owasp-esapi-ruby 0.30.0

data/spec/validator/float_rule_spec.rb

@@ -0,0 +1,31 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Validator
+      describe FloatRule do
+
+        it "should validate 4.3214 as valid within range of -10 to 10" do
+          rule = Owasp::Esapi::Validator::FloatRule.new("test",nil,-10,10)
+          rule.valid?("","4.3214").should be_true
+        end
+
+        it "should fail to validate -1 for range of 0 to 100" do
+          rule = Owasp::Esapi::Validator::FloatRule.new("test",nil,0,100)
+          rule.valid?("","-1").should be_false
+        end
+
+        it "should not validate 1e-6 as valid within range of -999999999 to 999999999" do
+          rule = Owasp::Esapi::Validator::FloatRule.new("test",nil,-999999999,999999999)
+          rule.valid?("","1e-6").should be_true
+        end
+
+        it "should raise an error when a non string is passed in" do
+          rule = Owasp::Esapi::Validator::FloatRule.new("test",nil,0,300)
+          lambda{ rule.valid("","#{Float::INFINITY}") }.should raise_error(ValidationException)
+        end
+
+      end
+    end
+  end
+end

data/spec/validator/integer_rule_spec.rb

@@ -0,0 +1,51 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Validator
+      describe IntegerRule do
+
+        it "should validate 89745 as valid within range of 0 to 1000000" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,10000000)
+          rule.valid?("","89745").should be_true
+        end
+
+        it "should fail to validate -1 for range of 0 to 100" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,100)
+          rule.valid?("","-1").should be_false
+        end
+
+        it "should validate 0x100 as valid within range of 0 to 300" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,300)
+          rule.valid("","0x100").should == 256
+        end
+
+        it "should raise an error when a non string is passed in" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,300)
+          lambda{ rule.valid("",100) }.should raise_error(TypeError)
+        end
+
+        it "should validate 0100 as an octal and with range for 0 to 65" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,65)
+          rule.valid("","0100").should == 64
+        end
+
+        it "should validate a bit string 0b0001 as 1 within range of 0 to 2" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,2)
+          rule.valid("","0b0001").should == 1
+        end
+
+        it "should fail to validate testme as a number within any range" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,0,2)
+          rule.valid?("","testme").should be_false
+        end
+
+        it "should validate -1 within range of -5 t0 5" do
+          rule = Owasp::Esapi::Validator::IntegerRule.new("test",nil,-5,5)
+          rule.valid?("","-1").should be_true
+        end
+
+      end
+    end
+  end
+end

data/spec/validator/string_rule_spec.rb

@@ -0,0 +1,103 @@
+require File.expand_path(File.dirname(__FILE__) + '../../spec_helper')
+
+module Owasp
+  module Esapi
+    module Validator
+      describe StringRule do
+        let(:rule) {Owasp::Esapi::Validator::StringRule.new("test")}
+        # We will reset teh rule before every test so previous white/blacklist entries dont affect the other
+        # test begin executed
+        before(:all) { @@rule = Owasp::Esapi::Validator::StringRule.new("test")}
+
+        describe "Pattern rules" do
+          it "should fail to add a nil white list rule" do
+            lambda { rule.add_whitelist(nil)}.should raise_error(ArgumentError)
+          end
+
+          it "should fail with an invalid regex" do
+            lambda { rule.add_whitelist("_][0}[")}.should raise_error(RegexpError)
+          end
+
+          it "should fail to add a nil black list rule" do
+            lambda { rule.add_blacklist(nil)}.should raise_error(ArgumentError)
+          end
+
+          it "should fail with an invalid regex" do
+            lambda { rule.add_blacklist("_][0}[")}.should raise_error(RegexpError)
+          end
+
+          it "should reject beg<script>end with blacklist pattern ^.*(<|>).*" do
+            beg = "beg <script> end"
+            rule.valid("",beg).should == beg
+            rule.add_blacklist("^.*(<|>).*")
+            lambda { rule.valid("",beg)}.should raise_error(Owasp::Esapi::ValidationException)
+            rule.valid("","beg script end").should == "beg script end"
+          end
+
+          it "should accept Magnum44 with whitelist ^[a-zA-Z]*" do
+            gun = "Magnum44"
+            rule.valid("",gun).should == gun
+            rule.add_whitelist("^[a-zA-Z]*")
+            lambda { rule.valid("",gun)}.should raise_error(Owasp::Esapi::ValidationException)
+            rule.valid("","MagnumPI").should == "MagnumPI"
+          end
+
+          it "should match ^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ with sal.scotto@gmail.com" do
+            rule.add_whitelist("^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$")
+            rule.valid?("Email test","sal.scotto@gmail.com").should be_true
+          end
+
+        end
+
+        describe "Length rules" do
+          [
+            "12",
+            "123456",
+            "ABCDEFGHIJKL"
+          ].each do |input|
+            it "should check valid length for #{input} with min 2 max 12" do
+              rule.min = 2
+              rule.max = 12
+              rule.valid?("",input).should be_true
+            end
+          end
+
+          [
+            "1",
+            "ABCDEFGHIJKLM"
+          ].each do |input|
+            it "should check invalid lengths for #{input} with min2 max 12" do
+              rule.min = 2
+              rule.max = 12
+              rule.valid?("",input).should be_false
+            end
+          end
+
+          it "should add error for invalid lengths" do
+            list =  Owasp::Esapi::Validator::ValidatorErrorList.new
+            rule.min = 2
+            rule.max = 12
+            rule.validate("","1234567890",list)
+            list.errors.should be_empty
+            rule.validate("",nil,list)
+            list.errors.should have_exactly(1).items
+          end
+        end
+
+        describe "Null Rules" do
+          it "should allow nil for valid? when set to allow_nil" do
+            rule.allow_nil = true
+            rule.valid?("",nil).should be_true
+          end
+
+          it "should not allow nil for valid? when allow_nil is false" do
+            rule.valid?("",nil).should be_false
+          end
+
+        end
+
+
+      end
+    end
+  end
+end

