rack-libinjection 0.1.0

data/ext/libinjection/vendor/libinjection/.vendored

@@ -0,0 +1,5 @@
+# rack-libinjection vendor manifest. Do not edit by hand. Regenerate with: ruby script/vendor_libs.rb
+libinjection_version=4.0.0
+libinjection_url=https://codeload.github.com/libinjection/libinjection/tar.gz/v4.0.0?dummy=/
+libinjection_archive_sha256=a69d27e3d98608df89203c4e1c00c034fe0f8c723017e4088ab53ce3ff5a9129
+libinjection_tree_sha256=de73d6fdaa9b51970142c74941031a058491d5c883bb1eca9faa8bf9f874703b

data/ext/libinjection/vendor/libinjection/COPYING

@@ -0,0 +1,33 @@
+Copyright (c) 2012-2016, Nick Galbreath
+Copyright (c) 2017-2024, libinjection Contributors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+https://github.com/libinjection/libinjection
+http://opensource.org/licenses/BSD-3-Clause

data/ext/libinjection/vendor/libinjection/MIGRATION.md

@@ -0,0 +1,393 @@
+# Migration Guide: libinjection v3.x to v4.0
+
+This guide helps you migrate from libinjection v3.x to v4.0, which introduces a breaking API change in error handling.
+
+## Overview of Changes
+
+Version 4.0 introduces a new error handling model that **prevents process termination** on parser errors. Instead of calling `abort()` when encountering invalid parser states, the library now returns an error code that your application can handle gracefully.
+
+## What Changed
+
+### Return Type Change
+
+All detection functions now return `injection_result_t` enum instead of `int`:
+
+```c
+typedef enum injection_result_t {
+    LIBINJECTION_RESULT_FALSE = 0,   // No injection detected (benign input)
+    LIBINJECTION_RESULT_TRUE = 1,    // Injection detected
+    LIBINJECTION_RESULT_ERROR = -1   // Parser error (invalid state)
+} injection_result_t;
+```
+
+### Affected Functions
+
+- `libinjection_xss()`
+- `libinjection_sqli()`
+- `libinjection_is_xss()`
+- `libinjection_h5_next()`
+
+### New Header File
+
+Include the new error header:
+```c
+#include "libinjection_error.h"  // New in v4.0
+```
+
+## Migration Strategies
+
+### Strategy 1: Full Migration (Recommended)
+
+Update your code to explicitly check all three return values:
+
+**Before (v3.x):**
+```c
+#include "libinjection.h"
+#include "libinjection_sqli.h"
+
+int check_input(const char *input) {
+    struct libinjection_sqli_state state;
+    char fingerprint[8];
+    int result;
+    
+    libinjection_sqli_init(&state, input, strlen(input), FLAG_NONE);
+    result = libinjection_is_sqli(&state);
+    
+    if (result) {
+        log("SQLi detected: %s", state.fingerprint);
+        return 1;  // Block request
+    }
+    
+    return 0;  // Allow request
+}
+```
+
+**After (v4.0):**
+```c
+#include "libinjection.h"
+#include "libinjection_error.h"
+#include "libinjection_sqli.h"
+
+int check_input(const char *input) {
+    struct libinjection_sqli_state state;
+    char fingerprint[8];
+    injection_result_t result;
+    
+    libinjection_sqli_init(&state, input, strlen(input), FLAG_NONE);
+    result = libinjection_is_sqli(&state);
+    
+    if (result == LIBINJECTION_RESULT_ERROR) {
+        log_error("Parser error - treating as suspicious");
+        return 1;  // Block on error (fail-safe)
+    } else if (result == LIBINJECTION_RESULT_TRUE) {
+        log("SQLi detected: %s", state.fingerprint);
+        return 1;  // Block request
+    }
+    
+    return 0;  // Allow request
+}
+```
+
+### Strategy 2: Minimal Migration (Quick Fix)
+
+For quick migration with minimal code changes, treat errors as detections:
+
+```c
+injection_result_t result;
+
+result = libinjection_sqli(input, len, fingerprint);
+
+// Treat error as detection (fail-safe approach)
+if (result == LIBINJECTION_RESULT_TRUE || result == LIBINJECTION_RESULT_ERROR) {
+    // Block request
+    return 1;
+}
+
+return 0;  // Allow only if LIBINJECTION_RESULT_FALSE
+```
+
+### Strategy 3: Backward Compatible Check
+
+If you need to maintain compatibility during transition:
+
+```c
+injection_result_t result;
+
+result = libinjection_xss(input, len);
+
+// Old style: simple truthy check still works for detection
+// but won't distinguish error from injection
+if (result) {
+    // Handles both LIBINJECTION_RESULT_TRUE and LIBINJECTION_RESULT_ERROR (since -1 is truthy)
+    return 1;
+}
+
+return 0;
+```
+
+**Warning:** This approach treats errors as benign input when checking `!result`, which is unsafe.
