artmotion-xss_shield 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2007 Trampoline Systems
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,76 @@
+FIXME: THIS README IS NOT UP-TO-DATE.
+
+This plugin provides XSS protection for views coded in HAML and RHTML.
+
+ERB templates are sometimes used for HTML, and sometimes for
+other kinds of languages (SQL, email templates, YAML etc.).
+XSS Shield protects only those templates with .rhtml extension,
+leaving templates with .erb extension unprotected.
+
+=== Quick start ===
+
+Assuming you're using HAML for all your templates.
+
+* Install plugin.
+* Edit all your layout files and change:
+    = @content_for_layout
+    = yield(:foo) # Foo being usually :js or :css
+  to:
+    = @content_for_layout.mark_as_xss_protected
+    = yield(:foo).mark_as_xss_protected
+* By this point your application should be runnanble,
+  but might need some tweaking here and there to avoid potential
+  double-escaping.
+
+=== How it works ===
+
+It works by subclassing String into SafeString.
+When HAML engine seems a "= foo" fragment it check if result of executing "foo"
+is a SafeString. If it is - it copies it to the output, if it's anything else
+(String, Integer, nil and so on) it HTML-escapes it first.
+
+To avoid double-escaping output of h is a SafeString, as is everything you
+mark as XSS-protected.
+  = h(@foo)
+  = @foo # fully equivalent to h(@foo)
+  = "X <br /> Y".mark_as_xss_protected
+
+It would be cumbersome to require mark_as_xss_protected every time you use
+some helper like render :partial or link_to, so some helpers are modified
+to return SafeString.
+
+  = render :partial => "foo"
+  = link_to "Bar", :action => :bar
+
+If you trust your helpers, make them as XSS-protected:
+
+  module Some::Module
+    mark_helpers_as_xss_protected :text_field, :check_box
+  end
+
+Because it is not possible to alter syntactic keywords like yield
+or instance variables like @content_for_layout to mark them automatically
+as secure, layout files need some manual tweaking.
+
+=== Other template engines ===
+
+If a templates uses some templating engine other than HAML or ERB,
+or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
+
+However some helpers like link_to and button_to are patched by XSS Shield to
+make them more secure, and this extra security will be there even when used
+in an otherwise unprotected context.
+
+For example with XSS shield
+  link_to "A & B", "/foo"
+will return (marked as safe):
+  '<a href="/foo">A &amp; B</a>'
+not (plain String):
+  '<a href="/foo">A & B</a>'
+
+Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
+If you use some alternative ERB engine it probably won't work.
+
+Adding support for alternative templating engine should be relatively straightforward.
+It's mostly a matter of changing to_s to to_s_xss_protected in a few places
+in their source.

data/init.rb

@@ -0,0 +1,16 @@
+unless ENV['DISABLE_XSS_SHIELD']
+  puts "Loading XSS Shield"
+  require 'xss_shield'
+else
+  class ::String
+    def mark_as_xss_protected
+      self
+    end
+  end
+
+  class ::NilClass
+    def mark_as_xss_protected
+      self
+    end
+  end
+end

data/lib/gem_init.rb

@@ -0,0 +1,2 @@
+# delegate to original init.rb from the plugin
+require File.dirname(__FILE__) + '/../init'

data/lib/xss_shield.rb

@@ -0,0 +1,4 @@
+require 'xss_shield/safe_string'
+require 'xss_shield/haml_hacks'
+require 'xss_shield/erb_hacks'
+require 'xss_shield/secure_helpers'

