emk-safe_erb 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Rakefile +1 -1
- data/lib/safe_erb/action_view_extensions.rb +12 -14
- data/lib/safe_erb/common.rb +6 -0
- data/lib/safe_erb/erb_extensions.rb +12 -1
- data/test/safe_erb_test.rb +25 -6
- metadata +2 -2
data/Rakefile
CHANGED
|
@@ -6,7 +6,7 @@ require 'rake/rdoctask'
|
|
|
6
6
|
require 'rake/gempackagetask'
|
|
7
7
|
|
|
8
8
|
GEM = "safe_erb"
|
|
9
|
-
GEM_VERSION = "0.1.
|
|
9
|
+
GEM_VERSION = "0.1.2"
|
|
10
10
|
SUMMARY = "Automatically detect improperty-escaped text in ERB templates"
|
|
11
11
|
AUTHORS = ["Shinya Kasatani", "Matthew Bass", "Eric Kidd"]
|
|
12
12
|
EMAIL = "git@randomhacks.net"
|
|
@@ -1,20 +1,18 @@
|
|
|
1
1
|
module ActionView
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
else
|
|
13
|
-
compile_without_safe_erb template
|
|
2
|
+
Renderable.class_eval do
|
|
3
|
+
def compiled_source_with_safe_erb
|
|
4
|
+
# This helps make new-style ActionMailer text templates do the
|
|
5
|
+
# right thing automatically. We will probably want to extend this
|
|
6
|
+
# to other kinds of templates eventually.
|
|
7
|
+
if filename.to_s =~ /\.text\.plain\.erb\z/
|
|
8
|
+
compiled_source_without_safe_erb
|
|
9
|
+
else
|
|
10
|
+
::ERB.with_checking_tainted do
|
|
11
|
+
compiled_source_without_safe_erb
|
|
14
12
|
end
|
|
15
13
|
end
|
|
16
|
-
|
|
17
|
-
alias_method_chain :compile, :safe_erb
|
|
18
14
|
end
|
|
15
|
+
|
|
16
|
+
alias_method_chain :compiled_source, :safe_erb
|
|
19
17
|
end
|
|
20
18
|
end
|
data/lib/safe_erb/common.rb
CHANGED
|
@@ -4,6 +4,12 @@ require 'erb'
|
|
|
4
4
|
require 'action_controller'
|
|
5
5
|
require 'action_view'
|
|
6
6
|
|
|
7
|
+
# TODO - RAILS_ROOT is improperly escaped in the standard error template
|
|
8
|
+
# that you see in development mode. We need to fix this in Edge Rails
|
|
9
|
+
# if it hasn't been fixed already. Since it isn't under the control of
|
|
10
|
+
# remote users, we're just going to go ahead and untaint it for now.
|
|
11
|
+
RAILS_ROOT.untaint if defined?(RAILS_ROOT)
|
|
12
|
+
|
|
7
13
|
class ActionController::Base
|
|
8
14
|
# Object#taint is set when the request comes from FastCGI or WEBrick,
|
|
9
15
|
# but it is not set in Mongrel and also functional / integration testing
|
|
@@ -2,7 +2,7 @@ class ERB
|
|
|
2
2
|
# Should we check for tainted values when building ERB templates?
|
|
3
3
|
def self.check_tainted?
|
|
4
4
|
value = Thread.current[:safe_erb_check_tainted]
|
|
5
|
-
value.nil? ?
|
|
5
|
+
value.nil? ? false : value
|
|
6
6
|
end
|
|
7
7
|
|
|
8
8
|
# Turn ERB taint-checking on and off.
|
|
@@ -10,6 +10,17 @@ class ERB
|
|
|
10
10
|
Thread.current[:safe_erb_check_tainted] = value
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
+
# Enable taint checks within the specified block.
|
|
14
|
+
def self.with_checking_tainted #:yield:
|
|
15
|
+
saved_value = ERB.check_tainted?
|
|
16
|
+
ERB.check_tainted = true
|
|
17
|
+
begin
|
|
18
|
+
yield
|
|
19
|
+
ensure
|
|
20
|
+
ERB.check_tainted = saved_value
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
13
24
|
# Skip taint checks within the specified block.
|
|
14
25
|
def self.without_checking_tainted #:yield:
|
|
15
26
|
saved_value = ERB.check_tainted?
|
data/test/safe_erb_test.rb
CHANGED
|
@@ -2,19 +2,38 @@ require File.expand_path(File.dirname(__FILE__) + '/test_helper')
|
|
|
2
2
|
|
|
3
3
|
class SafeERBTest < Test::Unit::TestCase
|
|
4
4
|
def test_non_checking
|
|
5
|
-
ERB.
|
|
6
|
-
|
|
7
|
-
eval(src)
|
|
8
|
-
end
|
|
5
|
+
src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
|
|
6
|
+
eval(src)
|
|
9
7
|
end
|
|
10
8
|
|
|
11
9
|
def test_checking
|
|
12
|
-
|
|
13
|
-
|
|
10
|
+
ERB.with_checking_tainted do
|
|
11
|
+
src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
|
|
12
|
+
assert_raise(RuntimeError) { eval(src) }
|
|
13
|
+
end
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
def test_checking_non_tainted
|
|
17
17
|
src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
|
|
18
18
|
eval(src)
|
|
19
19
|
end
|
|
20
|
+
|
|
21
|
+
def use_template file
|
|
22
|
+
path = File.join(File.dirname(__FILE__), file)
|
|
23
|
+
@template = ActionView::Template.new(path)
|
|
24
|
+
@view = ActionView::Base.new
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def test_should_protect_html_templates
|
|
28
|
+
use_template 'safe_erb_template.html.erb'
|
|
29
|
+
assert_raise ActionView::TemplateError do
|
|
30
|
+
@template.render_template(@view, :var => 'foo'.taint)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def test_should_not_protect_text_plain_templates
|
|
35
|
+
# This makes some ActionMailer templates work out of the box.
|
|
36
|
+
use_template 'safe_erb_template.text.plain.erb'
|
|
37
|
+
assert_equal "foo\n", @template.render_template(@view, :var => 'foo')
|
|
38
|
+
end
|
|
20
39
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: emk-safe_erb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Shinya Kasatani
|
|
@@ -11,7 +11,7 @@ autorequire:
|
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
13
|
|
|
14
|
-
date: 2008-12-
|
|
14
|
+
date: 2008-12-20 00:00:00 -08:00
|
|
15
15
|
default_executable:
|
|
16
16
|
dependencies: []
|
|
17
17
|
|