+
+## Migration by Use Case
+
+### Web Application Firewall (WAF)
+
+Recommended approach: **Fail-safe** - block on both detection and error.
+
+```c
+injection_result_t sqli_result = libinjection_sqli(input, len, fp);
+injection_result_t xss_result = libinjection_xss(input, len);
+
+if (sqli_result == LIBINJECTION_RESULT_TRUE || sqli_result == LIBINJECTION_RESULT_ERROR ||
+    xss_result == LIBINJECTION_RESULT_TRUE || xss_result == LIBINJECTION_RESULT_ERROR) {
+    
+    log_security_event(input, sqli_result, xss_result);
+    return HTTP_403_FORBIDDEN;
+}
+
+return HTTP_200_OK;
+```
+
+### Logging/Monitoring System
+
+Recommended approach: **Distinguish** between detection and errors.
+
+```c
+injection_result_t result = libinjection_xss(input, len);
+
+switch (result) {
+    case LIBINJECTION_RESULT_TRUE:
+        log_metric("xss.detected", 1);
+        alert_security_team(input);
+        break;
+    
+    case LIBINJECTION_RESULT_ERROR:
+        log_metric("xss.parser_error", 1);
+        log_error("Parser error on input: %.*s", (int)len, input);
+        // Continue processing - may be benign malformed input
+        break;
+    
+    case LIBINJECTION_RESULT_FALSE:
+        log_metric("xss.clean", 1);
+        break;
+}
+```
+
+### Embedded System
+
+Recommended approach: **Graceful degradation** with error recovery.
+
+```c
+injection_result_t result = libinjection_sqli(input, len, fp);
+
+if (result == LIBINJECTION_RESULT_ERROR) {
+    // Log error but don't block - keep system running
+    error_count++;
+    
+    if (error_count > ERROR_THRESHOLD) {
+        // Too many errors - may indicate attack or bug
+        enter_safe_mode();
+    }
+    
+    return ALLOW;  // Degrade gracefully
+}
+
+return (result == LIBINJECTION_RESULT_TRUE) ? BLOCK : ALLOW;
+```
+
+## Testing Your Migration
+
+### 1. Compile-time Checks
+
+After migration, your code should compile with the new type:
+
+```c
+injection_result_t result;  // Not 'int'
+result = libinjection_xss(input, len);
+```
+
+### 2. Runtime Testing
+
+Test with these scenarios:
+
+```c
+// Normal detection - should return LIBINJECTION_RESULT_TRUE
+libinjection_xss("<script>alert(1)</script>", 28);
+
+// Benign input - should return LIBINJECTION_RESULT_FALSE
+libinjection_xss("hello world", 11);
+
+// Edge cases that might trigger LIBINJECTION_RESULT_ERROR
+libinjection_xss("", 0);  // Empty string
+// Very long inputs, deeply nested structures, etc.
+```
+
+### 3. Error Handling Test
+
+Verify your error handling:
+
+```c
+injection_result_t result = libinjection_xss(test_input, len);
+
+assert(result == LIBINJECTION_RESULT_FALSE || 
+       result == LIBINJECTION_RESULT_TRUE || 
+       result == LIBINJECTION_RESULT_ERROR);  // Only valid values
+
+// Ensure you handle all three cases
+switch (result) {
+    case LIBINJECTION_RESULT_FALSE: /* ... */ break;
+    case LIBINJECTION_RESULT_TRUE:  /* ... */ break;
+    case LIBINJECTION_RESULT_ERROR: /* ... */ break;
+}
+```
+
+## Common Pitfalls
+
+### ❌ Don't: Ignore errors
+
+```c
+// WRONG - error becomes benign
+if (result == LIBINJECTION_RESULT_TRUE) {
+    block();
+}
+// LIBINJECTION_RESULT_ERROR falls through as allowed!