data/lib/xss_shield/erb_hacks.rb

@@ -0,0 +1,111 @@
+class XSSProtectedERB < ERB
+  class Compiler < ::ERB::Compiler
+    def compile(s)
+      out = Buffer.new(self)
+
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+	if scanner.stag.nil?
+	  case token
+          when PercentLine
+	    out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+	    content = ''
+            out.push(token.to_s)
+            out.cr
+	  when :cr
+	    out.cr
+	  when '<%', '<%=', '<%#'
+	    scanner.stag = token
+	    out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+	    content = ''
+	  when "\n"
+	    content << "\n"
+	    out.push("#{@put_cmd} #{content.dump}")
+	    out.cr
+	    content = ''
+	  when '<%%'
+	    content << '<%'
+	  else
+	    content << token
+	  end
+	else
+	  case token
+	  when '%>'
+	    case scanner.stag
+	    when '<%'
+	      if content[-1] == ?\n
+		content.chop!
+		out.push(content)
+		out.cr
+	      else
+		out.push(content)
+	      end
+	    when '<%='
+              # NOTE: Changed lines
+	      out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
+              # NOTE: End changed lines
+	    when '<%#'
+	      # out.push("# #{content.dump}")
+	    end
+	    scanner.stag = nil
+	    content = ''
+	  when '%%>'
+	    content << '%>'
+	  else
+	    content << token
+	  end
+	end
+      end
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      out.close
+      out.script
+    end
+  end
+
+  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
+    @safe_level = safe_level
+    compiler = XSSProtectedERB::Compiler.new(trim_mode)
+    set_eoutvar(compiler, eoutvar)
+    @src = compiler.compile(str)
+    @filename = nil
+  end
+end
+
+module ActionView
+  class Base
+    private
+      def create_template_source(extension, template, render_symbol, locals)
+        if template_requires_setup?(extension)
+          body = case extension.to_sym
+            when :rxml, :builder
+              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
+              "#{content_type_handler}.content_type ||= Mime::XML\n" +
+              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
+              template +
+              "\nxml.target!\n"
+            when :rjs
+              "controller.response.content_type ||= Mime::JS\n" +
+              "update_page do |page|\n#{template}\nend"
+          end
+        # NOTE: Changed lines
+        elsif extension.to_sym == :rhtml
+          body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
+        # NOTE: End changed lines
+        else
+          body = ERB.new(template, nil, @@erb_trim_mode).src
+        end
+
+        @@template_args[render_symbol] ||= {}
+        locals_keys = @@template_args[render_symbol].keys | locals
+        @@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
+
+        locals_code = ""
+        locals_keys.each do |key|
+          locals_code << "#{key} = local_assigns[:#{key}]\n"
+        end
+
+        "def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
+      end
+  end
+end

data/lib/xss_shield/haml_hacks.rb

@@ -0,0 +1,42 @@
+raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
+
+module Haml
+  class Engine
+    def push_script(text, flattened)
+      unless options[:suppress_eval]
+        push_silent("haml_temp = #{text}", true)
+        push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
+        out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
+        if @block_opened
+          push_and_tabulate([:loud, out])
+        else
+          @precompiled << out
+        end
+      end
+    end
+
+    def build_attributes(attributes = {})
+      # We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to &apos;
+      # making ' as attribute quote not workable
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+
+  class Buffer
+    def build_attributes(attributes = {})
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+end

data/lib/xss_shield/safe_string.rb

@@ -0,0 +1,47 @@
+class SafeString < String
+  def to_s
+    self
+  end
+  def to_s_xss_protected
+    self
+  end
+end
+
+class String
+  def mark_as_xss_protected
+    SafeString.new(self)
+  end
+end
+
+class NilClass
+  def mark_as_xss_protected
+    self
+  end
+end
+
+# ERB::Util.h and (include ERB::Util; h) are different methods
+module ERB::Util
+  class <<self
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+  end
+  
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+end
+
+class Object
+  def to_s_xss_protected
+    ERB::Util.h(to_s).mark_as_xss_protected
+  end
+end
+
+class Array
+  def join_xss_protected(sep="")
+    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
+  end
+end

