owasp-esapi-ruby 0.30.0

data/lib/codec/mysql_codec.rb

@@ -0,0 +1,131 @@
+#
+# Codec to provide for MySQL string support
+# http://mirror.yandex.ru/mirrors/ftp.mysql.com/doc/refman/5.0/en/string-syntax.html for details
+module Owasp
+  module Esapi
+    module Codec
+      class MySQLCodec < BaseCodec
+        MYSQL_MODE = 0 # MySQL standard mode
+        ANSI_MODE  = 1; # ANSI escape mode
+
+        #  create a mysql codec.
+        # mode must be either MYSQL_MODE or ANSI_MODE
+        # The mode sets wether to use ansi mode in mysql or not
+        # defaults to MYSQL_MODE
+        def initialize(mode = 0)
+          if mode < MYSQL_MODE or mode > ANSI_MODE
+            raise RangeError.new()
+          end
+          @mode = mode
+        end
+
+        #  Returns quote-encoded *character*
+        def encode_char(immune,input)
+          return input if immune.include?(input)
+          hex = hex(input)
+          return input if hex.nil?
+          return to_ansi(input) if @mode == ANSI_MODE
+          return to_mysql(input) if @mode == MYSQL_MODE
+        end
+
+        # Returns the decoded version of the character starting at index, or
+        # nil if no decoding is possible.
+        #
+        # Formats all are legal (case sensitive)
+        #   In ANSI_MODE '' decodes to '
+        #   In MYSQL_MODE \x decodes to x (or a small list of specials)
+        def decode_char(input)
+          return from_ansi(input) if @mode == ANSI_MODE
+          return from_mysql(input) if @mode == MYSQL_MODE
+        end
+
+        #  encode ' only
+        def to_ansi(input) #:nodoc:
+          return "\'\'" if input == "\'"
+          input
+        end
+
+        #  encode for NO_BACKLASH_MODE
+        def to_mysql(input) # :nodoc:
+          c = input.ord
+          return "\\0" if c == 0x00
+          return "\\b" if c == 0x08
+          return "\\t" if c == 0x09
+          return "\\n" if c == 0x0a
+          return "\\r" if c == 0x0d
+          return "\\Z" if c == 0x1a
+          return "\\\"" if c == 0x22
+          return "\\%" if c == 0x25
+          return "\\'" if c == 0x27
+          return "\\\\" if c == 0x5c
+          return "\\_" if c == 0x5f
+          "\\#{input}"
+        end
+
+        #  decode a char with ansi only compliane i.e. apostrohpe only
+        def from_ansi(input) # :nodoc:
+          input.mark
+          first = input.next
+
+          # check first char
+          if first.nil?
+            input.reset
+            return nil
+          end
+
+          unless first == "\'"
+            input.reset
+            return nil
+          end
+
+          # check second char
+          second = input.next
+          if second.nil?
+            input.reset
+            return nil
+          end
+
+          # if second isnt an encoded char return nil
+          unless second == "\'"
+            input.reset
+            return nil
+          end
+          "\'"
+        end
+
+        #  decode a char using mysql NO_BACKSLAH_QUOTE rules
+        def from_mysql(input) # :nodoc:
+          input.mark
+          # check first
+          first = input.next
+          if first.nil?
+            input.reset
+            return nil
+          end
+
+          # check second
+          second = input.next
+          if second.nil?
+            input.reset
+            return nil
+          end
+
+          return 0x00.chr if second == "0"
+          return 0x08.chr if second == "b"
+          return 0x08.chr if second == "t"
+          return 0x0a.chr if second == "n"
+          return 0x0d.chr if second == "r"
+          return 0x1a.chr if second == "z"
+          return 0x22.chr if second == "\""
+          return 0x25.chr if second == "%"
+          return 0x27.chr if second == "\'"
+          return 0x5c.chr if second == "\\"
+          return 0x5f.chr if second == "_"
+          # not an escape
+          second
+        end
+
+      end
+    end
+  end
+end

