codez-tarantula 0.5.0

data/vendor/xss-shield/init.rb

@@ -0,0 +1,16 @@
+unless ENV['DISABLE_XSS_SHIELD']
+  puts "Loading XSS Shield"
+  require 'xss_shield'
+else
+  class ::String
+    def mark_as_xss_protected
+      self
+    end
+  end
+
+  class ::NilClass
+    def mark_as_xss_protected
+      self
+    end
+  end
+end

data/vendor/xss-shield/lib/xss_shield.rb

@@ -0,0 +1,6 @@
+require 'xss_shield/safe_string'
+# Tarantula doesn't use haml
+# require 'xss_shield/haml_hacks'
+# ERB hacks blow up Rails
+# require 'xss_shield/erb_hacks'
+require 'xss_shield/secure_helpers'

data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb

@@ -0,0 +1,111 @@
+class XSSProtectedERB < ERB
+  class Compiler < ::ERB::Compiler
+    def compile(s)
+      out = Buffer.new(self)
+
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+  if scanner.stag.nil?
+    case token
+          when PercentLine
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      content = ''
+            out.push(token.to_s)
+            out.cr
+    when :cr
+      out.cr
+    when '<%', '<%=', '<%#'
+      scanner.stag = token
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      content = ''
+    when "\n"
+      content << "\n"
+      out.push("#{@put_cmd} #{content.dump}")
+      out.cr
+      content = ''
+    when '<%%'
+      content << '<%'
+    else
+      content << token
+    end
+  else
+    case token
+    when '%>'
+      case scanner.stag
+      when '<%'
+        if content[-1] == ?\n
+    content.chop!
+    out.push(content)
+    out.cr
+        else
+    out.push(content)
+        end
+      when '<%='
+              # NOTE: Changed lines
+        out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
+              # NOTE: End changed lines
+      when '<%#'
+        # out.push("# #{content.dump}")
+      end
+      scanner.stag = nil
+      content = ''
+    when '%%>'
+      content << '%>'
+    else
+      content << token
+    end
+  end
+      end
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      out.close
+      out.script
+    end
+  end
+
+  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
+    @safe_level = safe_level
+    compiler = XSSProtectedERB::Compiler.new(trim_mode)
+    set_eoutvar(compiler, eoutvar)
+    @src = compiler.compile(str)
+    @filename = nil
+  end
+end
+
+module ActionView
+  class Base
+    private
+      def create_template_source(extension, template, render_symbol, locals)
+        if template_requires_setup?(extension)
+          body = case extension.to_sym
+            when :rxml, :builder
+              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
+              "#{content_type_handler}.content_type ||= Mime::XML\n" +
+              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
+              template +
+              "\nxml.target!\n"
+            when :rjs
+              "controller.response.content_type ||= Mime::JS\n" +
+              "update_page do |page|\n#{template}\nend"
+          end
+        # NOTE: Changed lines
+        elsif extension.to_sym == :rhtml
+          body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
+        # NOTE: End changed lines
+        else
+          body = ERB.new(template, nil, @@erb_trim_mode).src
+        end
+
+        @@template_args[render_symbol] ||= {}
+        locals_keys = @@template_args[render_symbol].keys | locals
+        @@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
+
+        locals_code = ""
+        locals_keys.each do |key|
+          locals_code << "#{key} = local_assigns[:#{key}]\n"
+        end
+
+        "def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
+      end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb

@@ -0,0 +1,42 @@
+raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
+
+module Haml
+  class Engine
+    def push_script(text, flattened)
+      unless options[:suppress_eval]
+        push_silent("haml_temp = #{text}", true)
+        push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
+        out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
+        if @block_opened
+          push_and_tabulate([:loud, out])
+        else
+          @precompiled << out
+        end
+      end
+    end
+
+    def build_attributes(attributes = {})
+      # We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to &apos;
+      # making ' as attribute quote not workable
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+
+  class Buffer
+    def build_attributes(attributes = {})
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/safe_string.rb

@@ -0,0 +1,47 @@
+class SafeString < String
+  def to_s
+    self
+  end
+  def to_s_xss_protected
+    self
+  end
+end
+
+class String
+  def mark_as_xss_protected
+    SafeString.new(self)
+  end
+end
+
+class NilClass
+  def mark_as_xss_protected
+    self
+  end
+end
+
+# ERB::Util.h and (include ERB::Util; h) are different methods
+module ERB::Util
+  class <<self
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+  end
+  
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+end
+
+class Object
+  def to_s_xss_protected
+    ERB::Util.h(to_s).mark_as_xss_protected
+  end
+end
+
+class Array
+  def join_xss_protected(sep="")
+    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
+  end
+end

data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb

@@ -0,0 +1,40 @@
+class Module
+  def mark_helpers_as_xss_protected(*ms)
+    ms.each do |m|
+      begin
+        instance_method("#{m}_with_xss_protection")
+      rescue NameError
+        define_method :"#{m}_with_xss_protection" do |*args|
+          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
+        end
+        alias_method_chain m, :xss_protection
+      end
+    end
+  end
+end
+
+class ActionView::Base
+  mark_helpers_as_xss_protected :javascript_include_tag,
+                                :stylesheet_link_tag,
+                                :render,
+                                :text_field_tag,
+                                :submit_tag,
+                                :radio_button,
+                                :text_area,
+                                :auto_discovery_link_tag,
+                                :image_tag
+
+  def link_to_with_xss_protection(text, *args)
+    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :link_to, :xss_protection
+
+  def button_to_with_xss_protection(text, *args)
+    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :button_to, :xss_protection
+end
+
+module ActionView::Helpers::FormHelper
+  mark_helpers_as_xss_protected :text_field, :check_box
+end

