antisamy 0.0.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. data/README.rdoc +6 -1
  2. data/lib/antisamy/css/css_filter.rb +187 -0
  3. data/lib/antisamy/css/css_scanner.rb +84 -0
  4. data/lib/antisamy/css/css_validator.rb +129 -0
  5. data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb +50 -0
  6. data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb +18 -0
  7. data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb +18 -0
  8. data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb +36 -0
  9. data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb +29 -0
  10. data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb +23 -0
  11. data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb +18 -0
  12. data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb +20 -0
  13. data/lib/antisamy/csspool/rsac/sac/conditions.rb +5 -0
  14. data/lib/antisamy/csspool/rsac/sac/document_handler.rb +66 -0
  15. data/lib/antisamy/csspool/rsac/sac/error_handler.rb +13 -0
  16. data/lib/antisamy/csspool/rsac/sac/generated_parser.rb +1012 -0
  17. data/lib/antisamy/csspool/rsac/sac/generated_property_parser.rb +9284 -0
  18. data/lib/antisamy/csspool/rsac/sac/lexeme.rb +27 -0
  19. data/lib/antisamy/csspool/rsac/sac/lexical_unit.rb +201 -0
  20. data/lib/antisamy/csspool/rsac/sac/parse_exception.rb +4 -0
  21. data/lib/antisamy/csspool/rsac/sac/parser.rb +109 -0
  22. data/lib/antisamy/csspool/rsac/sac/property_parser.rb +44 -0
  23. data/lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb +36 -0
  24. data/lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb +45 -0
  25. data/lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb +36 -0
  26. data/lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb +35 -0
  27. data/lib/antisamy/csspool/rsac/sac/selectors/selector.rb +25 -0
  28. data/lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb +35 -0
  29. data/lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb +21 -0
  30. data/lib/antisamy/csspool/rsac/sac/selectors.rb +5 -0
  31. data/lib/antisamy/csspool/rsac/sac/token.rb +25 -0
  32. data/lib/antisamy/csspool/rsac/sac/tokenizer.rb +185 -0
  33. data/lib/antisamy/csspool/rsac/sac.rb +14 -0
  34. data/lib/antisamy/csspool/rsac/stylesheet/rule.rb +20 -0
  35. data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb +76 -0
  36. data/lib/antisamy/csspool/rsac/stylesheet.rb +3 -0
  37. data/lib/antisamy/csspool/rsac.rb +1 -0
  38. data/lib/antisamy/html/handler.rb +4 -0
  39. data/lib/antisamy/html/sax_filter.rb +49 -33
  40. data/lib/antisamy/html/scanner.rb +1 -43
  41. data/lib/antisamy/policy.rb +8 -3
  42. data/lib/antisamy/scan_results.rb +68 -0
  43. data/lib/antisamy.rb +4 -0
  44. data/spec/antisamy_spec.rb +111 -3
  45. metadata +39 -3
@@ -2,7 +2,9 @@ require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
2
2
 
3
3
  module AntiSamy
4
4
  describe AntiSamy do
5
- let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy.xml"}
5
+ let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-testing.xml"}
6
+ let(:strict_policy) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-anythinggoes.xml"}
7
+ let(:policy_object) {AntiSamy.policy(policy_file)}
6
8
 
7
9
  it "should load a policy" do
8
10
  p = AntiSamy.policy(policy_file)
@@ -17,12 +19,118 @@ module AntiSamy
17
19
  end
18
20
 
19
21
  it "should tak our input and remove the script tags" do
20
- input = "<p>Hi</p><script> some junk</script>"
22
+ input = "<p style='font-size: 16px'>Hi</p><script> some junk</script>"
21
23
  expec = "<p>Hi</p>"
22
24
  p = AntiSamy.policy(policy_file)
23
25
  r = AntiSamy.scan(input,p)
24
26
  r.clean_html.should == expec
27
+ r.messages.size.should == 2 # error 1 for script tag, error 2 for style tag
25
28
  end
26
-
29
+
30
+ # Script attacks
31
+ {
32
+ "test<script>alert(document.cookie)</script>" => "script",
33
+ "<<<><<script src=http://fake-evil.ru/test.js>" => "<script",
34
+ "<script<script src=http://fake-evil.ru/test.js>>" => "<script",
35
+ "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "<script",
36
+ '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>' => "onload",
37
+ "<BODY ONLOAD=alert('XSS')>" => "alert",
38
+ "<iframe src=http://ha.ckers.org/scriptlet.html <" => "<iframe",
39
+ "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">" => "src"
40
+ }.each_pair do |k,v|
41
+ it "should remove #{v} from #{k} for script attacks" do
42
+ r = AntiSamy.scan(k,policy_object)
43
+ r.clean_html.should_not include(v)
44
+ end
45
+ end
46
+
47
+ #Image Attacks
48
+ {
49
+ "<img src='http://www.myspace.com/img.gif'>"=>"<img",
50
+ "<img src=javascript:alert(document.cookie)>"=>"<img",
51
+ "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"=>"<img",
52
+ "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>" => "&amp;",
53
+ "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"=>"&amp;",
54
+ "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">" => "alert",
55
+ "<IMG SRC=\"javascript:alert('XSS')\"" => "javascript",
56
+ "<IMG LOWSRC=\"javascript:alert('XSS')\">"=>"javascript",
57
+ "<BGSOUND SRC=\"javascript:alert('XSS');\">"=>"javascript",
58
+ }.each_pair do |k,v|
59
+ it "should remove #{v} from #{k} for image attacks" do
60
+ r = AntiSamy.scan(k,policy_object)
61
+ r.clean_html.should_not include(v)
62
+ end
63
+ end
64
+
65
+ # Css attacks
66
+ {
67
+ "<div style=\"position:absolute\">" => "position",
68
+ "<style>b { position:absolute }</style>" => "position",
69
+ "<div style=\"z-index:25\">" => "z-index",
70
+ "<style>z-index:25</style>" => "z-index",
71
+ "<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family"
72
+ }.each_pair do |k,v|
73
+ it "should remove #{v} from #{k} for CSS attacks" do
74
+ r = AntiSamy.scan(k,policy_object)
75
+ r.clean_html.should_not include(v)
76
+ end
77
+ end
78
+
79
+ #href attacks
80
+ {
81
+ "<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" => "href",
82
+ "<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">" => "href",
83
+ "<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>" => "ha.ckers",
84
+ "<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "ha.ckers",
85
+ "<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "xss",
86
+ "<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS" => "javascript",
87
+ "<IMG SRC='vbscript:msgbox(\"XSS\")'>" => "vbscript",
88
+ "<a . href=\"http://www.test.com\">" => "href",
89
+ "<a - href=\"http://www.test.com\">" => "href",
90
+ "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">" => "meta",
91
+ "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">" => "meta",
92
+ "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">" => "meta",
93
+ "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>" => "iframe",
94
+ "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>" => "javascript",
95
+ "<TABLE BACKGROUND=\"javascript:alert('XSS')\">" => "background",
96
+ "<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">" => "background",
97
+ "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" => "javascript",
98
+ "<DIV STYLE=\"width: expression(alert('XSS'));\">" => "alert",
99
+ "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">" => "alert",
100
+ "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>" => "alert",
101
+ "<BASE HREF=\"javascript:alert('XSS');//\">" => "javascript",
102
+ "<BaSe hReF=\"http://arbitrary.com/\">" => "base",
103
+ "<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>" => "object",
104
+ "<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>" => "object",
105
+ "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
106
+ "<EMBED SRC=\" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
107
+ "<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
108
+ "<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
109
+ "<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
110
+ "<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
111
+ "<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
112
+ "<SCRIPT SRC=http://ha.ckers.org/xss.js" => "script",
113
+ "<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>" => "style",
114
+ "<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>" => "calc.exe",
115
+ "<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->" => "javascript",
116
+ "<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">" => "<a style=",
117
+ "<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>" => "href",
118
+ "<b><i>Some Text</b></i>" => "<i />",
119
+ "<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family",
120
+ "<style type=\"text/css\"><![CDATA[P { margin-bottom: 0.08in; } ]]></style>" => "margin"
121
+
122
+ }.each_pair do |k,v|
123
+ it "should remove #{v} from #{k} for href attacks" do
124
+ r = AntiSamy.scan(k,policy_object)
125
+ r.clean_html.should_not include(v)
126
+ end
127
+ end
128
+
129
+ it "shoud import some stylesheets" do
130
+ input = "<style>@import url(http://www.owasp.org/skins/monobook/main.css);@import url(http://www.w3schools.com/stdtheme.css);@import url(http://www.google.com/ig/f/t1wcX5O39cc/ig.css); </style>"
131
+ r = AntiSamy.scan(input,policy_object)
132
+ r.clean_html.should_not be_empty
133
+ end
134
+
27
135
  end
28
136
  end
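Review bot: The href-attack table contains the same hash key twice — the `<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>` input appears once mapped to "ha.ckers" and once to "xss" — and a Ruby hash literal keeps only the last duplicate (with a "duplicated key" warning), so the "ha.ckers" example is silently never generated. Letting a value hold several needles fixes this without restructuring the table: `"<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => %w[ha.ckers xss],` together with `Array(v).each { |needle| r.clean_html.should_not include(needle) }` in the example body. The `should_not include(v)` checks are also plain case-sensitive substring tests, so a sanitizer output that preserved an attacker's original casing (e.g. `JAVASCRIPT:`) would still pass; comparing `r.clean_html.downcase` against a lowercased needle would tighten them. Separately, `strict_policy` (antisamy-anythinggoes.xml) is defined in the first hunk but no example in this file uses it, and the last example's description has a typo (`"shoud import some stylesheets"`). The `describe` and `module` blocks are both closed inside the hunk.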
metadata CHANGED
@@ -2,7 +2,7 @@
2
2
  name: antisamy
3
3
  version: !ruby/object:Gem::Version
4
4
  prerelease:
5
- version: 0.0.1
5
+ version: 0.2.0
6
6
  platform: ruby
7
7
  authors:
8
8
  - Sal Scotto
@@ -10,7 +10,7 @@ autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
12
 
13
- date: 2011-03-07 00:00:00 -05:00
13
+ date: 2011-03-14 00:00:00 -04:00
14
14
  default_executable:
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
@@ -112,6 +112,42 @@ extra_rdoc_files:
112
112
  - README.rdoc
113
113
  files:
114
114
  - lib/antisamy.rb
115
+ - lib/antisamy/css/css_filter.rb
116
+ - lib/antisamy/css/css_scanner.rb
117
+ - lib/antisamy/css/css_validator.rb
118
+ - lib/antisamy/csspool/rsac.rb
119
+ - lib/antisamy/csspool/rsac/sac.rb
120
+ - lib/antisamy/csspool/rsac/sac/conditions.rb
121
+ - lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb
122
+ - lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb
123
+ - lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb
124
+ - lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb
125
+ - lib/antisamy/csspool/rsac/sac/conditions/condition.rb
126
+ - lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb
127
+ - lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb
128
+ - lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb
129
+ - lib/antisamy/csspool/rsac/sac/document_handler.rb
130
+ - lib/antisamy/csspool/rsac/sac/error_handler.rb
131
+ - lib/antisamy/csspool/rsac/sac/generated_parser.rb
132
+ - lib/antisamy/csspool/rsac/sac/generated_property_parser.rb
133
+ - lib/antisamy/csspool/rsac/sac/lexeme.rb
134
+ - lib/antisamy/csspool/rsac/sac/lexical_unit.rb
135
+ - lib/antisamy/csspool/rsac/sac/parse_exception.rb
136
+ - lib/antisamy/csspool/rsac/sac/parser.rb
137
+ - lib/antisamy/csspool/rsac/sac/property_parser.rb
138
+ - lib/antisamy/csspool/rsac/sac/selectors.rb
139
+ - lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb
140
+ - lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb
141
+ - lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb
142
+ - lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb
143
+ - lib/antisamy/csspool/rsac/sac/selectors/selector.rb
144
+ - lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb
145
+ - lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb
146
+ - lib/antisamy/csspool/rsac/sac/token.rb
147
+ - lib/antisamy/csspool/rsac/sac/tokenizer.rb
148
+ - lib/antisamy/csspool/rsac/stylesheet.rb
149
+ - lib/antisamy/csspool/rsac/stylesheet/rule.rb
150
+ - lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb
115
151
  - lib/antisamy/html/handler.rb
116
152
  - lib/antisamy/html/sax_filter.rb
117
153
  - lib/antisamy/html/scanner.rb
@@ -138,7 +174,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
138
174
  requirements:
139
175
  - - ">="
140
176
  - !ruby/object:Gem::Version
141
- hash: -39737283441268027
177
+ hash: -3694882257398018241
142
178
  segments:
143
179
  - 0
144
180
  version: "0"