data/lib/codec/oracle_codec.rb

@@ -0,0 +1,46 @@
+#
+# Codec to provide for Oracle string support
+# see http://oraqa.com/2006/03/20/how-to-escape-single-quotes-in-strings for details
+# This will only prevent SQLinjection in the case of user data being placed within an
+# Oracle quoted string such as select * from table where field = ' USERDATA '
+module Owasp
+  module Esapi
+    module Codec
+      class OracleCodec < BaseCodec
+
+        #  Encodes ' to ''
+        def encode_char(immune,input)
+          return "\'\'" if input == "\'"
+          input
+        end
+
+         # Returns the decoded version of the character starting at index, or
+         # nil if no decoding is possible.
+         #
+         #  Formats all are legal
+         #   '' decodes to '
+         def decode_char(input)
+          # check first *char*
+          input.mark
+          first = input.next
+          if first.nil?
+            input.reset
+            return nil
+          end
+          # if it isnt an encoded string return nil
+          unless first == "\'"
+            input.reset
+            return nil
+          end
+          # if second isnt an encoded marker return nil
+          second = input.next
+          unless second == "\'"
+            input.reset
+            return nil
+          end
+          return "\'"
+        end
+      end
+    end
+  end
+end

data/lib/codec/os_codec.rb

@@ -0,0 +1,78 @@
+require 'rbconfig'
+
+# Operating system codec for escape characters for HOST commands
+# We look at Unix style (max, linux) and Windows style
+module Owasp
+  module Esapi
+    module Codec
+      class OsCodec < BaseCodec
+        # Window Host flag
+        WINDOWS_HOST = :Windows
+        # Unix Host flag
+        UNIX_HOST = :Unix
+
+        # Setup the code, if no os is passed in the codec
+        # will guess the OS based on the ruby host_os variable
+        def initialize(os = nil)
+          @host = nil
+          @escape_char = ''
+          host_os = os
+          if os.nil?
+            host_os = case Config::CONFIG['host_os']
+            when /mswin|windows/i then WINDOWS_HOST
+            when /linux/i then UNIX_HOST
+            when /darwin/i then UNIX_HOST
+            when /sunos|solaris/i then UNIX_HOST
+            else UNIX_HOST
+            end
+          end
+          if host_os == WINDOWS_HOST
+            @host = WINDOWS_HOST
+            @escape_char = '^'
+          elsif host_os == UNIX_HOST
+            @host = UNIX_HOST
+            @escape_char = '\\'
+          end
+        end
+
+        # get the configured OS
+        def os
+          @host
+        end
+
+        # Returns shell encoded character
+        # ^ - for windows
+        # \\ - for unix
+        def encode_char(immune,input)
+          return input if immune.include?(input)
+          return input if hex(input).nil?
+          return "#{@escape_char}#{input}"
+        end
+
+        # Returns the decoded version of the character starting at index, or
+        # nil if no decoding is possible.
+        # <p>
+        # Formats all are legal both upper/lower case:
+        #   ^x - all special characters when configured for WINDOWS
+        #   \\ - all special characters when configured for UNIX
+        def decode_char(input)
+          input.mark
+          first = input.next
+          # check first char
+          if first.nil?
+            input.reset
+            return nil
+          end
+          # if it isnt escape return nil
+          if first != @escape_char
+            input.reset
+            return nil
+          end
+          # get teh escape value
+          return input.next
+        end
+
+      end
+    end
+  end
+end

data/lib/codec/percent_codec.rb

@@ -0,0 +1,53 @@
+# Implementation of the Codec interface for percent encoding (aka URL encoding).
+module Owasp
+  module Esapi
+    module Codec
+      class PercentCodec < BaseCodec
+
+        #  Encode a character for URLs
+        def encode_char(immune,input)
+          return input if input =~ /[a-zA-Z0-9_.-]/
+          # RFC compliance
+          return "+" if input == " "
+          val = ''
+          input.each_byte do |b|
+            val << '%' << b.ord.to_h.upcase
+          end
+          val
+        end
+
+        # Formats all are legal both upper/lower case:
+        # %hh;
+        def decode_char(input)
+          input.mark
+          first = input.next
+          if first.nil?
+            input.reset
+            return nil
+          end
+          # check if this is an encoded character
+          if first != '%'
+            input.reset
+            return nil
+          end
+          # search for 2 hex digits
+          tmp = ''
+          for i in 0..1 do
+            c = input.next_hex
+            tmp << c unless c.nil?
+          end
+          # we found 2, convert to a number
+          if tmp.size == 2
+            i = tmp.hex
+            begin
+              return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+            rescue Exception => e
+            end
+          end
+          input.reset
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/codec/pushable_string.rb

