rails-angular-xss 0.1.0

Files changed (41) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +5 -0
  3. data/.travis.yml +11 -0
  4. data/LICENSE +22 -0
  5. data/README.md +55 -0
  6. data/Rakefile +55 -0
  7. data/angular_xss.gemspec +21 -0
  8. data/lib/rails-angular-xss.rb +1 -0
  9. data/lib/rails/angular-xss.rb +28 -0
  10. data/lib/rails/angular-xss/version.rb +5 -0
  11. data/spec/rails-4.2/.rspec +2 -0
  12. data/spec/rails-4.2/Gemfile +8 -0
  13. data/spec/rails-4.2/Gemfile.lock +140 -0
  14. data/spec/rails-4.2/Rakefile +10 -0
  15. data/spec/rails-4.2/app_root/.gitignore +4 -0
  16. data/spec/rails-4.2/app_root/config/application.rb +34 -0
  17. data/spec/rails-4.2/app_root/config/boot.rb +13 -0
  18. data/spec/rails-4.2/app_root/config/database.yml +4 -0
  19. data/spec/rails-4.2/app_root/config/environment.rb +5 -0
  20. data/spec/rails-4.2/app_root/config/environments/test.rb +35 -0
  21. data/spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb +7 -0
  22. data/spec/rails-4.2/app_root/config/initializers/inflections.rb +10 -0
  23. data/spec/rails-4.2/app_root/config/initializers/mime_types.rb +5 -0
  24. data/spec/rails-4.2/app_root/config/initializers/secret_token.rb +7 -0
  25. data/spec/rails-4.2/app_root/config/initializers/session_store.rb +8 -0
  26. data/spec/rails-4.2/app_root/config/routes.rb +3 -0
  27. data/spec/rails-4.2/app_root/lib/tasks/.gitkeep +0 -0
  28. data/spec/rails-4.2/app_root/log/.gitkeep +0 -0
  29. data/spec/rails-4.2/app_root/script/rails +6 -0
  30. data/spec/rails-4.2/rcov.opts +2 -0
  31. data/spec/rails-4.2/spec/spec_helper.rb +27 -0
  32. data/spec/shared/app_root/app/controllers/application_controller.rb +2 -0
  33. data/spec/shared/app_root/app/helpers/application_helper.rb +3 -0
  34. data/spec/shared/app_root/app/models/.gitkeep +0 -0
  35. data/spec/shared/app_root/app/views/test/_test_erb.erb +22 -0
  36. data/spec/shared/app_root/config/database.yml +4 -0
  37. data/spec/shared/app_root/db/migrate/.gitkeep +0 -0
  38. data/spec/shared/support/engine_preventing_angular_xss.rb +42 -0
  39. data/spec/shared/tests/erb_spec.rb +7 -0
  40. data/spec/shared/tests/safe_buffer_spec.rb +9 -0
  41. metadata +136 -0
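--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: bcd0f11ee1591adf59aa843bcacfa2d59852f04d
+data.tar.gz: 7c2ce0a62786dcc9bee4af032ae90d67ae479581
+SHA512:
+metadata.gz: cfb3985aa9f153fb40bee4d3acfd31da3244e131c6c155904156402d5f1298742d6bb3f6250828118bb9f4b2fbdc38507cd735965674429c01b79bd936c78ae1
+data.tar.gz: 12479dffdaa8af83c6e2532c994cfad10b568daaf0c487ba4a11ea24b6ee77479a9f68db2d3c605c5983e4c1e4022d6524ce2bd31e37af6615871af7a59c25de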
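--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,5 @@
+doc
+pkg
+*.gem
+.idea
+spec/*/log/*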
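--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,11 @@
+language: ruby
+rvm:
+- 2.1
+- 2.2
+services:
+- mysql
+script: rake travis:run
+branches:
+only:
+- master
+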
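Review bot: `services:` / `- mysql` on lines 5-6 of the hunk starts a MySQL service that nothing else on this page uses: both spec-app `database.yml` files select the `sqlite3` adapter and the spec Gemfile pulls `sqlite3`, not a MySQL driver. Unless a MySQL run exists outside this page, dropping the `services:` stanza shortens the CI job without changing what is tested. The `rvm` entries `2.1` and `2.2` are bare floats; Travis tolerates that, but quoting them (`- '2.1'`) keeps them version strings for any other YAML consumer.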
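--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2013 Henning Koch
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.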
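--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,55 @@
+rails-angular-xss [![Build Status](https://travis-ci.org/opf/rails-angular-xss.png?branch=master)](https://travis-ci.org/opf/rails-angular-xss)
+===========
+
+When rendering AngularJS templates with a server-side templating engine like ERB it is easy to introduce XSS vulnerabilities.
+These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
+
+This gem patches ERB/rails_xss so AngularJS interpolation symbols are auto-escaped in unsafe strings.
+And by auto-escaped we mean replacing `{{` with ` {{ DOUBLE_LEFT_CURLY_BRACE }}`. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
+
+**This is an unsatisfactory hack.**
+A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
+
+Requirements
+------------
+
+* Rails 4.2
+
+
+Installation
+------------
+
+0. Read the code so you know what you're getting into.
+
+1. Put this into your Gemfile
+
+gem 'angular_xss'
+
+2. Run `bundle install`.
+
+4. **Important:** Add `$rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{'` to your Angular app initialization.
+
+5. Run your test suite to find the places that broke.
+
+6. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
+
+How it works
+------------
+
+This gem patches ERB.Util HTML_ESCAPE constants to replace *any* occurence of the string `{{` with the replacement ``{{ DOUBLE_LEFT_CURLY_BRACE }}`. This will be interpolated by Angular, **and assuming you've followed step 4. above**, Angular returns the interpolated string `{{`.
+
+This allows users to actually use `{{` without it being transformed by some invisible spaces, unicode characaters that *look like* a curly bracket and so on.
+
+
+Development
+-----------
+
+- Fork the repository.
+- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
+- Send a pull request.
+
+
+Credits
+-------
+
+[Henning Koch](mailto:henning.koch@makandra.de) from [makandra](http://makandra.com/).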
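--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,55 @@
+require 'rake'
+require 'bundler/gem_tasks'
+
+desc 'Default: Run all specs.'
+task :default => 'all:spec'
+
+
+namespace :travis do
+desc 'Run tests on Travis CI'
+task :run => ['all:bundle:install', 'all:spec']
+end
+
+namespace :all do
+
+desc "Run specs on all spec apps"
+task :spec do
+success = true
+for_each_directory_of('spec/**/Rakefile') do |directory|
+env = "SPEC=../../#{ENV['SPEC']} " if ENV['SPEC']
+success &= system("cd #{directory} && #{env} bundle exec rake spec")
+end
+fail "Tests failed" unless success
+end
+
+namespace :bundle do
+
+desc "Bundle all spec apps"
+task :install do
+for_each_directory_of('spec/**/Gemfile') do |directory|
+Bundler.with_clean_env do
+system("cd #{directory} && bundle install")
+end
+end
+end
+
+desc "Update all gems, or a list of gem given by the GEM environment variable"
+task :update do
+for_each_directory_of('spec/**/Gemfile') do |directory|
+Bundler.with_clean_env do
+system("cd #{directory} && bundle update #{ENV['GEM']}")
+end
+end
+end
+
+end
+
+end
+
+def for_each_directory_of(path, &block)
+Dir[path].sort.each do |rakefile|
+directory = File.dirname(rakefile)
+puts '', "\033[44m#{directory}\033[0m", ''
+block.call(directory)
+end
+end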
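Review bot: `system("cd #{directory} && #{env} bundle exec rake spec")` in the `all:spec` task builds a shell command by string interpolation, so a directory name or `SPEC`/`GEM` value containing spaces or shell metacharacters is re-parsed by the shell; the `all:bundle:install` and `all:bundle:update` tasks use the same pattern. Since `directory` comes from `Dir[...]` inside the checkout this is a robustness rather than a trust problem, but `Dir.chdir(directory) { system({ 'SPEC' => "../../#{ENV['SPEC']}" }, 'bundle', 'exec', 'rake', 'spec') }` (the env-hash plus argv form of `Kernel#system`, with the hash only populated when `ENV['SPEC']` is set) avoids the shell entirely. `success &=` also folds the `nil` that `system` returns when the command cannot start into `false`, which is correct, but `fail "Tests failed"` then names no directory; collecting the failing directories into the message would make a CI failure readable.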
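--- a/data/angular_xss.gemspec
+++ b/data/angular_xss.gemspec
@@ -0,0 +1,21 @@
+# encoding: UTF-8
+$:.push File.expand_path("../lib", __FILE__)
+require "rails/angular-xss/version"
+
+Gem::Specification.new do |s|
+s.name = 'rails-angular-xss'
+s.version = Rails::AngularXss::VERSION
+s.authors = ["Oliver Günther", "Henning Koch"]
+s.email = 'o.guenther@openproject.com'
+s.homepage = 'https://github.com/opf/rails-angular-xss'
+s.summary = 'Patches rails_xss so AngularJS interpolations are auto-escaped in unsafe strings.' \
+'Forked from https://github.com/makandra/angular_xss to remove HAML dependency'
+s.description = s.summary
+s.license = 'MIT'
+
+s.files = `git ls-files`.split($\)
+s.test_files = s.files.grep(%r{^spec/})
+s.require_paths = ["lib"]
+
+s.add_runtime_dependency 'rails', '>= 4.2.0', '< 5.0'
+end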
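Review bot: The two adjacent string literals assigned to `s.summary` on lines 11-12 are concatenated with no separator, so the packaged summary and description read `...in unsafe strings.Forked from...` (visible in the `description:` and `summary:` fields of the metadata section); end the first literal with a space, `'... auto-escaped in unsafe strings. ' \`. The gem is published as `rails-angular-xss` (`s.name`, line 6) while the README's installation step says `gem 'angular_xss'`, which is the upstream makandra gem this project forks, so a user following the README installs the wrong gem. `s.files` is taken from `git ls-files`, which ships the whole `spec/` tree — including the spec app's `Gemfile.lock` and its `secret_token.rb` — to every installer; if the test apps are not meant to be installed, reject `spec/` from `s.files` rather than only listing it in `s.test_files`.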
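--- a/data/lib/rails-angular-xss.rb
+++ b/data/lib/rails-angular-xss.rb
@@ -0,0 +1 @@
+require 'rails/angular-xss'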
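--- a/data/lib/rails/angular-xss.rb
+++ b/data/lib/rails/angular-xss.rb
@@ -0,0 +1,28 @@
+require 'erb'
+
+module Rails
+module AngularXSS
+
+def self.redef_without_warning(const, value, expected: nil)
+old_value = ERB::Util.const_get(const)
+if expected && old_value != expected
+raise "Trying to patch constant #{const}, but expected values have changed." \
+"#{old_value} != #{expected}"
+end
+
+ERB::Util.send(:remove_const, const)
+ERB::Util.send(:const_set, const, value)
+end
+
+redef_without_warning 'HTML_ESCAPE',
+ERB::Util::HTML_ESCAPE.merge('{{' => '{{ DOUBLE_LEFT_CURLY_BRACE }}')
+
+redef_without_warning 'HTML_ESCAPE_REGEXP',
+/[&"'><]|\{\{/,
+expected: /[&"'><]/
+
+redef_without_warning 'HTML_ESCAPE_ONCE_REGEXP',
+/["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)|\{\{/,
+expected: /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+end
+end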
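Review bot: The file only does `require 'erb'`, but the constants it rewrites (`HTML_ESCAPE`, `HTML_ESCAPE_REGEXP`, `HTML_ESCAPE_ONCE_REGEXP`) are the ones ActiveSupport adds to `ERB::Util` in `active_support/core_ext/string/output_safety`, so whether `const_get` finds them depends on Rails having been loaded first — under `Bundler.require` that is just Gemfile ordering; add `require 'active_support/core_ext/string/output_safety'` next to `require 'erb'` so the load order is explicit rather than incidental. The `HTML_ESCAPE` call on lines 17-18 passes no `expected:`, unlike the two regexp calls, so a change to the upstream escape table — which must stay in step with the `[&"'><]` class the patched `HTML_ESCAPE_REGEXP` assumes — goes unnoticed; pass `expected:` with the table the regexp assumes, as the other two calls do. This file defines `Rails::AngularXSS` while `version.rb` and the gemspec use `Rails::AngularXss`, two different constants; pick one spelling for both. The two literals in the `raise` on lines 9-10 join without a separator, producing `...have changed.#<old> != #<expected>`; use `"... have changed: " \` as the first literal. Finally, the escaping only covers the default `{{` start symbol on the HTML-escape path, so applications that change `$interpolateProvider.startSymbol` or render unsafe data into other Angular expression contexts are outside what this patch protects, which is worth a sentence in the README.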
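--- a/data/lib/rails/angular-xss/version.rb
+++ b/data/lib/rails/angular-xss/version.rb
@@ -0,0 +1,5 @@
+module Rails
+module AngularXss
+VERSION = '0.1.0'
+end
+end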
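--- a/data/spec/rails-4.2/.rspec
+++ b/data/spec/rails-4.2/.rspec
@@ -0,0 +1,2 @@
+--colour
+--format progress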
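--- a/data/spec/rails-4.2/Gemfile
+++ b/data/spec/rails-4.2/Gemfile
@@ -0,0 +1,8 @@
+source 'http://rubygems.org'
+
+gem 'sqlite3'
+gem 'rails', '~>4.2'
+gem 'rspec'
+gem 'rspec-rails'
+gem 'rspec_candy'
+gem 'rails-angular-xss', :path => '../..'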
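Review bot: `source 'http://rubygems.org'` on line 1 fetches the spec app's gems over plain HTTP, so the download is neither authenticated nor integrity-protected and Bundler warns about it on every install; the Gemfile.lock on this page records the same `remote: http://rubygems.org/`. Change it to `source 'https://rubygems.org'` and regenerate the lockfile so the `remote:` entry follows.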
@@ -0,0 +1,140 @@
1
+ PATH
2
+ remote: ../..
3
+ specs:
4
+ rails-angular-xss (0.1.0)
5
+ rails (>= 4.2.0, < 5.0)
6
+
7
+ GEM
8
+ remote: http://rubygems.org/
9
+ specs:
10
+ actionmailer (4.2.1)
11
+ actionpack (= 4.2.1)
12
+ actionview (= 4.2.1)
13
+ activejob (= 4.2.1)
14
+ mail (~> 2.5, >= 2.5.4)
15
+ rails-dom-testing (~> 1.0, >= 1.0.5)
16
+ actionpack (4.2.1)
17
+ actionview (= 4.2.1)
18
+ activesupport (= 4.2.1)
19
+ rack (~> 1.6)
20
+ rack-test (~> 0.6.2)
21
+ rails-dom-testing (~> 1.0, >= 1.0.5)
22
+ rails-html-sanitizer (~> 1.0, >= 1.0.1)
23
+ actionview (4.2.1)
24
+ activesupport (= 4.2.1)
25
+ builder (~> 3.1)
26
+ erubis (~> 2.7.0)
27
+ rails-dom-testing (~> 1.0, >= 1.0.5)
28
+ rails-html-sanitizer (~> 1.0, >= 1.0.1)
29
+ activejob (4.2.1)
30
+ activesupport (= 4.2.1)
31
+ globalid (>= 0.3.0)
32
+ activemodel (4.2.1)
33
+ activesupport (= 4.2.1)
34
+ builder (~> 3.1)
35
+ activerecord (4.2.1)
36
+ activemodel (= 4.2.1)
37
+ activesupport (= 4.2.1)
38
+ arel (~> 6.0)
39
+ activesupport (4.2.1)
40
+ i18n (~> 0.7)
41
+ json (~> 1.7, >= 1.7.7)
42
+ minitest (~> 5.1)
43
+ thread_safe (~> 0.3, >= 0.3.4)
44
+ tzinfo (~> 1.1)
45
+ arel (6.0.0)
46
+ builder (3.2.2)
47
+ diff-lcs (1.2.5)
48
+ erubis (2.7.0)
49
+ globalid (0.3.5)
50
+ activesupport (>= 4.1.0)
51
+ i18n (0.7.0)
52
+ json (1.8.2)
53
+ loofah (2.0.1)
54
+ nokogiri (>= 1.5.9)
55
+ mail (2.6.3)
56
+ mime-types (>= 1.16, < 3)
57
+ mime-types (2.4.3)
58
+ mini_portile (0.6.2)
59
+ minitest (5.6.0)
60
+ nokogiri (1.6.6.2)
61
+ mini_portile (~> 0.6.0)
62
+ rack (1.6.0)
63
+ rack-test (0.6.3)
64
+ rack (>= 1.0)
65
+ rails (4.2.1)
66
+ actionmailer (= 4.2.1)
67
+ actionpack (= 4.2.1)
68
+ actionview (= 4.2.1)
69
+ activejob (= 4.2.1)
70
+ activemodel (= 4.2.1)
71
+ activerecord (= 4.2.1)
72
+ activesupport (= 4.2.1)
73
+ bundler (>= 1.3.0, < 2.0)
74
+ railties (= 4.2.1)
75
+ sprockets-rails
76
+ rails-deprecated_sanitizer (1.0.3)
77
+ activesupport (>= 4.2.0.alpha)
78
+ rails-dom-testing (1.0.6)
79
+ activesupport (>= 4.2.0.beta, < 5.0)
80
+ nokogiri (~> 1.6.0)
81
+ rails-deprecated_sanitizer (>= 1.0.1)
82
+ rails-html-sanitizer (1.0.2)
83
+ loofah (~> 2.0)
84
+ railties (4.2.1)
85
+ actionpack (= 4.2.1)
86
+ activesupport (= 4.2.1)
87
+ rake (>= 0.8.7)
88
+ thor (>= 0.18.1, < 2.0)
89
+ rake (10.4.2)
90
+ rspec (3.2.0)
91
+ rspec-core (~> 3.2.0)
92
+ rspec-expectations (~> 3.2.0)
93
+ rspec-mocks (~> 3.2.0)
94
+ rspec-core (3.2.3)
95
+ rspec-support (~> 3.2.0)
96
+ rspec-expectations (3.2.1)
97
+ diff-lcs (>= 1.2.0, < 2.0)
98
+ rspec-support (~> 3.2.0)
99
+ rspec-mocks (3.2.1)
100
+ diff-lcs (>= 1.2.0, < 2.0)
101
+ rspec-support (~> 3.2.0)
102
+ rspec-rails (3.2.1)
103
+ actionpack (>= 3.0, < 4.3)
104
+ activesupport (>= 3.0, < 4.3)
105
+ railties (>= 3.0, < 4.3)
106
+ rspec-core (~> 3.2.0)
107
+ rspec-expectations (~> 3.2.0)
108
+ rspec-mocks (~> 3.2.0)
109
+ rspec-support (~> 3.2.0)
110
+ rspec-support (3.2.2)
111
+ rspec_candy (0.4.0)
112
+ rspec
113
+ sneaky-save
114
+ sneaky-save (0.1.0)
115
+ activerecord (>= 3.2.0)
116
+ sprockets (3.0.1)
117
+ rack (~> 1.0)
118
+ sprockets-rails (2.2.4)
119
+ actionpack (>= 3.0)
120
+ activesupport (>= 3.0)
121
+ sprockets (>= 2.8, < 4.0)
122
+ sqlite3 (1.3.10)
123
+ thor (0.19.1)
124
+ thread_safe (0.3.5)
125
+ tzinfo (1.2.2)
126
+ thread_safe (~> 0.1)
127
+
128
+ PLATFORMS
129
+ ruby
130
+
131
+ DEPENDENCIES
132
+ rails (~> 4.2)
133
+ rails-angular-xss!
134
+ rspec
135
+ rspec-rails
136
+ rspec_candy
137
+ sqlite3
138
+
139
+ BUNDLED WITH
140
+ 1.11.2
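--- a/data/spec/rails-4.2/Rakefile
+++ b/data/spec/rails-4.2/Rakefile
@@ -0,0 +1,10 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+desc 'Default: Run all specs for a specific rails version.'
+task :default => :spec
+
+desc "Run all specs for a specific rails version"
+RSpec::Core::RakeTask.new(:spec) do |t|
+t.pattern = defined?(SPEC) ? SPEC : ['**/*_spec.rb', '../shared/**/*_spec.rb']
+end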
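Review bot: `defined?(SPEC)` on line 9 tests for a Ruby constant named `SPEC`, but the top-level Rakefile hands the selection over as an environment variable (`SPEC=../../... bundle exec rake spec`), so this branch never fires and `t.pattern` always falls back to the two globs. It appears to work regardless because `RSpec::Core::RakeTask` consults `ENV['SPEC']` itself, which leaves the ternary as dead code; either drop it or state the intent directly with `t.pattern = ENV.fetch('SPEC') { ['**/*_spec.rb', '../shared/**/*_spec.rb'] }`.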
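--- a/data/spec/rails-4.2/app_root/.gitignore
+++ b/data/spec/rails-4.2/app_root/.gitignore
@@ -0,0 +1,4 @@
+.bundle
+db/*.sqlite3
+log/*.log
+tmp/**/*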
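--- a/data/spec/rails-4.2/app_root/config/application.rb
+++ b/data/spec/rails-4.2/app_root/config/application.rb
@@ -0,0 +1,34 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+
+# If you have a Gemfile, require the gems listed there, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(:default, Rails.env) if defined?(Bundler)
+
+
+module SpecApp
+class Application < Rails::Application
+config.encoding = "utf-8"
+
+config.cache_classes = true
+config.whiny_nils = true
+
+config.eager_load = false
+
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = false
+
+config.action_dispatch.show_exceptions = false
+
+config.action_controller.allow_forgery_protection = false
+
+config.action_mailer.delivery_method = :test
+
+config.active_support.deprecation = :stderr
+
+config.root = File.expand_path('../..', __FILE__)
+
+# railties.plugins << Rails::Plugin.new(File.expand_path('../../../../..', __FILE__))
+end
+end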
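Review bot: `config.whiny_nils = true` on line 15 is a Rails 3 option that Rails 4 no longer reads; on 4.2 the assignment appears to be absorbed by the configuration object's catch-all setter and silently ignored, so it should go here and again in `config/environments/test.rb`. Most of the other settings in this class (`cache_classes`, `consider_all_requests_local`, `perform_caching`, `show_exceptions`, `allow_forgery_protection`, `action_mailer.delivery_method`, `active_support.deprecation`) are repeated verbatim in `environments/test.rb`; keeping each in one file avoids the two drifting apart. The commented `railties.plugins` line on line 32 refers to the Rails 3 plugin loader and can be deleted along with it.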
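--- a/data/spec/rails-4.2/app_root/config/boot.rb
+++ b/data/spec/rails-4.2/app_root/config/boot.rb
@@ -0,0 +1,13 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+gemfile = File.expand_path('../../Gemfile', __FILE__)
+begin
+ENV['BUNDLE_GEMFILE'] = gemfile
+require 'bundler'
+Bundler.setup
+rescue Bundler::GemNotFound => e
+STDERR.puts e.message
+STDERR.puts "Try running `bundle install`."
+exit!
+end if File.exist?(gemfile)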
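--- a/data/spec/rails-4.2/app_root/config/database.yml
+++ b/data/spec/rails-4.2/app_root/config/database.yml
@@ -0,0 +1,4 @@
+test:
+adapter: sqlite3
+database: ":memory:"
+verbosity: quiet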
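--- a/data/spec/rails-4.2/app_root/config/environment.rb
+++ b/data/spec/rails-4.2/app_root/config/environment.rb
@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+SpecApp::Application.initialize!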
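--- a/data/spec/rails-4.2/app_root/config/environments/test.rb
+++ b/data/spec/rails-4.2/app_root/config/environments/test.rb
@@ -0,0 +1,35 @@
+SpecApp::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+config.cache_classes = true
+
+# Log error messages when you accidentally call methods on nil.
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = false
+
+# Raise exceptions instead of rendering exception templates
+config.action_dispatch.show_exceptions = false
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection = false
+
+# Tell Action Mailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+config.action_mailer.delivery_method = :test
+
+# Use SQL instead of Active Record's schema dumper when creating the test database.
+# This is necessary if your schema can't be completely dumped by the schema dumper,
+# like if you have constraints or database-specific column types
+# config.active_record.schema_format = :sql
+
+# Print deprecation notices to the stderr
+config.active_support.deprecation = :stderr
+end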
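--- a/data/spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb
+++ b/data/spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb
@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!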
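--- a/data/spec/rails-4.2/app_root/config/initializers/inflections.rb
+++ b/data/spec/rails-4.2/app_root/config/initializers/inflections.rb
@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format
+# (all these examples are active by default):
+# ActiveSupport::Inflector.inflections do |inflect|
+# inflect.plural /^(ox)$/i, '\1en'
+# inflect.singular /^(ox)en/i, '\1'
+# inflect.irregular 'person', 'people'
+# inflect.uncountable %w( fish sheep )
+# end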
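--- a/data/spec/rails-4.2/app_root/config/initializers/mime_types.rb
+++ b/data/spec/rails-4.2/app_root/config/initializers/mime_types.rb
@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
+# Mime::Type.register_alias "text/html", :iphone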
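--- a/data/spec/rails-4.2/app_root/config/initializers/secret_token.rb
+++ b/data/spec/rails-4.2/app_root/config/initializers/secret_token.rb
@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+SpecApp::Application.config.secret_key_base = 'cb014a08a45243e7143f31e04774c342c1fba329fd594ae1a480d8283b1a851f425dc08044311fb4be6d000b6e6681de7c76d19148419a5ffa0a9f84556d3b33'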
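Review bot: The `secret_key_base` literal on line 7 is a fixed value committed to the repository and, through the gemspec's `git ls-files`, shipped to every installer of the gem; for a spec-only app it is not a live credential, but secret scanners and gem audits will flag it, and the comment above it reads like production guidance rather than a fixture. Either mark it as throwaway with a comment such as `# Test-only value for the spec app; not a real secret and never reused elsewhere`, or generate it at boot with `SpecApp::Application.config.secret_key_base = SecureRandom.hex(64)` — the specs on this page are view specs that keep no signed cookies between runs, so a fresh key per run costs nothing.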
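--- a/data/spec/rails-4.2/app_root/config/initializers/session_store.rb
+++ b/data/spec/rails-4.2/app_root/config/initializers/session_store.rb
@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+SpecApp::Application.config.session_store :cookie_store, :key => '_app_root_session'
+
+# Use the database for sessions instead of the cookie-based default,
+# which shouldn't be used to store highly confidential information
+# (create the session table with "rails generate session_migration")
+# SpecApp::Application.config.session_store :active_record_store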
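--- a/data/spec/rails-4.2/app_root/config/routes.rb
+++ b/data/spec/rails-4.2/app_root/config/routes.rb
@@ -0,0 +1,3 @@
+SpecApp::Application.routes.draw do
+get ':controller(/:action(/:id(.:format)))'
+end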
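Review bot: `get ':controller(/:action(/:id(.:format)))'` on line 2 is the legacy catch-all route that maps any URL onto any public method of any controller; the specs on this page are view specs that render a partial directly, so nothing visible here needs it. An empty `routes.draw do ... end` keeps the app bootable without the wildcard, and if a request spec is added later one explicit route for it is cheaper to reason about than the catch-all.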
File without changes
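--- a/data/spec/rails-4.2/app_root/script/rails
+++ b/data/spec/rails-4.2/app_root/script/rails
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby1.8
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application', __FILE__)
+require File.expand_path('../../config/boot', __FILE__)
+require 'rails/commands'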
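Review bot: The shebang `#!/usr/bin/env ruby1.8` on line 1 asks for a Ruby 1.8 interpreter, but the gem depends on `rails >= 4.2.0` and CI runs on 2.1 and 2.2, so the script cannot run under the interpreter it names. Use `#!/usr/bin/env ruby`; the comment on line 2 likewise still describes "Rails 3 gems" and can be updated or dropped.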
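--- a/data/spec/rails-4.2/rcov.opts
+++ b/data/spec/rails-4.2/rcov.opts
@@ -0,0 +1,2 @@
+--exclude "spec/*,gems/*"
+--rails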
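--- a/data/spec/rails-4.2/spec/spec_helper.rb
+++ b/data/spec/rails-4.2/spec/spec_helper.rb
@@ -0,0 +1,27 @@
+$: << File.join(File.dirname(__FILE__), "/../../lib" )
+
+ENV['RAILS_ENV'] = 'test'
+ENV['RAILS_ROOT'] = 'app_root'
+
+# Load the Rails environment and testing framework
+require "#{File.dirname(__FILE__)}/../app_root/config/environment"
+require 'rspec/rails'
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+require 'rspec_candy/all'
+
+# Run the migrations
+print "\033[30m" # dark gray text
+ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate")
+print "\033[0m"
+
+RSpec.configure do |config|
+config.use_transactional_fixtures = true
+config.use_instantiated_fixtures = false
+
+config.mock_with :rspec do |c|
+c.syntax = [:should, :expect]
+end
+config.expect_with :rspec do |c|
+c.syntax = [:should, :expect]
+end
+end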
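Review bot: Nothing on this page appears to load `spec/shared/support/engine_preventing_angular_xss.rb`: line 9 globs `support/**/*.rb` relative to `spec/rails-4.2/spec/`, which has no `support` directory in the file list, and the rake task's `../shared/**/*_spec.rb` pattern does not match a file that is not named `*_spec.rb`. Unless it is required somewhere outside this page, `it_should_act_like 'engine preventing Angular XSS'` in `erb_spec.rb` cannot resolve the shared example group; a glob that covers the shared tree, `Dir["#{File.dirname(__FILE__)}/../../shared/support/**/*.rb"].each { |f| require f }`, fixes the lookup. Separately, `$: << File.join(File.dirname(__FILE__), "/../../lib")` on line 1 duplicates what `gem 'rails-angular-xss', :path => '../..'` in the spec Gemfile already provides through Bundler and can go.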
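--- a/data/spec/shared/app_root/app/controllers/application_controller.rb
+++ b/data/spec/shared/app_root/app/controllers/application_controller.rb
@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end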
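--- a/data/spec/shared/app_root/app/helpers/application_helper.rb
+++ b/data/spec/shared/app_root/app/helpers/application_helper.rb
@@ -0,0 +1,3 @@
+module ApplicationHelper
+
+end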
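--- a/data/spec/shared/app_root/app/views/test/_test_erb.erb
+++ b/data/spec/shared/app_root/app/views/test/_test_erb.erb
@@ -0,0 +1,22 @@
+<%= "{{unsafe}}" %>
+<%= "{{safe}}".html_safe %>
+
+{{safe}}
+
+<div foo="{{safe}}" bar="<%= '{{unsafe}}' %>">
+{{safe}}
+</div>
+
+<%= content_tag(:span, '{{unsafe}}') %>
+<%= content_tag(:span, '{{safe}}'.html_safe) %>
+
+<%= '{&lcub;unsafe}}' %>
+<%= '{&lbrace;unsafe}}' %>
+<%= '{&#x7b;unsafe}}' %>
+<%= '{&#X7B;unsafe}}' %>
+<%= '{&#x000007b;unsafe}}' %>
+<%= '{&#x000000000007b;unsafe}}' %>
+<%= '{&#123;unsafe}}' %>
+<%= '{&#000000123;unsafe}}' %>
+<%= '{&#0000000000000123;unsafe}}' %>
+<%= '&lcub;&#x7b;unsafe}}' %>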
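Review bot: Every dynamic value in this fixture is emitted through `<%= %>` or `content_tag`, i.e. the `html_escape` path, so the `HTML_ESCAPE_ONCE_REGEXP` patch in `lib/rails/angular-xss.rb` is never exercised by the shared example that renders this partial. One extra line such as `<%= raw escape_once('{{unsafe}}') %>` routes a value through `html_escape_once` (with `raw` so the result is not escaped a second time on output), and the existing `should_not include('{{unsafe}}')` assertion then covers that path as well. The entity-encoded variants on lines 13-22 are a useful set; a matching `escape_once` line for one of them would confirm the once-only regexp still turns the leading `&` into `&amp;`.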
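--- a/data/spec/shared/app_root/config/database.yml
+++ b/data/spec/shared/app_root/config/database.yml
@@ -0,0 +1,4 @@
+test:
+adapter: sqlite3
+database: ":memory:"
+verbosity: quiet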
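--- a/data/spec/shared/support/engine_preventing_angular_xss.rb
+++ b/data/spec/shared/support/engine_preventing_angular_xss.rb
@@ -0,0 +1,42 @@
+shared_examples_for 'engine preventing Angular XSS' do
+
+let(:engine) { respond_to?(:view) ? view : template }
+
+let(:html) { engine.render(partial) }
+
+it 'escapes Angular interpolation marks in unsafe strings' do
+html.should_not include('{{unsafe}}')
+html.should include('{{ DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+end
+
+it 'recognizes the many ways to express an opening curly brace in HTML' do
+
+html.should include("{{ DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+html.should_not include("{{unsafe}}")
+
+braces = [
+'{',
+'&lcub;',
+'&lbrace;',
+'&#x7b;',
+'&#X7B;',
+'&#123;',
+'&#x000007b;',
+'&#x000000000007b;',
+'&#123;',
+'&#000000123;',
+'&#0000000000000123;'
+]
+
+braces.each do |brace1|
+braces.each do |brace2|
+html.should_not include("#{brace1}#{brace2}unsafe}}")
+end
+end
+
+end
+
+it 'does not escape Angular interpolation marks in safe strings' do
+html.should include("{{safe}}")
+html.should_not include("{{ DOUBLE_LEFT_CURLY_BRACE }}safe}}")
+end
+end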
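--- a/data/spec/shared/tests/erb_spec.rb
+++ b/data/spec/shared/tests/erb_spec.rb
@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'Angular XSS prevention in ERB', :type => :view do
+
+it_should_act_like 'engine preventing Angular XSS', :partial => 'test/test_erb'
+
+end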
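--- a/data/spec/shared/tests/safe_buffer_spec.rb
+++ b/data/spec/shared/tests/safe_buffer_spec.rb
@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+describe ActiveSupport::SafeBuffer do
+
+it 'still allows concatting nil' do
+expect { subject << nil }.to_not raise_error
+end
+
+end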
metadata ADDED
@@ -0,0 +1,136 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: rails-angular-xss
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Oliver Günther
8
+ - Henning Koch
9
+ autorequire:
10
+ bindir: bin
11
+ cert_chain: []
12
+ date: 2016-06-18 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
15
+ name: rails
16
+ requirement: !ruby/object:Gem::Requirement
17
+ requirements:
18
+ - - ">="
19
+ - !ruby/object:Gem::Version
20
+ version: 4.2.0
21
+ - - "<"
22
+ - !ruby/object:Gem::Version
23
+ version: '5.0'
24
+ type: :runtime
25
+ prerelease: false
26
+ version_requirements: !ruby/object:Gem::Requirement
27
+ requirements:
28
+ - - ">="
29
+ - !ruby/object:Gem::Version
30
+ version: 4.2.0
31
+ - - "<"
32
+ - !ruby/object:Gem::Version
33
+ version: '5.0'
34
+ description: Patches rails_xss so AngularJS interpolations are auto-escaped in unsafe
35
+ strings.Forked from https://github.com/makandra/angular_xss to remove HAML dependency
36
+ email: o.guenther@openproject.com
37
+ executables: []
38
+ extensions: []
39
+ extra_rdoc_files: []
40
+ files:
41
+ - ".gitignore"
42
+ - ".travis.yml"
43
+ - LICENSE
44
+ - README.md
45
+ - Rakefile
46
+ - angular_xss.gemspec
47
+ - lib/rails-angular-xss.rb
48
+ - lib/rails/angular-xss.rb
49
+ - lib/rails/angular-xss/version.rb
50
+ - spec/rails-4.2/.rspec
51
+ - spec/rails-4.2/Gemfile
52
+ - spec/rails-4.2/Gemfile.lock
53
+ - spec/rails-4.2/Rakefile
54
+ - spec/rails-4.2/app_root/.gitignore
55
+ - spec/rails-4.2/app_root/config/application.rb
56
+ - spec/rails-4.2/app_root/config/boot.rb
57
+ - spec/rails-4.2/app_root/config/database.yml
58
+ - spec/rails-4.2/app_root/config/environment.rb
59
+ - spec/rails-4.2/app_root/config/environments/test.rb
60
+ - spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb
61
+ - spec/rails-4.2/app_root/config/initializers/inflections.rb
62
+ - spec/rails-4.2/app_root/config/initializers/mime_types.rb
63
+ - spec/rails-4.2/app_root/config/initializers/secret_token.rb
64
+ - spec/rails-4.2/app_root/config/initializers/session_store.rb
65
+ - spec/rails-4.2/app_root/config/routes.rb
66
+ - spec/rails-4.2/app_root/lib/tasks/.gitkeep
67
+ - spec/rails-4.2/app_root/log/.gitkeep
68
+ - spec/rails-4.2/app_root/script/rails
69
+ - spec/rails-4.2/rcov.opts
70
+ - spec/rails-4.2/spec/spec_helper.rb
71
+ - spec/shared/app_root/app/controllers/application_controller.rb
72
+ - spec/shared/app_root/app/helpers/application_helper.rb
73
+ - spec/shared/app_root/app/models/.gitkeep
74
+ - spec/shared/app_root/app/views/test/_test_erb.erb
75
+ - spec/shared/app_root/config/database.yml
76
+ - spec/shared/app_root/db/migrate/.gitkeep
77
+ - spec/shared/support/engine_preventing_angular_xss.rb
78
+ - spec/shared/tests/erb_spec.rb
79
+ - spec/shared/tests/safe_buffer_spec.rb
80
+ homepage: https://github.com/opf/rails-angular-xss
81
+ licenses:
82
+ - MIT
83
+ metadata: {}
84
+ post_install_message:
85
+ rdoc_options: []
86
+ require_paths:
87
+ - lib
88
+ required_ruby_version: !ruby/object:Gem::Requirement
89
+ requirements:
90
+ - - ">="
91
+ - !ruby/object:Gem::Version
92
+ version: '0'
93
+ required_rubygems_version: !ruby/object:Gem::Requirement
94
+ requirements:
95
+ - - ">="
96
+ - !ruby/object:Gem::Version
97
+ version: '0'
98
+ requirements: []
99
+ rubyforge_project:
100
+ rubygems_version: 2.4.5.1
101
+ signing_key:
102
+ specification_version: 4
103
+ summary: Patches rails_xss so AngularJS interpolations are auto-escaped in unsafe
104
+ strings.Forked from https://github.com/makandra/angular_xss to remove HAML dependency
105
+ test_files:
106
+ - spec/rails-4.2/.rspec
107
+ - spec/rails-4.2/Gemfile
108
+ - spec/rails-4.2/Gemfile.lock
109
+ - spec/rails-4.2/Rakefile
110
+ - spec/rails-4.2/app_root/.gitignore
111
+ - spec/rails-4.2/app_root/config/application.rb
112
+ - spec/rails-4.2/app_root/config/boot.rb
113
+ - spec/rails-4.2/app_root/config/database.yml
114
+ - spec/rails-4.2/app_root/config/environment.rb
115
+ - spec/rails-4.2/app_root/config/environments/test.rb
116
+ - spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb
117
+ - spec/rails-4.2/app_root/config/initializers/inflections.rb
118
+ - spec/rails-4.2/app_root/config/initializers/mime_types.rb
119
+ - spec/rails-4.2/app_root/config/initializers/secret_token.rb
120
+ - spec/rails-4.2/app_root/config/initializers/session_store.rb
121
+ - spec/rails-4.2/app_root/config/routes.rb
122
+ - spec/rails-4.2/app_root/lib/tasks/.gitkeep
123
+ - spec/rails-4.2/app_root/log/.gitkeep
124
+ - spec/rails-4.2/app_root/script/rails
125
+ - spec/rails-4.2/rcov.opts
126
+ - spec/rails-4.2/spec/spec_helper.rb
127
+ - spec/shared/app_root/app/controllers/application_controller.rb
128
+ - spec/shared/app_root/app/helpers/application_helper.rb
129
+ - spec/shared/app_root/app/models/.gitkeep
130
+ - spec/shared/app_root/app/views/test/_test_erb.erb
131
+ - spec/shared/app_root/config/database.yml
132
+ - spec/shared/app_root/db/migrate/.gitkeep
133
+ - spec/shared/support/engine_preventing_angular_xss.rb
134
+ - spec/shared/tests/erb_spec.rb
135
+ - spec/shared/tests/safe_buffer_spec.rb
136
+ has_rdoc: