owasp-esapi-ruby 0.30.0

Files changed (56) hide show
  1. data/.document +5 -0
  2. data/AUTHORS +5 -0
  3. data/ChangeLog +69 -0
  4. data/ISSUES +0 -0
  5. data/LICENSE +24 -0
  6. data/README +51 -0
  7. data/Rakefile +63 -0
  8. data/VERSION +1 -0
  9. data/lib/codec/base_codec.rb +99 -0
  10. data/lib/codec/css_codec.rb +101 -0
  11. data/lib/codec/encoder.rb +330 -0
  12. data/lib/codec/html_codec.rb +424 -0
  13. data/lib/codec/javascript_codec.rb +119 -0
  14. data/lib/codec/mysql_codec.rb +131 -0
  15. data/lib/codec/oracle_codec.rb +46 -0
  16. data/lib/codec/os_codec.rb +78 -0
  17. data/lib/codec/percent_codec.rb +53 -0
  18. data/lib/codec/pushable_string.rb +114 -0
  19. data/lib/codec/vbscript_codec.rb +64 -0
  20. data/lib/codec/xml_codec.rb +173 -0
  21. data/lib/esapi.rb +68 -0
  22. data/lib/exceptions.rb +37 -0
  23. data/lib/executor.rb +20 -0
  24. data/lib/owasp-esapi-ruby.rb +13 -0
  25. data/lib/sanitizer/xss.rb +59 -0
  26. data/lib/validator/base_rule.rb +90 -0
  27. data/lib/validator/date_rule.rb +92 -0
  28. data/lib/validator/email.rb +29 -0
  29. data/lib/validator/float_rule.rb +76 -0
  30. data/lib/validator/generic_validator.rb +26 -0
  31. data/lib/validator/integer_rule.rb +61 -0
  32. data/lib/validator/string_rule.rb +146 -0
  33. data/lib/validator/validator_error_list.rb +48 -0
  34. data/lib/validator/zipcode.rb +27 -0
  35. data/spec/codec/css_codec_spec.rb +61 -0
  36. data/spec/codec/html_codec_spec.rb +87 -0
  37. data/spec/codec/javascript_codec_spec.rb +45 -0
  38. data/spec/codec/mysql_codec_spec.rb +44 -0
  39. data/spec/codec/oracle_codec_spec.rb +23 -0
  40. data/spec/codec/os_codec_spec.rb +51 -0
  41. data/spec/codec/percent_codec_spec.rb +34 -0
  42. data/spec/codec/vbcript_codec_spec.rb +23 -0
  43. data/spec/codec/xml_codec_spec.rb +83 -0
  44. data/spec/owasp_esapi_encoder_spec.rb +226 -0
  45. data/spec/owasp_esapi_executor_spec.rb +9 -0
  46. data/spec/owasp_esapi_ruby_email_validator_spec.rb +39 -0
  47. data/spec/owasp_esapi_ruby_xss_sanitizer_spec.rb +66 -0
  48. data/spec/owasp_esapi_ruby_zipcode_validator_spec.rb +42 -0
  49. data/spec/spec_helper.rb +10 -0
  50. data/spec/validator/base_rule_spec.rb +29 -0
  51. data/spec/validator/date_rule_spec.rb +40 -0
  52. data/spec/validator/float_rule_spec.rb +31 -0
  53. data/spec/validator/integer_rule_spec.rb +51 -0
  54. data/spec/validator/string_rule_spec.rb +103 -0
  55. data/spec/validator_skeleton.rb +150 -0
  56. metadata +235 -0
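--- a/data/spec/owasp_esapi_encoder_spec.rb
+++ b/data/spec/owasp_esapi_encoder_spec.rb
@@ -0,0 +1,226 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+describe Encoder do
+# Setup some encoders
+let (:encoder) { Owasp::Esapi.encoder }
+let (:jsencoder) {Owasp::Esapi::Encoder.new([Owasp::Esapi::Codec::JavascriptCodec.new])}
+let (:cssencoder) {Owasp::Esapi::Encoder.new([Owasp::Esapi::Codec::CssCodec.new])}
+
+# HTML and Percent Codec tests
+# Generate dynamic canonicalization tests
+{
+"%25F"=> "%F",
+"%3c"=> "<",
+"%3C"=> "<",
+"%X1"=> "%X1",
+"&#60"=> "<",
+"&#060"=> "<",
+"&#0060"=> "<",
+"&#000060"=>"<",
+"&#0000060"=>"<",
+"&#60;"=> "<",
+"&#060;"=> "<",
+"&#0060;"=> "<",
+"&#000060;"=> "<",
+"&#0000060;"=> "<",
+"&#x3c"=> "<",
+"&#x03c"=> "<",
+"&#x0003c"=> "<",
+"&#x000003c"=> "<",
+"&#x00000003c"=> "<",
+"&#x3c;"=> "<",
+"&#x03c;"=> "<",
+"&#x003c;"=> "<",
+"&#x00003c;"=> "<",
+"&#x0000003c;"=> "<",
+"&#X03c"=> "<",
+"&#X3c"=> "<",
+"&#X0003c"=> "<",
+"&#X000003c"=> "<",
+"&#X00000003c"=> "<",
+"&#x3C"=> "<",
+"&#x03C"=> "<",
+"&#x0003C"=> "<",
+"&#x000003C"=> "<",
+"&#x00000003C"=> "<",
+"&#X3C"=> "<",
+"&#X03C"=> "<",
+"&#X0003C"=> "<",
+"&#X000003C"=> "<",
+"&#X00000003C"=> "<",
+"&lt"=> "<",
+"&LT"=> "<",
+"&Lt"=> "<",
+"&lT"=> "<",
+"&lt;"=> "<",
+"&LT;"=> "<",
+"&Lt;"=> "<",
+"&lT;"=> "<",
+"&#37;"=> "%",
+"&#37"=> "%",
+"&#37b"=> "%b",
+"%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E"=> "<script>alert(\"hello\");</script>",
+"%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E"=> "<script>alert(\"hello\");</script>",
+}.each_pair do |k,v|
+it "should canonicalize #{k} to #{v}" do
+begin
+encoder.canonicalize(k.dup).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+
+# Javascript dynamic canonicilzation tests
+{
+"\\0"=> "\0",
+"\\b"=> "\b",
+"\\t"=> "\t",
+"\\n"=> "\n",
+"\\v"=> "\v",
+"\\f"=> "\f",
+"\\r"=> "\r",
+"\\'"=> "\'",
+"\\\""=> "\"",
+"\\\\"=> "\\",
+"\\<"=> "<",
+}.each_pair do |k,v|
+it "should canonicalize javascript #{k} to #{v}" do
+begin
+jsencoder.canonicalize(k.dup).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+# CSS dynamic canonicalization tests
+{
+"\\3c"=> "<",
+"\\03c"=> "<",
+"\\003c"=> "<",
+"\\0003c"=> "<",
+"\\00003c"=> "<",
+"\\3C"=> "<",
+"\\03C"=> "<",
+"\\003C"=> "<",
+"\\0003C"=> "<",
+"\\00003C"=> "<",
+}.each_pair do |k,v|
+it "should canonicalize CSS #{k} to #{v}" do
+begin
+cssencoder.canonicalize(k.dup).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+# Sanitize
+it "should sanitize input exceptions" do
+# test null value
+encoder.canonicalize(nil).should == nil
+# test exception paths
+encoder.sanitize("%25",true).should == '%'
+encoder.sanitize("%25",false).should == '%'
+end
+
+# Dynamic double canonicalization tests
+{
+"&#x26;lt&#59"=> "<",# double entity
+"%255c"=> "\\", # double percent
+"%2525"=> "%" , #double percent
+"%26lt%3b"=> "<", #double percent
+"%253c"=> "<",
+"%26lt%3b"=> "<",
+"&#x25;26"=> "&",
+"%%33%63"=> "<",
+"%%33c"=> "<",
+"%3%63"=> "<",
+"&&#108;t;"=> "<",
+"&%6ct;"=> "<",
+"%&#x33;c"=> "<",
+"%25 %2526 %26#X3c;script&#x3e; &#37;3Cscript%25252525253e"=> "% & <script> <script>",
+"%26lt; %26lt; &#X25;3c &#x25;3c %2526lt%253B %2526lt%253B %2526lt%253B"=> "< < < < < < <",
+"%253Cscript"=> "<script",
+"&#37;3Cscript"=> "<script",
+}.each_pair do |k,v|
+it "should properly handle #{k} with double canonicalization and return #{v}" do
+begin
+encoder.sanitize(k.dup,false).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+
+# Css Encoder
+it "should css encode nil as nil" do
+encoder.encode_for_css(nil).should == nil
+end
+
+it "should css encode <script> as '\\3cscript\\3e" do
+encoder.encode_for_css("<script>").should == "\\3c script\\3e "
+end
+
+it "should css encode punction properly" do
+result = encoder.encode_for_css("!@$%()=+{}[]")
+result.should == "\\21 \\40 \\24 \\25 \\28 \\29 \\3d \\2b \\7b \\7d \\5b \\5d "
+end
+
+# HTML Encoder
+{
+"<script>" => "&lt;script&gt;",
+"&lt;script&gt;"=>"&amp;lt&#x3b;script&amp;gt&#x3b;",
+"!@$%()=+{}[]" => "&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;",
+",.-_ " => ",.-_ ",
+"dir&" => "dir&amp;",
+"one&two" => "one&amp;two",
+}.each_pair do |k,v|
+it "should encode HTML #{k} as #{v}" do
+encoder.encode_for_html(k).should == v
+end
+end
+
+# HTML Attribute
+{
+"<script>" => "&lt;script&gt;",
+"&lt;script&gt;"=>"&amp;lt&#x3b;script&amp;gt&#x3b;",
+" !@$%()=+{}[]" => "&#x20;&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;",
+}.each_pair do |k,v|
+it "should encode html attribute #{k} as #{v}" do
+encoder.encode_for_html_attr(k).should == v
+end
+end
+
+# JS Encoder
+it "should hs encode nil as nil" do
+encoder.encode_for_javascript(nil).should == nil
+end
+
+it "should js encode special characers" do
+encoder.encode_for_javascript("!@$%()=+{}[]").should == "\\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D"
+end
+it "should js encode ',.-_ '" do
+encoder.encode_for_javascript(",.-_ ").should == ",.\\x2D_\\x20"
+end
+it "should js encode a script tag" do
+encoder.encode_for_javascript("<script>").should == "\\x3Cscript\\x3E"
+end
+
+# Vb script encoder
+{
+"<script>" => "chrw(60)&\"script\"&chrw(62)",
+"x !@$%()=+{}[]" => "x\"&chrw(32)&chrw(33)&chrw(64)&chrw(36)&chrw(37)&chrw(40)&chrw(41)&chrw(61)&chrw(43)&chrw(123)&chrw(125)&chrw(91)&chrw(93)",
+"alert('ESAPI test!')" => "alert\"&chrw(40)&chrw(39)&\"ESAPI\"&chrw(32)&\"test\"&chrw(33)&chrw(39)&chrw(41)",
+"sal.scotto@gmail.com" => "sal.scotto\"&chrw(64)&\"gmail.com",
+"test <> test" => "test\"&chrw(32)&chrw(60)&chrw(62)&chrw(32)&\"test"
+}.each_pair do |k,v|
+it "should encode vbscript #{k} as #{v}" do
+encoder.encode_for_vbscript(k).should == v
+end
+end
+
+end
+end
+end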
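Review bot: The `begin … rescue IntrustionException =>e … end` wrapper around each `should ==` (first in the HTML/percent table, repeated for the javascript, CSS and double-canonicalization tables) turns a raised intrusion exception into a passing example, so a canonicalization that throws instead of decoding is reported green and the "IDS on/off" behaviour is never actually pinned. Separate the two outcomes: examples that must decode keep `encoder.canonicalize(k.dup).should == v` with no rescue, and inputs where the detector is expected to fire get their own `lambda { encoder.canonicalize(k.dup) }.should raise_error(...)` example. Note also that Ruby evaluates the constant in a `rescue` clause only when an exception actually reaches it, so if the name is misspelled relative to what exceptions.rb defines (not in view) the misspelling would surface as a NameError only on the failing path.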
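--- a/data/spec/owasp_esapi_executor_spec.rb
+++ b/data/spec/owasp_esapi_executor_spec.rb
@@ -0,0 +1,9 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+describe Executor do
+it "execute a command and get output"
+end
+end
+end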
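Review bot: `it "execute a command and get output"` has no block, so it is a pending example and executor.rb (listed with 20 lines in this release, not in view) ships with no executed test at all. A component that runs OS commands is exactly where a spec should pin how arguments reach the process; add at least one example asserting the captured output for a fixed command and one asserting that an argument containing shell metacharacters is passed through literally rather than interpreted, e.g. `executor.execute("echo", ["a;b"]).should == "a;b\n"` with the call shape adjusted to Executor's actual signature.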
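--- a/data/spec/owasp_esapi_ruby_email_validator_spec.rb
+++ b/data/spec/owasp_esapi_ruby_email_validator_spec.rb
@@ -0,0 +1,39 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe Email do
+let(:validator) {Owasp::Esapi::Validator::Email.new}
+
+it "should discard invalid email addresses" do
+validator.valid?("this is not an email address").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("12313.it").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0nge_at_owasp_dot_org").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0 nge@owasp.org").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0nge@owasp..org").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0nge@ow asp.org").should == false
+end
+
+it "should validate goot email addresses" do
+validator.valid?("thesp0nge@owasp.org").should == true
+end
+end
+end
+end
+end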
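Review bot: Six examples share the description `"should discard invalid email addresses"` (the zipcode and xss sanitizer specs later in this commit repeat the pattern), so a failure report cannot say which input broke; drive them from a table, `%w[...].each { |addr| it "should reject #{addr}" do validator.valid?(addr).should == false end }`, and rewrite the positive example the same way, which also removes the "goot" typo. None of the rejected inputs contains a newline; if email.rb (not in view) anchors its pattern with `^`/`$` rather than `\A`/`\z`, a value such as `"thesp0nge@owasp.org\nextra"` would match on its first line, so add it as a rejected case here and the equivalent (`"12345\nfoo"`) in the zipcode spec.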
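--- a/data/spec/owasp_esapi_ruby_xss_sanitizer_spec.rb
+++ b/data/spec/owasp_esapi_ruby_xss_sanitizer_spec.rb
@@ -0,0 +1,66 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+module Sanitizer
+describe Xss do
+let(:filter) {Owasp::Esapi::Sanitizer::Xss.new}
+
+it "should leave untouched untainted strings" do
+untainted = "This is an unoffensive string"
+output = filter.sanitize(untainted)
+output.should == untainted
+end
+
+it "should sanitize the '<' character" do
+false_positive_tainted = "I am a supposed to be a tainted < string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("<", "&lt;")
+end
+
+it "should sanitize the '>' character" do
+false_positive_tainted = "I am a supposed to be a tainted > string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub(">", "&gt;")
+end
+
+it "should sanitize the '&' character" do
+false_positive_tainted = "I am a supposed to be a tainted & string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("&", "&amp;")
+end
+
+it "should sanitize the '\"' character" do
+false_positive_tainted = "I am a supposed to be a tainted \" string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("\"", "&quot;")
+end
+
+it "should sanitize the '\'' character" do
+false_positive_tainted = "I am a supposed to be a tainted \' string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("\'", "&#x27;")
+end
+
+it "should sanitize the '/' character" do
+false_positive_tainted = "I am a supposed to be a tainted / string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("/", "&#x2F;")
+end
+
+it "shoud sanitize an injecting up attack pattern" do
+taint = "<script>alert('xss here');</script>"
+output = filter.sanitize(taint)
+output.should == taint.gsub("<", "&lt;").gsub(">", "&gt;").gsub("\'", "&#x27;").gsub("/", "&#x2F;")
+end
+
+it "shoud sanitize an injecting up attack pattern" do
+taint = "/><script>alert('xss here');</script>"
+output = filter.sanitize(taint)
+output.should == taint.gsub("<", "&lt;").gsub(">", "&gt;").gsub("\'", "&#x27;").gsub("/", "&#x2F;")
+end
+end
+end
+
+end
+end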
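Review bot: The two "injecting up attack pattern" examples compute the expected string with the same `gsub` chain the sanitizer presumably applies, and neither input contains `&`, so the one ordering bug that matters for an HTML escaper (escaping `&` after `<` yields `&amp;lt;`) is never exercised. Write the expectation as a literal, `output.should == "&lt;script&gt;alert(&#x27;xss here&#x27;);&lt;&#x2F;script&gt;"`, and add one input that mixes `&` with another escaped character, e.g. `"a < b && c"` expected to become `"a &lt; b &amp;&amp; c"`. The two examples also share a description (with the typo `shoud`), so a failure cannot be attributed to either one.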
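--- a/data/spec/owasp_esapi_ruby_zipcode_validator_spec.rb
+++ b/data/spec/owasp_esapi_ruby_zipcode_validator_spec.rb
@@ -0,0 +1,42 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe Zipcode do
+let(:validator) {Owasp::Esapi::Validator::Zipcode.new}
+
+it "should validate a good US ZIP CODE" do
+validator.valid?("12345").should == true
+end
+
+it "should validate a good US ZIP CODE" do
+validator.valid?("12345-6789").should == true
+end
+
+it "should discard a bad US ZIP CODE" do
+validator.valid?("foostring").should == false
+end
+
+it "should discard a bad US ZIP CODE" do
+validator.valid?("123-323").should == false
+end
+
+it "should validate a good Italian ZIP CODE equivalent" do
+validator.matcher=Owasp::Esapi::Validator::Zipcode::ITALIAN_ZIPCODE
+validator.valid?("20100").should == true
+end
+
+it "should discard an invalid Italian ZIP CODE equivalent" do
+validator.matcher=Owasp::Esapi::Validator::Zipcode::ITALIAN_ZIPCODE
+validator.valid?("121").should == false
+end
+it "should discard an invalid Italian ZIP CODE equivalent" do
+validator.matcher=Owasp::Esapi::Validator::Zipcode::ITALIAN_ZIPCODE
+validator.valid?("ipse dixit").should == false
+end
+end
+end
+
+end
+end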
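--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'owasp-esapi-ruby'
+require 'rspec'
+require 'rspec/autorun'
+
+RSpec.configure do |config|
+config.color_enabled = true
+end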
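Review bot: `config.color_enabled = true` is the RSpec 2 name; RSpec 3 deprecates it in favour of `config.color = true`, so this helper is the first thing to break on an upgrade. Every spec in this commit requires this file by path and relies on `require 'rspec/autorun'` to make a single spec file runnable with plain `ruby`; that is non-obvious enough to deserve a one-line comment above the require, e.g. `# autorun lets each spec be executed directly with ruby, not only via the rspec runner`.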
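--- a/data/spec/validator/base_rule_spec.rb
+++ b/data/spec/validator/base_rule_spec.rb
@@ -0,0 +1,29 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe BaseRule do
+let(:rule) {Owasp::Esapi::Validator::BaseRule.new("test")}
+it "should remove non whitelist characters" do
+rule.whitelist("12345abcdefghijkmlaaaa","abc").should == "abcaaaa"
+end
+
+it "should raise and exception in the base class" do
+lambda {rule.valid("test","input")}.should raise_error(Owasp::Esapi::ValidationException)
+end
+
+it "should return false for valid? int eh base rule" do
+rule.valid?("test","input").should be_false
+end
+
+it "should has an item in the error list" do
+v = Owasp::Esapi::Validator::ValidatorErrorList.new
+rule.validate("context","input",v)
+v.errors.should_not be_empty
+end
+
+end
+end
+end
+end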
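Review bot: `require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')` is missing the separator before `..`: the concatenation produces `…/validator../../spec_helper`, which only resolves to `spec/spec_helper` because the `..` happens to pop the bogus `validator..` component. Use `require File.expand_path('../spec_helper', File.dirname(__FILE__))`; the same line appears in date_rule_spec.rb below. `be_false` on the `valid?` example is RSpec 2 syntax that RSpec 3 no longer provides, so `should == false` (already used elsewhere in this commit) would keep the validator specs consistent.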
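--- a/data/spec/validator/date_rule_spec.rb
+++ b/data/spec/validator/date_rule_spec.rb
@@ -0,0 +1,40 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe DateRule do
+let(:rule) {Owasp::Esapi::Validator::DateRule.new("test",nil,nil)}
+
+it "should validate September 11, 2001 as a valid" do
+rule.valid?("","September 11, 2001").should be_true
+end
+
+it "should fail to validate 9-11-2001 as valid with the default format" do
+rule.valid?("","9-11-2001").should be_false
+end
+
+it "should fail to validate with a null date" do
+rule.valid?("",nil).should be_false
+end
+
+it "should fail to validate with an empty string as the date" do
+rule.valid?("","").should be_false
+end
+
+# Try a few different date formats
+{
+"Jan 1, 07 Sun GMT" => "%b %d, %y %Z",
+"31-12-2010" => "%d-%m-%Y",
+"31-1-2010" => "%d-%m-%Y",
+"2010-02-27 15:00" => "%Y-%m-%d %H:%M"
+}.each_pair do |k,v|
+it "should validate #{k} as a valid date with #{v} as the format" do
+rule = Owasp::Esapi::Validator::DateRule.new("test",nil,v)
+rule.valid?("",k).should be_true
+end
+end
+end
+end
+end
+end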
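Review bot: Every format in the table is exercised only with a well-formed date; there is no example showing that a string matching the format's shape but not a calendar date, e.g. `"31-02-2010"` with `"%d-%m-%Y"`, is rejected, which is the case a date validator exists for. Add `Owasp::Esapi::Validator::DateRule.new("test",nil,"%d-%m-%Y").valid?("","31-02-2010").should be_false` next to the `"31-12-2010"` entry; whether it passes depends on date_rule.rb (not in view) using a strict parser such as `Date.strptime`, which is what the example would confirm. Inside the table-driven example the local `rule = …` shadows the `let(:rule)` helper defined at the top; renaming it `custom_rule` avoids a reader assuming the memoized default-format instance is being tested.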