angular_xss 0.3.0 → 0.4.1

data/Gemfile.rails-6.1.haml-5.lock

@@ -0,0 +1,90 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (0.4.1)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (6.1.3.2)
+      actionview (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      rack (~> 2.0, >= 2.0.9)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actionview (6.1.3.2)
+      activesupport (= 6.1.3.2)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activesupport (6.1.3.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    builder (3.2.4)
+    concurrent-ruby (1.1.9)
+    crass (1.0.6)
+    diff-lcs (1.4.4)
+    erubi (1.10.0)
+    gemika (0.6.0)
+    haml (5.2.1)
+      temple (>= 0.8.0)
+      tilt
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
+    loofah (2.10.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mini_portile2 (2.5.3)
+    minitest (5.14.4)
+    nokogiri (1.11.7)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    racc (1.5.2)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    rake (13.0.3)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
+    temple (0.8.2)
+    tilt (2.0.10)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    zeitwerk (2.4.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 6.1)
+  angular_xss!
+  gemika
+  haml (~> 5)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.2.20

data/Gemfile.rails-7.0.haml-5

@@ -0,0 +1,8 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.0'
+gem 'rspec'
+gem 'haml', '~> 5'
+gem 'angular_xss', :path => '.'
+gem 'gemika'
+gem 'rake'

data/Gemfile.rails-7.0.haml-5.lock

@@ -0,0 +1,86 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (0.4.1)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (7.0.0)
+      actionview (= 7.0.0)
+      activesupport (= 7.0.0)
+      rack (~> 2.0, >= 2.2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actionview (7.0.0)
+      activesupport (= 7.0.0)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activesupport (7.0.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    builder (3.2.4)
+    concurrent-ruby (1.1.9)
+    crass (1.0.6)
+    diff-lcs (1.4.4)
+    erubi (1.10.0)
+    gemika (0.6.1)
+    haml (5.2.2)
+      temple (>= 0.8.0)
+      tilt
+    i18n (1.8.11)
+      concurrent-ruby (~> 1.0)
+    loofah (2.13.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    minitest (5.15.0)
+    nokogiri (1.12.5-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.6.0)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.4.2)
+      loofah (~> 2.3)
+    rake (13.0.6)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.3)
+    temple (0.8.2)
+    tilt (2.0.10)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  actionpack (~> 7.0)
+  angular_xss!
+  gemika
+  haml (~> 5)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.2.26

data/README.md

@@ -1,4 +1,4 @@
-angular_xss [![Build Status](https://travis-ci.org/makandra/angular_xss.png?branch=master)](https://travis-ci.org/makandra/angular_xss)
+angular_xss [![Build Status](https://github.com/makandra/angular_xss/workflows/Tests/badge.svg)](https://github.com/makandra/angular_xss/actions)
 ===========
 
 When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
@@ -57,6 +57,7 @@ Development
 
 - Fork the repository.
 - Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
+- You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
 - Send a pull request.
 
 

data/Rakefile

@@ -1,70 +1,7 @@
 require 'rake'
 require 'bundler/gem_tasks'
+require 'gemika/tasks'
 
-desc 'Default: Run all specs.'
-task :default => 'all:spec'
-
-
-namespace :travis do
-
-  desc 'Run tests on Travis CI'
-  task :run => ['slimgems', 'all:bundle:install', 'all:spec']
-
-  desc 'Install slimgems'
-  task :slimgems do
-    if RUBY_VERSION == '1.8.7'
-      system('gem install slimgems')
-    end
-  end
-
-end
-
-namespace :all do
-
-  desc "Run specs on all spec apps"
-  task :spec do
-    success = true
-    for_each_directory_of('spec/**/Rakefile') do |directory|
-      env = "SPEC=../../#{ENV['SPEC']} " if ENV['SPEC']
-      success &= system("cd #{directory} && #{env} bundle exec rake spec")
-    end
-    fail "Tests failed" unless success
-  end
 
-  namespace :bundle do
-
-    desc "Bundle all spec apps"
-    task :install do
-      for_each_directory_of('spec/**/Gemfile') do |directory|
-        Bundler.with_clean_env do
-          system("cd #{directory} && bundle install")
-        end
-      end
-    end
-
-    desc "Update all gems, or a list of gem given by the GEM environment variable"
-    task :update do
-      for_each_directory_of('spec/**/Gemfile') do |directory|
-        Bundler.with_clean_env do
-          system("cd #{directory} && bundle update #{ENV['GEM']}")
-        end
-      end
-    end
-
-  end
-
-end
-
-def for_each_directory_of(path, &block)
-  Dir[path].sort.each do |rakefile|
-    directory = File.dirname(rakefile)
-    puts '', "\033[44m#{directory}\033[0m", ''
-
-    if (RUBY_VERSION == '1.8.7' && directory =~ /-4\.2$/) ||
-      (RUBY_VERSION != '1.8.7' && directory =~ /-2\.3$/)
-      puts "Skipping tests for Ruby #{RUBY_VERSION} since it is unsupported"
-    else
-      block.call(directory)
-    end
-  end
-end
+desc 'Default: Run all specs.'
+task :default => 'matrix:spec'

