> For tests like that we must really think about scope, limiting the report isn't useful if we publish the tests for anyone to run themselves and thus generate the report.
> Malicious actors are no doubt probing the website continuously regardless of this, but we don't necessarily need to do the job for them.
Oh yes, that is a valid point, I guess we might need to separate these tests then in some private repo? I don't know if this is possible though but we can think of some other approaches. Because if we keep those tests publicly available that will just create more problems for us, as you mentioned in your reply.
I'll try to find more approaches to this because the private repository does not seem to go with the idea of open source. I might be wrong about this, so please let me know if I am wrong.
Regards,
Akshat Jaimini
On Fri, Oct 6, 2023 at 6:09 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> On 6 Oct 2023, at 08:05, Akshat Jaimini <destrex271@gmail.com> wrote: > > > Publishing this report to a website would handle that I think. > I had sent a proposal/tried to start a discussion for this a few days earlier
It would probably help if you could link to a report from a run of the test suite. I clicked through the linked repo but I was unable to see an example testrun.
> > One question, would this test harness detect and report potential security issues like XSS? > Security related tests were not added in the Gsoc timeline but we are planning to add them. Maybe when we add those tests we can create a separate section on the proposed website only available to some 'admins' with all these sensitive reports being displayed there.
For tests like that we must really think about scope, limiting the report isn't useful if we publish the tests for anyone to run themselves and thus generate the report. Malicious actors are no doubt probing the website continuously regardless of this, but we don't necessarily need to do the job for them.