data/vendor/xss-shield/test/test_actionview_integration.rb

@@ -0,0 +1,40 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestActionViewIntegration < Test::Unit::TestCase
+  def assert_renders(expected, input, extension)
+    base = ActionView::Base.new
+    actual = base.render_template(extension, input, "foo.#{extension}")
+    assert_equal expected, actual
+  end
+
+  def test_erb
+    assert_renders <<OUT, <<IN, :erb
+A & B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+
+  def test_rhtml
+    assert_renders <<OUT, <<IN, :rhtml
+A &amp; B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+ 
+  def test_haml
+    assert_renders <<OUT, <<IN, :haml
+A &amp; B
+A & B
+OUT
+= "A & B"
+= "A & B".mark_as_xss_protected
+IN
+  end
+end

data/vendor/xss-shield/test/test_erb.rb

@@ -0,0 +1,44 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestERB < Test::Unit::TestCase
+  def assert_renders_erb(expected, input, shield=true)
+    erb_class = shield ? XSSProtectedERB : ERB
+
+    actual = eval(erb_class.new(input).src)
+    
+    assert_equal expected, actual
+  end
+  
+  def test_erb_with_shield
+    assert_renders_erb <<OUT, <<IN, true
+Foo &amp;amp; Bar
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+OUT
+<%= "Foo &amp; Bar"  %>
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+  
+  def test_erb_without_shield
+    assert_renders_erb <<OUT, <<IN, false
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo & Bar
+OUT
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar"  %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+end

data/vendor/xss-shield/test/test_haml.rb

@@ -0,0 +1,43 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHaml < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_haml_engine
+    assert_haml_renders <<OUT, <<IN
+A & B
+C &amp; D
+E &amp; F
+G & H
+I &amp; J
+OUT
+A & B
+= "C & D"
+= h("E & F")
+= "G & H".mark_as_xss_protected
+= "I & J".to_s_xss_protected
+IN
+  end
+  
+  def test_attribute_escaping_in_haml
+    @base.instance_eval {
+      @foo = "A < & > ' \" B"
+    }
+    assert_haml_renders <<OUT, <<IN
+<div foo="A &lt; &amp; &gt; ' &quot; B" />
+<div foo="A < & > ' " B" />
+OUT
+%div{:foo => @foo}/
+%div{:foo => @foo.mark_as_xss_protected}/
+IN
+    # Note that '/" explicitly marked as XSS-protected can break validity
+  end
+end

data/vendor/xss-shield/test/test_helpers.rb

@@ -0,0 +1,25 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHelpers < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_link_to
+    assert_haml_renders <<OUT, <<IN
+<a href="/bar">Foo</a>
+<a href="/bar">Foo &amp; Bar</a>
+<a href="/bar">Foo & Bar</a>
+OUT
+= link_to "Foo", "/bar"
+= link_to "Foo & Bar", "/bar"
+= link_to "Foo & Bar".mark_as_xss_protected, "/bar"
+IN
+  end
+end

data/vendor/xss-shield/test/test_safe_string.rb

@@ -0,0 +1,55 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestSafeString < Test::Unit::TestCase
+  def test_safe_string
+    assert_equal "foo", "foo".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected
+    assert_equal "foo &amp;amp; bar", "foo &amp; bar".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected.to_s_xss_protected
+    assert_equal "foo &amp; bar", h("foo & bar").to_s_xss_protected
+    assert_equal "foo &amp;amp; bar", h(h("foo & bar"))
+    
+    assert_not_equal "foo".mark_as_xss_protected.object_id, "foo".mark_as_xss_protected.object_id
+    x = "foo & bar".mark_as_xss_protected
+    assert_equal x.mark_as_xss_protected, x
+    # Not sure if this makes sense
+    assert_not_equal x.mark_as_xss_protected.object_id, x.object_id
+
+    assert_equal x.to_s, x
+    assert_equal x.to_s.object_id, x.object_id
+  end
+  
+  def test_nonstring_objects
+    assert_equal "15", 15.to_s_xss_protected
+    assert_equal SafeString, 15.to_s_xss_protected.class
+  end
+  
+  def test_nil
+    assert_equal "", nil.to_s_xss_protected
+    assert_equal SafeString, nil.to_s_xss_protected.class
+    assert_equal nil, nil.mark_as_xss_protected
+  end
+  
+  def test_join
+    assert_equal "", [].join_xss_protected
+    assert_equal "", [].join_xss_protected(",")
+    assert_equal "a", ["a"].join_xss_protected
+    assert_equal "a", ["a"].join_xss_protected(",")
+    assert_equal "ab", ["a", "b"].join_xss_protected
+    assert_equal "a,b", ["a", "b"].join_xss_protected(",")
+
+    assert_equal "a&amp;b", ["a", "b"].join_xss_protected("&")
+    assert_equal "a&amp;amp;b", ["a", "b"].join_xss_protected("&amp;")
+    assert_equal "a&amp;b", ["a", "b"].join_xss_protected("&amp;".mark_as_xss_protected)
+
+    assert_equal "&lt;&amp;&gt;", ["<", ">"].join_xss_protected("&")
+    assert_equal "&lt;&amp;amp;&gt;", ["<", ">"].join_xss_protected("&amp;")
+    assert_equal "&lt;&amp;&gt;", ["<", ">"].join_xss_protected("&amp;".mark_as_xss_protected)
+
+    assert_equal "< &amp; &gt;", ["<".mark_as_xss_protected, ">"].join_xss_protected(" & ")
+    assert_equal "&lt; &amp; >", ["<", ">".mark_as_xss_protected].join_xss_protected(" & ")
+    assert_equal "&lt; & &gt;", ["<", ">"].join_xss_protected(" & ".mark_as_xss_protected)
+  end
+end