data/angular_xss.gemspec

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.summary = 'Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.'
   s.description = s.summary
   s.license = 'MIT'
+  s.metadata = { 'rubygems_mfa_required' => 'true' }
 
   s.files         = `git ls-files`.split($\)
   s.test_files    = s.files.grep(%r{^spec/})

data/lib/angular_xss/action_view.rb

@@ -8,6 +8,7 @@ ActionView::Template.class_eval do
     end
   end
 
-  alias_method_chain :compile, :angular_xss
+  alias_method :compile_without_angular_xss, :compile
+  alias_method :compile, :compile_with_angular_xss
 
 end

data/lib/angular_xss/erb.rb

@@ -12,7 +12,8 @@ ERB::Util.module_eval do
       end
     end
 
-    alias_method_chain :unwrapped_html_escape, :escaping_angular_expressions
+    alias_method :unwrapped_html_escape_without_escaping_angular_expressions, :unwrapped_html_escape
+    alias_method :unwrapped_html_escape, :unwrapped_html_escape_with_escaping_angular_expressions
 
     singleton_class.send(:remove_method, :unwrapped_html_escape)
     module_function :unwrapped_html_escape

data/lib/angular_xss/haml.rb

@@ -1,15 +1,32 @@
-# Use module_eval so we crash when Haml::Helpers has not yet been loaded.
-Haml::Helpers.module_eval do
-
-  def html_escape_with_escaping_angular_expressions(s)
-    s = s.to_s
-    if s.html_safe?
-      s
-    else
-      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+# Haml 5.0 and 5.1 fall back to erb
+if Haml::VERSION < '5'
+  # Use module_eval so we crash when Haml::Helpers has not yet been loaded.
+  Haml::Helpers.module_eval do
+
+    def html_escape_with_escaping_angular_expressions(s)
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+      end
     end
+
+    alias_method :html_escape_without_escaping_angular_expressions, :html_escape
+    alias_method :html_escape, :html_escape_with_escaping_angular_expressions
   end
 
-  alias_method_chain :html_escape, :escaping_angular_expressions
+elsif Haml::VERSION >= '5.2' 
+  Haml::Helpers.module_eval do
+
+    def html_escape_without_haml_xss_with_escaping_angular_expressions(s)
+      s = s.to_s
+      return s if s.html_safe?
 
+      html_escape_without_haml_xss_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+    end
+
+    alias_method :html_escape_without_haml_xss_without_escaping_angular_expressions, :html_escape_without_haml_xss
+    alias_method :html_escape_without_haml_xss, :html_escape_without_haml_xss_with_escaping_angular_expressions
+  end
 end

data/lib/angular_xss/safe_buffer.rb

@@ -1,19 +1,44 @@
+##
+# Monkey patch ActiveSupport::SafeBuffer to escape double braces from Angular
+#
+# Link to the original implementation without Angular XSS escaping:
+# https://github.com/rails/rails/blob/7-0-stable/activesupport/lib/active_support/core_ext/string/output_safety.rb#L295
+#
 ActiveSupport::SafeBuffer.class_eval do
 
-  if private_method_defined? :html_escape_interpolated_argument
+  html_escape = :html_escape_interpolated_argument
+
+  if private_method_defined?(html_escape) || # Rails < 6.1
+    private_method_defined?(:"explicit_#{html_escape}") # Rails >= 6.1
 
     private
 
-    def html_escape_interpolated_argument_with_rails_xss(arg)
-      if arg.html_safe?
+    def explicit_html_escape_interpolated_argument_with_angular_xss(arg)
+      if !html_safe? || arg.html_safe?
         arg
       else
-        html_escape_interpolated_argument_without_rails_xss(AngularXss::Escaper.escape(arg))
+        explicit_html_escape_interpolated_argument_without_angular_xss(AngularXss::Escaper.escape(arg))
       end
     end
 