+```
+
+### ✅ Do: Explicitly handle errors
+
+```c
+// CORRECT
+if (result == LIBINJECTION_RESULT_ERROR) {
+    handle_error();
+} else if (result == LIBINJECTION_RESULT_TRUE) {
+    block();
+}
+```
+
+### ❌ Don't: Use simple equality for "not detected"
+
+```c
+// WRONG - error will pass this check
+if (result == 0) {  // Only catches LIBINJECTION_RESULT_FALSE
+    allow();
+}
+```
+
+### ✅ Do: Use enum constants
+
+```c
+// CORRECT
+if (result == LIBINJECTION_RESULT_FALSE) {
+    allow();
+}
+```
+
+## Language Bindings
+
+### Python
+
+The enum values are accessible as integers in the Python binding:
+
+```python
+import libinjection
+
+result = libinjection.xss(test_input)
+
+if result == -1:  # LIBINJECTION_RESULT_ERROR
+    handle_error()
+elif result == 1:  # LIBINJECTION_RESULT_TRUE
+    block_request()
+else:  # result == 0, LIBINJECTION_RESULT_FALSE
+    allow_request()
+```
+
+### PHP
+
+```php
+<?php
+$result = libinjection_xss($input);
+
+if ($result === -1) {  // LIBINJECTION_RESULT_ERROR
+    handle_error();
+} elseif ($result === 1) {  // LIBINJECTION_RESULT_TRUE
+    block_request();
+} else {  // $result === 0, LIBINJECTION_RESULT_FALSE
+    allow_request();
+}
+```
+
+### Lua
+
+```lua
+local libinjection = require "libinjection"
+
+local result = libinjection.xss(input)
+
+if result == -1 then  -- LIBINJECTION_RESULT_ERROR
+    handle_error()
+elseif result == 1 then  -- LIBINJECTION_RESULT_TRUE
+    block_request()
+else  -- result == 0, LIBINJECTION_RESULT_FALSE
+    allow_request()
+end
+```
+
+## Why This Change?
+
+### The Problem with v3.x
+
+In v3.x, when the parser encountered an invalid state (e.g., cursor position exceeding string length), it would call `assert()` or `abort()`, immediately terminating your entire process:
+
+```c
+// v3.x behavior (REMOVED in v4.0)
+assert(hs->len >= hs->pos);  // CRASH if violated
+```
+
+This was problematic for:
+- **Web servers**: Malicious input could crash the server
+- **Embedded systems**: Required high availability, no crashes
+- **Production services**: Needed graceful degradation
+
+### The Solution in v4.0
+
+Parser errors now return `LIBINJECTION_RESULT_ERROR` instead of terminating:
+
+```c
+// v4.0 behavior
+if (hs->len < hs->pos) {
+    return LIBINJECTION_RESULT_ERROR;  // Graceful error return
+}
+```
+
+Your application can now:
+- Log the error for debugging
+- Continue running other requests
+- Implement custom error policies
+- Monitor error rates
+
+## Need Help?
+
+- **Issues**: https://github.com/libinjection/libinjection/issues
+- **Pull Request**: https://github.com/libinjection/libinjection/pull/65
+- **Documentation**: See README.md for updated examples
+
+## Checklist
+
+Use this checklist to verify your migration:
+
+- [ ] Updated all `int` return types to `injection_result_t`
+- [ ] Added `#include "libinjection_error.h"`
+- [ ] Explicitly handle `LIBINJECTION_RESULT_ERROR` in all code paths
+- [ ] Updated language binding code (if applicable)
+- [ ] Added tests for error conditions
+- [ ] Verified fail-safe behavior (block on error in security contexts)
+- [ ] Updated logging/monitoring to track error rates
+- [ ] Tested with edge cases (empty strings, very long inputs, etc.)
