owasp-esapi-ruby 0.30.0

Files changed (56)
  1. data/.document +5 -0
  2. data/AUTHORS +5 -0
  3. data/ChangeLog +69 -0
  4. data/ISSUES +0 -0
  5. data/LICENSE +24 -0
  6. data/README +51 -0
  7. data/Rakefile +63 -0
  8. data/VERSION +1 -0
  9. data/lib/codec/base_codec.rb +99 -0
  10. data/lib/codec/css_codec.rb +101 -0
  11. data/lib/codec/encoder.rb +330 -0
  12. data/lib/codec/html_codec.rb +424 -0
  13. data/lib/codec/javascript_codec.rb +119 -0
  14. data/lib/codec/mysql_codec.rb +131 -0
  15. data/lib/codec/oracle_codec.rb +46 -0
  16. data/lib/codec/os_codec.rb +78 -0
  17. data/lib/codec/percent_codec.rb +53 -0
  18. data/lib/codec/pushable_string.rb +114 -0
  19. data/lib/codec/vbscript_codec.rb +64 -0
  20. data/lib/codec/xml_codec.rb +173 -0
  21. data/lib/esapi.rb +68 -0
  22. data/lib/exceptions.rb +37 -0
  23. data/lib/executor.rb +20 -0
  24. data/lib/owasp-esapi-ruby.rb +13 -0
  25. data/lib/sanitizer/xss.rb +59 -0
  26. data/lib/validator/base_rule.rb +90 -0
  27. data/lib/validator/date_rule.rb +92 -0
  28. data/lib/validator/email.rb +29 -0
  29. data/lib/validator/float_rule.rb +76 -0
  30. data/lib/validator/generic_validator.rb +26 -0
  31. data/lib/validator/integer_rule.rb +61 -0
  32. data/lib/validator/string_rule.rb +146 -0
  33. data/lib/validator/validator_error_list.rb +48 -0
  34. data/lib/validator/zipcode.rb +27 -0
  35. data/spec/codec/css_codec_spec.rb +61 -0
  36. data/spec/codec/html_codec_spec.rb +87 -0
  37. data/spec/codec/javascript_codec_spec.rb +45 -0
  38. data/spec/codec/mysql_codec_spec.rb +44 -0
  39. data/spec/codec/oracle_codec_spec.rb +23 -0
  40. data/spec/codec/os_codec_spec.rb +51 -0
  41. data/spec/codec/percent_codec_spec.rb +34 -0
  42. data/spec/codec/vbcript_codec_spec.rb +23 -0
  43. data/spec/codec/xml_codec_spec.rb +83 -0
  44. data/spec/owasp_esapi_encoder_spec.rb +226 -0
  45. data/spec/owasp_esapi_executor_spec.rb +9 -0
  46. data/spec/owasp_esapi_ruby_email_validator_spec.rb +39 -0
  47. data/spec/owasp_esapi_ruby_xss_sanitizer_spec.rb +66 -0
  48. data/spec/owasp_esapi_ruby_zipcode_validator_spec.rb +42 -0
  49. data/spec/spec_helper.rb +10 -0
  50. data/spec/validator/base_rule_spec.rb +29 -0
  51. data/spec/validator/date_rule_spec.rb +40 -0
  52. data/spec/validator/float_rule_spec.rb +31 -0
  53. data/spec/validator/integer_rule_spec.rb +51 -0
  54. data/spec/validator/string_rule_spec.rb +103 -0
  55. data/spec/validator_skeleton.rb +150 -0
  56. metadata +235 -0
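--- /dev/null
+++ b/data/spec/owasp_esapi_encoder_spec.rb
@@ -0,0 +1,226 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+describe Encoder do
+# Setup some encoders
+let (:encoder) { Owasp::Esapi.encoder }
+let (:jsencoder) {Owasp::Esapi::Encoder.new([Owasp::Esapi::Codec::JavascriptCodec.new])}
+let (:cssencoder) {Owasp::Esapi::Encoder.new([Owasp::Esapi::Codec::CssCodec.new])}
+
+# HTML and Percent Codec tests
+# Generate dynamic canonicalization tests
+{
+"%25F"=> "%F",
+"%3c"=> "<",
+"%3C"=> "<",
+"%X1"=> "%X1",
+"&#60"=> "<",
+"&#060"=> "<",
+"&#0060"=> "<",
+"&#000060"=>"<",
+"&#0000060"=>"<",
+"&#60;"=> "<",
+"&#060;"=> "<",
+"&#0060;"=> "<",
+"&#000060;"=> "<",
+"&#0000060;"=> "<",
+"&#x3c"=> "<",
+"&#x03c"=> "<",
+"&#x0003c"=> "<",
+"&#x000003c"=> "<",
+"&#x00000003c"=> "<",
+"&#x3c;"=> "<",
+"&#x03c;"=> "<",
+"&#x003c;"=> "<",
+"&#x00003c;"=> "<",
+"&#x0000003c;"=> "<",
+"&#X03c"=> "<",
+"&#X3c"=> "<",
+"&#X0003c"=> "<",
+"&#X000003c"=> "<",
+"&#X00000003c"=> "<",
+"&#x3C"=> "<",
+"&#x03C"=> "<",
+"&#x0003C"=> "<",
+"&#x000003C"=> "<",
+"&#x00000003C"=> "<",
+"&#X3C"=> "<",
+"&#X03C"=> "<",
+"&#X0003C"=> "<",
+"&#X000003C"=> "<",
+"&#X00000003C"=> "<",
+"&lt"=> "<",
+"&LT"=> "<",
+"&Lt"=> "<",
+"&lT"=> "<",
+"&lt;"=> "<",
+"&LT;"=> "<",
+"&Lt;"=> "<",
+"&lT;"=> "<",
+"&#37;"=> "%",
+"&#37"=> "%",
+"&#37b"=> "%b",
+"%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E"=> "<script>alert(\"hello\");</script>",
+"%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E"=> "<script>alert(\"hello\");</script>",
+}.each_pair do |k,v|
+it "should canonicalize #{k} to #{v}" do
+begin
+encoder.canonicalize(k.dup).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+
+# Javascript dynamic canonicilzation tests
+{
+"\\0"=> "\0",
+"\\b"=> "\b",
+"\\t"=> "\t",
+"\\n"=> "\n",
+"\\v"=> "\v",
+"\\f"=> "\f",
+"\\r"=> "\r",
+"\\'"=> "\'",
+"\\\""=> "\"",
+"\\\\"=> "\\",
+"\\<"=> "<",
+}.each_pair do |k,v|
+it "should canonicalize javascript #{k} to #{v}" do
+begin
+jsencoder.canonicalize(k.dup).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+# CSS dynamic canonicalization tests
+{
+"\\3c"=> "<",
+"\\03c"=> "<",
+"\\003c"=> "<",
+"\\0003c"=> "<",
+"\\00003c"=> "<",
+"\\3C"=> "<",
+"\\03C"=> "<",
+"\\003C"=> "<",
+"\\0003C"=> "<",
+"\\00003C"=> "<",
+}.each_pair do |k,v|
+it "should canonicalize CSS #{k} to #{v}" do
+begin
+cssencoder.canonicalize(k.dup).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+# Sanitize
+it "should sanitize input exceptions" do
+# test null value
+encoder.canonicalize(nil).should == nil
+# test exception paths
+encoder.sanitize("%25",true).should == '%'
+encoder.sanitize("%25",false).should == '%'
+end
+
+# Dynamic double canonicalization tests
+{
+"&#x26;lt&#59"=> "<",# double entity
+"%255c"=> "\\", # double percent
+"%2525"=> "%" , #double percent
+"%26lt%3b"=> "<", #double percent
+"%253c"=> "<",
+"%26lt%3b"=> "<",
+"&#x25;26"=> "&",
+"%%33%63"=> "<",
+"%%33c"=> "<",
+"%3%63"=> "<",
+"&&#108;t;"=> "<",
+"&%6ct;"=> "<",
+"%&#x33;c"=> "<",
+"%25 %2526 %26#X3c;script&#x3e; &#37;3Cscript%25252525253e"=> "% & <script> <script>",
+"%26lt; %26lt; &#X25;3c &#x25;3c %2526lt%253B %2526lt%253B %2526lt%253B"=> "< < < < < < <",
+"%253Cscript"=> "<script",
+"&#37;3Cscript"=> "<script",
+}.each_pair do |k,v|
+it "should properly handle #{k} with double canonicalization and return #{v}" do
+begin
+encoder.sanitize(k.dup,false).should == v
+rescue IntrustionException =>e
+# if IDSis on we would throw an intrustion exception, other exceptions are real errors
+end
+end
+end
+
+# Css Encoder
+it "should css encode nil as nil" do
+encoder.encode_for_css(nil).should == nil
+end
+
+it "should css encode <script> as '\\3cscript\\3e" do
+encoder.encode_for_css("<script>").should == "\\3c script\\3e "
+end
+
+it "should css encode punction properly" do
+result = encoder.encode_for_css("!@$%()=+{}[]")
+result.should == "\\21 \\40 \\24 \\25 \\28 \\29 \\3d \\2b \\7b \\7d \\5b \\5d "
+end
+
+# HTML Encoder
+{
+"<script>" => "&lt;script&gt;",
+"&lt;script&gt;"=>"&amp;lt&#x3b;script&amp;gt&#x3b;",
+"!@$%()=+{}[]" => "&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;",
+",.-_ " => ",.-_ ",
+"dir&" => "dir&amp;",
+"one&two" => "one&amp;two",
+}.each_pair do |k,v|
+it "should encode HTML #{k} as #{v}" do
+encoder.encode_for_html(k).should == v
+end
+end
+
+# HTML Attribute
+{
+"<script>" => "&lt;script&gt;",
+"&lt;script&gt;"=>"&amp;lt&#x3b;script&amp;gt&#x3b;",
+" !@$%()=+{}[]" => "&#x20;&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;",
+}.each_pair do |k,v|
+it "should encode html attribute #{k} as #{v}" do
+encoder.encode_for_html_attr(k).should == v
+end
+end
+
+# JS Encoder
+it "should hs encode nil as nil" do
+encoder.encode_for_javascript(nil).should == nil
+end
+
+it "should js encode special characers" do
+encoder.encode_for_javascript("!@$%()=+{}[]").should == "\\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D"
+end
+it "should js encode ',.-_ '" do
+encoder.encode_for_javascript(",.-_ ").should == ",.\\x2D_\\x20"
+end
+it "should js encode a script tag" do
+encoder.encode_for_javascript("<script>").should == "\\x3Cscript\\x3E"
+end
+
+# Vb script encoder
+{
+"<script>" => "chrw(60)&\"script\"&chrw(62)",
+"x !@$%()=+{}[]" => "x\"&chrw(32)&chrw(33)&chrw(64)&chrw(36)&chrw(37)&chrw(40)&chrw(41)&chrw(61)&chrw(43)&chrw(123)&chrw(125)&chrw(91)&chrw(93)",
+"alert('ESAPI test!')" => "alert\"&chrw(40)&chrw(39)&\"ESAPI\"&chrw(32)&\"test\"&chrw(33)&chrw(39)&chrw(41)",
+"sal.scotto@gmail.com" => "sal.scotto\"&chrw(64)&\"gmail.com",
+"test <> test" => "test\"&chrw(32)&chrw(60)&chrw(62)&chrw(32)&\"test"
+}.each_pair do |k,v|
+it "should encode vbscript #{k} as #{v}" do
+encoder.encode_for_vbscript(k).should == v
+end
+end
+
+end
+end
+end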
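Review bot: The four `begin ... rescue IntrustionException => e ... end` wrappers around the canonicalize/sanitize expectations make every example pass when the encoder raises instead of returning, so the double-decoding inputs that canonicalization exists to catch (`%2525`, `%26lt%3b`, `&#x25;26`, the mixed `%25 %2526 ...` string) are never actually compared with their expected values. Ruby resolves the constant in a rescue clause only when an exception reaches it, so if exceptions.rb spells the class `IntrusionException` (not visible here) a failed expectation would surface as `NameError` rather than as a readable mismatch. Remove the rescue and assert the value directly, and give the inputs that are meant to trip the IDS their own example — `expect { encoder.canonicalize(k.dup) }.to raise_error(Owasp::Esapi::IntrusionException)`, with the class name taken from exceptions.rb — so that rejection and decoding are each asserted explicitly. The VBScript expectations pin an asymmetric output (`x"&chrw(32)...` opens without a quote, `...&"test` never closes one), so the result is not a complete VBScript string expression on its own; a comment on that hash saying the caller is expected to supply the surrounding quotes would stop the next reader from treating it as a bug.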
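--- /dev/null
+++ b/data/spec/owasp_esapi_executor_spec.rb
@@ -0,0 +1,9 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+describe Executor do
+it "execute a command and get output"
+end
+end
+end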
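Review bot: The only example here, `it "execute a command and get output"`, has no body and is therefore reported as pending, which leaves lib/executor.rb (20 lines in this release's file list) with no executed coverage even though command execution is the component where a missing check has the worst consequences. How Executor spawns the process is not visible from this spec, so I cannot say whether arguments go through a shell; the spec should pin that down by passing a shell metacharacter sequence such as `$(id)` or `; id` as an argument and asserting it is returned or echoed literally, using whatever call signature executor.rb exposes. Until then, a comment on the pending example stating what it is expected to prove would at least record the intent.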
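--- /dev/null
+++ b/data/spec/owasp_esapi_ruby_email_validator_spec.rb
@@ -0,0 +1,39 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe Email do
+let(:validator) {Owasp::Esapi::Validator::Email.new}
+
+it "should discard invalid email addresses" do
+validator.valid?("this is not an email address").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("12313.it").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0nge_at_owasp_dot_org").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0 nge@owasp.org").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0nge@owasp..org").should == false
+end
+
+it "should discard invalid email addresses" do
+validator.valid?("thesp0nge@ow asp.org").should == false
+end
+
+it "should validate goot email addresses" do
+validator.valid?("thesp0nge@owasp.org").should == true
+end
+end
+end
+end
+end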
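Review bot: None of the six rejection cases tries an input that is a valid address followed by extra content on a second line, which is exactly the case a `^`/`$`-anchored Ruby regex accepts (those anchors match per line, `\A`/`\z` match the whole string); whether Email anchors correctly is not visible from this spec. Add `validator.valid?("thesp0nge@owasp.org\n<script>").should == false` alongside the existing rejections so the anchoring is pinned rather than assumed. All six rejection examples share the description "should discard invalid email addresses", so a failure report cannot say which input failed; put the input in each description, and fix "goot" in the acceptance example.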
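--- /dev/null
+++ b/data/spec/owasp_esapi_ruby_xss_sanitizer_spec.rb
@@ -0,0 +1,66 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+module Sanitizer
+describe Xss do
+let(:filter) {Owasp::Esapi::Sanitizer::Xss.new}
+
+it "should leave untouched untainted strings" do
+untainted = "This is an unoffensive string"
+output = filter.sanitize(untainted)
+output.should == untainted
+end
+
+it "should sanitize the '<' character" do
+false_positive_tainted = "I am a supposed to be a tainted < string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("<", "&lt;")
+end
+
+it "should sanitize the '>' character" do
+false_positive_tainted = "I am a supposed to be a tainted > string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub(">", "&gt;")
+end
+
+it "should sanitize the '&' character" do
+false_positive_tainted = "I am a supposed to be a tainted & string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("&", "&amp;")
+end
+
+it "should sanitize the '\"' character" do
+false_positive_tainted = "I am a supposed to be a tainted \" string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("\"", "&quot;")
+end
+
+it "should sanitize the '\'' character" do
+false_positive_tainted = "I am a supposed to be a tainted \' string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("\'", "&#x27;")
+end
+
+it "should sanitize the '/' character" do
+false_positive_tainted = "I am a supposed to be a tainted / string"
+output = filter.sanitize(false_positive_tainted)
+output.should == false_positive_tainted.gsub("/", "&#x2F;")
+end
+
+it "shoud sanitize an injecting up attack pattern" do
+taint = "<script>alert('xss here');</script>"
+output = filter.sanitize(taint)
+output.should == taint.gsub("<", "&lt;").gsub(">", "&gt;").gsub("\'", "&#x27;").gsub("/", "&#x2F;")
+end
+
+it "shoud sanitize an injecting up attack pattern" do
+taint = "/><script>alert('xss here');</script>"
+output = filter.sanitize(taint)
+output.should == taint.gsub("<", "&lt;").gsub(">", "&gt;").gsub("\'", "&#x27;").gsub("/", "&#x2F;")
+end
+end
+end
+
+end
+end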
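Review bot: The two "injecting up attack pattern" examples build their expected value with a `gsub` chain that mirrors what the sanitizer presumably does, so they pass as long as the implementation is wrong in the same way as the test; state the expectation literally instead, e.g. `output.should == "&lt;script&gt;alert(&#x27;xss here&#x27;);&lt;&#x2F;script&gt;"`. Nothing here feeds the sanitizer input that is already entity-encoded; `&lt;script&gt;` should come back as `&amp;lt;script&amp;gt;` unless Xss is meant to canonicalize first (nothing in this spec says so), and that single case pins both that `&` is escaped and that earlier escapes are not re-escaped into `&amp;lt;`. A nil example is also missing, while the encoder spec in this release asserts nil for every encoder; the sanitizer should state the same contract. The second attack example duplicates the first one's description, and both spell "shoud".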
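--- /dev/null
+++ b/data/spec/owasp_esapi_ruby_zipcode_validator_spec.rb
@@ -0,0 +1,42 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe Zipcode do
+let(:validator) {Owasp::Esapi::Validator::Zipcode.new}
+
+it "should validate a good US ZIP CODE" do
+validator.valid?("12345").should == true
+end
+
+it "should validate a good US ZIP CODE" do
+validator.valid?("12345-6789").should == true
+end
+
+it "should discard a bad US ZIP CODE" do
+validator.valid?("foostring").should == false
+end
+
+it "should discard a bad US ZIP CODE" do
+validator.valid?("123-323").should == false
+end
+
+it "should validate a good Italian ZIP CODE equivalent" do
+validator.matcher=Owasp::Esapi::Validator::Zipcode::ITALIAN_ZIPCODE
+validator.valid?("20100").should == true
+end
+
+it "should discard an invalid Italian ZIP CODE equivalent" do
+validator.matcher=Owasp::Esapi::Validator::Zipcode::ITALIAN_ZIPCODE
+validator.valid?("121").should == false
+end
+it "should discard an invalid Italian ZIP CODE equivalent" do
+validator.matcher=Owasp::Esapi::Validator::Zipcode::ITALIAN_ZIPCODE
+validator.valid?("ipse dixit").should == false
+end
+end
+end
+
+end
+end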
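Review bot: The rejection inputs ("foostring", "123-323", "121", "ipse dixit") never contain a valid code with extra content around it, so a matcher anchored with `^`/`$` instead of `\A`/`\z` (the `ITALIAN_ZIPCODE` and default patterns are not visible here) would pass every example and still accept `"12345\n<script>"`. Add `validator.valid?("12345\n<script>").should == false` and `validator.valid?("123456").should == false` for the default matcher, and the equivalents for `ITALIAN_ZIPCODE`, so anchoring and length are asserted rather than assumed. The `matcher=` writer means the rule can be swapped at runtime; since `let` gives each example a fresh instance this does not leak between examples, but a one-line comment above the Italian examples saying so would save the next reader the check.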
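--- /dev/null
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'owasp-esapi-ruby'
+require 'rspec'
+require 'rspec/autorun'
+
+RSpec.configure do |config|
+config.color_enabled = true
+end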
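--- /dev/null
+++ b/data/spec/validator/base_rule_spec.rb
@@ -0,0 +1,29 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe BaseRule do
+let(:rule) {Owasp::Esapi::Validator::BaseRule.new("test")}
+it "should remove non whitelist characters" do
+rule.whitelist("12345abcdefghijkmlaaaa","abc").should == "abcaaaa"
+end
+
+it "should raise and exception in the base class" do
+lambda {rule.valid("test","input")}.should raise_error(Owasp::Esapi::ValidationException)
+end
+
+it "should return false for valid? int eh base rule" do
+rule.valid?("test","input").should be_false
+end
+
+it "should has an item in the error list" do
+v = Owasp::Esapi::Validator::ValidatorErrorList.new
+rule.validate("context","input",v)
+v.errors.should_not be_empty
+end
+
+end
+end
+end
+end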
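Review bot: The first line builds the helper path as `File.dirname(__FILE__) + '../../spec_helper'` with no separator, producing `spec/validator../../spec_helper`; it resolves to `spec/spec_helper` only because `File.expand_path` treats `validator..` as a directory name that the following `..` pops off, so the require works by accident and breaks the moment the file moves. Write `require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')` (or `File.expand_path('../../spec_helper', __FILE__)`). The whitelist example asserts a single case; adding `rule.whitelist("abc", "")` with its expected result would document whether an empty allow-list strips everything, which is the reading a validator's callers need to be sure of. `be_false` is RSpec 2 syntax (`be_falsey` in RSpec 3), consistent with the `.should` style used throughout, so it is fine as long as the Rakefile pins that RSpec line.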
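--- /dev/null
+++ b/data/spec/validator/date_rule_spec.rb
@@ -0,0 +1,40 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+module Esapi
+module Validator
+describe DateRule do
+let(:rule) {Owasp::Esapi::Validator::DateRule.new("test",nil,nil)}
+
+it "should validate September 11, 2001 as a valid" do
+rule.valid?("","September 11, 2001").should be_true
+end
+
+it "should fail to validate 9-11-2001 as valid with the default format" do
+rule.valid?("","9-11-2001").should be_false
+end
+
+it "should fail to validate with a null date" do
+rule.valid?("",nil).should be_false
+end
+
+it "should fail to validate with an empty string as the date" do
+rule.valid?("","").should be_false
+end
+
+# Try a few different date formats
+{
+"Jan 1, 07 Sun GMT" => "%b %d, %y %Z",
+"31-12-2010" => "%d-%m-%Y",
+"31-1-2010" => "%d-%m-%Y",
+"2010-02-27 15:00" => "%Y-%m-%d %H:%M"
+}.each_pair do |k,v|
+it "should validate #{k} as a valid date with #{v} as the format" do
+rule = Owasp::Esapi::Validator::DateRule.new("test",nil,v)
+rule.valid?("",k).should be_true
+end
+end
+end
+end
+end
+end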
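Review bot: As in base_rule_spec, the first line concatenates `File.dirname(__FILE__) + '../../spec_helper'` without a separator and only resolves because `expand_path` drops the bogus `validator..` component; write `require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')`. The format-driven examples assert acceptance only, and the `"Jan 1, 07 Sun GMT"` case is expected to pass against `"%b %d, %y %Z"`, a format with one `%Z` that cannot consume both `Sun` and `GMT`, so the rule evidently tolerates input the format does not account for, yet no example shows where that tolerance stops. Add rejection cases for an impossible date and for trailing text, e.g. `Owasp::Esapi::Validator::DateRule.new("test",nil,"%d-%m-%Y").valid?("","31-02-2010").should be_false` and the same call with `"31-12-2010 extra"`, so the accepted shape is pinned rather than inferred. The local `rule` assigned inside those examples shadows the `let(:rule)`; renaming it (`custom_rule`) avoids a reader mistaking which instance is under test.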