puppet-validator 0.0.6 → 0.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3a8844ff2f61370de5412e932959747fa2f6c0a5
-  data.tar.gz: d9737a5ccd70a93cdcc4505d50fb5806b6a6d317
+  metadata.gz: c3dc256dd81faa824703173a618ee04e5744afa2
+  data.tar.gz: 6beb62e29d7b8b49bb2441b0e9414cdae0dd3760
 SHA512:
-  metadata.gz: d9dbbae1c479485c6d4fb67d1a25567187c432092f6753ac1a7e51fd0adc07020c7c0a2151300e5f1deb3a5116b4b0b374614096507ae0e2addb72cb0f54d13e
-  data.tar.gz: 9d6833e36e27f4dc18d60ef31234a35251cb9bec346a01876933905c8da44c1baa469ddb26906ac7db6ae6bc6a4fbd13128d51e65b5857ddd0f4dd8892045581
+  metadata.gz: 9270323f2c725c7389883ca0f2c180132b4074b9fee02401b9a64a0bae35fd9e2bc2753b1700aecc3b0e3b1fcc564b6e15f06107e146c30d96683fc07fbfc646
+  data.tar.gz: 728b48f8044fe6e9703212eeb79a997543e1b49d339da39887f810598e4aba28a735bd5f107497422e1f1b5355489dd7acd05a710122ea9bceaca6a4d0c3e86c

data/README.md

@@ -259,3 +259,9 @@ A simple `systemd` init script might look something like:
 
 Customize the command line as needed. You might include a `--theme` or `--port`
 argument, or you might provide the full path to an `rvm` installed gem.
+
+### Bookmarklet
+
+If you just want to validate Puppet code you see on a website, follow the
+instructions on http://binford2k.com/content/2016/06/puppetlinter-dot-com
+

data/lib/puppet-validator.rb

@@ -5,6 +5,9 @@ require 'puppet'
 require 'puppet/parser'
 require 'puppet-lint'
 
+require 'nokogiri'
+require 'cgi'
+
 # something like 3,000 lines of code
 MAXSIZE = 100000
 CONTEXT = 3
@@ -13,9 +16,17 @@ class PuppetValidator < Sinatra::Base
   set :logging, true
   set :strict, true
 
-  before {
+  enable :sessions
+
+  before do
     env["rack.logger"] = settings.logger if settings.logger
-  }
+
+    session[:csrf] ||= SecureRandom.hex(32)
+    response.set_cookie 'authenticity_token', {
+      :value   => session[:csrf],
+      :expires => Time.now + (60 * 60 * 24),
+    }
+  end
 
   def initialize(app=nil)
     super(app)
@@ -68,6 +79,15 @@ class PuppetValidator < Sinatra::Base
     logger.info "Validating code from #{request.ip}."
     logger.debug "validating #{request.ip}: #{params['code']}"
 
+    halt 403, 'Request validation failed.' unless safe?
+
+    frag = Nokogiri::HTML.fragment(params['code'])
+    unless frag.elements.empty?
+      logger.warn 'HTML code found in validation string'
+      frag.elements.each { |elem| logger.debug "HTML: #{elem.to_s}" }
+      params['code'] = CGI.escapeHTML(params['code'])
+    end
+
     if request.body.size <= MAXSIZE
       result = validate params['code']
       lint   = lint(params['code'], params['checks']) if params['lint'] == 'on'
@@ -109,6 +129,15 @@ class PuppetValidator < Sinatra::Base
 
   helpers do
 
+    def safe?
+      if session[:csrf] == params['_csrf'] && session[:csrf] == request.cookies['authenticity_token']
+        true
+      else
+        logger.warn 'CSRF attempt detected.'
+        false
+      end
+    end
+
     def validate(data)
       begin
         Puppet.settings[:app_management] = true if Gem::Version.new(Puppet.version) >= Gem::Version.new('4.3.2')

data/public/scripts.js

@@ -53,7 +53,7 @@ function popup(title, text, url) {
       buttons: {
           Ok: function () {
               $(this).dialog("close");
-              $("#dlg").remove();
+              $("#popup").remove();
           }
       }
   });

data/views/index.erb

@@ -10,6 +10,7 @@
   <h1>Puppet Code Validator</h1>
   <p>Paste Puppet code into the following textbox and check it for validity.</p>
   <form action="/validate" method="post">
+    <input name="_csrf", type="hidden" value="<%= session[:csrf] %>" />
     <div class="entry">
       <textarea name="code" id="code" cols="65" rows="25"></textarea>
       <input type="submit" value="Validate" id="validate">

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-validator
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.0.7
 platform: ruby
 authors:
 - Ben Ford
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-29 00:00:00.000000000 Z
+date: 2017-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -58,6 +58,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.5
 description: |2
       Puppet Validator is a simple web service that accepts arbitrary code submissions and
       validates it the way `puppet parser validate` would. It can optionally also
@@ -68,13 +88,11 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- README.md
 - LICENSE
-- config.ru
+- README.md
 - bin/puppet-validator
+- config.ru
 - lib/puppet-validator.rb
-- views/index.erb
-- views/result.erb
 - public/gist.png
 - public/info.png
 - public/prism-default.css
@@ -82,8 +100,11 @@ files:
 - public/scripts.js
 - public/styles.css
 - public/testing.html
+- views/index.erb
+- views/result.erb
 homepage: https://github.com/puppetlabs/puppet-validator/
-licenses: []
+licenses:
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -101,7 +122,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14.1
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: Puppet code validator as a service