antisamy 0.0.1 → 0.2.0

data/README.rdoc

@@ -5,7 +5,7 @@ user-supplier HTML and CSS. Please check out the AntiSamy project over at OWASP[
 
 == TODO
 
-* Add CSS scrubbing support
+* At some point support CSS3
 
 == Synopsis
 
@@ -29,6 +29,11 @@ Please check policy-examples[https://github.com/washu/antisamy-ruby/tree/master/
 * Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
 * Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
 
+== csspool
+
+We use a forked version of csspool 0.2.6 within antysamy, you can find the license
+for csspool in the rsac[https://github.com/washu/antisamy-ruby/tree/master/lib/antisamy/csspool] directory. csspool was re-namespaced to avoid any conflicts and updated for 1.9.2 ruby compatabilty
+
 == Copyright
 
 Copyright (c) 2011 Sal Scotto. See LICENSE.txt for

data/lib/antisamy/css/css_filter.rb

@@ -0,0 +1,187 @@
+require 'uri'
+module AntiSamy
+  class CssFilter < RSAC::DocumentHandler
+    
+    attr_accessor :clean, :errors, :style_sheets
+    
+    def initialize(policy,tag)
+      @policy = policy
+      @validator = CssValidator.new(@policy)
+      @errors = []
+      @clean = ''
+      @tag = tag
+      @selector_open = false
+      @style_sheets = []
+      @inline = !tag.nil?
+      @media_open = false
+      @current_media = nil
+    end
+    # Start of document
+    def start_document(input_source) #:nodoc:
+    end
+
+    # Receive notification of the end of a style sheet.
+    def end_document(input_source) #:nodoc:
+    end
+
+    # Receive notification of a comment
+    def comment(text)
+      @errors << ScanMessage.new(ScanMessage::ERROR_COMMENT_REMOVED,@tag,text)
+    end
+    
+    def error(exception)
+      #puts exception
+    end
+
+    def fatal_error(exception)
+      #puts exception
+    end
+    
+    def error(t)
+      #puts t
+    end
+    
+    def warn(t)
+      #puts t
+    end
+    
+    def warning_error(exception)
+      #puts exception
+    end    
+    # Receive notification of an unknown at rule not supported by this parser.
+    def ignorable_at_rule(at_rule)
+      if inline
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_RULE_NOTFOUND,@tag,at_rule)
+      else
+        @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_RULE_NOTFOUND,@tag,at_rule)
+      end
+    end
+    
+    # Namespace declaration
+    def namespace_declaration(prefix, uri) #:nodoc:
+    end
+
+    # Called on an import statement
+    def import_style(uri, media, default_namespace_uri = nil)
+      # check directive
+      unless @policy.directive(Policy::EMBED_STYLESHEETS)
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_DISABLED,@tag,uri)
+        return
+      end
+      # check for null uri
+      if uri.nil?
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_URL_INVALID,@tag)
+      end
+      # check uri rules
+      begin
+        luri = RSAC::LexicalURI.new(uri)
+        link = URI.parse(luri.string_value)
+        link.normalize!
+        onsite = @policy.expression("offsiteURL")
+        offsite = @policy.expression("onsiteURL")
+        # bad uri
+        raise "Invalid URI Pattern" if link.to_s !~ onsite and link.to_s !~ offsite
+        raise "Invalid URI" unless link.absolute?
+        @style_sheets << link
+      rescue Exception => e
+        @errors << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_URL_INVALID,@tag,uri)        
+      end
+    end
+
+    # Notification of the start of a media statement
+    def start_media(media)
+      @media_open = true
+      @current_media = media
+    end
+
+    # Notification of the end of a media statement
+    def end_media(media)
+      @media_open = false
+      @current_media = nil
+    end
+
+    # Notification of the start of a page statement
+    def start_page(name = nil, pseudo_page = nil) #:nodoc:
+    end
+
+    # Notification of the end of a page statement
+    def end_page(name = nil, pseudo_page = nil) # :nodoc:
+    end
+
+    # Notification of the beginning of a font face statement.
+    def start_font_face #:nodoc:
+    end
+
+    # Notification of the end of a font face statement.
+    def end_font_face #:nodoc:
+    end
+
+    # Notification of the beginning of a rule statement.
+    def start_selector(selectors)
+      count = 0
+      selectors.each do |s|
+        name = s.to_css
+        valid = false
+        begin
+          @validator.valid_selector?(name,s)
+          valid = true
+        rescue Exception => e
+          if @inline
+            @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_SELECTOR_NOTFOUND,@tag,name)
+          else
+            @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_SELECTOR_NOTFOUND,@tag,name)
+          end
+        
+        end
+        if valid
+          if count > 0
+            clean << ", "
+          end
+          clean << name
+          count += 1
+        else
+          # not allowed selector
+          if @inline
+            @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_SELECTOR_DISALLOWED,@tag,name)
+          else
+            @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_SELECTOR_DISALLOWED,@tag,name)
+          end
+        end
+      end
+      if count > 0
+        clean << " {\n"
+        @selector_open = true
+      end
+    end
+
+    # Notification of the end of a rule statement.
+    def end_selector(selectors)
+      if @selector_open
+        clean << "}\n"
+      end
+      @selector_open = false
+    end
+
+    # Notification of a declaration.
+    def property(name, value, important)      
+      return unless @selector_open and @inline
+      if @validator.valid_property?(name,value)
+        clean << "\t" unless @inline
+        clean << "#{name}:"
+        value.each do |v|
+          clean << " #{v.to_s}"
+        end
+        clean << ";"
+        clean << "\n" unless @inline
+      else
+        cval = value.to_s
+        if @inline
+          @errors << ScanMessage.new(ScanMessage::ERROR_CSS_TAG_PROPERTY_INVALID,@tag,name,cval)
+        else
+          @errors << ScanMessage.new(ScanMessage::ERROR_STYLESHEET_PROPERTY_INVALID,@tag,name,cval)
+        end        
+      end
+      
+    end
+  end
+end

