owasp-esapi-ruby 0.30.0

data/lib/codec/html_codec.rb

@@ -0,0 +1,424 @@
+# Implementation of the Codec interface for HTML entity encoding.
+module Owasp
+  module Esapi
+    module Codec
+      class HtmlCodec < BaseCodec
+        def initialize
+          @longest_key = 0
+          @lookup_map = {}
+          ENTITY_MAP.each_key do |k|
+            if k.size > @longest_key
+              @longest_key += 1
+            end
+            @lookup_map[k.downcase] = k
+          end
+        end
+
+        #  Encodes a Character for safe use in an HTML entity field.
+        def encode_char(immune, input)
+          c = input
+          return input if immune.include?(input)
+          # check for alpha numeric
+          hex = hex(input)
+          return input if hex.nil?
+          # check to see if we need to replace an entity
+          if ( c.ord <= 0x1f and c != '\t' and c != '\n' and c != '\r' ) || ( c.ord >= 0x7f and c.ord <= 0x9f )
+            hex = REPLACEMENT_HEX
+            c = REPLACEMENT_CHAR
+          end
+          # find the entity name if its possible
+          ENTITY_MAP.each_pair do |k,v|
+            return "&#{k};" if v == c.ord
+          end
+          #encode as a hex value
+          "&#x#{hex};"
+        end
+
+        # Returns the decoded version of the character starting at index, or
+        # nil if no decoding is possible.
+        # Formats all are legal both with and without semi-colon, upper/lower case:
+        # * &#dddd;
+        # * &#xhhhh;
+        # * &name;
+        def decode_char(input)
+          # mark the input
+          input.mark
+          first = input.next
+          if first.nil?
+            input.reset
+            return nil
+          end
+
+          # this isnt an encoded char
+          if first != '&'
+            input.reset
+            return nil
+          end
+
+          # test for numeric encodings
+          second = input.next
+          if second.nil?
+            input.reset
+            return nil
+          end
+          if second == '#'
+            c = numeric_entity(input)
+            return c unless c.nil?
+          elsif second =~ /[a-zA-Z]/
+            input.push(second)
+            c = named_entity(input)
+            return c unless c.nil?
+          end
+          input.reset
+          return nil
+        end
+
+        # check to see if the input is a numeric entity
+        def numeric_entity(input) #:nodoc:
+          first = input.peek
+          return nil if first.nil?
+          if first.downcase.eql?("x")
+            input.next
+            return parse_hex(input)
+          end
+          return parse_number(input)
+        end
+
+        # check to see if the input is a named entity
+        def named_entity(input)#:nodoc:
+          possible = ''
+          len = min(input.remainder.size,@longest_key)
+          if input.peek?("&")
+            input.next
+          end
+          found_key = false
+          last_possible = ''
+          for i in 0..len do
+            possible << input.next if input.next?
+            # we have to find the longest match
+            # so we dont find sub values
+            if @lookup_map[possible.downcase]
+              last_possible = @lookup_map[possible.downcase]
+            end
+          end
+          # no matches found return
+          return nil if last_possible.empty?
+          # reset the input and plow through
+          input.reset
+          for i in 0..last_possible.size
+            input.next
+          end
+          possible = ENTITY_MAP[last_possible]
+          input.next if input.peek?(';')
+          possible.chr(Encoding::UTF_8)
+        end
+        # parse a number int he stream
+        def parse_number(input)#:nodoc:
+          result = ''
+          while input.next?
+            c = input.peek
+            if c =~ /\d/
+              result << c
+              input.next
+            elsif c == ';'
+              input.next
+              break;
+            else
+              break;
+            end
+          end
+
+          begin
+            i = result.to_i
+            return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+          rescue Exception => e
+          end
+          nil
+        end
+        # parse a hex value in the stream
+        def parse_hex(input)#:nodoc:
+          result = ''
+          while input.next?