data/lib/xss_shield/secure_helpers.rb

@@ -0,0 +1,40 @@
+class Module
+  def mark_helpers_as_xss_protected(*ms)
+    ms.each do |m|
+      begin
+        instance_method("#{m}_with_xss_protection")
+      rescue NameError
+        define_method :"#{m}_with_xss_protection" do |*args|
+          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
+        end
+        alias_method_chain m, :xss_protection
+      end
+    end
+  end
+end
+
+class ActionView::Base
+  mark_helpers_as_xss_protected :javascript_include_tag,
+                                :stylesheet_link_tag,
+                                :render,
+                                :text_field_tag,
+                                :submit_tag,
+                                :radio_button,
+                                :text_area,
+                                :auto_discovery_link_tag,
+                                :image_tag
+
+  def link_to_with_xss_protection(text, *args)
+    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :link_to, :xss_protection
+
+  def button_to_with_xss_protection(text, *args)
+    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :button_to, :xss_protection
+end
+
+module ActionView::Helpers::FormHelper
+  mark_helpers_as_xss_protected :text_field, :check_box
+end

data/test/test_actionview_integration.rb

@@ -0,0 +1,40 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestActionViewIntegration < Test::Unit::TestCase
+  def assert_renders(expected, input, extension)
+    base = ActionView::Base.new
+    actual = base.render_template(extension, input, "foo.#{extension}")
+    assert_equal expected, actual
+  end
+
+  def test_erb
+    assert_renders <<OUT, <<IN, :erb
+A & B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+
+  def test_rhtml
+    assert_renders <<OUT, <<IN, :rhtml
+A &amp; B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+ 
+  def test_haml
+    assert_renders <<OUT, <<IN, :haml
+A &amp; B
+A & B
+OUT
+= "A & B"
+= "A & B".mark_as_xss_protected
+IN
+  end
+end

data/test/test_erb.rb

@@ -0,0 +1,44 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestERB < Test::Unit::TestCase
+  def assert_renders_erb(expected, input, shield=true)
+    erb_class = shield ? XSSProtectedERB : ERB
+
+    actual = eval(erb_class.new(input).src)
+    
+    assert_equal expected, actual
+  end
+  
+  def test_erb_with_shield
+    assert_renders_erb <<OUT, <<IN, true
+Foo &amp;amp; Bar
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+OUT
+<%= "Foo &amp; Bar"  %>
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+  
+  def test_erb_without_shield
+    assert_renders_erb <<OUT, <<IN, false
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo & Bar
+OUT
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar"  %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+end

data/test/test_haml.rb

@@ -0,0 +1,43 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHaml < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_haml_engine
+    assert_haml_renders <<OUT, <<IN
+A & B
+C &amp; D
+E &amp; F
+G & H
+I &amp; J
+OUT
+A & B
+= "C & D"
+= h("E & F")
+= "G & H".mark_as_xss_protected
+= "I & J".to_s_xss_protected
+IN
+  end
+  
+  def test_attribute_escaping_in_haml
+    @base.instance_eval {
+      @foo = "A < & > ' \" B"
+    }
+    assert_haml_renders <<OUT, <<IN
+<div foo="A &lt; &amp; &gt; ' &quot; B" />
+<div foo="A < & > ' " B" />
+OUT
+%div{:foo => @foo}/
+%div{:foo => @foo.mark_as_xss_protected}/
+IN
+    # Note that '/" explicitly marked as XSS-protected can break validity
+  end
+end

data/test/test_helpers.rb

@@ -0,0 +1,25 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHelpers < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_link_to
+    assert_haml_renders <<OUT, <<IN
+<a href="/bar">Foo</a>
+<a href="/bar">Foo &amp; Bar</a>
+<a href="/bar">Foo & Bar</a>
+OUT
+= link_to "Foo", "/bar"
+= link_to "Foo & Bar", "/bar"
+= link_to "Foo & Bar".mark_as_xss_protected, "/bar"
+IN
+  end
+end

