ReadyAPI TestServer can receive a large number of test recipes from different sources, send them to different APIs under test, and receive the results. Because of this traffic, it can be mistaken for a source of spam. In addition, some test recipes may contain malicious script code, which is dangerous because TestServer usually resides on a server computer inside your network. This topic describes the possible security issues and the workarounds for them.
ReadyAPI TestServer sends and receives a large number of requests. Your company’s proxies and firewalls may report the server computer as a source of spam. To avoid this, make sure to inform your IT department about installing ReadyAPI TestServer so they can change the firewall settings, if needed.
To prevent TestServer from being used as a source of spam, you can configure it to accept test recipes only from the computer on which TestServer is installed. You can do this when you start using the product, while you are learning how to work with it, or until your network security settings are configured properly. You can allow requests from other machines at any later time.
The last page of the TestServer installation wizard asks you which mode you would like to use. To change this setting later, use the server.allowExternalRequests property in the ready-api-testserver.properties file.
By default, ReadyAPI TestServer can send requests to any computer. To prevent TestServer from being used for spamming, you can limit the hosts to which it is allowed to send requests. To do this, specify the allowed hosts in the allowed.connect.targets property in the ready-api-testserver.properties file.
ReadyAPI TestServer supports the HTTPS protocol. However, the default certificate included in the installation package is not secure. We strongly recommend that you use your own SSL certificate so that your requests to TestServer (test recipes) cannot be intercepted.
To import your certificate into TestServer, run TestServer with the -c command-line argument and pass the keystore file containing both the private and public keys. See Configuring TestServer After Installation.
ReadyAPI TestServer can run a large number of tests daily. If some tests leave behind logs or other information, your server can run out of hard drive space. To prevent this, tests run on ReadyAPI TestServer can only write to files in the temp directory and in the directories specified in the allowed.file.paths property. You can find it in the ready-api-testserver.properties file.
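The three properties above decide how exposed a TestServer instance is: whether it accepts recipes from other machines, which hosts tests may contact, and where tests may write. The following script, added here as an example and not part of the ReadyAPI product or this documentation, parses a ready-api-testserver.properties file and flags settings that leave the server open. The property names come from this page; the value formats (true/false and comma-separated lists), the Java .properties syntax, and the sample file contents are assumptions.

```python
"""Audit the inbound, outbound and file-access settings in a ReadyAPI
TestServer properties file.

Added example, not SmartBear's own code. The property names
(server.allowExternalRequests, allowed.connect.targets,
allowed.file.paths) come from the documentation; the value formats
(true/false, comma-separated lists) and the Java .properties file
syntax are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: a freshly installed server that still accepts
# recipes from anywhere and may connect to any host.
WEAK_PROPERTIES = """\
# ready-api-testserver.properties (constructed sample)
server.allowExternalRequests=true
allowed.connect.targets=
allowed.file.paths=/var/lib/testserver/results, /tmp/testserver
"""

# Constructed sample: the same file after locking it down.
HARDENED_PROPERTIES = """\
server.allowExternalRequests=false
allowed.connect.targets=api.example.internal, 10.0.5.20
allowed.file.paths=/var/lib/testserver/results
"""

_KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key: value',
    '#' and '!' comment lines, backslash line continuations."""
    props: Dict[str, str] = {}
    carry = ""  # accumulated text of a backslash-continued line
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            carry = line[:-1]
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    if carry:  # file ended inside a continuation
        match = _KEY_VALUE.match(carry)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _split_list(value: str) -> List[str]:
    """Comma-separated list value (assumed format), blanks dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per setting that leaves TestServer exposed."""
    findings: List[str] = []

    # Inbound: recipes from other machines are accepted. An absent key
    # is not flagged because the installer writes the chosen mode.
    if props.get("server.allowExternalRequests", "").strip().lower() == "true":
        findings.append(
            "server.allowExternalRequests=true: test recipes are accepted "
            "from other machines, not only from the TestServer host")

    # Outbound: the documentation says the default is 'any host', so an
    # absent or empty list is treated as unrestricted (assumption).
    targets = _split_list(props.get("allowed.connect.targets", ""))
    if not targets:
        findings.append(
            "allowed.connect.targets is unset or empty: tests may send "
            "requests to any host")
    elif "*" in targets:
        findings.append(
            "allowed.connect.targets contains '*': outbound hosts are "
            "effectively unrestricted")

    # Files: a filesystem root in the list defeats the disk-usage control.
    for path in _split_list(props.get("allowed.file.paths", "")):
        if re.fullmatch(r"/|[A-Za-z]:[\\/]?", path):
            findings.append(
                f"allowed.file.paths grants a whole filesystem root: {path}")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a properties file body and audit it."""
    return audit_properties(parse_properties(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        findings = audit_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of the real file (for example `audit_text(open("ready-api-testserver.properties").read())`) before opening the server to other machines; the weak sample yields two findings and the hardened sample none.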
Groovy scripts run on ReadyAPI TestServer can do more harm than other test steps, so they are subject to some restrictions.
They are not allowed to:
Terminate the server.
Create classloaders to load other code.
Access any files outside of the temp directory and the directories specified in the allowed.file.paths property (except for the Groovy log file).
Execute system commands.
Create listeners on TestServer to accept connections from other machines.
Connect to hosts other than those specified by the allowed.connect.targets property.