+            c = input.peek
+            if "0123456789ABCDEFabcdef".include?(c)
+              result << c
+              input.next
+            elsif c == ";"
+              input.next
+              break
+            else
+              break
+            end
+          end
+          begin
+            i = result.hex
+            return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+          rescue Exception => e
+          end
+          nil
+        end
+
+        # Replacement const hex
+        REPLACEMENT_HEX = "fffd"
+        # Replacement const char
+        REPLACEMENT_CHAR = '\ufffd'
+
+        # Map of entities to numeric codes
+        ENTITY_MAP = {
+          'Aacute' => 193,
+          'aacute' => 225,
+          'Acirc' => 194,
+          'acirc' => 226,
+          'acute' => 180,
+          'AElig' => 198,
+          'aelig' => 230,
+          'Agrave' => 192,
+          'agrave' => 224,
+          'alefsym' => 8501,
+          'Alpha' => 913,
+          'alpha' => 945,
+          'amp' => 38,
+          'and' => 8743,
+          'ang' => 8736,
+          'Aring' => 197,
+          'aring' => 229,
+          'asymp' => 8776,
+          'Atilde' => 195,
+          'atilde' => 227,
+          'Auml' => 196,
+          'auml' => 228,
+          'bdquo' => 8222,
+          'Beta' => 914,
+          'beta' => 946,
+          'brvbar' => 166,
+          'bull' => 8226,
+          'cap' => 8745,
+          'Ccedil' => 199,
+          'ccedil' => 231,
+          'cedil' => 184,
+          'cent' => 162,
+          'Chi' => 935,
+          'chi' => 967,
+          'circ' => 710,
+          'clubs' => 9827,
+          'cong' => 8773,
+          'copy' => 169,
+          'crarr' => 8629,
+          'cup' => 8746,
+          'curren' => 164,
+          'Dagger' => 8225,
+          'dagger' => 8224,
+          'dArr' => 8659,
+          'darr' => 8595,
+          'deg' => 176,
+          'Delta' => 916,
+          'delta' => 948,
+          'diams' => 9830,
+          'divide' => 247,
+          'Eacute' => 201,
+          'eacute' => 233,
+          'Ecirc' => 202,
+          'ecirc' => 234,
+          'Egrave' => 200,
+          'egrave' => 232,
+          'empty' => 8709,
+          'emsp' => 8195,
+          'ensp' => 8194,
+          'Epsilon' => 917,
+          'epsilon' => 949,
+          'equiv' => 8801,
+          'Eta' => 919,
+          'eta' => 951,
+          'ETH' => 208,
+          'eth' => 240,
+          'Euml' => 203,
+          'euml' => 235,
+          'euro' => 8364,
+          'exist' => 8707,
+          'fnof' => 402,
+          'forall' => 8704,
+          'frac12' => 189,
+          'frac14' => 188,
+          'frac34' => 190,
+          'frasl' => 8260,
+          'Gamma' => 915,
+          'gamma' => 947,
+          'ge' => 8805,
+          'gt' => 62,
+          'hArr' => 8660,
+          'harr' => 8596,
+          'hearts' => 9829,
+          'hellip' => 8230,
+          'Iacute' => 205,
+          'iacute' => 237,
+          'Icirc' => 206,
+          'icirc' => 238,
+          'iexcl' => 161,
+          'Igrave' => 204,
+          'igrave' => 236,
+          'image' => 8465,
+          'infin' => 8734,
+          'int' => 8747,
+          'Iota' => 921,
+          'iota' => 953,
+          'iquest' => 191,
+          'isin' => 8712,
+          'Iuml' => 207,
+          'iuml' => 239,
+          'Kappa' => 922,
+          'kappa' => 954,
+          'Lambda' => 923,
+          'lambda' => 955,
+          'lang' => 9001,
+          'laquo' => 171,
+          'lArr' => 8656,
+          'larr' => 8592,
+          'lceil' => 8968,
+          'ldquo' => 8220,
+          'le' => 8804,
+          'lfloor' => 8970,
+          'lowast' => 8727,
+          'loz' => 9674,
+          'lrm' => 8206,
+          'lsaquo' => 8249,
+          'lsquo' => 8216,
+          'lt' => 60,
+          'macr' => 175,
+          'mdash' => 8212,
+          'micro' => 181,
+          'middot' => 183,
+          'minus' => 8722,
