owasp-esapi-ruby 0.30.0

data/lib/codec/xml_codec.rb

@@ -0,0 +1,173 @@
+# Implementation of the Codec interface for XML entity encoding.
+# This differes from HTML entity encoding in that only the following
+# named entities are predefined:
+# * lt
+# * gt
+# * amp
+# * apos
+# * quot
+#
+# However, the XML Specification 1.0 states in section 4.6 "Predefined
+# Entities" that these should still be declared for interoperability
+# purposes. As such, encoding in this class will not use them.
+#
+# It's also worth noting that unlike the HTMLEntityCodec, a trailing
+# semicolon is required and all valid codepoints are accepted.
+#
+# Note that it is a REALLY bad idea to use this for decoding as an XML
+# document can declare arbitrary entities that this Codec has no way
+# of knowing about. Decoding is included for completeness but it's use
+# is not recommended. Use a XML parser instead!
+
+module Owasp
+  module Esapi
+    module Codec
+      class XmlCodec < BaseCodec
+
+        def initialize
+          @longest_key = 0
+          @lookup_map = {}
+          ENTITY_MAP.each_key do |k|
+            if k.size > @longest_key
+              @longest_key += 1
+            end
+            @lookup_map[k.downcase] = k
+          end
+        end
+
+        # Encodes a Character using XML entities as necessary.
+        def encode_char(immune,input)
+          return input if immune.include?(input)
+          return input if input =~ /[a-zA-Z0-9\\t ]/
+          return "&#x#{hex(input)};"
+        end
+
+        # Returns the decoded version of the character starting at index, or
+        # nil if no decoding is possible.
+        def decode_char(input)
+          input.mark
+          result = nil
+          # check first
+          first = input.next
+          return nil if first.nil?
+          return first unless first == "&"
+          # check second
+          second = input.next
+          if second == "#"
+            result = numeric_entity(input)
+          elsif second =~ /[a-zA-Z]/
+            input.push(second)
+            result = named_entity(input)
+          else
+            input.push(second)
+            return nil
+          end
+
+          if result.nil?
+            input.reset
+          end
+          result
+        end
+
+        def numeric_entity(input) #:nodoc:
+          first = input.peek
+          return nil if first.nil?
+          if first.downcase.eql?("x")
+            input.next
+            return parse_hex(input)
+          end
+          return parse_number(input)
+        end
+
+        #  parse the hex value back to its decimal value
+        def parse_hex(input) #:nodoc:
+          result = ''
+          while input.next?
+            c = input.peek
+            if "0123456789ABCDEFabcdef".include?(c)
+              result << c
+              input.next
+            elsif c == ";"
+              input.next
+              break
+            else
+              return nil
+            end
+          end
+          begin
+            i = result.hex
+            return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+          rescue Exception => e
+          end
+          nil
+        end
+
+        #  parse a number out of the encoded value
+        def parse_number(input) #:nodoc:
+          result = ''
+          missing_semi = true
+          while input.next?
+            c = input.peek
+            if c =~ /\d/
+              result << c
+              input.next
+            elsif c == ';'
+              input.next
+              break;
+            elsif not c =~ /\d/
+              return nil
+            else
+              break;
+            end
+          end
+
+          begin
+            i = result.to_i
+            return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+          rescue Exception => e
+          end
+          nil
+        end
+
+        #  extract the named entity fromt he input
+        # we convert the entity to the real character i.e. &amp; becoems &
+        def named_entity(input) #:nodoc:
+          possible = ''
+          len = min(input.remainder.size,@longest_key+1)
+          found_key = false
+          last_possible = ''
+          for i in 0..len do
+            possible << input.next if input.next?
+            # we have to find the longest match
+            # so we dont find sub values
+            if @lookup_map[possible.downcase]
+              last_possible = @lookup_map[possible.downcase]
+            end
+          end
+          # no matches found return
+          return nil if last_possible.empty?
+          return nil unless possible.include?(";")
+          # reset the input and plow through
+          input.reset
+          for i in 0..last_possible.size
+            input.next if input.next?
+          end
+          possible = ENTITY_MAP[last_possible]
+          input.next # consume the ;
+          return possible unless possible.empty?
+          return nil
+        end
+
+        # Entity maps
+        ENTITY_MAP = {
+          "lt" => "<",
+          "gt" => ">",
+          "amp" => "&",
+          "apos" => "\'",
+          "quot" => "\""
+        }
+
+      end
+    end
+  end
+end