data/test/test_safe_string.rb

@@ -0,0 +1,55 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestSafeString < Test::Unit::TestCase
+  def test_safe_string
+    assert_equal "foo", "foo".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected
+    assert_equal "foo &amp;amp; bar", "foo &amp; bar".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected.to_s_xss_protected
+    assert_equal "foo &amp; bar", h("foo & bar").to_s_xss_protected
+    assert_equal "foo &amp;amp; bar", h(h("foo & bar"))
+    
+    assert_not_equal "foo".mark_as_xss_protected.object_id, "foo".mark_as_xss_protected.object_id
+    x = "foo & bar".mark_as_xss_protected
+    assert_equal x.mark_as_xss_protected, x
+    # Not sure if this makes sense
+    assert_not_equal x.mark_as_xss_protected.object_id, x.object_id
+
+    assert_equal x.to_s, x
+    assert_equal x.to_s.object_id, x.object_id
+  end
+  
+  def test_nonstring_objects
+    assert_equal "15", 15.to_s_xss_protected
+    assert_equal SafeString, 15.to_s_xss_protected.class
+  end
+  
+  def test_nil
+    assert_equal "", nil.to_s_xss_protected
+    assert_equal SafeString, nil.to_s_xss_protected.class
+    assert_equal nil, nil.mark_as_xss_protected
+  end
+  
+  def test_join
+    assert_equal "", [].join_xss_protected
+    assert_equal "", [].join_xss_protected(",")
+    assert_equal "a", ["a"].join_xss_protected
+    assert_equal "a", ["a"].join_xss_protected(",")
+    assert_equal "ab", ["a", "b"].join_xss_protected
+    assert_equal "a,b", ["a", "b"].join_xss_protected(",")
+
+    assert_equal "a&amp;b", ["a", "b"].join_xss_protected("&")
+    assert_equal "a&amp;amp;b", ["a", "b"].join_xss_protected("&amp;")
+    assert_equal "a&amp;b", ["a", "b"].join_xss_protected("&amp;".mark_as_xss_protected)
+
+    assert_equal "&lt;&amp;&gt;", ["<", ">"].join_xss_protected("&")
+    assert_equal "&lt;&amp;amp;&gt;", ["<", ">"].join_xss_protected("&amp;")
+    assert_equal "&lt;&amp;&gt;", ["<", ">"].join_xss_protected("&amp;".mark_as_xss_protected)
+
+    assert_equal "< &amp; &gt;", ["<".mark_as_xss_protected, ">"].join_xss_protected(" & ")
+    assert_equal "&lt; &amp; >", ["<", ">".mark_as_xss_protected].join_xss_protected(" & ")
+    assert_equal "&lt; & &gt;", ["<", ">"].join_xss_protected(" & ".mark_as_xss_protected)
+  end
+end

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification 
+name: artmotion-xss_shield
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Tomasz Wegrzanowski
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-06-26 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: This plugin provides XSS protection for views coded in HAML and RHTML.  ERB templates are sometimes used for HTML, and sometimes for other kinds of languages (SQL, email templates, YAML etc.). XSS Shield protects only those templates with .rhtml extension, leaving templates with .erb extension unprotected.
+email: ""
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- MIT-LICENSE
+- README
+- init.rb
+- lib/xss_shield
+- lib/xss_shield/safe_string.rb
+- lib/xss_shield/haml_hacks.rb
+- lib/xss_shield/erb_hacks.rb
+- lib/xss_shield/secure_helpers.rb
+- lib/gem_init.rb
+- lib/xss_shield.rb
+- test/test_helpers.rb
+- test/test_actionview_integration.rb
+- test/test_erb.rb
+- test/test_haml.rb
+- test/test_safe_string.rb
+has_rdoc: false
+homepage: http://code.google.com/p/xss-shield/
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().
+test_files: 
+- test/test_helpers.rb
+- test/test_actionview_integration.rb
+- test/test_erb.rb
+- test/test_haml.rb
+- test/test_safe_string.rb