data/spec/validator_skeleton.rb

@@ -0,0 +1,150 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+##############
+#
+#  Validator Rspec
+# Validation checks that a given input is valid, as as part of the request
+# canicolize the input f requested to check if an item is not only valid but also return the valid input
+# validator, under the covers should use the codec configuration to process underlying encodings
+# example:
+# given input string my<script%20alert('test')%20/>value
+# it canicalization is requested should be first decoded
+# so the input becomes my<script alert('test')/>value BEFORE any validation tests are processed
+# This more generic method means it can be applied to ANY input and doesnt require specific sub classing
+# to handle different classes of string. We apply rules equally on all input going into the application
+# contining the example
+#  Owasp::Esapi::Validator.get_valid_input(context,input,type,maxlen,allowNull,canonicalize)
+# would raise a ValidatorError or IntrustionError
+# IntrustionError in this case could be generated by the value encoder during canonicalization
+
+module Owasp
+  module Esapi
+    module Validator
+      describe Validator do
+        let(:validator) { Owasp::Esapi::Validator}
+        let(:allow_null) { false }
+        it "should load my validator rules" do
+          Owasp::Esapi.load_config("path to my config")
+          validator.rule_set.include?("Project.Safe.String")
+        end
+
+        # Valid dates are dates that can be
+        # interrupted as real date numbers
+        it "should validate my date" do
+          date = '2010-13-02'
+          validator.get_valid_date("Date input #{date}",date,format,allow_null)
+          validator.is_valid_date("Date input #{date}",date,format,allow_null)
+        end
+
+        # Valid credit card is any card number that passes
+        # the check digit check
+        it "should validate my credit card number" do
+          amex = '378282246310005'
+          mc = '5105105105105100'
+          visa = '4111111111111111'
+          validator.get_valid_credit_card("Credit card #{credit}",amex,allow_null)
+          validator.is_valid_credit_card("Credit card #{credit}",vis,allow_null)
+        end
+
+        # Validates the request contains the required parameters for a given request
+        # and any optional ones indicated
+        it "should validate my http request parameters" do
+          parms = { :name => :required, :date=>:required, :age=>:optional}
+          input = { :name=>"joe",:age=>"15",:date=>'2010-03-11'}
+          validator.is_valid_http_params("HTTP Request check #{parms}",parms,input,allow_null)
+          validator.get_valid_http_params("HTTP Request check #{parms}",parms,input,allow_null)
+        end
+
+        # escape and properly encode a URI and be safe of css
+        it "should validate my uri" do
+          uri = "http://www.google.com/my/path"
+          validator.is_valid_uri("URI check #{uri}",uri,allow_null)
+          validator.get_valid_uri("URI check #{uri}",uri,allow_null)
+        end
+
+        # Should be safe html that is free of scripts/css/attributes/urls/dom manipulation
+        it "should validate my html is safe" do
+          html = "<head><body>test</body></html>"
+          max_len = 50
+          validator.is_safe_html("HTML",html,max_len,allow_null)
+          validator.get_safe_html("HTML",html,max_len,allow_null)
+        end
+
+        # validte a path on the host
+        it "should validate my directory path" do
+          path = "/my/path"
+          root = "/my"
+          validator.is_valid_directory("PATH",path,root,allow_null)
+          validator.get_valid_directory("PATH",path,root,allow_null)
+        end
+
+        # validate the filename os valid
+        it "should validate my filename" do
+          file = "myfile"
+          validator.is_valid_filename("File name #{file}",file,allow_null)
+          validator.get_valid_filename("File name #{file}",file,allow_null)
+        end
+
+        # validate a number in between a min and max
+        it "should validate my number" do
+          number = 1.0
+          min = 0
+          max = 100
+          validator.is_valid_number("Number #{number}",number,min,max,allow_null)
+          validator.get_valid_number("Number #{number}",number,min,max_allow_null)
