OWASP ESAPI PHP tests: Security configuration file does not exist

To get the source for OWASP ESAPI PHP:

 svn checkout http://owasp-esapi-php.googlecode.com/svn/trunk/ owasp-esapi-php-read-only

Make sure phpunit is installed with PEAR. To run the unit tests:

 root@mercy:/home/jj5/Desktop/owasp-esapi-php-read-only# phpunit test
 Security configuration file does not exist.PHP Fatal error:  Call to a member function xpath()
 on a non-object in /home/jj5/Desktop/owasp-esapi-php-read-only/src/reference/DefaultSecurityConfiguration.php on line 226

To get a better error message:

 root@mercy:/home/jj5/Desktop/owasp-esapi-php-read-only# grep -R 'Security conf' .
 ./src/reference/DefaultSecurityConfiguration.php:            throw new Exception("Security configuration file does not exist.");

Edit ‘src/reference/DefaultSecurityConfiguration.php’ and replace “Security configuration file does not exist.” with “Security configuration file '$path' does not exist.”

Try again:

 root@mercy:/home/jj5/Desktop/owasp-esapi-php-read-only# phpunit test
 Security configuration file '/home/jj5/Desktop/owasp-esapi-php-read-only/test/filters/../../testresources/ESAPI.xml' does not exist.PHP Fatal error:  Call to a member function xpath() on a non-object in /home/jj5/Desktop/owasp-esapi-php-read-only/src/reference/DefaultSecurityConfiguration.php on line 226

So the problem is a misconfigured path to the ESAPI.xml file:

 root@mercy:/home/jj5/Desktop/owasp-esapi-php-read-only# grep -R \\.\\.\\/testres .
 ./test/filters/SafeRequestTest.php:            $ESAPI = new ESAPI(dirname(__FILE__) . '/../../testresources/ESAPI.xml');
 ...

Edit the SafeRequestTest.php file:

 root@mercy:/home/jj5/Desktop/owasp-esapi-php-read-only# vim test/filters/SafeRequestTest.php 

On line 58 change “/../../testresources” to “/../testresources”.

Now our tests will run:

 root@mercy:/home/jj5/Desktop/owasp-esapi-php-read-only# phpunit test
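
The grep output above ends in `...`, so other test files may carry the same kind of relative path. The following is an added example, not part of the original post or of the ESAPI project: it lists every `dirname(__FILE__)`-relative reference to ESAPI.xml that does not resolve to an existing file. The function names are hypothetical, and only the one-line pattern shown in the grep output is matched.

```shell
#!/bin/sh
# Added example: find PHP files whose dirname(__FILE__)-relative ESAPI.xml
# path points at a file that does not exist, so a missing security
# configuration is caught before the test suite runs.

# list_broken_esapi_refs ROOT
# Prints "file: resolved-path" for every broken reference under ROOT.
list_broken_esapi_refs() {
    find "$1" -type f -name '*.php' -exec grep -l 'ESAPI\.xml' {} + |
    while IFS= read -r file; do
        # Extract the quoted suffix from: dirname(__FILE__) . '/../x/ESAPI.xml'
        sed -n "s/.*dirname(__FILE__)[[:space:]]*\.[[:space:]]*['\"]\([^'\"]*ESAPI\.xml\)['\"].*/\1/p" "$file" |
        while IFS= read -r rel; do
            # PHP concatenates the file's directory with the suffix; do the same.
            target="$(dirname "$file")$rel"
            [ -f "$target" ] || printf '%s: %s\n' "$file" "$target"
        done
    done
}

# check_esapi_refs ROOT
# Returns 0 when every reference resolves; otherwise prints the broken
# references to stderr and returns 1 (usable as a pre-test gate).
check_esapi_refs() {
    broken=$(list_broken_esapi_refs "$1")
    if [ -z "$broken" ]; then
        return 0
    fi
    printf '%s\n' "$broken" >&2
    return 1
}

# When called with a checkout directory, run the check against it.
if [ "$#" -gt 0 ]; then
    check_esapi_refs "$1"
fi
```

Run it from the checkout as `sh check_esapi_refs.sh .` (the script name is arbitrary) before `phpunit test`.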
