owasp-esapi-ruby 0.30.0

data/lib/validator/zipcode.rb

@@ -0,0 +1,27 @@
+require 'validator/generic_validator'
+
+module Owasp
+  module Esapi
+    module Validator
+      
+      # This is a validator class for zip codes.
+      class Zipcode < GenericValidator
+      
+        ITALIAN_ZIPCODE = "^\\d{5}$"
+        US_ZIPCODE = "^\\d{5}(\\-\\d{4})?$"
+        
+        # Creates a new Zipcode validator.
+        # @param custom_regex if you don't find your locale zip code regular expression, you can provide a 
+        # very custom one
+        def initialize(options = nil)
+          # Matcher is tuned to match a valid US ZIP CODE, that means either 5 numbers, or 5 numbers, 
+          # plus a dash, then 4 more numbers.
+          @matcher = US_ZIPCODE
+          @matcher = options["custom_regex"] unless (options.nil? || ! options.has_key?("custom_regex"))
+          super(@matcher)
+        end
+        
+      end
+    end
+  end
+end

data/spec/codec/css_codec_spec.rb

@@ -0,0 +1,61 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe CssCodec do
+        let (:codec) { Owasp::Esapi::Codec::CssCodec.new }
+
+        it "should encode my '<' as \\3c" do
+          m = codec.encode([],"<")
+          m.should == '\\3c '
+        end
+
+        it "should decode \\abcdefg and replace the invliad code point" do
+          s = "\\abcdefg"
+          codec.decode(s).should == "\uFFFDg"
+        end
+        it "should encode 0x100 as \\100" do
+          s = 0x100.chr(Encoding::UTF_8)
+          m = codec.encode([],s[0])
+          m.should == "\\100 "
+        end
+
+        it "should decode '\\<' to '<'" do
+          m = codec.decode("\\<")
+          m.should == "<"
+        end
+
+        it "should decode '\\41xyz' to Axyz" do
+          m = codec.decode("\\41xyz")
+          m.should == "Axyz"
+        end
+
+        it "should decode '\\000041abc' to 'Aabc'" do
+          m = codec.decode("\\000041abc")
+          m.should == "Aabc"
+        end
+
+        it "should decode '\\41 abc' to 'Aabc'" do
+          m = codec.decode("\\41 abc")
+          m.should == "Aabc"
+        end
+
+        it "should decode 'abc\\\nxyz' to 'abcxyz'" do
+          m = codec.decode("abc\\\nxyz")
+          m.should == "abcxyz"
+        end
+
+        it "should decode 'abc\\\r\nxyz' to 'abcxyz'" do
+          m = codec.decode("abc\\\r\nxyz")
+          m.should == "abcxyz"
+        end
+
+        it "should decode \\3c as <" do
+          codec.decode("\\3c").should == "<"
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/html_codec_spec.rb