data/lib/esapi.rb

@@ -0,0 +1,68 @@
+#
+# Class loading mechanism, we use this to create new instances of objects based
+# on config data. This allows a user to set their own config for instance to use thier
+# own implmentation of a given class. ClassLoader based on Rails constantize
+#
+class ClassLoader
+  def self.load_class(class_name)
+    # we are using ruby 1.9.2 as a requirement, so we can use the inheritance
+    # of const_get to find our object. if mis-spelled it will raise a NameError
+    names = class_name.split("::")
+    klass = Object
+    names.each do |name|
+      klass = klass.const_get(name)
+    end
+    klass.new
+  end
+end
+
+# Owasp root modules
+module Owasp
+  # Configuration class
+  class Configuration
+    attr_accessor :logger, :encoder
+    # Is intrustion detectione nabled?
+    def ids?
+      return true
+    end
+    # Get the encoder class anem
+    def get_encoder_class
+
+    end
+  end
+  # Logging class stub
+  class Logger
+    def warn(msg)
+      #puts "WARNING: #{msg}"
+    end
+  end
+  # Esapi Root module
+  module Esapi
+
+    # seutp ESAPI
+    def self.setup
+      @config ||= Configuration.new
+      yield @config if block_given?
+      process_config(@config)
+    end
+
+    # Get the security configuration context
+    def self.security_config
+      @security ||= Configuration.new
+    end
+    # Get the configured logger
+    def self.logger
+      @logger ||= Logger.new
+    end
+    # Get the configured encoded
+    def self.encoder
+      @encoder ||= ClassLoader.load_class("Owasp::Esapi::Encoder")
+    end
+
+    private
+    # Process the config data to setup esapi
+    def self.process_config(conf)
+    end
+
+  end
+end

data/lib/exceptions.rb

@@ -0,0 +1,37 @@
+# Various exception used by Esapi
+module Owasp
+  module Esapi
+
+    # Base Exception class for SecurityExceptions
+    class EnterpriseSecurityException < Exception
+      attr :log_message
+      def initialize(user_msg, log_msg)
+        super(user_msg)
+        @log_message = log_msg
+      end
+    end
+
+    # Exception throw if there is an error during Executor processing
+    class ExecutorException < EnterpriseSecurityException
+    end
+
+    # Intrustion detection exception to be logged
+    class IntrustionException < Exception
+      attr :log_message
+      def initialize(user_message,log_message)
+        super(user_message)
+        @log_message = log_message
+      end
+    end
+
+    # ValidatorException used in the rule sets
+    class ValidationException < EnterpriseSecurityException
+      attr :context
+      def initialize(user_msg,log_msg,context)
+        super(user_msg,log_msg)
+        @context = context
+      end
+    end
+
+  end
+end

data/lib/executor.rb

@@ -0,0 +1,20 @@
+# Executor implmentation
+#
+# Provide a safe execute command, that wll ensure paths and args are escaped properly
+# and check for expansions of the command
+#
+
+module Owasp
+  module Esapi
+    # Executor class
+    class Executor
+
+      # Wrapper for Process#spawn
+      # it sanitizes the parames and validates paths before execution
+      def execute_command(cmd,params,working_dir,codec,redirect_error)
+        cmd_path = File.expand_path(cmd)
+
+      end
+    end
+  end
+end

data/lib/owasp-esapi-ruby.rb

@@ -0,0 +1,13 @@
+require 'esapi'
+require 'exceptions'
+require 'sanitizer/xss'
+require 'validator/zipcode'
+require 'validator/email'
+require 'codec/encoder'
+require 'validator/validator_error_list'
+require 'validator/base_rule'
+require 'validator/string_rule'
+require 'validator/date_rule'
+require 'validator/integer_rule'
+require 'validator/float_rule'
+require 'executor'

