qti 0.7.8 → 0.7.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1897287f2eb2b6af316a0f7c81112e50fe2e8d43
-  data.tar.gz: 41cc16c9d6928833b10c963a17f181eb9d5f2361
+  metadata.gz: bd980a1e89fbf6817329ae29519f4e266e889906
+  data.tar.gz: f4a2d4935a246d9a07987240059f0c2ca9b03e16
 SHA512:
-  metadata.gz: f3a3945bbe3401cb3cfc512bbcefc301a3cd4983e9b2d6da4a9b9ac4e851bce71fa76e5c0be1c45f416eed89c196802e62794c9af5923f8194a5d28a6c3f9f2a
-  data.tar.gz: dca959a4115b19ab11172438045b8f973511b92b1fa7c19767887f004ff655bbba00b03b7ba4f22796bc123dd3aa5b45a8e2aa4133c0cb60698ba15ca9448e17
+  metadata.gz: 66cc18a1302da5dab058a48613df70bb52f6c4211a1ce37dde549844e1fe31931ef3228f8ef74a07044202728efe57f96ec537f8de878338ed72e2acdc7c98c7
+  data.tar.gz: 39b9f7df2da0f51188766863bfd3e2589f8cd907459689b1b797e7439af46d112eec5d58d2c9ae9270f450c9bcddb295bccfe1c88baf34935132bf5a8eaaae7b

data/lib/qti.rb

@@ -2,10 +2,16 @@ require 'find'
 
 module Qti
   class Importer
+    attr_reader :package_root
+
     def initialize(path)
       Find.find(path) do |subdir|
-        @path = subdir if subdir =~ /imsmanifest.xml/
+        if subdir =~ /imsmanifest.xml\z/
+          @path = subdir
+          break
+        end
       end
+      @package_root = File.dirname(@path)
     end
 
     def import_manifest
@@ -20,9 +26,9 @@ module Qti
 
     def version_agnostic_test_object(assessment_test_file)
       if @manifest.qti_1_href
-        Qti::V1::Models::Assessment.from_path!(assessment_test_file)
+        Qti::V1::Models::Assessment.from_path!(assessment_test_file, @package_root)
       else
-        Qti::V2::Models::AssessmentTest.from_path!(assessment_test_file)
+        Qti::V2::Models::AssessmentTest.from_path!(assessment_test_file, @package_root)
       end
     end
 
@@ -38,9 +44,9 @@ module Qti
 
     def create_assessment_item(assessment_item_ref)
       if @manifest.qti_1_href
-        Qti::V1::Models::AssessmentItem.new(assessment_item_ref)
+        Qti::V1::Models::AssessmentItem.new(assessment_item_ref, @package_root)
       else
-        Qti::V2::Models::AssessmentItem.from_path!(assessment_item_ref)
+        Qti::V2::Models::AssessmentItem.from_path!(assessment_item_ref, @package_root)
       end
     end
   end

data/lib/qti/models/base.rb

@@ -1,5 +1,6 @@
 require 'nokogiri'
 require 'sanitize'
+require 'pathname'
 
 module Qti
   class ParseError < StandardError; end
@@ -8,7 +9,7 @@ module Qti
 
   module Models
     class Base
-      attr_reader :doc
+      attr_reader :doc, :path, :package_root
 
       ELEMENTS_REMAP = {
         'prompt' => 'div',
@@ -40,12 +41,13 @@ module Qti
         Sanitize::Config::RELAXED.merge transformers: remap_unknown_tags_transformer
       end
 
-      def self.from_path!(path)
-        new(path: path)
+      def self.from_path!(path, package_root = nil)
+        new(path: path, package_root: package_root)
       end
 
-      def initialize(path: nil)
+      def initialize(path:, package_root: nil)
         @path = path
+        set_package_root(package_root || File.dirname(path))
         @doc = parse_xml(File.read(path))
         raise ArgumentError unless @doc
       end
@@ -63,19 +65,26 @@ module Qti
       end
 
       def parse_xml(xml_string)
-        Nokogiri.XML(xml_string, &:noblanks)
+        Nokogiri.XML(xml_string, @path.to_s, &:noblanks)
       end
 