@@ -0,0 +1,87 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe HtmlCodec do
+        let (:codec) { Owasp::Esapi::Codec::HtmlCodec.new }
+
+        it "should not change test" do
+          codec.encode([],"test").should == "test"
+        end
+
+        it "should encode < as &lt;" do
+          codec.encode([],"<").should == "&lt;"
+        end
+
+        it "should encode 0x100 as &#x100;" do
+          s = 0x100.chr(Encoding::UTF_8)
+          m = codec.encode([],s[0])
+          m.should == "&#x100;"
+        end
+
+        it "should decode &#x74;&#x65;&#x73;&#x74;! as test!" do
+          codec.decode("&#x74;&#x65;&#x73;&#x74;!").should == "test!"
+        end
+
+        it "should skip &jeff; an invlaid attribute" do
+          codec.decode("&jeff;").should == "&jeff;"
+        end
+
+        # dynamic tests for various inputs to decode
+        {
+          "&amp;" => "&",
+          "&amp;X" => "&X",
+          "&amp" => "&",
+          "&ampX" => "&X",
+          "&lt;" => "<",
+          "&lt;X" => "<X",
+          "&lt" => "<",
+          "&ltX"=> "<X",
+          "&#60" => "<",
+          "&sup2;" => "\u00B2",
+          "&sup2;X" => "\u00B2X",
+          "&sup2" => "\u00B2",
+          "&sup2X" => "\u00B2X",
+          "&sup3;" => "\u00B3",
+          "&sup3;X" => "\u00B3X",
+          "&sup3" => "\u00B3",
+          "&sup3X" => "\u00B3X",
+          "&sup1;" => "\u00B9",
+          "&sup1;X" => "\u00B9X",
+          "&sup1" => "\u00B9",
+          "&sup1X" => "\u00B9X",
+          "&sup;" => "\u2283",
+          "&sup;X" => "\u2283X",
+          "&sup" => "\u2283",
+          "&supX" => "\u2283X",
+          "&supe;" => "\u2287",
+          "&supe;X" => "\u2287X",
+          "&supe" => "\u2287",
+          "&supeX" => "\u2287X",
+          "&pi;" => "\u03C0",
+          "&pi;X" => "\u03C0X",
+          "&pi" => "\u03C0",
+          "&piX" => "\u03C0X",
+          "&piv;" => "\u03D6",
+          "&piv;X" => "\u03D6X",
+          "&piv" => "\u03D6",
+          "&pivX" => "\u03D6X",
+          "&theta;" => "\u03B8",
+          "&theta;X" => "\u03B8X",
+          "&theta" => "\u03B8",
+          "&thetaX" => "\u03B8X",
+          "&thetasym;" => "\u03D1",
+          "&thetasym;X" => "\u03D1X",
+          "&thetasym" => "\u03D1",
+          "&thetasymX" => "\u03D1X",
+        }.each_pair do |k,v|
+          it "should decode #{k} as #{v}" do
+            codec.decode(k).should == v
+          end
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/javascript_codec_spec.rb

@@ -0,0 +1,45 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe JavascriptCodec do
+        let (:codec) { Owasp::Esapi::Codec::JavascriptCodec.new }
+
+        it "should decode \\x3c as <" do
+          codec.decode("\\x3c").should == "<"
+        end
+
+        it "should encode < as \\x3C" do
+          codec.encode([],"<").should == "\\x3C"
+        end
+
+        it "should encode 0x100 as \\u0100" do
+          s = 0x100.chr(Encoding::UTF_8)
+          codec.encode([],s[0]).should == "\\u0100"
+        end
+
+        it "should encode <script> as \\x3Cscript\\x3E" do
+          codec.encode(Owasp::Esapi::Encoder::IMMUNE_JAVASCRIPT,"<script>").should == "\\x3Cscript\\x3E"
+        end
+
+        it "should encoder !@$%()=+{}[] as \\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D" do
+          codec.encode(Owasp::Esapi::Encoder::IMMUNE_JAVASCRIPT,"!@$%()=+{}[]").should == "\\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D"
+        end
+
+        it "shoudl encode ',.-_ ' as ',.\\x2D_\\x20'" do
+          codec.encode(Owasp::Esapi::Encoder::IMMUNE_JAVASCRIPT,",.-_ ").should == ",.\\x2D_\\x20"
+        end
+
+        it "should decode \\f as \f" do
+          codec.decode("\\f").should == "\f"
+        end
+
+        it "should decode \\b as \b" do
+          codec.decode("\\b").should == "\b"
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/mysql_codec_spec.rb

