emk-safe_erb 0.1.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2006 Shinya Kasatani
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,37 @@
+= Safe ERB
+
+== Overview
+
+Safe ERB lets you make sure that the string written by "<%= %>" in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using "h" method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.
+
+The check is done using "tainted?" method in Object class which is a standard feature provided by Ruby - the string is "tainted" when it is read from IO. When ERB::Util#h method is called, this plugin "untaints" the string, and when "<%= %>" is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.
+
+== About this version of Safe ERB
+
+This fork of Safe ERB has been modified to work with Mephisto under Rails 2.2.  It may work with other Rails applications.  Patches are welcome!
+
+== Installation
+
+Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.
+
+This version of Safe ERB has been tested with Mephisto under Rails 2.2.  It has been tested with SQLite3, and there's a decent chance it should work with PostgreSQL and MySQL (and any other database which properly taints the data returned from the database).
+
+== Details
+
+The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.
+
+The returned values from the following methods become untainted:
+
+- ERB::Util#h
+- ActionView::Helpers::TagHelper#escape
+- ActionView::Helpers::TextHelper#strip_tags
+
+Also, you can always untaint any string manually by calling "untaint" method (standard Ruby feature).
+
+Several ActionView helpers have also been modified to untaint their return values.  This is a temporary measure to get things working with Mephisto. See the source for details.
+
+== Contact
+
+The orignal safe_erb plugin was written by Shinya Kasatani <kasatani at gmail.com>.
+
+This forked version was written by Eric Kidd, based on work by Matthew Bass.

data/Rakefile

@@ -0,0 +1,63 @@
+require 'rubygems'
+require 'rubygems/specification'
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+require 'rake/gempackagetask'
+
+GEM = "safe_erb"
+GEM_VERSION = "0.1.0"
+SUMMARY = "Automatically detect improperty-escaped text in ERB templates"
+AUTHORS = ["Shinya Kasatani", "Matthew Bass", "Eric Kidd"]
+EMAIL = "git@randomhacks.net"
+HOMEPAGE = "http://github.com/emk/safe_erb/tree/master"
+
+spec = Gem::Specification.new do |s|
+  s.name = GEM
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.summary = SUMMARY
+  s.require_paths = ['lib']
+  s.files = FileList['{lib,rails,test}/**/*.rb', '[A-Z]*'].to_a
+  
+  s.authors = AUTHORS
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+
+  s.rubyforge_project = GEM # GitHub bug, gem isn't being build when this miss
+end
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the safe_erb plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the safe_erb plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SafeERB'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+ 
+desc "Install the gem locally"
+task :install => [:package] do
+  sh %{sudo gem install pkg/#{GEM}-#{GEM_VERSION}}
+end
+ 
+desc "Create a gemspec file"
+task :make_spec do
+  File.open("#{GEM}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end

data/lib/safe_erb/action_view_extensions.rb

@@ -0,0 +1,20 @@
+module ActionView
+  module TemplateHandlers
+    class ERB < TemplateHandler
+      def compile_with_safe_erb(template)
+        # This helps make new-style ActionMailer text templates do the
+        # right thing automatically.  We will probably want to extend this
+        # to other kinds of templates eventually.
+        if template.filename.to_s =~ /\.text\.plain\.erb$/
+          ::ERB.without_checking_tainted do
+            compile_without_safe_erb template
+          end
+        else
+          compile_without_safe_erb template
+        end
+      end
+
+      alias_method_chain :compile, :safe_erb
+    end
+  end
+end