-      def remap_href_path(href, source_path)
-        return href unless href
-        # Attempts to map to a file path relative href if href doesn't exist
-        # Returns original href if that file doesn't exist
-        if File.exist?(href)
-          href
+      def remap_href_path(href)
+        return nil unless href
+        path = File.join(File.dirname(@path), href)
+        if @package_root.nil?
+          raise Qti::ParseError, "Potentially unsafe href '#{href}'" if href.split('/').include?('..')
         else
-          new_path = File.join(File.dirname(source_path), href)
-          File.exist?(new_path) ? new_path : href
+          raise Qti::ParseError, "Unsafe href '#{href}'" unless Pathname.new(path).cleanpath.to_s.start_with?(@package_root)
         end
+        path
+      end
+
+      protected
+
+      def set_package_root(package_root)
+        @package_root = package_root
+        return unless @package_root
+        @package_root = Pathname.new(@package_root).cleanpath.to_s + '/'
       end
     end
   end

data/lib/qti/models/manifest.rb

@@ -5,7 +5,7 @@ module Qti
     class Manifest < Qti::Models::Base
       def assessment_test_href
         href = qti_1_href.nil? ? qti_2_x_href : qti_1_href
-        remap_href_path(href, @path)
+        remap_href_path(href)
       end
 
       def qti_1_href

data/lib/qti/v1/models/assessment_item.rb

@@ -7,8 +7,10 @@ module Qti
       class AssessmentItem < Qti::V1::Models::Base
         attr_reader :doc
 
-        def initialize(item)
+        def initialize(item, package_root = nil)
           @doc = item
+          @path = item.document.url
+          set_package_root(package_root)
         end
 
         def item_body

data/lib/qti/v1/models/choices/fill_blank_choice.rb

@@ -17,7 +17,7 @@ module Qti
           def item_body
             @item_body ||= begin
               node = @node.dup
-              node.content.squish
+              sanitize_content!(node.content.squish)
             end
           end
         end

data/lib/qti/v1/models/choices/logical_identifier_choice.rb

@@ -16,7 +16,7 @@ module Qti
           def item_body
             @item_body ||= begin
               node = @node.dup
-              node.content.strip.gsub(/\s+/, ' ')
+              sanitize_content!(node.content.strip.gsub(/\s+/, ' '))
             end
           end
         end

data/lib/qti/v1/models/interactions/match_interaction.rb

@@ -17,7 +17,7 @@ module Qti
 
           def questions
             node.xpath('.//xmlns:response_lid').map do |lid_node|
-              item_body = lid_node.at_xpath('.//xmlns:mattext').text
+              item_body = sanitize_content!(lid_node.at_xpath('.//xmlns:mattext').text)
               { id: lid_node.attributes['ident'].value, itemBody: item_body }
             end
           end

data/lib/qti/v2/models/assessment_test.rb

@@ -12,7 +12,7 @@ module Qti
           # Return the xml files we should be parsing
           @assessment_item_reference_hrefs ||= begin
             @doc.xpath('//xmlns:assessmentItemRef/@href').map(&:content).map do |href|
-              remap_href_path(href, @path)
+              remap_href_path(href)
             end
           end
         end

data/lib/qti/v2/models/choices/gap_match_choice.rb

@@ -18,7 +18,7 @@ module Qti
             @item_body ||= begin
               node = @node.dup
               node.children.filter(PROHIBITED_NODE_NAMES).each(&:unlink)
-              node.content.strip.gsub(/\s+/, ' ')
+              sanitize_content!(node.content.strip.gsub(/\s+/, ' '))
             end
           end
         end

data/lib/qti/v2/models/choices/simple_choice.rb

@@ -19,7 +19,7 @@ module Qti
             @item_body ||= begin
               node = @node.dup
               node.children.filter(PROHIBITED_NODE_NAMES).map(&:unlink)
-              node.content.strip.gsub(/\s+/, ' ')
+              sanitize_content!(node.content.strip.gsub(/\s+/, ' '))
             end
           end
         end

data/spec/lib/qti/models/base_spec.rb

@@ -45,26 +45,47 @@ describe Qti::Models::Base do
     end
 
     describe '#remap_href_path' do
-      let(:href) { 'hi.xml' }
-      let(:base_path) { 'hello/bob.xml' }
-      let(:remapped_path) { File.join(File.dirname(base_path), href) }
-      let(:subject) { loaded_class.remap_href_path(href, base_path) }
-
-      it 'passes the original path if it exists' do
-        allow(File).to receive(:exist?).with(href).and_return(true)
-        expect(subject).to eq href
+      it 'constructs a path relative to the basename of the source' do
+        expect(loaded_class.remap_href_path('hi.xml')).to eq 'spec/fixtures/test_qti_2.2/hi.xml'
       end
 