+- [ ] Reviewed all `if (result)` checks for proper error handling
+- [ ] Updated internal documentation and team guidelines
+
+---
+
+**Version**: 4.0.0  
+**Last Updated**: 2025  
+**Status**: Current
+

data/ext/libinjection/vendor/libinjection/README.md

@@ -0,0 +1,251 @@
+
+<img src="https://raw.githubusercontent.com/libinjection/libinjection/main/misc/libinjection.svg" width="70%">
+
+![CI](https://github.com/libinjection/libinjection/workflows/CI/badge.svg)
+[![license](https://img.shields.io/badge/license-BSD_3--Clause-blue.svg?style=flat)](https://raw.githubusercontent.com/libinjection/libinjection/main/COPYING)
+
+
+SQL / SQLI tokenizer parser analyzer. For
+
+* C and C++
+* [PHP](https://libinjection.client9.com/doc-sqli-php)
+* [Python](https://libinjection.client9.com/doc-sqli-python)
+* [Lua](/lua)
+* [Java](https://github.com/jeonglee/Libinjection) (external port)
+* [LuaJIT/FFI](https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)
+
+See [https://www.client9.com/](https://www.client9.com/)
+for details and presentations.
+
+Simple example:
+
+```c
+#include <stdio.h>
+#include <strings.h>
+#include <errno.h>
+#include "libinjection.h"
+#include "libinjection_sqli.h"
+
+int main(int argc, const char* argv[])
+{
+    struct libinjection_sqli_state state;
+    injection_result_t result;
+
+    const char* input = argv[1];
+    size_t slen = strlen(input);
+
+    /* in real-world, you would url-decode the input, etc */
+
+    libinjection_sqli_init(&state, input, slen, FLAG_NONE);
+    result = libinjection_is_sqli(&state);
+    
+    if (result == LIBINJECTION_RESULT_ERROR) {
+        fprintf(stderr, "error: parser encountered an error\n");
+        return 2;
+    } else if (result == LIBINJECTION_RESULT_TRUE) {
+        fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
+        return 1;
+    }
+    
+    /* LIBINJECTION_RESULT_FALSE - no SQLi detected */
+    return 0;
+}
+```
+
+```
+$ gcc -Wall -Wextra examples.c libinjection_sqli.c
+$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
+sqli detected with fingerprint of 's&1UE'
+```
+
+More advanced samples:
+
+* [sqli_cli.c](/src/sqli_cli.c)
+* [reader.c](/src/reader.c)
+* [fptool](/src/fptool.c)
+
+VERSION INFORMATION
+===================
+
+See [CHANGELOG](CHANGELOG.md) for details.
+
+Versions are listed as "major.minor.point"
+
+Major are significant changes to the API and/or fingerprint format.
+Applications will need recompiling and/or refactoring.
+
+Minor are C code changes.  These may include
+ * logical change to detect or suppress
+ * optimization changes
+ * code refactoring
+
+Point releases are purely data changes.  These may be safely applied.
+
+ERROR HANDLING
+==============
+
+As of version 4.0.0, libinjection uses an `injection_result_t` enum for return values instead of `int`:
+
+```c
+typedef enum injection_result_t {
+    LIBINJECTION_RESULT_FALSE = 0,   // No injection detected (benign input)
+    LIBINJECTION_RESULT_TRUE = 1,    // Injection detected
+    LIBINJECTION_RESULT_ERROR = -1   // Parser error (invalid state)
+} injection_result_t;
+```
+
+**Important:** Prior to v4.0.0, libinjection would call `abort()` and terminate the process when encountering parser errors. Now it returns `LIBINJECTION_RESULT_ERROR` instead, allowing your application to handle errors gracefully.
+
+**Backward Compatibility:** The enum values `LIBINJECTION_RESULT_FALSE` (0) and `LIBINJECTION_RESULT_TRUE` (1) maintain backward compatibility with code that checks for true/false values. However, applications should be updated to handle `LIBINJECTION_RESULT_ERROR` (-1) to prevent treating parser errors as benign input.
+
+**Migration:** See [MIGRATION.md](MIGRATION.md) for guidance on updating existing code.
+
+QUALITY AND DIAGNOSITICS
+========================
+
+The continuous integration results at GitHub tests the following:
+
+- [x] build and unit-tests under GCC
+- [x] build and unit-tests under Clang
+- [x] static analysis using [clang static analyzer](http://clang-analyzer.llvm.org)
+- [x] static analysis using [cppcheck](https://github.com/danmar/cppcheck)
+- [x] checks for memory errors using [valgrind](http://valgrind.org/)
+
+LICENSE
+=============
+
+Copyright (c) 2012-2016, Nick Galbreath
+Copyright (c) 2017-2024, libinjection Contributors
+
+Licensed under the standard [BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) open source
+license.  See [COPYING](/COPYING) for details.