data/lib/antisamy/css/css_scanner.rb

@@ -0,0 +1,84 @@
+require 'open-uri'
+module AntiSamy
+  # Css Scanner class
+  class CssScanner
+    attr_accessor :policy, :errors
+    # Create a scanner with a given policy
+    def initialize(policy)
+      @policy = policy
+      @errors = []
+    end
+    # Scan the input using the provided input and output encoding
+    # will raise an error if nil input or the maximum input size is exceeded
+    def scan_inline(a_value,name,max_input)
+      return scan_sheet("#{name} { #{a_value} }",max_input,name)
+    end
+
+    def scan_sheet(input,limit,tag = nil)
+      raise ArgumentError if input.nil?
+      raise ScanError, "Max input Exceeded #{input.size} > #{limit}" if input.size > limit
+      space_remaining = limit - input.size
+      # check poilcy stuff
+      if input =~ /^\s*<!\[CDATA\[(.*)\]\]>\s*$/
+        input = $1
+      end
+      # validator needs token sizes
+      filter = CssFilter.new(@policy,tag)
+      parser = RSAC::Parser.new(filter)
+      parser.error_handler = filter
+      parser.logger = filter
+      parser.parse(input)
+      # Populate the results
+      results = ScanResults.new(Time.now)
+      if @policy.directive(Policy::USE_XHTML)
+        result.clean_html = "<![CDATA[#{filter.clean}]]>"
+      else
+        results.clean_html = filter.clean
+      end
+      results.messages = filter.errors
+      # check for style sheets
+      sheets = filter.style_sheets
+      max_sheets = @policy.directive(Policy::MAX_SHEETS).to_i
+      max_sheets ||= 1
+      import_sheets = 0
+      if sheets.size > 0
+        timeout = 1000
+        if @policy.directive(Policy::CONN_TIMEOUT)
+          timeout = @policy.directive(Policy::CONN_TIMEOUT).to_i
+        end
+        timeout /= 1000
+        sheets.each do |sheet|
+          sheet_content = ''
+          begin
+            open(sheet,{:read_timeout => timeout}) do |f|
+              sheet_content = f.read(space_remaining)
+            end
+            space_remaining -= sheet_content.size
+            if import_sheets > max_sheets
+              # skip any remaing sheets if we exceeded the import count
+              results.messages << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_EXCEEDED,"@import",sheet)
+              break;
+            end
+            
+            if sheet_content.size > 0
+              #r = scan_sheet(sheet_content,space_remaining)
+              parser.parse(sheet_content)
+              #results.messages << r.messages
+              #results.messages.flatten!
+              import_sheets += 1
+            end
+            
+            if space_remaining <= 0 or sheet_content.empty?
+              results.messages << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_INPUT_SIZE,"@import",sheet)
+              break
+            end
+          rescue Exception => e
+            results.messages << ScanMessage.new(ScanMessage::ERROR_CSS_IMPORT_FAILURE,"@import",sheet)
+          end
+          # check the sheet rules
+        end
+      end      
+      results
+    end
+  end
+end