-      it 'passes the original path when the remapped path doesn\'t exist' do
-        allow(File).to receive(:exist?).with(href).and_return(false)
-        allow(File).to receive(:exist?).with(remapped_path).and_return(false)
-        expect(subject).to eq href
+      it 'is not fooled by an absolute href' do
+        expect(loaded_class.remap_href_path('/etc/shadow')).to eq 'spec/fixtures/test_qti_2.2/etc/shadow'
       end
 
-      it 'passes the remapped path if it exists' do
-        allow(File).to receive(:exist?).with(href).and_return(false)
-        allow(File).to receive(:exist?).with(remapped_path).and_return(true)
-        expect(subject).to eq remapped_path
+      it 'uses an implicit package root' do
+        expect {
+          loaded_class.remap_href_path('../sneaky.txt')
+        }.to raise_error(Qti::ParseError)
+      end
+
+      context "with explicit package root" do
+        let(:package_root) { File.join('spec', 'fixtures', 'test_qti_2.2') }
+        let(:item_path) { File.join(package_root, 'true-false', 'true-false.xml') }
+        let(:item) { described_class.from_path!(item_path, package_root) }
+
+        it 'allows safe .. hrefs' do
+          expect {
+            item.remap_href_path('../okay.txt')
+          }.not_to raise_error
+        end
+
+        it 'rejects attempts to escape the package' do
+          expect {
+            item.remap_href_path('../../bad.txt')
+          }.to raise_error(Qti::ParseError)
+        end
+      end
+
+      context "with nil package root" do
+        let(:item_path) { File.join('spec', 'fixtures', 'test_qti_2.2', 'true-false', 'true-false.xml') }
+        let(:item) { described_class.from_path!(item_path, nil) }
+
+        it 'rejects .. hrefs' do
+          expect {
+            item.remap_href_path('../no_longer_okay.txt')
+          }.to raise_error(Qti::ParseError)
+        end
       end
     end
   end

data/spec/lib/qti_spec.rb

@@ -9,6 +9,10 @@ describe Qti::Importer do
     it 'loads an xml file' do
       expect { importer }.to_not raise_error
     end
+
+    it 'sets the package root properly' do
+      expect(importer.package_root).to eq file_path
+    end
   end
 
   shared_examples_for 'unsupported QTI version' do
@@ -33,6 +37,13 @@ describe Qti::Importer do
         answer_arity = assessment_items.map { |item| item.scoring_data_structs.count }
         expect(answer_arity).to eq [1, 1, 4, 1, 1]
       end
+
+      it 'sets the path and package root properly' do
+        importer.test_object
+        item = importer.create_assessment_item(importer.assessment_item_refs.first)
+        expect(item.path).to eq file_path + '/quiz.xml'
+        expect(item.package_root).to eq file_path + '/'
+      end
     end
 
     context 'canvas generated' do
@@ -51,5 +62,15 @@ describe Qti::Importer do
 
     include_examples 'initialize'
     include_examples 'unsupported QTI version'
+
+    describe '#create_assessment_item' do
+      it 'sets the path and package root properly' do
+        importer.test_object
+        ref = importer.assessment_item_refs.first
+        item = importer.create_assessment_item(ref)
+        expect(item.path).to eq ref
+        expect(item.package_root).to eq file_path + '/'
+      end
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: qti
 version: !ruby/object:Gem::Version
-  version: 0.7.8
+  version: 0.7.9
 platform: ruby
 authors:
 - Hannah Bottalla
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-09 00:00:00.000000000 Z
+date: 2017-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -488,7 +488,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: QTI 1.2 and 2.1 import and export models