+
+## BUILD TARGETS
+
+Some of the previous help runners have been merged into the Makefile. E.g.:
+
+* run-clang-asan.sh -> `make clan-asan`
+* make-ci.sh -> `make ci`
+
+### Building and Installing Libraries
+
+The autotools build system uses **libtool**, which places built libraries in the `src/.libs/` directory (not directly in `src/` like older versions).
+
+**Basic build:**
+```bash
+./autogen.sh
+./configure
+make
+
+# Built libraries are located at:
+# - src/.libs/libinjection.a (static library)
+# - src/.libs/libinjection.so (Linux shared) or src/.libs/libinjection.dylib (macOS shared)
+```
+
+**Building static libraries:**
+```bash
+./configure --enable-static
+make
+find . -name "*.a"
+# Output: ./src/.libs/libinjection.a
+```
+
+**Installing to a specific location:**
+```bash
+./configure --prefix=/path/to/install
+make
+make install
+
+# This installs:
+# - Headers: /path/to/install/include/libinjection*.h
+# - Libraries: /path/to/install/lib/libinjection.{a,so,dylib}
+# - pkg-config: /path/to/install/lib/pkgconfig/libinjection.pc
+```
+
+**Linking against libinjection:**
+
+Option 1 - Link against installed library (via pkg-config):
+```bash
+./configure --prefix=/usr/local
+make install
+gcc myapp.c $(pkg-config --cflags --libs libinjection)
+```
+
+Option 2 - Link against build tree without installing:
+```bash
+gcc myapp.c -I/path/to/libinjection/src -L/path/to/libinjection/src/.libs -linjection
+```
+
+Option 3 - Static linking from build tree:
+```bash
+gcc myapp.c -I/path/to/libinjection/src /path/to/libinjection/src/.libs/libinjection.a
+```
+
+### Migrating from Older Versions (client9/libinjection)
+
+If you're upgrading from the old Makefile-based build system where `libinjection.a` was in `src/`, note that libraries are now in `src/.libs/`.
+
+**Update your build scripts:**
+
+For Makefiles:
+```makefile
+LIBINJECTION_DIR = ../libinjection
+CFLAGS += -I$(LIBINJECTION_DIR)/src
+LDFLAGS += -L$(LIBINJECTION_DIR)/src/.libs -linjection
+```
+
+For CMake:
+```cmake
+target_include_directories(myapp PRIVATE ../libinjection/src)
+target_link_directories(myapp PRIVATE ../libinjection/src/.libs)
+target_link_libraries(myapp injection)
+```
+
+If your build system requires libraries in a specific location:
+```bash
+./configure && make
+cp src/.libs/libinjection.a /desired/location/
+```
+
+For more information, see:
+- GNU Libtool documentation: https://www.gnu.org/software/libtool/manual/html_node/Linking-libraries.html
+- GitHub issue #54
+
+### Static Analysis
+
+If you run `make cppcheck` you will see this warning printed:
+```
+nofile:0 information missingIncludeSystem Cppcheck cannot find all the include files (use --check-config for details)
+```
+You can safely ignore it as it is just saying that standard include files are being ignored (which is the recommended option):
+```
+example1.c:1:0: information: Include file: <stdio.h> not found. Please note: Cppcheck does not need standard library headers to get proper results. [missingIncludeSystem]
+```
+
+EMBEDDING
+=============
+
+The [src](/src)
+directory contains everything, but you only need to copy the following
+into your source tree:
+
+* [src/libinjection.h](/src/libinjection.h)
+* [src/libinjection_error.h](/src/libinjection_error.h)
+* [src/libinjection_sqli.h](/src/libinjection_sqli.h)
+* [src/libinjection_sqli.c](/src/libinjection_sqli.c)
+* [src/libinjection_sqli_data.h](/src/libinjection_sqli_data.h)
+* [COPYING](/COPYING)
+
+For XSS detection, also copy:
+
+* [src/libinjection_xss.h](/src/libinjection_xss.h)
+* [src/libinjection_xss.c](/src/libinjection_xss.c)
+* [src/libinjection_html5.h](/src/libinjection_html5.h)
+* [src/libinjection_html5.c](/src/libinjection_html5.c)
+
+The source includes a default version string (`"4.0.0"`).
+You can override this at build time, for example by defining `LIBINJECTION_VERSION`:
+
+```
+CFLAGS="-DLIBINJECTION_VERSION=\"4.0.0-custom\""
+```