@@ -0,0 +1,114 @@
+# The pushback string is used by Codecs to allow them to push decoded characters back onto a string
+# for further decoding. This is necessary to detect double-encoding.
+
+module Owasp
+  module Esapi
+    module Codec
+      class PushableString
+        attr :index
+
+        #
+        # Setup a pushable string
+        # stream will setup UTF_8 encoding on the input
+        def initialize(string)
+          @input = string.force_encoding(Encoding::UTF_8)
+          @index = 0
+          @mark = 0
+          @temp = nil
+          @push = nil
+        end
+
+        # Get the next token off of the stream
+        def next
+          unless @push.nil?
+            t = @push
+            @push = nil
+            return t
+          end
+          return nil if @input.nil?
+          return nil if @input.size == 0
+          return nil if @index >= @input.size
+
+          t = @input[@index]
+          @index += 1
+          t
+        end
+
+        #  fetch the next hex token in the string or nil
+        def next_hex
+          c = self.next
+          return nil if c.nil?
+          return c if hex?(c)
+          nil
+        end
+
+        # Fetch the next octal token int eh string or nil
+        def next_octal
+          c = self.next
+          return nil if c.nil?
+          return c if octal?(c)
+          nil
+        end
+
+        #  Check to see if we have another token on the stream
+        def next?
+          !@push.nil? ? true : @input.nil? ? false : @input.empty? ? false : @index >= @input.length ? false : true
+        end
+
+        #  Push a character back onto the string, this is a unread operation
+        def push(c)
+          @push = c
+        end
+
+        #  Peek into teh stream and see if the next character is the one in question
+        def peek?(c)
+          return true if !@push.nil? and @push == c
+          return false if @input.empty?
+          return false if @input.nil?
+          return false if @index >= @input.size
+          @input[@index] == c
+        end
+
+        #  Peek into the stream and fetch teh next character without moving the index
+        def peek
+          return @push if !@push.nil?
+          return nil if @input.nil?
+          return nil if @input.empty?
+          return nil if @index >= @input.size
+          @input[@index]
+        end
+
+        #  Mark the stream for rewind
+        def mark
+          @temp = @push
+          @mark = @index
+        end
+
+        # Check if a given character is a hexadecimal character
+        def hex?(c)
+          return false if c.nil?
+          c =~ /[a-fA-F0-9]/
+        end
+
+        #  Check if a given character is an octal character
+        def octal?(c)
+          return false if c.nil?
+          c =~ /[0-7]/
+        end
+
+        #  Reset the index back to the mark
+        def reset
+          @push = @temp
+          @index = @mark
+        end
+
+        #  Fetch the rest of the string from the current index
+        def remainder
+          t = @input.slice(@index,@input.size-@index)
+          return @push + t unless @push.nil?
+          t
+        end
+      end
+    end
+  end
+end

data/lib/codec/vbscript_codec.rb

@@ -0,0 +1,64 @@
+# Implementation of the Codec interface for 'quote' encoding from VBScript.
+module Owasp
+  module Esapi
+    module Codec
+      class VbScriptCodec < BaseCodec
+
+        # Encode a String so that it can be safely used in a specific context.
+        def encode(immune, input)
+          encoded_string = ''
+          encoding = false
+          inquotes = false
+          encoded_string.encode!(Encoding::UTF_8)
+          i = 0
+          input.encode(Encoding::UTF_8).chars do |c|
+            if Owasp::Esapi::Encoder::CHAR_ALPHANUMERIC.include?(c) or immune.include?(c)
+              encoded_string << "&" if encoding and i > 0
+              encoded_string << "\"" if !inquotes and i > 0
+              encoded_string << c
+              inquotes = true
+              encoding = false
+            else
+              encoded_string << "\"" if inquotes and i < input.size
+              encoded_string << "&" if i > 0
+              encoded_string << encode_char(immune,c)
+              inquotes = false
+              encoding = true
+            end
+            i += 1
+          end
+          encoded_string
+        end
+        # Returns quote-encoded character
+        def encode_char(immune,input)
+          return input if immune.include?(input)
+          hex = hex(input)
+          return input if hex.nil?
+          return "chrw(#{input.ord})"
+        end
+
+        # Returns the decoded version of the character starting at index, or
+        # nil if no decoding is possible.
+        #
+        # Formats all are legal both upper/lower case:
+        # "x - all special characters
+        # " + chr(x) + "  - not supported
+
+        def decode_char(input)
+          input.mark();
+          first = input.next
+          if first.nil?
+            input.reset
+            return nil;
+          end
+          # if this is not an encoded character, return null
+          if first != "\""
+            input.reset
+            return nil
+          end
+          input.next
+        end
+      end
+    end
+  end
+end