data/lib/safe_erb/common.rb

@@ -0,0 +1,51 @@
+# SafeERB
+
+require 'erb'
+require 'action_controller'
+require 'action_view'
+
+class ActionController::Base
+  # Object#taint is set when the request comes from FastCGI or WEBrick,
+  # but it is not set in Mongrel and also functional / integration testing
+  # so we'll set it anyways in the filter
+  before_filter :taint_request
+  
+  def render_with_taint_logic(*args, &blk)
+    if @skip_checking_tainted
+      ERB.without_checking_tainted do
+        render_without_taint_logic(*args, &blk)
+      end
+    else
+      render_without_taint_logic(*args, &blk)
+    end
+  end
+
+  alias_method_chain :render, :taint_logic
+
+  private
+  
+  def taint_hash(hash)
+    hash.each do |k, v|
+      case v
+      when String
+        v.taint
+      when Hash
+        taint_hash(v)
+      end
+    end
+  end
+  
+  def taint_request
+    taint_hash(params)
+    cookies.each do |k, v|
+      v.taint
+    end
+  end
+end
+
+class String
+  def concat_unless_tainted(str)
+    raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
+    concat(str)
+  end
+end

data/lib/safe_erb/erb_extensions.rb

@@ -0,0 +1,52 @@
+class ERB
+  # Should we check for tainted values when building ERB templates?
+  def self.check_tainted?
+    value = Thread.current[:safe_erb_check_tainted]
+    value.nil? ? true : value
+  end
+
+  # Turn ERB taint-checking on and off.
+  def self.check_tainted= value
+    Thread.current[:safe_erb_check_tainted] = value
+  end
+
+  # Skip taint checks within the specified block.
+  def self.without_checking_tainted #:yield:
+    saved_value = ERB.check_tainted?
+    ERB.check_tainted = false
+    begin
+      yield
+    ensure
+      ERB.check_tainted = saved_value
+    end
+  end
+  
+  alias_method :original_set_eoutvar, :set_eoutvar
+  
+  def set_eoutvar(compiler, eoutvar = '_erbout')
+    original_set_eoutvar(compiler, eoutvar)
+    if ERB.check_tainted?
+      if compiler.respond_to?(:insert_cmd)
+        compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
+      else
+        compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
+      end
+    end
+  end
+  
+  module Util
+    alias_method :html_escape_without_untaint, :html_escape
+    
+    def html_escape(s)
+      h = html_escape_without_untaint(s)
+      h.untaint
+      h
+    end
+    
+    alias_method :h, :html_escape
+    
+    module_function :h
+    module_function :html_escape
+    module_function :html_escape_without_untaint
+  end
+end

data/lib/safe_erb/rails_1.rb

@@ -0,0 +1,11 @@
+# Rails 1.x dependent code (tested on 1.2.6)
+
+module ActionView::Helpers::TextHelper
+  alias_method :strip_tags_without_untaint, :strip_tags
+  
+  def strip_tags(html)
+    str = strip_tags_without_untaint(html)
+    str.untaint
+    str
+  end
+end

data/lib/safe_erb/rails_2.rb

@@ -0,0 +1,11 @@
+# Rails 2.0 dependent code (tested on 2.0.2)
+
+module ActionView::Helpers::SanitizeHelper
+  def strip_tags_with_untaint(html)
+    str = strip_tags_without_untaint(html)
+    str.untaint
+    str
+  end
+
+  alias_method_chain :strip_tags, :untaint
+end

data/lib/safe_erb/sqlite3_fix.rb

@@ -0,0 +1,18 @@
+module SQLite3
+  class ResultSet
+    # Add taint to data returned from SQLite3 database.  This is based on a
+    # patch by Koji Shimada:
+    # http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045
+    def next_with_tainting
+      row = next_without_tainting
+      case row
+      when Hash
+        row.each {|key, value| value.taint }
+      when Array
+        row.each {|column| column.taint }
+      end
+      row
+    end
+    alias_method_chain :next, :tainting
+  end
+end

data/lib/safe_erb/tag_helper.rb

@@ -0,0 +1,29 @@
+module ActionView
+  module Helpers
+    module TagHelper
+      def escape_once_with_untaint(html)
+        escape_once_without_untaint(html).untaint
+      end
+      
+      alias_method_chain :escape_once, :untaint
+    end
+
+    module DateHelper
+      # TODO - This is almost certainly too aggressive, and it will need to
+      # be fine-tuned.
+      def datetime_select_with_untaint(*args)
+        datetime_select_without_untaint(*args).untaint
+      end
+      alias_method_chain :datetime_select, :untaint
+    end
+
+    module ActiveRecordHelper
+      # TODO - This is almost certainly too aggressive, and it will need to
+      # be fine-tuned.
+      def error_messages_for_with_untaint(*args)
+        error_messages_for_without_untaint(*args).untaint
+      end
+      alias_method_chain :error_messages_for, :untaint
+    end
+  end
+end