+          'Mu' => 924,
+          'mu' => 956,
+          'nabla' => 8711,
+          'nbsp' => 160,
+          'ndash' => 8211,
+          'ne' => 8800,
+          'ni' => 8715,
+          'not' => 172,
+          'notin' => 8713,
+          'nsub' => 8836,
+          'Ntilde' => 209,
+          'ntilde' => 241,
+          'Nu' => 925,
+          'nu' => 957,
+          'Oacute' => 211,
+          'oacute' => 243,
+          'Ocirc' => 212,
+          'ocirc' => 244,
+          'OElig' => 338,
+          'oelig' => 339,
+          'Ograve' => 210,
+          'ograve' => 242,
+          'oline' => 8254,
+          'Omega' => 937,
+          'omega' => 969,
+          'Omicron' => 927,
+          'omicron' => 959,
+          'oplus' => 8853,
+          'or' => 8744,
+          'ordf' => 170,
+          'ordm' => 186,
+          'Oslash' => 216,
+          'oslash' => 248,
+          'Otilde' => 213,
+          'otilde' => 245,
+          'otimes' => 8855,
+          'Ouml' => 214,
+          'ouml' => 246,
+          'para' => 182,
+          'part' => 8706,
+          'permil' => 8240,
+          'perp' => 8869,
+          'Phi' => 934,
+          'phi' => 966,
+          'Pi' => 928,
+          'pi' => 960,
+          'piv' => 982,
+          'plusmn' => 177,
+          'pound' => 163,
+          'Prime' => 8243,
+          'prime' => 8242,
+          'prod' => 8719,
+          'prop' => 8733,
+          'Psi' => 936,
+          'psi' => 968,
+          'quot' => 34,
+          'radic' => 8730,
+          'rang' => 9002,
+          'raquo' => 187,
+          'rArr' => 8658,
+          'rarr' => 8594,
+          'rceil' => 8969,
+          'rdquo' => 8221,
+          'real' => 8476,
+          'reg' => 174,
+          'rfloor' => 8971,
+          'Rho' => 929,
+          'rho' => 961,
+          'rlm' => 8207,
+          'rsaquo' => 8250,
+          'rsquo' => 8217,
+          'sbquo' => 8218,
+          'Scaron' => 352,
+          'scaron' => 353,
+          'sdot' => 8901,
+          'sect' => 167,
+          'shy' => 173,
+          'Sigma' => 931,
+          'sigma' => 963,
+          'sigmaf' => 962,
+          'sim' => 8764,
+          'spades' => 9824,
+          'sub' => 8834,
+          'sube' => 8838,
+          'sum' => 8721,
+          'sup' => 8835,
+          'sup1' => 185,
+          'sup2' => 178,
+          'sup3' => 179,
+          'supe' => 8839,
+          'szlig' => 223,
+          'Tau' => 932,
+          'tau' => 964,
+          'there4' => 8756,
+          'Theta' => 920,
+          'theta' => 952,
+          'thetasym' => 977,
+          'thinsp' => 8201,
+          'THORN' => 222,
+          'thorn' => 254,
+          'tilde' => 732,
+          'times' => 215,
+          'trade' => 8482,
+          'Uacute' => 218,
+          'uacute' => 250,
+          'uArr' => 8657,
+          'uarr' => 8593,
+          'Ucirc' => 219,
+          'ucirc' => 251,
+          'Ugrave' => 217,
+          'ugrave' => 249,
+          'uml' => 168,
+          'upsih' => 978,
+          'Upsilon' => 933,
+          'upsilon' => 965,
+          'Uuml' => 220,
+          'uuml' => 252,
+          'weierp' => 8472,
+          'Xi' => 926,
+          'xi' => 958,
+          'Yacute' => 221,
+          'yacute' => 253,
+          'yen' => 165,
+          'Yuml' => 376,
+          'yuml' => 255,
+          'Zeta' => 918,
+          'zeta' => 950,
+          'zwj' => 8205,
+          'zwnj' => 8204
+        }
+      end
+    end
+  end
+end

data/lib/codec/javascript_codec.rb

@@ -0,0 +1,119 @@
+module Owasp
+  module Esapi
+    module Codec
+      class JavascriptCodec < BaseCodec
+
+        # Returns backslash encoded numeric format. Does not use backslash character escapes
+        # such as, \" or \' as these may cause parsing problems. For example, if a javascript
+        # attribute, such as onmouseover, contains a \" that will close the entire attribute and
+        # allow an attacker to inject another script attribute.