+        end
+
+        # check the file contents are valid in the expected encoding, check length
+        # run virus scanner
+        it "should validate my file contents" do
+          file = "myFile"
+          mime = "image/*"
+          max_len = 100
+          validator.is_valid_file_contents("File Contents #{file}",file,mime,max_len)
+          validator.get_valid_file_contents("File Contents #{file}",file,mime,max_len)
+        end
+
+        # validate the path, name and contents
+        it "should validate my fle upload" do
+          file = "test"
+          mime = "image/*"
+          max_len = 50
+          validator.is_valid_upload("Upload #{file}",file,mime,max_len,allow_null)
+          validator.get_valid_upload("Upload #{file}",file,mime,max_len,allow_null)
+        end
+
+        # validate the choice is in a given lsit
+        it "should validate my list items" do
+          list = [:a,:b,:c]
+          input = :a
+          validator.is_valid_choice("Choice list",input,list,allow_null)
+          validator.get_valid_choice("Choice list",input,list,allow_null)
+        end
+
+        # validate the input doesnt contain any non printable characters
+        it "should validate my input is printable" do
+          input = "ABCDEFGHIJKLMNOP"
+          max = 50
+          validator.is_valid_printable("Input of some printables",input,max,allow_null)
+          validator.get_valid_printable("Input of some printables",input,max,allow_null)
+        end
+
+        # Validate the redirection URI is properly encoded
+        it "should validate my redirection" do
+          validator.is_valid_redirection("Login redirect",path,allow_null)
+          validator.get_valid_redirection("Login redirect",path,allow_null)
+        end
+
+        # Validate some input based on params
+        it "should validate my input" do
+          input = "bogus"
+          input_type = "InputRule"
+          canonicalize = true
+          max_len = 50
+          validator.is_valid_input("Login user name",input,input_type,max_len,allow_null,canonicalize)
+          validator.get_valid_input("Login user name",input,input_type,max_len,allow_null,canonicalize)
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,235 @@
+--- !ruby/object:Gem::Specification 
+name: owasp-esapi-ruby
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 30
+  - 0
+  version: 0.30.0
+platform: ruby
+authors: 
+- |-
+  Owasp Esapi Ruby core
+  ---------------------
+  
+  * Paolo Perego <thesp0nge@owasp.org>
+  * Sal Scotto <sal.scotto@gmail.com>
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-03-09 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 2
+        - 9
+        version: 1.2.9
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: yard
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: nokogiri
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 4
+        - 4
+        version: 1.4.4
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: nokogiri
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 4
+        - 4
+        version: 1.4.4
+  type: :runtime
+  version_requirements: *id004
+description: "= The Owasp ESAPI Ruby project\n\n\
+  == Introduction\n\n\
+  The Owasp ESAPI Ruby is a port for outstanding release quality Owasp ESAPI\n\
+  project to the Ruby programming language. \n\n\
+  Ruby is now a famous programming language due to its Rails framework developed by David Heinemeier Hansson (http://twitter.com/dhh) that simplify the creation of a web application using a convention over configuration approach to simplify programmers' life.\n\n\
+  Despite Rails diffusion, there are a lot of Web framework out there that allow people to write web apps in Ruby (merb, sinatra, vintage) [http://accidentaltechnologist.com/ruby/10-alternative-ruby-web-frameworks/]. Owasp Esapi Ruby wants to bring all Ruby deevelopers a gem full of Secure APIs they can use whatever the framework they choose.\n\n\
+  == Why supporting only Ruby 1.9.2 and beyond?\n\n\
+  The OWASP Esapi Ruby gem will require at least version 1.9.2 of Ruby interpreter to make sure to have full advantages of the newer language APIs.\n\n\
+  In particular version 1.9.2 introduces radical changes in the following areas:\n\n\
+  === Regular expression engine\n\
