esapi-java-legacy
Temporary files not being cleaned up on WAF JUnit tests
From [email protected] on November 11, 2009 21:33:01
The WAF class InterceptingServletOutputStream is creating temporary files via:
this.out = new RandomAccessFile ( File.createTempFile("oew", ".hop"), "rw" );
that are not being cleaned up when certain WAF JUnit tests are being run. For example,
/tmp> ls -l oew7672934197290659613.hop
-rw------- 1 kevin users 57 2009-11-09 21:29 oew7672934197290659613.hop
/tmp> cat oew7672934197290659613.hop
This is the body of a response for /here_is_the_2008
/tmp>
I just found 81, mostly empty files of pattern
/tmp/oew###################.hop
on my system. Most likely it was because of all the WAF tests that were failing. However, it might be a good idea to create an @AfterClass annotation that cleans them up in case of test failures (or this could be done in the teardown() method as well).
I have not run any WAF JUnit tests since they've been fixed, so this probably may have disappeared, but it certainly has the potential to reappear again at any time.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=55
From [email protected] on August 31, 2012 01:38:16
I have a similar issue in an application running on WebLogic Server. Files like oew*.hop are not deleted from the /tmp directory after an HTTP request, and these files are still open, which causes me to get a 'Too many open files' exception (I have checked it using the lsof command). Is there an option to force ESAPI to delete *.hop files after a request? Thanks in advance.
From [email protected] on July 05, 2013 02:53:16
Can somebody help me understand the necessity of creating temp files and reading the bytes when scanning the response? Issues like what Miloshmazur reported above would definitely occur, when implementing this in massive online banking applications.
From [email protected] on July 05, 2013 02:55:28
And one more thing, this is not just specific to JUnit test cases. Even in regular application flow, temp file clean-up is not done.
This no longer seems to be a problem, although I cannot pinpoint any particular 'commit' that would have fixed this. It may have been that the
tempFile.deleteOnExit();
that is called on line 61 of the InterceptingServletOutputStream CTOR maybe just wasn't working with earlier JDKs.
Has anyone recently noticed temporary files of the form "/tmp/oew*.hop" not being removed? I see no trace of them any longer and am unable to reproduce this issue.
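Added example, not ESAPI code and not from any participant in this thread: `File.deleteOnExit()` only attempts deletion at normal JVM termination, so in a long-running application server the `oew*.hop` files and their open descriptors persist until something closes and deletes them explicitly. The sketch below uses a hypothetical class `TempBackedBuffer` (the name and methods are assumptions) to show a temp-file-backed buffer that releases both in `close()`.

```java
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

// Hypothetical class (not part of ESAPI): owns the descriptor and the file on disk.
public class TempBackedBuffer implements Closeable {
    private final File tempFile;
    private final RandomAccessFile out;

    public TempBackedBuffer() throws IOException {
        tempFile = File.createTempFile("oew", ".hop"); // same pattern as in the issue
        RandomAccessFile raf;
        try {
            raf = new RandomAccessFile(tempFile, "rw");
        } catch (IOException e) {
            Files.deleteIfExists(tempFile.toPath()); // do not leak the file if open fails
            throw e;
        }
        out = raf;
    }

    public void write(byte[] b) throws IOException { out.write(b); }

    // Reads back everything buffered so far; the file pointer ends at EOF again.
    public byte[] toByteArray() throws IOException {
        byte[] buf = new byte[(int) out.length()];
        out.seek(0);
        out.readFully(buf);
        return buf;
    }

    @Override
    public void close() throws IOException {
        try {
            out.close(); // releases the open descriptor (what lsof was showing)
        } finally {
            Files.deleteIfExists(tempFile.toPath()); // delete now, not at JVM exit
        }
    }

    public static void main(String[] args) throws IOException {
        TempBackedBuffer buf = new TempBackedBuffer();
        try (TempBackedBuffer b = buf) { // close() runs even if the body throws
            b.write("constructed sample response body".getBytes(StandardCharsets.UTF_8));
            System.out.println(b.toByteArray().length + " bytes in " + b.tempFile);
        }
        System.out.println("exists after close: " + buf.tempFile.exists());
    }
}
```

In a servlet filter the equivalent of the try-with-resources body is the request itself: the buffer is closed in a `finally` block once the response has been written.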