-    alias_method_chain :html_escape_interpolated_argument, :rails_xss
+    if private_method_defined?(html_escape)
+      alias_method :"explicit_#{html_escape}_without_angular_xss", html_escape
+      alias_method html_escape, :"explicit_#{html_escape}_with_angular_xss"
+    elsif private_method_defined?(:"explicit_#{html_escape}")
+      alias_method :"explicit_#{html_escape}_without_angular_xss", :"explicit_#{html_escape}"
+      alias_method :"explicit_#{html_escape}", :"explicit_#{html_escape}_with_angular_xss"
+    end
 
+    if private_method_defined?(:"implicit_#{html_escape}")
+      def implicit_html_escape_interpolated_argument_with_angular_xss(arg)
+        if !html_safe? || arg.html_safe?
+          arg
+        else
+          implicit_html_escape_interpolated_argument_without_angular_xss(AngularXss::Escaper.escape(arg))
+        end
+      end
+      alias_method :"implicit_#{html_escape}_without_angular_xss", :"implicit_#{html_escape}"
+      alias_method :"implicit_#{html_escape}", :"implicit_#{html_escape}_with_angular_xss"
+    end
   end
-
 end

data/lib/angular_xss/version.rb

@@ -1,3 +1,3 @@
 module AngularXss
-  VERSION = '0.3.0'
+  VERSION = '0.4.1'
 end

data/spec/{shared/tests → angular_xss}/erb_spec.rb

@@ -2,6 +2,6 @@ require 'spec_helper'
 
 describe 'Angular XSS prevention in ERB', :type => :view do
 
-  it_should_act_like 'engine preventing Angular XSS', :partial => 'test/test_erb'
+  it_should_behave_like 'engine preventing Angular XSS', :partial => 'test_erb'
 
 end

data/spec/{shared/tests → angular_xss}/haml_spec.rb

@@ -2,6 +2,6 @@ require 'spec_helper'
 
 describe 'Angular XSS prevention in Haml', :type => :view do
 
-  it_should_act_like 'engine preventing Angular XSS', :partial => 'test/test_haml'
+  it_should_behave_like 'engine preventing Angular XSS', :partial => 'test_haml'
 
 end

data/spec/spec_helper.rb

@@ -0,0 +1,37 @@
+require 'pathname'
+require 'active_support/all'
+require 'action_dispatch'
+require 'action_view'
+
+begin
+  # Rails 3.2
+  require 'rails'
+rescue LoadError
+  # Rails 4+
+end
+
+module Rails
+  def self.env
+    'test'.inquiry
+  end
+end
+
+require 'haml'
+require 'haml/template'
+
+require 'angular_xss'
+
+
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+TEMPLATE_ROOT = Pathname.new(__dir__).join('templates')
+
+
+RSpec.configure do |config|
+  config.mock_with :rspec do |c|
+    c.syntax = [:should, :expect]
+  end
+  config.expect_with :rspec do |c|
+    c.syntax = [:should, :expect]
+  end
+end

data/spec/{shared/support → support}/engine_preventing_angular_xss.rb

@@ -1,6 +1,12 @@
-shared_examples_for 'engine preventing Angular XSS' do
+shared_examples_for 'engine preventing Angular XSS' do |partial:|
 
-  let(:engine) { respond_to?(:view) ? view : template }
+  let(:path_set) { ActionView::LookupContext.new([TEMPLATE_ROOT]) }
+
+  if defined?(ActionView::VERSION) && ActionView::VERSION::MAJOR >= 6
+    let(:engine) { ActionView::Base.with_empty_template_cache.new(path_set, {}, nil) }
+  else
+    let(:engine) { ActionView::Base.new(path_set) }
+  end
 
   let(:html) { engine.render(partial) }
 
@@ -72,4 +78,10 @@ shared_examples_for 'engine preventing Angular XSS' do
     html.should_not include('{{unsafe}}')
   end
 
+  it 'does not escape twice' do
+    escaped = AngularXss::Escaper.escape('{{')
+    double_escaped = AngularXss::Escaper.escape(escaped)
+    html.should_not include(double_escaped)
+  end
+
 end

data/spec/{shared/app_root/app/views/test → templates}/_test_haml.haml

@@ -29,7 +29,9 @@
 %div{:class => '{{safe}}', :id => '{{safe}}'}
 
 -# Compiled at runtime:
-%div{:class => '{{unsafe}}', :id => '{{unsafe}}', :foo => rand}
-%div(bar="#{'{{unsafe}}'}")
-%div{:foo => '{{safe}}'.html_safe, :bar => '{{unsafe}}'}
+- unsafe = '{{unsafe}}'
+- safe = '{{safe}}'.html_safe
+%div{:class => unsafe, :id => unsafe}
+%div(bar="#{unsafe}")
+  %div{:foo => safe, :bar => unsafe}
   {{safe}}