeader; this was the last servlet response missing one. Use text/plain since the body is plain instructional text, not HTML.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…ction (#103) CreateC3p0Connection.init() read non-existent bare property keys (c3p0.url, c3p0.classname, ...) instead of the per-database keys defined in Spiracle.properties (c3p0.oracle.url, ...). url resolved to null, so ComboPooledDataSource.setJdbcUrl(null) led to DriverManager.getDriver(null) and OracleDriver.acceptsURL(null) threw NPE. Derive the key prefix from the default.connection property (matching SpiracleInit's convention) so the correct per-database connection settings are loaded.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Multi-stage Dockerfile builds the WAR (JDK 8 / Maven) and deploys it on Tomcat 9 with the MySQL, MSSQL and Oracle JDBC drivers preinstalled. An entrypoint rewrites conf/Spiracle.properties from env vars (default connection + DB host/URL) so the committed config is untouched. One compose file per database (mysql/mssql/oracle) brings up the app plus a seeded database for a one-command, no-local-install test target.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…raversal/negative Expands test coverage beyond smoke with endpoint-level functional tests that run against an unprotected deployment: a regression test for the SendRedirect Content-Type fix (#8), benign + injection SQL behavior, reflected XSS, path traversal, and negative cases. Validated green against the MySQL Docker stack. (The rasp/ matrix remains agent-only.)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

README now covers the per-database Docker compose stacks, the Hurl test suites (smoke/functional run on a plain deployment, rasp is agent-only), and the -Dversion.jdk/-Dversion.webxml build matrix with the master (Java 5-8) vs java4 branch split. Notes the SendRedirect Content-Type (#8), setupdb idempotency (#33), and Oracle NPE (#103) fixes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Adds container-based deployment, a language-agnostic test harness, and three bug fixes to the modern (Java 5–8) mainline. All changes are additive except the SQLi test-script replacement.
Docker support (#68)
- `Dockerfile` (build WAR on JDK 8 / Maven → deploy on Tomcat 9, JDBC drivers preinstalled).
- `docker-compose.{mysql,mssql,oracle}.yml`, each bringing up the app + a seeded DB.
- `docker/entrypoint.sh` rewrites `conf/Spiracle.properties` from env vars (default connection + DB host) so the committed config is untouched.
- `docker compose -f docker-compose.mysql.yml up --build`, then `http://localhost:8080/spiracle/`.
Hurl test harness
- Replaces `tests/spiracle_sqli_test.py` (bespoke `<split>` format) with Hurl suites under `tests/hurl/`:
- `smoke/` + `functional/`: run against a plain (unprotected) deployment, no agent (covers SendRedirect, SQL, reflected XSS, path traversal, negative cases).
- `rasp/`: the 440-case injection matrix; asserts the `550` block status, which is only emitted with the Waratek RASP agent attached (agent-only).
Fixes
- `Content-Type` on the `SendRedirect` fallback response (last servlet output path lacking one).
- `setupdb_mysql.sql` is idempotent (`IF [NOT] EXISTS` on user/table create/drop).
- `NullPointerException` in `CreateC3p0Connection`: it read non-existent bare property keys (`c3p0.url`...) yielding a null JDBC URL; now derives the per-DB key prefix from `default.connection`.
Docs
- `README.adoc` gains Docker quickstart, Testing, the `-Dversion.jdk`/`-Dversion.webxml` build matrix, and a branch-model note (master = Java 5–8; `java4` = Java 1.4 variant).
Notes
- ReadHTML `NoSuchMethodError` fix (commit `1b21e16`), which overlaps open PR #113 ("WAL-5253. Use java5 compatible call to getRealPath() in ReadHTML.java"); dedupe on merge.
Verification
`mvn install -Dversion.webxml=30 -DskipTests`, then BUILD SUCCESS.
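As an added illustration (not the project's `docker/entrypoint.sh` or `CreateC3p0Connection`, neither of which appears on this page), the following POSIX shell script shows the two property-handling behaviours the PR describes: rendering a copy of `Spiracle.properties` from env-style values while leaving the committed file untouched, and resolving the JDBC URL through the per-database key derived from `default.connection` rather than a bare `c3p0.url`. The key names `default.connection` and `c3p0.<db>.url` come from the PR text; the function names, the `SPIRACLE_DB`/`SPIRACLE_DB_URL` variables and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. Key names (default.connection,
# c3p0.<db>.url) come from the PR text; function and variable names are assumptions.

# render_properties SRC DEST DB URL
# Writes DEST as a copy of SRC with default.connection=DB and c3p0.<DB>.url=URL,
# appending either key if SRC lacks it. SRC (the committed config) is never modified.
render_properties() {
    src=$1; dest=$2; db=$3; url=$4
    case "$db" in
        mysql|mssql|oracle) ;;
        *) echo "render_properties: unsupported database '$db'" >&2; return 1 ;;
    esac
    awk -v db="$db" -v url="$url" '
        /^ *default\.connection *=/ {
            print "default.connection=" db; seen_db = 1; next
        }
        $0 ~ ("^ *c3p0\\." db "\\.url *=") {
            print "c3p0." db ".url=" url; seen_url = 1; next
        }
        { print }
        END {
            if (!seen_db)  print "default.connection=" db
            if (!seen_url) print "c3p0." db ".url=" url
        }' "$src" > "$dest"
}

# jdbc_url_for_default FILE
# Mirrors the #103 fix: read default.connection, then look up c3p0.<that>.url.
# A bare c3p0.url is never consulted; a missing per-database key fails with a
# non-zero exit instead of silently yielding a null URL.
jdbc_url_for_default() {
    file=$1
    db=$(sed -n 's/^ *default\.connection *= *//p' "$file" | tail -n 1)
    [ -n "$db" ] || { echo "jdbc_url_for_default: no default.connection in $file" >&2; return 1; }
    url=$(sed -n "s/^ *c3p0\.$db\.url *= *//p" "$file" | tail -n 1)
    [ -n "$url" ] || { echo "jdbc_url_for_default: no c3p0.$db.url in $file" >&2; return 1; }
    printf '%s\n' "$url"
}

# Demo on a constructed properties file (values are made up, not the project's).
demo_dir=$(mktemp -d)
cat > "$demo_dir/Spiracle.properties" <<'EOF'
default.connection=mysql
c3p0.mysql.url=jdbc:mysql://localhost:3306/spiracle
c3p0.oracle.url=jdbc:oracle:thin:@localhost:1521:XE
EOF
render_properties "$demo_dir/Spiracle.properties" "$demo_dir/rendered.properties" \
    "${SPIRACLE_DB:-oracle}" "${SPIRACLE_DB_URL:-jdbc:oracle:thin:@oracle-db:1521:XE}"
jdbc_url_for_default "$demo_dir/rendered.properties"
```

Running it with `SPIRACLE_DB=mssql SPIRACLE_DB_URL=... sh render.sh` switches the rendered default to the MSSQL key, and the original `Spiracle.properties` is byte-for-byte unchanged afterwards.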