data/lib/antisamy/css/css_validator.rb

@@ -0,0 +1,129 @@
+module AntiSamy
+  class CssValidator
+    
+    def initialize(policy)
+      @policy = policy
+    end
+    
+    # Check to see if this selector is valid according to the policy
+    def valid_selector?(name,selector)
+      #puts selector.inspect
+      return false if selector.nil?
+      case selector.selector_type
+      when :SAC_CHILD_SELECTOR
+        return valid_selector?(name,selector.selector) && valid_selector?(name,selector.ancestor)
+      when :SAC_CONDITIONAL_SELECTOR
+        return valid_selector?(name,selector.selector) && valid_condition?(name,selector.condition)
+      when :SAC_DESCENDANT_SELECTOR
+        return valid_selector?(name,selector.selector) && valid_selector?(name,selector.ancestor)
+      when :SAC_ELEMENT_NODE_SELECTOR
+        return valid_simple_selector(selector)
+      when :SAC_DIRECT_ADJACENT_SELECTOR
+        return valid_selector?(name,selector.selector) && valid_selector?(name,selector.sibling)
+      when :SAC_ANY_NODE_SELECTOR
+        return valid_simple_selector(selector)
+      else
+        raise ScanError, name
+      end
+    end
+    
+    # Validate a simple selector
+    def valid_simple_selector(selector) #:nodoc:
+      valid = false
+      inclusion = @policy.expression("cssElementSelector")
+      exclusion = @policy.expression("cssElementExclusion")
+      begin
+        css = selector.to_css
+        valid = (css =~ inclusion) and (css !~ exclusion)
+      rescue Exception=> e
+      end
+      valid     
+    end
+    
+    # Check if a given condition is valid according to the policy
+    def valid_condition?(name,condition)
+      type = condition.condition_type
+      case type
+      when :SAC_AND_CONDITION
+        a = condition.first
+        b = condition.second
+        return valid_condition?(name,a) && valid_condition?(name,b)
+      when :SAC_CLASS_CONDITION
+        inclusion = @policy.expression("cssClassSelector")
+        exclusion = @policy.expression("cssClassExclusion")
+        return validate_condition(condition,inclusion,exclusion)
+      when :SAC_ID_CONDITION
+        inclusion = @policy.expression("cssIDSelector")
+        exclusion = @policy.expression("cssIDExclusion")
+        return validate_condition(condition,inclusion,exclusion)
+      when :SAC_PSEUDO_CLASS_CONDITION
+        inclusion = @policy.expression("cssPseudoElementSelector")
+        exclusion = @policy.expression("cssPsuedoElementExclusion")
+        return validate_condition(condition,inclusion,exclusion)
+      when :SAC_ONE_OF_ATTRIBUTE_CONDITION
+        inclusion = @policy.expression("cssAttributeSelector")
+        exclusion = @policy.expression("cssAttributeExclusion")
+        return validate_condition(condition,inclusion,exclusion)
+      when :SAC_ATTRIBUTE_CONDITION
+        inclusion = @policy.expression("cssAttributeSelector")
+        exclusion = @policy.expression("cssAttributeExclusion")
+        return validate_condition(condition,inclusion,exclusion)
+      when :SAC_BEGIN_HYPHEN_ATTRIBUTE_CONDITION
+        inclusion = @policy.expression("cssAttributeSelector")
+        exclusion = @policy.expression("cssAttributeExclusion")
+        return validate_condition(condition,inclusion,exclusion)      
+      else
+        raise ScanError, name
+      end
+    end
+    
+    # validate the actual condition
+    def validate_condition(condition,inclusion,exclusion) #:nodoc:
+      valid = false
+      begin
+        css = condition.to_css
+        valid = (css =~ inclusion) and (css !~ exclusion)
+      rescue Exception=> e
+      end
+      valid
+    end
+    
+    # Validate each property value according to teh policy
+    def valid_property?(name,value)
+      prop = @policy.property(name) unless name.nil?
+      return false if prop.nil?
+      value.each do |prop_value|
+        v = prop_value.string_value
+        return false unless validate_value(prop,v)
+      end
+      return true
+    end
+    
+    # is this a valid property value
+    def validate_value(property,value) #:nodoc:
+      valid = false
+      # Check static strings
+      property.values.each do |al_val|
+        valid = true if al_val.downcase.eql?(value.downcase)
+      end
+      # Check regular expressions
+      unless valid
+        property.expressions.each do |xp_val|
+          valid = true if value =~ xp_value
+        end
+      end
+      # check short hand
+      unless valid
+        property.refs.each do |ref|
+          real = @policy.property(ref)
+          if real
+            valid = validate_value(real,value)
+          end
+        end
+      end
+      # We will check media above.
+      return valid
+    end
+    
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb

@@ -0,0 +1,50 @@
+module RSAC
+  module Conditions
+    class AttributeCondition < Condition
+      attr_accessor :local_name, :value, :specified
+      alias :specified? :specified
+
+      class << self
+        def build(name, raw)
+          condition, value = raw
+          case condition
+          when "~="
+            OneOfCondition.new(name, value)
+          when "|="
+            BeginHyphenCondition.new(name, value)
+          else
+            AttributeCondition.new(name, value, true)
+          end
+        end
+      end
+
+      def initialize(local_name, value, specified, condition_type=:SAC_ATTRIBUTE_CONDITION)
+        super(condition_type)
+        @local_name = local_name
+        @value = value
+        @specified = specified
+      end
+
+      def to_css
+        "[#{local_name}#{value && "=#{value}"}]"
+      end
+
+      def to_xpath
+        "[@#{local_name}#{value && "='#{value}'"}]"
+      end
+
+      def specificity
+        [0, 0, 1, 0]
+      end
+
+      def ==(other)
+        super && local_name == other.local_name && value == other.value &&
+        specified == other.specified
+      end
+
+      def hash
+        [local_name, value, specified].hash
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb

@@ -0,0 +1,18 @@
+module RSAC
+  module Conditions
+    class BeginHyphenCondition < AttributeCondition
+
+      def initialize(local_name, value)
+        super(local_name, value, true, :SAC_BEGIN_HYPHEN_ATTRIBUTE_CONDITION)
+      end
+
+      def to_css
+        "[#{local_name}|=#{value}]"
+      end
+
+      def to_xpath
+        "[contains(@#{local_name}, '#{value}')]"
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb

@@ -0,0 +1,18 @@
+module RSAC
+  module Conditions
+    class ClassCondition < AttributeCondition
+
+      def initialize(klass)
+        super("class", klass, true, :SAC_CLASS_CONDITION)
+      end
+
+      def to_css
+        ".#{value}"
+      end
+
+      def to_xpath
+        "[contains(@#{local_name}, '#{value}')]"
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb

@@ -0,0 +1,36 @@
+module RSAC
+  module Conditions
+    class CombinatorCondition < Condition
+      attr_accessor :first_condition, :second_condition
+      alias :first :first_condition
+      alias :second :second_condition
+
+      def initialize(first, second)
+        super(:SAC_AND_CONDITION)
+
+        @first_condition = first
+        @second_condition = second
+      end
+
+      def to_css
+        "#{first.to_css}#{second.to_css}"
+      end
+
+      def to_xpath
+        "#{first.to_xpath}#{second.to_xpath}"
+      end
+
+      def specificity
+        first.specificity.zip(second.specificity).map { |x,y| x + y }
+      end
+
+      def ==(other)
+        super && first == other.first && second == other.second
+      end
+
+      def hash
+        [first, second].hash
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb

@@ -0,0 +1,29 @@
+module RSAC
+  module Conditions
+    class Condition
+
+      attr_accessor :condition_type
+
+      def initialize(condition_type)
+        @condition_type = condition_type
+      end
+
+      def ==(other)
+        self.class === other && condition_type == other.condition_type
+      end
+
+      def hash
+        condition_type.hash
+      end
+
+      def eql?(other)
+        self == other
+      end
+
+      def to_css
+        nil
+      end
+
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb

@@ -0,0 +1,23 @@
+module RSAC
+  module Conditions
+    class IDCondition < AttributeCondition
+
+      def initialize(id)
+        id = id[1..id.size] if id[0] == ?#
+        super("id", id, true, :SAC_ID_CONDITION)
+      end
+
+      def to_css
+        "##{value}"
+      end
+
+      def to_xpath
+        "[@id='#{value}']"
+      end
+
+      def specificity
+        [0, 1, 0, 0]
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb

@@ -0,0 +1,18 @@
+module RSAC
+  module Conditions
+    class OneOfCondition < AttributeCondition
+
+      def initialize(local_name, value)
+        super(local_name, value, true, :SAC_ONE_OF_ATTRIBUTE_CONDITION)
+      end
+
+      def to_css
+        "[#{local_name}~=#{value}]"
+      end
+
+      def to_xpath
+        "[contains(@#{local_name}, '#{value}')]"
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb

@@ -0,0 +1,20 @@
+module RSAC
+  module Conditions
+    class PseudoClassCondition < AttributeCondition
+      def initialize(pseudo_class)
+        super(nil, pseudo_class, false, :SAC_PSEUDO_CLASS_CONDITION)
+      end
+
+      def to_css
+        ":#{value}"
+      end
+
+      def to_xpath
+      end
+
+      def specificity
+        [0, 0, 0, 0]
+      end
+    end
+  end
+end

data/lib/antisamy/csspool/rsac/sac/conditions.rb

@@ -0,0 +1,5 @@
+require "antisamy/csspool/rsac/sac/conditions/condition"
+
+%w(attribute begin_hyphen class combinator id one_of pseudo_class).each do |type|
+  require "antisamy/csspool/rsac/sac/conditions/#{type}_condition"
+end