Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2785 from testssl/stderr

Browse Source 
Ensure that stderr is caught / $prg=testssl.sh
This commit is contained in:
Dirk Wetter
2025-05-28 20:16:32 +02:00
committed by GitHub
parent 75d8f8aa90 ba360bae7e
commit fbbf68857f
7 changed files with 18 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/unit_tests_macos.yml vendored
View File

@@ -51,4 +51,4 @@ jobs:
- name: run it
run: |
prove -v t
prove -v t 2>&1

2
.github/workflows/unit_tests_ubuntu.yml vendored
View File

@@ -57,4 +57,4 @@ jobs:
- name: run it
run: |
prove -v t
prove -v t 2>&1

6
t/23_client_simulation.t
View File

@@ -31,14 +31,14 @@ $uri="google.com";
# unlink "tmp.json";
printf "\n%s\n", "Client simulations unit test via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run $uri 2>&1`;
$socket_out = `$prg $check2run $uri 2>&1`;
# $socket_json = json('tmp.json');
unlike($socket_out, qr/$socket_regex_bl/, "");
$tests++;
# unlink "tmp.json";
printf "\n%s\n", "Client simulations unit test via OpenSSL --> $uri ...";
$openssl_out = `./testssl.sh $check2run --ssl-native $uri 2>&1`;
$openssl_out = `$prg $check2run --ssl-native $uri 2>&1`;
# $openssl_json = json('tmp.json');
unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++;
@@ -48,7 +48,7 @@ $uri="smtp-relay.gmail.com:587";
# unlink "tmp.json";
printf "\n%s\n", "STARTTLS: Client simulations unit test via sockets --> $uri ...";
$socket_out = `./testssl.sh $check2run -t smtp $uri 2>&1`;
$socket_out = `$prg $check2run -t smtp $uri 2>&1`;
# $socket_json = json('tmp.json');
unlike($socket_out, qr/$socket_regex_bl/, "");
$tests++;

10
t/31_isJSON_valid.t
View File

@@ -29,7 +29,7 @@ unlink 'tmp.json';
#1
printf "%s\n", ".. plain JSON --> $uri ";
$out = `./testssl.sh $check2run --jsonfile tmp.json $uri`;
$out = `$prg $check2run --jsonfile tmp.json $uri`;
$json = json('tmp.json');
unlink 'tmp.json';
my @errors=eval { decode_json($json) };
@@ -39,7 +39,7 @@ $tests++;
#2
printf "%s\n", ".. pretty JSON --> $uri ";
$out = `./testssl.sh $check2run --jsonfile-pretty tmp.json $uri`;
$out = `$prg $check2run --jsonfile-pretty tmp.json $uri`;
$json = json('tmp.json');
unlink 'tmp.json';
@errors=eval { decode_json($json) };
@@ -50,7 +50,7 @@ $tests++;
#3
my $uri = "smtp-relay.gmail.com:587";
printf "%s\n", " .. plain JSON and STARTTLS --> $uri ...";
$out = `./testssl.sh --jsonfile tmp.json $check2run -t smtp $uri`;
$out = `$prg --jsonfile tmp.json $check2run -t smtp $uri`;
$json = json('tmp.json');
unlink 'tmp.json';
@errors=eval { decode_json($json) };
@@ -65,7 +65,7 @@ if ( $os eq "linux" ){
# This testssl.sh run deliberately does NOT work as github actions block port 25 egress.
# but the output should be fine. The idea is to have a unit test for a failed connection.
printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ...";
$out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`;
$out = `$prg --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`;
$json = json('tmp.json');
unlink 'tmp.json';
@errors=eval { decode_json($json) };
@@ -75,7 +75,7 @@ if ( $os eq "linux" ){
#5
# Same as above but with pretty JSON
printf "%s\n", ".. pretty JSON for a failed run '--mx $uri' ...";
$out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`;
$out = `$prg --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`;
$json = json('tmp.json');
unlink 'tmp.json';
@errors=eval { decode_json($json) };

9
t/51_badssl.com.t
View File

@@ -6,6 +6,7 @@ use Data::Dumper;
use JSON;
my $tests = 0;
my $prg="./testssl.sh";
my (
$out,
@@ -14,14 +15,14 @@ my (
);
# OK
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okout = `$prg -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json');
unlink 'tmp.json';
cmp_ok(@$okjson,'>',10,"We should have more then 10 findings"); $tests++;
# Expiration
pass("Running testssl against expired.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`;
$out = `$prg -S --jsonfile tmp.json --color 0 expired.badssl.com`;
like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++;
like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;
$json = json('tmp.json');
@@ -39,7 +40,7 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
$out = `$prg -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
@@ -98,7 +99,7 @@ is($found,1,"We should have a finding for this in the JSON output"); $tests++;
# Incomplete chain
pass("Running testssl against incomplete-chain.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
$out = `$prg -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';

3
t/baseline_data/default_testssl.csvfile
View File

@@ -81,9 +81,10 @@
"cookie_count","testssl.sh/81.169.166.184","443","INFO","0 at '/'","",""
"X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
"X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;","",""
"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests; form-action 'none'","",""
"Cross-Origin-Opener-Policy","testssl.sh/81.169.166.184","443","INFO","same-origin-allow-popups","",""
"Cross-Origin-Resource-Policy","testssl.sh/81.169.166.184","443","INFO","same-site","",""
"Cross-Origin-Embedder-Policy","testssl.sh/81.169.166.184","443","INFO","require-corp","",""
"banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
"heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
"CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"