+  (to be written)\n\n\
+  === UTF-8 support\n\
+  Unicode support in 1.9.2 is much better and provides better support for character set encoding/decoding\n\
+  * All strings have an additional chunk of info attached: Encoding\n\
+  * String#size takes encoding into account \xE2\x80\x93 returns the encoded character count\n\
+  * You can get the raw datasize\n\
+  * Indexed access is by encoded data \xE2\x80\x93 characters, not bytes\n\
+  * You can change encoding by force but it doesn\xE2\x80\x99t convert the data\n\n\
+  === Dates and Time\n\
+  From \"Programming Ruby 1.9\"\n\n\
+  \"As of Ruby 1.9.2, the range of dates that can be represented is no longer limited by the under- lying operating system\xE2\x80\x99s time representation (so there\xE2\x80\x99s no year 2038 problem). As a result, the year passed to the methods gm, local, new, mktime, and utc must now include the century\xE2\x80\x94a year of 90 now represents 90 and not 1990.\"\n\n\
+  == Roadmap\n\n\
+  Please see ChangeLog file. \n\n\
+  == Note on Patches/Pull Requests\n \n\
+  * Fork the project.\n\
+  * Create documentation with rake yard task\n\
+  * Make your feature addition or bug fix.\n\
+  * Add tests for it. This is important so I don't break it in a\n  future version unintentionally.\n\
+  * Commit, do not mess with rakefile, version, or history.\n  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)\n\
+  * Send me a pull request. Bonus points for topic branches.\n\n\
+  == Copyright\n\n\
+  Copyright (c) 2011 the OWASP Foundation. See LICENSE for details.\n"
+email: thesp0nge@owasp.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- ChangeLog
+- LICENSE
+- README
+files: 
+- .document
+- AUTHORS
+- ChangeLog
+- ISSUES
+- LICENSE
+- README
+- Rakefile
+- VERSION
+- lib/codec/base_codec.rb
+- lib/codec/css_codec.rb
+- lib/codec/encoder.rb
+- lib/codec/html_codec.rb
+- lib/codec/javascript_codec.rb
+- lib/codec/mysql_codec.rb
+- lib/codec/oracle_codec.rb
+- lib/codec/os_codec.rb
+- lib/codec/percent_codec.rb
+- lib/codec/pushable_string.rb
+- lib/codec/vbscript_codec.rb
+- lib/codec/xml_codec.rb
+- lib/esapi.rb
+- lib/exceptions.rb
+- lib/executor.rb
+- lib/owasp-esapi-ruby.rb
+- lib/sanitizer/xss.rb
+- lib/validator/base_rule.rb
+- lib/validator/date_rule.rb
+- lib/validator/email.rb
+- lib/validator/float_rule.rb
+- lib/validator/generic_validator.rb
+- lib/validator/integer_rule.rb
+- lib/validator/string_rule.rb
+- lib/validator/validator_error_list.rb
+- lib/validator/zipcode.rb
+- spec/codec/css_codec_spec.rb
+- spec/codec/html_codec_spec.rb
+- spec/codec/javascript_codec_spec.rb
+- spec/codec/mysql_codec_spec.rb
+- spec/codec/oracle_codec_spec.rb
+- spec/codec/os_codec_spec.rb
+- spec/codec/percent_codec_spec.rb
+- spec/codec/vbcript_codec_spec.rb
+- spec/codec/xml_codec_spec.rb
+- spec/owasp_esapi_encoder_spec.rb
+- spec/owasp_esapi_executor_spec.rb
+- spec/owasp_esapi_ruby_email_validator_spec.rb
+- spec/owasp_esapi_ruby_xss_sanitizer_spec.rb
+- spec/owasp_esapi_ruby_zipcode_validator_spec.rb
+- spec/spec_helper.rb
+- spec/validator/base_rule_spec.rb
+- spec/validator/date_rule_spec.rb
+- spec/validator/float_rule_spec.rb
+- spec/validator/integer_rule_spec.rb
+- spec/validator/string_rule_spec.rb
+- spec/validator_skeleton.rb
+has_rdoc: true
+homepage: http://github.com/thesp0nge/owasp-esapi-ruby
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 1
+      - 9
+      - 2
+      version: 1.9.2
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Owasp Enterprise Security APIs for Ruby language
+test_files: 
+- spec/codec/css_codec_spec.rb
+- spec/codec/html_codec_spec.rb
+- spec/codec/javascript_codec_spec.rb
+- spec/codec/mysql_codec_spec.rb
+- spec/codec/oracle_codec_spec.rb
+- spec/codec/os_codec_spec.rb
+- spec/codec/percent_codec_spec.rb
+- spec/codec/vbcript_codec_spec.rb
+- spec/codec/xml_codec_spec.rb
+- spec/owasp_esapi_encoder_spec.rb
+- spec/owasp_esapi_executor_spec.rb
+- spec/owasp_esapi_ruby_email_validator_spec.rb
+- spec/owasp_esapi_ruby_xss_sanitizer_spec.rb
+- spec/owasp_esapi_ruby_zipcode_validator_spec.rb
+- spec/spec_helper.rb
+- spec/validator/base_rule_spec.rb
+- spec/validator/date_rule_spec.rb
+- spec/validator/float_rule_spec.rb
+- spec/validator/integer_rule_spec.rb
+- spec/validator/string_rule_spec.rb
+- spec/validator_skeleton.rb