data/lib/safe_erb.rb

@@ -0,0 +1,16 @@
+# SafeERB
+
+require 'safe_erb/common'
+require 'safe_erb/tag_helper'
+require 'safe_erb/erb_extensions'
+require 'safe_erb/action_view_extensions'
+
+if Rails::VERSION::MAJOR >= 2
+  require 'safe_erb/rails_2'
+else
+  require 'safe_erb/rails_1'
+end
+
+if ActiveRecord::Base.connection.instance_of?(ActiveRecord::ConnectionAdapters::SQLite3Adapter)
+  require 'safe_erb/sqlite3_fix'
+end

data/rails/init.rb

@@ -0,0 +1 @@
+require_dependency 'safe_erb'

data/test/safe_erb_test.rb

@@ -0,0 +1,20 @@
+require File.expand_path(File.dirname(__FILE__) + '/test_helper')
+
+class SafeERBTest < Test::Unit::TestCase
+  def test_non_checking
+    ERB.without_checking_tainted do
+      src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
+      eval(src)
+    end
+  end
+  
+  def test_checking
+    src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
+    assert_raise(RuntimeError) { eval(src) }
+  end
+  
+  def test_checking_non_tainted
+    src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
+    eval(src)
+  end
+end

data/test/tag_helper_test.rb

@@ -0,0 +1,30 @@
+require File.expand_path(File.dirname(__FILE__) + '/test_helper')
+
+class TagHelperTest < Test::Unit::TestCase
+  include ActionView::Helpers::TagHelper
+  include ActionView::Helpers::DateHelper
+  include ActionView::Helpers::ActiveRecordHelper
+
+  def test_inclusion_in_taghelper
+    assert self.respond_to?(:escape_once_with_untaint)
+    assert self.respond_to?(:escape_once_without_untaint)
+  end
+
+  def test_taghelper_untaints
+    evil_str = "evil knievel".taint
+    assert !escape_once(evil_str).tainted?
+    assert escape_once_without_untaint(evil_str).tainted?
+  end
+
+  Post = Struct.new(:published_at)
+  def post
+    @post ||= Post.new(Time.now.taint)
+  end
+
+  def test_datetime_select_should_untaint
+    assert !datetime_select(:post, :published_at).tainted?
+  end
+
+  # TODO - Add tests for error_messages_for helper.  This is a little
+  # tricky, because we'll need an ActiveRecord::Base instance.
+end

data/test/test_helper.rb

@@ -0,0 +1,9 @@
+module Rails
+  module VERSION
+    MAJOR = 2.1
+  end
+end
+
+require 'rubygems'
+require 'test/unit'
+require 'safe_erb'

metadata

@@ -0,0 +1,69 @@
+--- !ruby/object:Gem::Specification 
+name: emk-safe_erb
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Shinya Kasatani
+- Matthew Bass
+- Eric Kidd
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-12-16 00:00:00 -08:00
+default_executable: 
+dependencies: []
+
+description: 
+email: git@randomhacks.net
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/safe_erb/action_view_extensions.rb
+- lib/safe_erb/common.rb
+- lib/safe_erb/erb_extensions.rb
+- lib/safe_erb/rails_1.rb
+- lib/safe_erb/rails_2.rb
+- lib/safe_erb/sqlite3_fix.rb
+- lib/safe_erb/tag_helper.rb
+- lib/safe_erb.rb
+- rails/init.rb
+- test/safe_erb_test.rb
+- test/tag_helper_test.rb
+- test/test_helper.rb
+- MIT-LICENSE
+- Rakefile
+- README
+has_rdoc: false
+homepage: http://github.com/emk/safe_erb/tree/master
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: safe_erb
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Automatically detect improperty-escaped text in ERB templates
+test_files: []
+