+        def encode_char(immune,input)
+          return input if immune.include?(input)
+          return input if hex(input).nil?
+          temp = hex(input)
+          if temp.hex < 256
+            return "\\x#{'00'[temp.size,2-temp.size]}#{temp.upcase}"
+          end
+          "\\u#{'0000'[temp.size,4-temp.size]}#{temp.upcase}"
+        end
+
+        # Returns the decoded version of the character starting at index, or
+        # null if no decoding is possible.
+        # See http://www.planetpdf.com/codecuts/pdfs/tutorial/jsspec.*pdf*
+        # Formats all are legal both upper/lower case:
+        # *  \\a - special characters
+        # *  \\xHH
+        # *  \\uHHHH
+        # *  \\OOO (1, 2, or 3 digits)
+        def decode_char(input)
+
+          input.mark
+          first = input.next
+          if first.nil?
+            input.reset
+            return nil
+          end
+          # check to see if we are dealing with an encoded char
+          if first!= "\\"
+            input.reset
+            return nil
+          end
+          second = input.next
+          if second.nil?
+            input.reset
+            return nil
+          end
+
+          #Check octal codes
+          return 0x08.chr if second == "b"
+          return 0x09.chr if second == "t"
+          return 0x0a.chr if second == "n"
+          return 0x0b.chr if second == "v"
+          return 0x0c.chr if second == "f"
+          return 0x0d.chr if second == "r"
+          return 0x22.chr if second == "\""
+          return 0x27.chr if second == "\'"
+          return 0x5c.chr if second == "\\"
+          if second.downcase == "x" # Hex encoded value
+            temp = ''
+            for i in 0..1 do
+              c = input.next_hex
+              temp << c unless c.nil?
+              if c.nil?
+                input.reset
+                return nil
+              end
+            end
+            i = temp.hex
+            begin
+              return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+            rescue Exception => e
+              input.reset
+              return nil
+            end
+          elsif second.downcase == "u" # Unicode encoded value
+            temp = ''
+            for i in 0..3 do
+              c = input.next_hex
+              temp << c unless c.nil?
+              if c.nil?
+                input.reset
+                return nil
+              end
+            end
+            i = temp.hex
+            begin
+              return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+            rescue Exception => e
+              input.reset
+              return nil
+            end
+          elsif input.octal?(second) # Octal encoded value
+            temp = second
+            c = input.next
+            unless input.octal?(c)
+              input.push(c)
+            else
+              temp << c
+              c = input.next
+              unless input.octal?(c)
+                input.push(c)
+              else
+                temp << c
+              end
+            end
+            # build a number
+            i = temp.to_i(8)
+            begin
+              return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+            rescue Exception => e
+              input.reset
+              return nil
+            end
+          end
+          second
+        end
+      end
+    end
+  end
+end