@@ -0,0 +1,44 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe MySQLCodec do
+        let (:ansi_codec) { Owasp::Esapi::Codec::MySQLCodec.new(Owasp::Esapi::Codec::MySQLCodec::ANSI_MODE) }
+        let (:mysql_codec) { Owasp::Esapi::Codec::MySQLCodec.new(Owasp::Esapi::Codec::MySQLCodec::MYSQL_MODE) }
+        let (:big_char) {  }
+
+        it "should encode \' as \'\' in ANSI mode" do
+          ansi_codec.encode([],"\'").should == "\'\'"
+        end
+
+        it "should encode < as \\< in MYSQL mode" do
+          mysql_codec.encode([],"<").should == "\\<"
+        end
+
+        it "should encode 0x100 as \\0x100 in MYSQL mode" do
+          s = 0x100.chr(Encoding::UTF_8)[0]
+          mysql_codec.encode([],s) == "\\#{s}"
+        end
+
+        it "should encode 0x100 as 0x100 in ANSI mode" do
+          s = 0x100.chr(Encoding::UTF_8)[0]
+          ansi_codec.encode([],s) == "#{s}"
+        end
+
+        it "should decode '' as ' in ANSI mode" do
+          ansi_codec.decode("\'\'").should == "\'"
+        end
+
+        it "should decode \\< as < in MYSQL mode" do
+          mysql_codec.decode("\\<").should == "<"
+        end
+
+        it "should fail to create a code with an invalid mode" do
+          lambda { Owasp::Esapi::Codec::MySQLCodec.new(5)}.should raise_error(RangeError)
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/oracle_codec_spec.rb

@@ -0,0 +1,23 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe OracleCodec do
+        let (:codec) { Owasp::Esapi::Codec::OracleCodec.new }
+
+        it "should encode eddie's stuff as eddie''s stuff" do
+          codec.encode([],"eddie's stuff").should == "eddie''s stuff"
+        end
+        it "should encode \' as \'\'" do
+          codec.encode([],"\'").should == "\'\'"
+        end
+
+        it "should decode \'\' as \'" do
+          codec.decode("\'\'").should == "\'"
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/os_codec_spec.rb

@@ -0,0 +1,51 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe OsCodec do
+        let(:unix_codec) {Owasp::Esapi::Codec::OsCodec.new( Owasp::Esapi::Codec::OsCodec::UNIX_HOST)}
+        let(:win_codec) {Owasp::Esapi::Codec::OsCodec.new( Owasp::Esapi::Codec::OsCodec::WINDOWS_HOST)}
+
+        it "should detect the actual host os" do
+          codec = Owasp::Esapi::Codec::OsCodec.new
+          codec.os.should == Owasp::Esapi::Codec::OsCodec::UNIX_HOST
+        end
+
+        it "should decode ^< as < for windows" do
+          win_codec.decode("^<").should == "<"
+        end
+
+        it "should decode \\< as < for unix" do
+          unix_codec.decode("\\<").should == "<"
+        end
+
+        it "should encode c:\\jeff with ^ chars for windows" do
+          win_codec.encode([],"C:\\jeff").should == "C^:^\\jeff"
+        end
+
+        it "should encode dir & foo with ^ chars for windows" do
+          win_codec.encode([],"dir & foo").should == "dir^ ^&^ foo"
+
+        end
+
+        it "should encode c:\\jeff with \\ chars for unix" do
+          unix_codec.encode(Owasp::Esapi::Encoder::CHAR_ALPHANUMERIC,"C:\\jeff").should == "C\\:\\\\jeff"
+        end
+
+        it "should encode dir & foo with \\ chars for unix" do
+          unix_codec.encode([],"dir & foo").should == "dir\\ \\&\\ foo"
+        end
+
+        it "should encode /etc/hosts with \\ chars for unix" do
+          unix_codec.encode(['-'],"/etc/hosts").should == "\\/etc\\/hosts"
+        end
+
+        it "should encode /etc/hosts; ls -l with \\ chars for unix" do
+          unix_codec.encode(['-'],"/etc/hosts; ls -l").should == "\\/etc\\/hosts\\;\\ ls\\ -l"
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/percent_codec_spec.rb

