The Tarantula is a fuzzy spider. It crawls your rails app, fuzzing inputs and analyzing what comes back. We have pointed Tarantula at about 20 Rails applications, both commercial and open source, and have never failed to uncover flaws.
How does your Rails app stand up? It's easy to find out. Install the plugin, and create a Tarantula integration test: (Update: Note that Tarantula integration tests live in test/tarantula so that you can treat them separately in your cruise builds. For a substantial app or fixture set Tarantula can take a while to run!)
```ruby
# somewhere in your test
require 'relevance/tarantula'

# customize to match your security setup
def test_with_login
  post '/sessions/create', :password => 'your-pass'
  assert_response :redirect
  assert_redirected_to '/'
  follow_redirect!
  t = tarantula_crawler(self)
  t.crawl '/'
end
```
Then rake tarantula:test, and then start looking through the Failures section of the HTML report.
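An added illustration (not Tarantula's own code or data) of the kind of triage the Failures section exists for: crawl results are checked for server errors, unexpected 404s, and a fuzz marker that came back unescaped. The results, the marker string, and the allow-404 rule are all constructed for this example.

```ruby
require 'cgi'

# Marker a fuzzing crawler might submit into form fields; constructed here.
FUZZ_MARKER = '<taran"tula>'

# Constructed crawl results, not output from Tarantula.
SAMPLE_RESULTS = [
  { url: '/',                status: 200, body: '<h1>Home</h1>' },
  { url: '/posts/999',       status: 404, body: 'Not found' },
  { url: '/search?q=' + CGI.escape(FUZZ_MARKER), status: 200,
    body: "Results for #{FUZZ_MARKER}" },                  # marker echoed raw
  { url: '/search?q=' + CGI.escape(FUZZ_MARKER), status: 200,
    body: "Results for #{CGI.escapeHTML(FUZZ_MARKER)}" },  # escaped: fine
  { url: '/admin/users',     status: 500, body: 'RoutingError' },
  { url: '/files/missing',   status: 404, body: 'Not found' },
]

# Paths where a 404 is expected and should not count as a failure (assumed rule).
ALLOW_404 = [%r{\A/files/}]

# Returns nil for a clean response, otherwise the list of reasons it failed.
def classify(result, allow_404: ALLOW_404)
  status, body = result[:status], result[:body]
  reasons = []
  reasons << "server error #{status}" if status >= 500
  if status == 404 && allow_404.none? { |re| result[:url] =~ re }
    reasons << 'unexpected 404'
  end
  # The marker coming back byte-for-byte means the app rendered user input
  # without HTML-encoding it, which is what the escaped variant above avoids.
  reasons << 'fuzz marker reflected unescaped' if body.include?(FUZZ_MARKER)
  reasons.empty? ? nil : reasons
end

# Keeps only the failures, in the shape a report's Failures section would list.
def failures(results)
  results.each_with_object([]) do |r, acc|
    reasons = classify(r)
    acc << { url: r[:url], status: r[:status], reasons: reasons } if reasons
  end
end
```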
Tarantula is just a baby now, but we plan to feed it until it is a lot bigger and meaner. Suggestions and contributions are welcome via the Relevance Open Source Trac.
Hat tip to Courtenay, whose SpiderTest plugin inspired me to go down this road. Also congrats to Mephisto, which is the best behaved app under Tarantula to date (only three problems, all minor broken windows).
Comments
Any plans to move Tarantula into a gem so plugins for other frameworks, like merb, could be made?
And symfony :)
Dan: Yes, we plan to gem it very soon. One or two weeks, tops.
Simon: Eventually we hope it is framework/language independent, but right now it's pretty closely tied to ruby/rails.
FYI. This plugin has some gem dependencies that you will have to install first, which are not mentioned in the README (hint hint).
I had to install:
sudo gem install facets
sudo gem install htmlentities
Cheers.
Glenn: README updated. Thanks!
Awesome! I love it when I can inspire people to rewrite my shoddy code as a nice, solid toolset. (See also: tinder).
Hey Stu,
Sounds like a good thing. I’ve tried to install it (twice) and it seems all the files came down, but then it choked at the end.
I’m on windows.. When I try and run it, I see two things spit out to the command line:
rm -rf tmp/tarantula
c:/program files/ruby/bin/ruby -Ilib;test "C:\Program Files\ruby\lib\ruby\gems\1.8\gems\rake-0.8.1\lib\rake\rake_test_loader.rb"
and that’s it. No report is generated. Have I got something configured wrong here?
Just ran the tests to make sure it was all working. 130 tests passed, 1 failure.
This one fails on the should = 11 – it comes up with 12:
Tim: The failing unit test is a cross-platform issue in the tests only, and shouldn’t cause you any trouble. It is fixed in R246. With regard to your test not running—is it in the test/tarantula directory? That’s where the rake task looks.
Ahhh – the problem was that I was missing the _test from the filename..
When I try to install the plugin, the process dies with the following messages:
+ ./vendor/xss-shield/test/test_safe_string.rb
svn: URL 'svn://rubyforge.org/var/svn/laszlo-plugin/rails/plugins' non-existent in that revision
svn: No repository found in 'svn://rubyforge.org/var/svn/actsaslocatable/plugins'
svn: Can't connect to host 'svn.nkryptic.com': Operation timed out
svn: Can't connect to host 'dvisionfactory.com': Connection refused
Plugin not found: ["http://opensource.thinkrelevance.com/svn/rubygems/tarantula/trunk", "tarantula"]
ideas?