• Stars: 444
• Rank: 98,300 (Top 2 %)
• Language: Ruby
• License: MIT License
• Created over 16 years ago
• Updated over 11 years ago


a big hairy fuzzy spider that crawls your site, wreaking havoc

Tarantula

DESCRIPTION

Tarantula is a big fuzzy spider. It crawls your Rails 2.3 and 3.x applications, fuzzing data to see what breaks.


Usage

Installation

The latest and greatest version is always available on GitHub. (See the rakefile for dependencies, or just let RubyGems handle it). Add it to your Gemfile as normal:

gem "tarantula"

Or for Rails 3 applications:

gem 'tarantula', :require => 'tarantula-rails3'

Crawling Your App

Use the included rake task to create a Rails integration test that will allow Tarantula to crawl your app.

$ rake tarantula:setup

Take a moment to familiarize yourself with the generated test. If parts of your application require login, update the test to make sure Tarantula can access those parts of your app.

require "relevance/tarantula"
require "test_helper"

class TarantulaTest < ActionController::IntegrationTest
  # Load enough test data to ensure that there's a link to every page in your
  # application. Doing so allows Tarantula to follow those links and crawl
  # every page.  For many applications, you can load a decent data set by
  # loading all fixtures.
  fixtures :all

  def test_tarantula
    # If your application requires users to log in before accessing certain
    # pages, uncomment the lines below and update them to allow this test to
    # log in to your application.  Doing so allows Tarantula to crawl the
    # pages that are only accessible to logged-in users.
    #
    #   post '/session', :login => 'quentin', :password => 'monkey'
    #   follow_redirect!

    tarantula_crawl(self)
  end
end

If you want to set custom options, you can get access to the crawler and set properties before running it. For example, this would turn on HTMLTidy.

def test_tarantula
  post '/session', :login => 'kilgore', :password => 'trout'
  assert_response :redirect
  assert_redirected_to '/'
  follow_redirect!

  t = tarantula_crawler(self)
  t.handlers << Relevance::Tarantula::TidyHandler.new
  t.crawl '/'
end

Now it’s time to turn Tarantula loose on your app. Assuming your project is at /work/project/:

$ cd /work/project
$ rake tarantula:test

Verbose Mode

If you run the test using the steps shown above, Tarantula will produce a report in tmp/tarantula. You can also set VERBOSE=true to see more detail as the test runs.

For more options, please see the test suite.

Allowed Errors

If, for example, a 404 is an appropriate response for some URLs, you can tell Tarantula to allow 404s for URLs matching a given regex:

t = tarantula_crawler(self)
t.allow_404_for %r{/users/\d+/}

Testing for Common Attacks

You can specify the attack strings that Tarantula throws at your application.

def test_tarantula
  t = tarantula_crawler(self)

  Relevance::Tarantula::FormSubmission.attacks << {
    :name => :xss,
    :input => "<script>gotcha!</script>",
    :output => "<script>gotcha!</script>",
  }

  Relevance::Tarantula::FormSubmission.attacks << {
    :name => :sql_injection,
    :input => "a'; DROP TABLE posts;",
  }

  t.handlers << Relevance::Tarantula::AttackHandler.new
  t.times_to_crawl = 2
  t.crawl "/posts"
end

This example adds custom attacks for both SQL injection and XSS. It also tells Tarantula to crawl the app 2 times. This is important for XSS attacks because the results won’t appear until the second time Tarantula performs the crawl.
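The two previous sections describe how crawl results are judged: a 404 is tolerated only on URLs matching an allow-list regex, and an attack counts as a finding when its :output string comes back in a response. The added Ruby example below (not part of Tarantula's own code) models that triage over a constructed crawl log; it assumes the handler reports an attack when :output appears verbatim in a response body, and shows why the stored XSS payload is only caught on the second crawl and why an HTML-escaped rendering of the same payload is not a finding.

```ruby
require "erb"

# Constructed attack definitions in the same {:name, :input, :output} shape
# the README uses. An attack with no :output (the SQL one) is only a
# "does anything break" probe: it cannot be detected by reflection.
ATTACKS = [
  { :name => :xss,           :input => "<script>gotcha!</script>", :output => "<script>gotcha!</script>" },
  { :name => :sql_injection, :input => "a'; DROP TABLE posts;" },
]

# Regexes for URLs where a 404 is acceptable (the allow_404_for pattern above).
ALLOWED_404 = [%r{/users/\d+/}]

# Classify one crawled response. Returns a symbol:
#   :allowed_404 - 404 on a URL the allow-list covers
#   :error       - any other 4xx/5xx
#   :attack      - an attack's :output string came back verbatim
#   :ok          - nothing suspicious
def classify(url, status, body, attacks = ATTACKS, allowed_404 = ALLOWED_404)
  if status == 404
    return allowed_404.any? { |re| re.match(url) } ? :allowed_404 : :error
  end
  return :error if status >= 400
  reflected = attacks.find { |a| a[:output] && body.include?(a[:output]) }
  reflected ? :attack : :ok
end

# Run the classifier over a crawl log and count results by kind.
def triage(results, attacks = ATTACKS, allowed_404 = ALLOWED_404)
  counts = Hash.new(0)
  results.each do |url, status, body|
    counts[classify(url, status, body, attacks, allowed_404)] += 1
  end
  counts
end

# Constructed sample results (url, status, body). The third entry models the
# second crawl of a page that stored the XSS payload during the first crawl
# and now renders it unescaped; the fourth renders the same payload through
# html_escape and is therefore not reported.
payload = ATTACKS[0][:input]
SAMPLE = [
  ["/posts",        200, "<h1>Posts</h1>"],
  ["/users/42/",    404, "Not Found"],
  ["/posts/1",      200, "<p>#{payload}</p>"],
  ["/posts/2",      200, "<p>#{ERB::Util.html_escape(payload)}</p>"],
  ["/admin/broken", 500, "Internal Server Error"],
]

puts triage(SAMPLE).inspect if __FILE__ == $0
```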

Timeout

You can specify a timeout for each specific crawl that Tarantula runs. For example:

def test_tarantula
  t = tarantula_crawler(self)
  t.times_to_crawl = 2
  t.crawl_timeout = 5.minutes
  t.crawl "/"
end

The above will crawl your app twice, and each individual crawl will time out if it takes longer than 5 minutes. You may need a timeout to keep the Tarantula test time reasonable if your app is large or simply has a large number of ‘never-ending’ links, such as any sort of “auto-admin” interface.

Bugs/Requests

Please submit your bug reports, patches, or feature requests in Github Issues.

License

Tarantula is released under the MIT license.