data/lib/sanitizer/xss.rb

@@ -0,0 +1,59 @@
+module Owasp
+  module Esapi
+    module Sanitizer
+        
+      # This is the Cross site scripting sanitizer class.
+      # {http://bit.ly/AJVmn The XSS Cheat sheet at Owasp site}
+      class Xss
+          
+        attr_accessor :smart
+        # Creates a new sanitizer
+        # @param [Boolean], smart.
+        #     A boolean that says if sanitizer can blindly escape all 'dangerous' characters 
+        #     in their html entity or rather if it should try to guess if the string needs 
+        #     sanitizing is a xss attack vector or not and then let the string to pass by.
+        def initialize(smart=false)
+          self.smart= smart
+        end
+          
+        # Todo, we should really investigate if dangerous chars have to be trimmed or substituted.
+        # I'm (Paolo) choosing substitute right now... we'll change it later.
+        # @param [String], tainted. The string needs to be sanitized
+        # @return [String] the input string sanitized equivalent 
+        def sanitize(tainted)
+          untainted = tainted
+            
+          untainted = rule1_sanitize(tainted)
+            
+          # Start - RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
+          # End - RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
+            
+          # Start - RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
+          # End - RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
+            
+          # Start - RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
+          # End - RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
+          
+          untainted
+        end
+        private
+          def rule1_sanitize(taint) 
+            untainted = taint
+            # Start - RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
+
+            # This *must* be the first substitution, otherwise it will substitute also & characters in 
+            # valid HTML entities
+            untainted = untainted.gsub("&", "&")
+            untainted = untainted.gsub("<", "&lt;")
+            untainted = untainted.gsub(">", "&gt;")
+            untainted = untainted.gsub("\"", "&quot;")
+            untainted = untainted.gsub("\'", "&#x27;")
+            untainted = untainted.gsub("/", "&#x2F;")
+
+            # End - RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
+            untainted
+          end
+      end
+    end
+  end
+end

data/lib/validator/base_rule.rb

@@ -0,0 +1,90 @@
+# Expand Integer to add Min and Max values
+class Integer #:nodoc:
+  N_BYTES = [42].pack('i').size
+  N_BITS = N_BYTES * 8
+  MAX = 2 ** (N_BITS - 2) - 1
+  MIN = -MAX - 1
+end
+
+module Owasp
+  module Esapi
+    module Validator
+
+      # A ValidationRule performs syntax and possibly semantic validation of a single
+      # piece of data from an untrusted source.
+      class BaseRule
+        attr_accessor :encoder, :name, :allow_nil
+        def initialize(name,encoder=nil)
+          @name = name
+          @encoder = encoder
+          @encoder = Owasp::Esapi.encoder if @encoder.nil?
+          @allow_nil = false
+        end
+
+        # return true if the input passes validation
+        def valid?(context,input)
+          valid = false
+          begin
+            valid(context,input)
+            valid = true
+          rescue Exception =>e
+          end
+          valid
+        end
+
+        # Parse the input, calling the valid method
+        # if an exception if thrown it will be added
+        # to the ValidatorErrorList object. This method allows for multiple rules to be executed
+        # and collect all the errors that were invoked along the way.
+        def validate(context,input, errors=nil)
+          valid = nil
+          begin
+            valid = valid(context,input)
+          rescue ValidationException => e
+            errors<< e unless errors.nil?
+          end
+          input
+        end
+
+        # Parse the input, raise exceptions if validation fails
+        # sub classes need to implment this method as the base class will always raise an
+        # exception
+        def valid(context,input)
+          raise Owasp::Esapi::ValidationException.new(input,input,context)
+        end
+
+        # Try to call get *valid*, then call sanitize, finally return a default value
+        def safe(context,string)
+          valid = nil
+          begin
+            valid = valid(context,input)
+          rescue ValidationException => e
+            return sanitize(context,input)
+          end
+          return valid
+        end
+
+        # The method is similar to getSafe except that it returns a
+        # harmless object that <b>may or may not have any similarity to the original
+        # input (in some cases you may not care)</b>. In most cases this should be the
+        # same as the getSafe method only instead of throwing an exception, return
+        # some default value. Subclasses should implment this method
+        def sanitize(context,input)
+          input
+        end
+
+        # Removes characters that aren't in the whitelist from the input String.
+        # chars is expected to be string
+        def whitelist(input,list)
+          rc = ''
+          input.chars do |c|
+            rc << c if list.include?(c)
+          end
+          rc
+        end
+
+      end
+
+    end
+  end
+end