@@ -0,0 +1,34 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+# percent encode aka URL encoding
+module Owasp
+  module Esapi
+    module Codec
+      describe PercentCodec do
+        let (:codec) { Owasp::Esapi::Codec::PercentCodec.new }
+
+        it "should decode %3c as <" do
+          codec.decode("%3c").should == "<"
+        end
+
+        it "should encode < as %3C" do
+          codec.encode([],"<").should == "%3C"
+        end
+
+        it "should encode 0x100 as %C4%80" do
+          s = 0x100.chr(Encoding::UTF_8)
+          codec.encode([],s[0]).should == "%C4%80"
+        end
+
+        it "should decode %25F as %F" do
+          codec.decode("%25F").should == "%F"
+        end
+
+        it "should encode 'Stop!' said Fred as %27Stop%21%27+said+Fred" do
+          codec.encode([],"'Stop!' said Fred").should == "%27Stop%21%27+said+Fred"
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/vbcript_codec_spec.rb

@@ -0,0 +1,23 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe VbScriptCodec do
+        let (:codec) { Owasp::Esapi::Codec::VbScriptCodec.new }
+        it "should encode < as chrw(60)" do
+          codec.encode([],"<").should == "chrw(60)"
+        end
+        it "should encode 0x100 as \\u0100" do
+          s = 0x100.chr(Encoding::UTF_8)
+          codec.encode([],s[0]).should == "chrw(256)"
+        end
+
+        it "should decode '\"<' as <" do
+          codec.decode("\"<").should == "<"
+        end
+
+      end
+    end
+  end
+end

data/spec/codec/xml_codec_spec.rb

@@ -0,0 +1,83 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Codec
+      describe XmlCodec do
+        let (:codec) { Owasp::Esapi::Codec::XmlCodec.new }
+        describe 'XML encoding' do
+          it "should encode nil as nil" do
+            codec.encode([],nil).should == nil
+          end
+
+          it "should encode ' ' as ' '" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XML," ").should == " "
+          end
+
+          it "should encode <script> as &#x3c;script&#x3e;" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XML,"<script>").should == "&#x3c;script&#x3e;"
+          end
+
+          it "should encode ,.-_ as same" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XML,",.-_").should == ",.-_"
+          end
+
+          it "should encode !@$%()=+{}[] as &#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XML,"!@$%()=+{}[]").should == "&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;"
+          end
+
+          it "should encode \u00A3 as &#xa3;" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XML,"\u00A3").should == "&#xa3;"
+          end
+        end
+
+        describe 'Attributes Encoding' do
+          it "should encode ' ' as ' '" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XMLATTR," ").should == " "
+          end
+
+          it "should encode <script> as &#x3c;script&#x3e;" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XMLATTR,"<script>").should == "&#x3c;script&#x3e;"
+          end
+
+          it "should encode ,.-_ as same" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XMLATTR,",.-_").should == ",.-_"
+          end
+
+          it "should encode !@$%()=+{}[] as &#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XMLATTR,"!@$%()=+{}[]").should == "&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;"
+          end
+
+          it "should encode \u00A3 as &#xa3;" do
+            codec.encode(Owasp::Esapi::Encoder::IMMUNE_XMLATTR,"\u00A3").should == "&#xa3;"
+          end
+        end
+
+        describe 'Decoding' do
+          {
+            "AB_YZ" => "AB_YZ",
+            "AB&gt;YZ" => "AB>YZ",
+            "AB&amp;YZ" => "AB&YZ",
+            "AB&quot;YZ" => "AB\"YZ",
+            "AB&apos;YZ" => "AB'YZ",
+            "AB&quot;" => "AB\"",
+            "&quot;YZ" => "\"YZ",
+            "&quot;" => "\"",
+            "AB&quot" => "AB&quot",
+            "&quotYZ" => "&quotYZ",
+            "&quot" => "&quot",
+            "AB&pound;" => "AB&pound;",
+            "&pound;YZ" => "&pound;YZ",
+            "&pound;" => "&pound;",
+            "AB&#64;YZ" => "AB@YZ",
+            "AB&#x40;YZ" => "AB@YZ"
+          }.each_pair do |k,v|
+            it "should decode #{k} as #{v}" do
+              codec.decode(k).should == v
+            end
+          end
+        end
+      end
+    end
+  end
+end