relevance-tarantula 0.0.1
- data/MIT-LICENSE +20 -0
- data/README.rdoc +70 -0
- data/Rakefile +79 -0
- data/init.rb +1 -0
- data/install.rb +1 -0
- data/laf/images/background.jpg +0 -0
- data/laf/images/relevance-os-logo.gif +0 -0
- data/laf/images/tab.png +0 -0
- data/laf/images/table-sort.gif +0 -0
- data/laf/images/tarantula-sprites.png +0 -0
- data/laf/javascripts/jquery-1.2.3.js +3408 -0
- data/laf/javascripts/jquery-ui-tabs.js +890 -0
- data/laf/javascripts/jquery.tablesorter.js +861 -0
- data/laf/javascripts/tarantula.js +10 -0
- data/laf/stylesheets/tarantula.css +638 -0
- data/laf/stylesheets/ui.tabs.css +113 -0
- data/lib/relevance/core_extensions/ellipsize.rb +34 -0
- data/lib/relevance/core_extensions/file.rb +9 -0
- data/lib/relevance/core_extensions/response.rb +9 -0
- data/lib/relevance/core_extensions/test_case.rb +12 -0
- data/lib/relevance/tarantula/attack.rb +15 -0
- data/lib/relevance/tarantula/attack_form_submission.rb +75 -0
- data/lib/relevance/tarantula/attack_handler.rb +37 -0
- data/lib/relevance/tarantula/crawler.rb +240 -0
- data/lib/relevance/tarantula/detail.html.erb +77 -0
- data/lib/relevance/tarantula/form.rb +21 -0
- data/lib/relevance/tarantula/form_submission.rb +70 -0
- data/lib/relevance/tarantula/html_document_handler.rb +36 -0
- data/lib/relevance/tarantula/html_report_helper.rb +56 -0
- data/lib/relevance/tarantula/html_reporter.rb +105 -0
- data/lib/relevance/tarantula/index.html.erb +48 -0
- data/lib/relevance/tarantula/invalid_html_handler.rb +18 -0
- data/lib/relevance/tarantula/io_reporter.rb +34 -0
- data/lib/relevance/tarantula/link.rb +56 -0
- data/lib/relevance/tarantula/log_grabber.rb +16 -0
- data/lib/relevance/tarantula/rails_integration_proxy.rb +70 -0
- data/lib/relevance/tarantula/recording.rb +12 -0
- data/lib/relevance/tarantula/response.rb +13 -0
- data/lib/relevance/tarantula/result.rb +66 -0
- data/lib/relevance/tarantula/test_report.html.erb +34 -0
- data/lib/relevance/tarantula/tidy_handler.rb +32 -0
- data/lib/relevance/tarantula/transform.rb +17 -0
- data/lib/relevance/tarantula.rb +63 -0
- data/manifest.txt +114 -0
- data/tarantula.gemspec +42 -0
- data/tasks/tarantula_tasks.rake +34 -0
- data/template/tarantula_test.rb +12 -0
- data/test/relevance/core_extensions/ellipsize_test.rb +19 -0
- data/test/relevance/core_extensions/file_test.rb +8 -0
- data/test/relevance/core_extensions/response_test.rb +29 -0
- data/test/relevance/core_extensions/test_case_test.rb +17 -0
- data/test/relevance/tarantula/attack_form_submission_test.rb +79 -0
- data/test/relevance/tarantula/attack_handler_test.rb +30 -0
- data/test/relevance/tarantula/crawler_test.rb +297 -0
- data/test/relevance/tarantula/form_submission_test.rb +71 -0
- data/test/relevance/tarantula/form_test.rb +50 -0
- data/test/relevance/tarantula/html_document_handler_test.rb +44 -0
- data/test/relevance/tarantula/html_report_helper_test.rb +48 -0
- data/test/relevance/tarantula/html_reporter_test.rb +82 -0
- data/test/relevance/tarantula/invalid_html_handler_test.rb +34 -0
- data/test/relevance/tarantula/io_reporter_test.rb +12 -0
- data/test/relevance/tarantula/link_test.rb +49 -0
- data/test/relevance/tarantula/log_grabber_test.rb +27 -0
- data/test/relevance/tarantula/rails_integration_proxy_test.rb +95 -0
- data/test/relevance/tarantula/result_test.rb +86 -0
- data/test/relevance/tarantula/tidy_handler_test.rb +59 -0
- data/test/relevance/tarantula/transform_test.rb +21 -0
- data/test/relevance/tarantula_test.rb +23 -0
- data/test/test_helper.rb +32 -0
- data/uninstall.rb +1 -0
- data/vendor/xss-shield/MIT-LICENSE +20 -0
- data/vendor/xss-shield/README +76 -0
- data/vendor/xss-shield/init.rb +16 -0
- data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb +111 -0
- data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb +42 -0
- data/vendor/xss-shield/lib/xss_shield/safe_string.rb +47 -0
- data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb +40 -0
- data/vendor/xss-shield/lib/xss_shield.rb +6 -0
- data/vendor/xss-shield/test/test_actionview_integration.rb +40 -0
- data/vendor/xss-shield/test/test_erb.rb +44 -0
- data/vendor/xss-shield/test/test_haml.rb +43 -0
- data/vendor/xss-shield/test/test_helpers.rb +25 -0
- data/vendor/xss-shield/test/test_safe_string.rb +55 -0
- metadata +256 -0
@@ -0,0 +1,49 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "..", "..", "test_helper.rb")
|
2
|
+
include Relevance::Tarantula
|
3
|
+
|
4
|
+
describe "Relevance::Tarantula::Link" do
|
5
|
+
include ActionView::Helpers::UrlHelper
|
6
|
+
|
7
|
+
it "parses anchor tags" do
|
8
|
+
link = Relevance::Tarantula::Link.new(Hpricot('<a href="/foo">foo</a>').at('a'))
|
9
|
+
assert_equal "/foo", link.href
|
10
|
+
assert_equal :get, link.method
|
11
|
+
end
|
12
|
+
|
13
|
+
it "parses anchor tags with POST 'method'" do
|
14
|
+
link = Relevance::Tarantula::Link.new(Hpricot(%Q{<a href="/foo" onclick="#{method_javascript_function(:post)}">foo</a>}).at('a'))
|
15
|
+
assert_equal "/foo", link.href
|
16
|
+
assert_equal :post, link.method
|
17
|
+
end
|
18
|
+
|
19
|
+
it "parses anchor tags with PUT 'method'" do
|
20
|
+
link = Relevance::Tarantula::Link.new(Hpricot(%Q{<a href="/foo" onclick="#{method_javascript_function(:put)}">foo</a>}).at('a'))
|
21
|
+
assert_equal "/foo", link.href
|
22
|
+
assert_equal :put, link.method
|
23
|
+
end
|
24
|
+
|
25
|
+
it "parses anchor tags with DELETE 'method'" do
|
26
|
+
link = Relevance::Tarantula::Link.new(Hpricot(%Q{<a href="/foo" onclick="#{method_javascript_function(:delete)}">foo</a>}).at('a'))
|
27
|
+
assert_equal "/foo", link.href
|
28
|
+
assert_equal :delete, link.method
|
29
|
+
end
|
30
|
+
|
31
|
+
it "parses link tags with text" do
|
32
|
+
link = Relevance::Tarantula::Link.new(Hpricot('<link href="/bar">bar</a>').at('link'))
|
33
|
+
assert_equal "/bar", link.href
|
34
|
+
assert_equal :get, link.method
|
35
|
+
end
|
36
|
+
|
37
|
+
it "parses link tags without text" do
|
38
|
+
link = Relevance::Tarantula::Link.new(Hpricot('<link href="/bar" />').at('link'))
|
39
|
+
assert_equal "/bar", link.href
|
40
|
+
assert_equal :get, link.method
|
41
|
+
end
|
42
|
+
|
43
|
+
# method_javascript_function needs this method
|
44
|
+
def protect_against_forgery?
|
45
|
+
false
|
46
|
+
end
|
47
|
+
|
48
|
+
end
|
49
|
+
|
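Review bot: The fixture in the "parses link tags with text" spec opens a `<link>` element and closes it with `</a>`, so the spec depends on how Hpricot recovers from mismatched markup rather than on Link itself; `'<link href="/bar">bar</link>'` would test what the name says. All three non-GET specs build the onclick handler with `protect_against_forgery?` returning false, so the form of the generated JavaScript that a CSRF-protected application emits is never parsed here. A spec with it returning true would cover that, though it would presumably need the token helpers stubbed as well. The top-level `include Relevance::Tarantula` mixes the module into Object for the whole test run; including it inside the `describe` block would keep it scoped.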
@@ -0,0 +1,27 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "..", "..", "test_helper.rb")
|
2
|
+
include Relevance::Tarantula
|
3
|
+
|
4
|
+
describe 'Relevance::Tarantula::LogGrabber' do
|
5
|
+
before do
|
6
|
+
@grabber = LogGrabber.new(log_file)
|
7
|
+
FileUtils.mkdir_p(test_output_dir)
|
8
|
+
end
|
9
|
+
|
10
|
+
def log_file
|
11
|
+
File.join(File.join(test_output_dir, "example.log"))
|
12
|
+
end
|
13
|
+
|
14
|
+
it "can clear the log file" do
|
15
|
+
File.open(log_file, "w") {|f| f.print "sample log"}
|
16
|
+
File.size(log_file).should == 10
|
17
|
+
@grabber.clear!
|
18
|
+
File.size(log_file).should == 0
|
19
|
+
end
|
20
|
+
|
21
|
+
it "can grab the log file" do
|
22
|
+
File.open(log_file, "w") {|f| f.print "sample log"}
|
23
|
+
@grabber.grab!.should == "sample log"
|
24
|
+
File.size(log_file).should == 0
|
25
|
+
end
|
26
|
+
|
27
|
+
end
|
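Review bot: `log_file` wraps one `File.join` in another, and the outer call with a single argument does nothing; `File.join(test_output_dir, "example.log")` is enough. Both specs write `example.log` into the shared test output directory and nothing removes it afterwards, so a teardown that deletes the file would keep one run from seeing another's leftovers.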
@@ -0,0 +1,95 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "..", "..", "test_helper.rb")
|
2
|
+
include Relevance::Tarantula
|
3
|
+
|
4
|
+
describe "Relevance::Tarantula::RailsIntegrationProxy rails_integration_test" do
|
5
|
+
before {
|
6
|
+
Crawler.any_instance.stubs(:crawl)
|
7
|
+
Crawler.any_instance.stubs(:rails_root).returns("STUB_RAILS_ROOT")
|
8
|
+
RailsIntegrationProxy.stubs(:rails_root).returns("STUB_RAILS_ROOT")
|
9
|
+
RailsIntegrationProxy.stubs(:new).returns(stub(:integration_test => stub(:method_name => @test_name)))
|
10
|
+
@test_name = "test_user_pages"
|
11
|
+
}
|
12
|
+
|
13
|
+
it "strips leading hostname from link urls" do
|
14
|
+
crawler = RailsIntegrationProxy.rails_integration_test(stub(:host => "foo.com"))
|
15
|
+
crawler.transform_url("http://foo.com/path").should == "/path"
|
16
|
+
crawler.transform_url("http://bar.com/path").should == "http://bar.com/path"
|
17
|
+
end
|
18
|
+
|
19
|
+
it "allows override of max_url_length" do
|
20
|
+
crawler = RailsIntegrationProxy.rails_integration_test(stub(:host => "foo.com"),
|
21
|
+
:max_url_length => 16)
|
22
|
+
crawler.max_url_length.should == 16
|
23
|
+
end
|
24
|
+
|
25
|
+
it "has some useful defaults" do
|
26
|
+
crawler = RailsIntegrationProxy.rails_integration_test(stub(:host => "foo.com"))
|
27
|
+
crawler.log_grabber.should.not.be nil
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
|
32
|
+
describe "Relevance::Tarantula::RailsIntegrationProxy" do
|
33
|
+
%w{get post}.each do |http_method|
|
34
|
+
it "can #{http_method}" do
|
35
|
+
@rip = Relevance::Tarantula::RailsIntegrationProxy.new(stub)
|
36
|
+
@response = stub({:code => :foo})
|
37
|
+
@rip.integration_test = stub_everything(:response => @response)
|
38
|
+
@rip.send(http_method, "/url").should.be @response
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
it "adds a response accessor to its delegate rails integration test" do
|
43
|
+
o = Object.new
|
44
|
+
Relevance::Tarantula::RailsIntegrationProxy.new(o)
|
45
|
+
o.methods(false).sort.should == %w{response response=}
|
46
|
+
end
|
47
|
+
|
48
|
+
end
|
49
|
+
|
50
|
+
describe "Relevance::Tarantula::RailsIntegrationProxy patching" do
|
51
|
+
before do
|
52
|
+
@rip = Relevance::Tarantula::RailsIntegrationProxy.new(stub)
|
53
|
+
@rip.stubs(:rails_root).returns("faux_rails_root")
|
54
|
+
@response = stub_everything({:code => "404", :headers => {}})
|
55
|
+
File.stubs(:exist?).returns(true)
|
56
|
+
end
|
57
|
+
|
58
|
+
it "patches in Relevance::CoreExtensions::Response" do
|
59
|
+
@rip = Relevance::Tarantula::RailsIntegrationProxy.new(stub)
|
60
|
+
@rip.stubs(:rails_root).returns("faux_rails_root")
|
61
|
+
@response = stub_everything({:code => "404", :headers => {}, :content_type => "text/html"})
|
62
|
+
@response.meta.ancestors.should.not.include Relevance::CoreExtensions::Response
|
63
|
+
@rip.patch_response("/url", @response)
|
64
|
+
@response.meta.ancestors.should.include Relevance::CoreExtensions::Response
|
65
|
+
@response.html?.should == true
|
66
|
+
end
|
67
|
+
|
68
|
+
it "ignores 404s for known static binary types" do
|
69
|
+
File.expects(:extension).returns("pdf")
|
70
|
+
@rip.expects(:log).with("Skipping /url (for now)")
|
71
|
+
@rip.patch_response("/url", @response)
|
72
|
+
end
|
73
|
+
|
74
|
+
it "replaces 404s with 200s, pulling content from public, for known text types" do
|
75
|
+
File.expects(:extension).returns("html")
|
76
|
+
@rip.expects(:static_content_file).with("/url").returns("File body")
|
77
|
+
@rip.patch_response("/url", @response)
|
78
|
+
@response.headers.should == {"type" => "text/html"}
|
79
|
+
end
|
80
|
+
|
81
|
+
it "logs and skips types we haven't dealt with yet" do
|
82
|
+
File.expects(:extension).returns("whizzy")
|
83
|
+
@rip.expects(:log).with("Skipping unknown type /url")
|
84
|
+
@rip.patch_response("/url", @response)
|
85
|
+
end
|
86
|
+
|
87
|
+
it "can find static content relative to rails root" do
|
88
|
+
@rip.static_content_path("foo").should == File.expand_path("faux_rails_root/public/foo")
|
89
|
+
end
|
90
|
+
|
91
|
+
it "can read static content relative to rails root" do
|
92
|
+
File.expects(:read).with(@rip.static_content_path("foo"))
|
93
|
+
@rip.static_content_file("foo")
|
94
|
+
end
|
95
|
+
end
|
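Review bot: In the first `before` block `@test_name` is assigned on the line after `stub(:method_name => @test_name)` is built, so the stubbed integration test reports a nil method name; move `@test_name = "test_user_pages"` to the top of the block. The static-content specs only pass the plain name "foo" to `static_content_path`. Since the "replaces 404s with 200s" spec shows request URLs being mapped to files under public, a spec with a URL containing `..` segments would document whether the resolved path stays inside `public` (the implementation is not visible in this section). `File.stubs(:exist?).returns(true)` in the last `before` affects every caller of `File.exist?` during those specs, which is worth a comment.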
@@ -0,0 +1,86 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "..", "..", "test_helper.rb")
|
2
|
+
include Relevance::Tarantula
|
3
|
+
|
4
|
+
describe "Relevance::Tarantula::Result" do
|
5
|
+
before do
|
6
|
+
@result = Relevance::Tarantula::Result.new(
|
7
|
+
:success => true,
|
8
|
+
:method => "get",
|
9
|
+
:url => "/some/url?arg1=foo&arg2=bar"
|
10
|
+
)
|
11
|
+
end
|
12
|
+
|
13
|
+
it "has a short description" do
|
14
|
+
@result.short_description.should == "get /some/url?arg1=foo&arg2=bar"
|
15
|
+
end
|
16
|
+
|
17
|
+
it "has a sequence number" do
|
18
|
+
@result.class.next_number = 0
|
19
|
+
@result.sequence_number.should == 1
|
20
|
+
@result.class.next_number.should == 1
|
21
|
+
end
|
22
|
+
|
23
|
+
it "has link to the url at localhost" do
|
24
|
+
@result.full_url.should == "http://localhost:3000/some/url?arg1=foo&arg2=bar"
|
25
|
+
end
|
26
|
+
|
27
|
+
end
|
28
|
+
|
29
|
+
describe "Relevance::Tarantula::Result class methods" do
|
30
|
+
before do
|
31
|
+
@rh = Relevance::Tarantula::Result
|
32
|
+
end
|
33
|
+
|
34
|
+
it "defines HTTP responses that are considered 'successful' when spidering" do
|
35
|
+
%w{200 201 302 401}.each do |code|
|
36
|
+
@rh.successful?(stub(:code => code)).should == true
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
it "adds successful responses to success collection" do
|
41
|
+
stub = stub_everything(:code => "200")
|
42
|
+
@rh.handle(Result.new(:response => stub)).success.should == true
|
43
|
+
end
|
44
|
+
|
45
|
+
it "adds failed responses to failure collection" do
|
46
|
+
stub = stub_everything(:code => "500")
|
47
|
+
result = @rh.handle(Result.new(:response => stub))
|
48
|
+
result.success.should == false
|
49
|
+
result.description.should == "Bad HTTP Response"
|
50
|
+
end
|
51
|
+
|
52
|
+
end
|
53
|
+
|
54
|
+
describe "Relevance::Tarantula::Result allowed errors" do
|
55
|
+
before do
|
56
|
+
Result.allow_errors_for = {}
|
57
|
+
end
|
58
|
+
|
59
|
+
it "defaults to *not* skip errors" do
|
60
|
+
Result.can_skip_error?(stub(:code => "404")).should == false
|
61
|
+
end
|
62
|
+
|
63
|
+
it "can skip errors matching code and url" do
|
64
|
+
Result.allow_errors_for = {"404" => [/some_url/]}
|
65
|
+
Result.can_skip_error?(stub(:code => "404", :url => "this_is_some_url")).should == true
|
66
|
+
end
|
67
|
+
|
68
|
+
it "does not skip errors matching code only" do
|
69
|
+
Result.allow_errors_for = {"404" => [/some_other_url/]}
|
70
|
+
Result.can_skip_error?(stub(:code => "404", :url => "this_is_some_url")).should == false
|
71
|
+
end
|
72
|
+
|
73
|
+
it "users allow_nnn_for syntax to specify allowed errors" do
|
74
|
+
Result.allow_404_for(/this_url/)
|
75
|
+
Result.allow_errors_for.should == {"404" => [/this_url/]}
|
76
|
+
Result.allow_404_for(/another_url/)
|
77
|
+
Result.allow_errors_for.should == {"404" => [/this_url/, /another_url/]}
|
78
|
+
end
|
79
|
+
|
80
|
+
it "chains to super method missing" do
|
81
|
+
lambda{Result.allow_xxx_for}.should.raise(NoMethodError)
|
82
|
+
end
|
83
|
+
|
84
|
+
end
|
85
|
+
|
86
|
+
|
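Review bot: The spec "defines HTTP responses that are considered 'successful' when spidering" lists 401 next to 200, 201 and 302 with no explanation, so a reader cannot tell whether pages that answer with an authentication challenge are deliberately counted as passing. A comment above the list such as `# 401 counts as success: the crawler reached a protected page without credentials` would record the reason, if that is the intent. No spec asserts that `successful?` returns false for any code, and the patterns in the allow-list specs (`/some_url/`) are unanchored, so they match any URL containing that text. The spec name "users allow_nnn_for syntax to specify allowed errors" should read "uses".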
@@ -0,0 +1,59 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "..", "..", "test_helper.rb")
|
2
|
+
include Relevance::Tarantula
|
3
|
+
|
4
|
+
if defined?(Tidy) && ENV['TIDY_PATH']
|
5
|
+
describe "Relevance::Tarantula::TidyHandler default" do
|
6
|
+
before do
|
7
|
+
@handler = Relevance::Tarantula::TidyHandler.new
|
8
|
+
end
|
9
|
+
|
10
|
+
it "likes a good document" do
|
11
|
+
response = stub(:html? => true, :body => <<-BODY, :code => 200)
|
12
|
+
<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3.2//EN\">
|
13
|
+
<html>
|
14
|
+
<title></title>
|
15
|
+
<body></body>
|
16
|
+
</html>
|
17
|
+
BODY
|
18
|
+
@handler.handle(Result.new(:response => response)).should == nil
|
19
|
+
end
|
20
|
+
|
21
|
+
it "rejects a document with errors" do
|
22
|
+
response = stub(:html? => true, :body => "<hotml>", :code => 200)
|
23
|
+
result = @handler.handle(Result.new(:response => response))
|
24
|
+
result.should.not.be nil
|
25
|
+
result.data.should =~ /Error: <hotml> is not recognized!/
|
26
|
+
result.description.should == "Bad HTML (Tidy)"
|
27
|
+
end
|
28
|
+
|
29
|
+
it "rejects a document with warnings" do
|
30
|
+
response = stub(:html? => true, :body => <<-BODY, :code => 200)
|
31
|
+
<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3.2//EN\">
|
32
|
+
<html>
|
33
|
+
</html>
|
34
|
+
BODY
|
35
|
+
result = @handler.handle(Result.new(:response => response))
|
36
|
+
result.should.not.be nil
|
37
|
+
result.data.should =~ /Warning: inserting missing 'title' element/
|
38
|
+
end
|
39
|
+
|
40
|
+
end
|
41
|
+
|
42
|
+
describe "Relevance::Tarantula::TidyHandler with :show_warnings => false" do
|
43
|
+
before do
|
44
|
+
@handler = Relevance::Tarantula::TidyHandler.new(:show_warnings => false)
|
45
|
+
end
|
46
|
+
|
47
|
+
it "permits a document with warnings" do
|
48
|
+
response = stub(:html? => true, :body => <<-BODY, :code => 200)
|
49
|
+
<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3.2//EN\">
|
50
|
+
<html>
|
51
|
+
</html>
|
52
|
+
BODY
|
53
|
+
result = @handler.handle(Result.new(:response => response))
|
54
|
+
result.should.be nil
|
55
|
+
end
|
56
|
+
end
|
57
|
+
else
|
58
|
+
puts "TIDY_PATH not set. Tidy test will not run"
|
59
|
+
end
|
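Review bot: The `else` branch prints "TIDY_PATH not set. Tidy test will not run" even when it was reached because `Tidy` is not defined, which points someone investigating a skipped run at the wrong cause. Distinguish the two cases, for example `puts(defined?(Tidy) ? "TIDY_PATH not set. Tidy test will not run" : "Tidy not loaded. Tidy test will not run")`. Because the whole file is skipped with only a console message, a CI run without Tidy reports success with the HTML-validation specs never executed.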
@@ -0,0 +1,21 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "../..", "test_helper.rb")
|
2
|
+
|
3
|
+
describe "Relevance::Tarantula::Transform" do
|
4
|
+
it "can do a simple replace" do
|
5
|
+
t = Relevance::Tarantula::Transform.new(/\w/, ".")
|
6
|
+
t["hello world"].should == "..... ....."
|
7
|
+
end
|
8
|
+
|
9
|
+
it "can do a replace with a block" do
|
10
|
+
t = Relevance::Tarantula::Transform.new(/([aeiou])/, Proc.new {|value| value.upcase})
|
11
|
+
t["hello world"].should == "hEllO wOrld"
|
12
|
+
end
|
13
|
+
|
14
|
+
# this is broken in Ruby?
|
15
|
+
it "cannot access groups from a block, despite Ruby docs" do
|
16
|
+
p = Proc.new {|value| $1.upcase}
|
17
|
+
t = Relevance::Tarantula::Transform.new(/([aeiou])/, p)
|
18
|
+
lambda {t["hello world"]}.should.raise(NoMethodError).message.should ==
|
19
|
+
"undefined method `upcase' for nil:NilClass"
|
20
|
+
end
|
21
|
+
end
|
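Review bot: The comment `# this is broken in Ruby?` on the last spec leaves the reason open, and the spec then pins the exact NoMethodError text, which is not stable across Ruby versions. `$1` is local to the method frame in which the proc was written, so a proc created in the spec does not see a match made inside Transform (presumably where the substitution runs; the implementation is outside this section). I would replace the comment with `# $1 is frame-local: a Proc defined here cannot see the match made inside Transform` and assert only `should.raise(NoMethodError)`. The same exact-message check appears in the "puts RAILS_ROOT behind a method call" spec of the following section.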
@@ -0,0 +1,23 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), "..", "test_helper.rb")
|
2
|
+
|
3
|
+
describe "Relevance::Tarantula" do
|
4
|
+
include Relevance::Tarantula
|
5
|
+
attr_accessor :verbose
|
6
|
+
|
7
|
+
it "writes to stdout if verbose" do
|
8
|
+
self.verbose = true
|
9
|
+
expects(:puts).with("foo")
|
10
|
+
log("foo")
|
11
|
+
end
|
12
|
+
|
13
|
+
it "swallows output if !verbose" do
|
14
|
+
self.verbose = false
|
15
|
+
expects(:puts).never
|
16
|
+
log("foo")
|
17
|
+
end
|
18
|
+
|
19
|
+
it "puts RAILS_ROOT behind a method call" do
|
20
|
+
lambda{rails_root}.should.raise(NameError).message.should == "uninitialized constant RAILS_ROOT"
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
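--- a/data/test/test_helper.rb
+++ b/data/test/test_helper.rb
@@ -0,0 +1,32 @@
+basedir = File.dirname(__FILE__)
+$:.unshift "#{basedir}/../lib"
+require 'rubygems'
+gem 'ruby-debug'
+gem 'test-spec'
+gem 'activesupport'
+gem 'actionpack'
+gem 'activerecord'
+
+require 'test/spec'
+require 'mocha'
+require 'ostruct'
+require 'ruby-debug'
+require 'activerecord'
+require 'relevance/tarantula'
+
+# needed for html-scanner, grr
+require 'active_support'
+require 'action_controller'
+
+class Test::Unit::TestCase
+def test_output_dir
+File.join(File.dirname(__FILE__), "..", "tmp", "test_output")
+end
+
+# TODO change puts/print to use a single method for logging, which will then make the stubbing cleaner
+def stub_puts_and_print(obj)
+obj.stubs(:puts)
+obj.stubs(:print)
+end
+
+end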
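Review bot: The five `gem` calls activate whatever version of each library happens to be installed, so the suite's behaviour depends on the machine it runs on. Pass a version requirement as the second argument to `gem`, at least for actionpack and activesupport, since the specs rely on the output of Rails helpers. `gem 'ruby-debug'` and `require 'ruby-debug'` also make a debugger a hard requirement for running the tests; wrapping that require in `begin … rescue LoadError … end` would let the suite run where it is not installed.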
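--- a/data/uninstall.rb
+++ b/data/uninstall.rb
@@ -0,0 +1 @@
+# Uninstall hook code here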
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2007 Trampoline Systems
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
@@ -0,0 +1,76 @@
|
|
1
|
+
FIXME: THIS README IS NOT UP-TO-DATE.
|
2
|
+
|
3
|
+
This plugin provides XSS protection for views coded in HAML and RHTML.
|
4
|
+
|
5
|
+
ERB templates are sometimes used for HTML, and sometimes for
|
6
|
+
other kinds of languages (SQL, email templates, YAML etc.).
|
7
|
+
XSS Shield protects only those templates with .rhtml extension,
|
8
|
+
leaving templates with .erb extension unprotected.
|
9
|
+
|
10
|
+
=== Quick start ===
|
11
|
+
|
12
|
+
Assuming you're using HAML for all your templates.
|
13
|
+
|
14
|
+
* Install plugin.
|
15
|
+
* Edit all your layout files and change:
|
16
|
+
= @content_for_layout
|
17
|
+
= yield(:foo) # Foo being usually :js or :css
|
18
|
+
to:
|
19
|
+
= @content_for_layout.mark_as_xss_protected
|
20
|
+
= yield(:foo).mark_as_xss_protected
|
21
|
+
* By this point your application should be runnanble,
|
22
|
+
but might need some tweaking here and there to avoid potential
|
23
|
+
double-escaping.
|
24
|
+
|
25
|
+
=== How it works ===
|
26
|
+
|
27
|
+
It works by subclassing String into SafeString.
|
28
|
+
When HAML engine seems a "= foo" fragment it check if result of executing "foo"
|
29
|
+
is a SafeString. If it is - it copies it to the output, if it's anything else
|
30
|
+
(String, Integer, nil and so on) it HTML-escapes it first.
|
31
|
+
|
32
|
+
To avoid double-escaping output of h is a SafeString, as is everything you
|
33
|
+
mark as XSS-protected.
|
34
|
+
= h(@foo)
|
35
|
+
= @foo # fully equivalent to h(@foo)
|
36
|
+
= "X <br /> Y".mark_as_xss_protected
|
37
|
+
|
38
|
+
It would be cumbersome to require mark_as_xss_protected every time you use
|
39
|
+
some helper like render :partial or link_to, so some helpers are modified
|
40
|
+
to return SafeString.
|
41
|
+
|
42
|
+
= render :partial => "foo"
|
43
|
+
= link_to "Bar", :action => :bar
|
44
|
+
|
45
|
+
If you trust your helpers, make them as XSS-protected:
|
46
|
+
|
47
|
+
module Some::Module
|
48
|
+
mark_helpers_as_xss_protected :text_field, :check_box
|
49
|
+
end
|
50
|
+
|
51
|
+
Because it is not possible to alter syntactic keywords like yield
|
52
|
+
or instance variables like @content_for_layout to mark them automatically
|
53
|
+
as secure, layout files need some manual tweaking.
|
54
|
+
|
55
|
+
=== Other template engines ===
|
56
|
+
|
57
|
+
If a templates uses some templating engine other than HAML or ERB,
|
58
|
+
or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
|
59
|
+
|
60
|
+
However some helpers like link_to and button_to are patched by XSS Shield to
|
61
|
+
make them more secure, and this extra security will be there even when used
|
62
|
+
in an otherwise unprotected context.
|
63
|
+
|
64
|
+
For example with XSS shield
|
65
|
+
link_to "A & B", "/foo"
|
66
|
+
will return (marked as safe):
|
67
|
+
'<a href="/foo">A & B</a>'
|
68
|
+
not (plain String):
|
69
|
+
'<a href="/foo">A & B</a>'
|
70
|
+
|
71
|
+
Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
|
72
|
+
If you use some alternative ERB engine it probably won't work.
|
73
|
+
|
74
|
+
Adding support for alternative templating engine should be relatively straightforward.
|
75
|
+
It's mostly a matter of changing to_s to to_s_xss_protected in a few places
|
76
|
+
in their source.
|
@@ -0,0 +1,111 @@
|
|
1
|
+
class XSSProtectedERB < ERB
|
2
|
+
class Compiler < ::ERB::Compiler
|
3
|
+
def compile(s)
|
4
|
+
out = Buffer.new(self)
|
5
|
+
|
6
|
+
content = ''
|
7
|
+
scanner = make_scanner(s)
|
8
|
+
scanner.scan do |token|
|
9
|
+
if scanner.stag.nil?
|
10
|
+
case token
|
11
|
+
when PercentLine
|
12
|
+
out.push("#{@put_cmd} #{content.dump}") if content.size > 0
|
13
|
+
content = ''
|
14
|
+
out.push(token.to_s)
|
15
|
+
out.cr
|
16
|
+
when :cr
|
17
|
+
out.cr
|
18
|
+
when '<%', '<%=', '<%#'
|
19
|
+
scanner.stag = token
|
20
|
+
out.push("#{@put_cmd} #{content.dump}") if content.size > 0
|
21
|
+
content = ''
|
22
|
+
when "\n"
|
23
|
+
content << "\n"
|
24
|
+
out.push("#{@put_cmd} #{content.dump}")
|
25
|
+
out.cr
|
26
|
+
content = ''
|
27
|
+
when '<%%'
|
28
|
+
content << '<%'
|
29
|
+
else
|
30
|
+
content << token
|
31
|
+
end
|
32
|
+
else
|
33
|
+
case token
|
34
|
+
when '%>'
|
35
|
+
case scanner.stag
|
36
|
+
when '<%'
|
37
|
+
if content[-1] == ?\n
|
38
|
+
content.chop!
|
39
|
+
out.push(content)
|
40
|
+
out.cr
|
41
|
+
else
|
42
|
+
out.push(content)
|
43
|
+
end
|
44
|
+
when '<%='
|
45
|
+
# NOTE: Changed lines
|
46
|
+
out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
|
47
|
+
# NOTE: End changed lines
|
48
|
+
when '<%#'
|
49
|
+
# out.push("# #{content.dump}")
|
50
|
+
end
|
51
|
+
scanner.stag = nil
|
52
|
+
content = ''
|
53
|
+
when '%%>'
|
54
|
+
content << '%>'
|
55
|
+
else
|
56
|
+
content << token
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
out.push("#{@put_cmd} #{content.dump}") if content.size > 0
|
61
|
+
out.close
|
62
|
+
out.script
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
|
67
|
+
@safe_level = safe_level
|
68
|
+
compiler = XSSProtectedERB::Compiler.new(trim_mode)
|
69
|
+
set_eoutvar(compiler, eoutvar)
|
70
|
+
@src = compiler.compile(str)
|
71
|
+
@filename = nil
|
72
|
+
end
|
73
|
+
end
|
74
|
+
|
75
|
+
module ActionView
|
76
|
+
class Base
|
77
|
+
private
|
78
|
+
def create_template_source(extension, template, render_symbol, locals)
|
79
|
+
if template_requires_setup?(extension)
|
80
|
+
body = case extension.to_sym
|
81
|
+
when :rxml, :builder
|
82
|
+
content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
|
83
|
+
"#{content_type_handler}.content_type ||= Mime::XML\n" +
|
84
|
+
"xml = Builder::XmlMarkup.new(:indent => 2)\n" +
|
85
|
+
template +
|
86
|
+
"\nxml.target!\n"
|
87
|
+
when :rjs
|
88
|
+
"controller.response.content_type ||= Mime::JS\n" +
|
89
|
+
"update_page do |page|\n#{template}\nend"
|
90
|
+
end
|
91
|
+
# NOTE: Changed lines
|
92
|
+
elsif extension.to_sym == :rhtml
|
93
|
+
body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
|
94
|
+
# NOTE: End changed lines
|
95
|
+
else
|
96
|
+
body = ERB.new(template, nil, @@erb_trim_mode).src
|
97
|
+
end
|
98
|
+
|
99
|
+
@@template_args[render_symbol] ||= {}
|
100
|
+
locals_keys = @@template_args[render_symbol].keys | locals
|
101
|
+
@@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
|
102
|
+
|
103
|
+
locals_code = ""
|
104
|
+
locals_keys.each do |key|
|
105
|
+
locals_code << "#{key} = local_assigns[:#{key}]\n"
|
106
|
+
end
|
107
|
+
|
108
|
+
"def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
|
109
|
+
end
|
110
|
+
end
|
111
|
+
end
|
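Review bot: In `create_template_source` only the `:rhtml` branch compiles with XSSProtectedERB; every other ERB template that reaches the final `else`, including `.erb`, is compiled by plain `ERB`, so its `<%= %>` output is not escaped and nothing is logged. The bundled README describes this as intended, but a template renamed from `.rhtml` to `.erb` loses protection silently. A comment at the `else` such as `# NOTE: non-.rhtml ERB templates are NOT escaped` would help, as would a development-mode warning. Both `Compiler#compile` and `create_template_source` are copies of library methods with one changed statement each, so a header comment should record the Ruby and Rails versions they were copied from; after an upgrade the patch would otherwise replace the newer private originals with stale code.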
@@ -0,0 +1,42 @@
|
|
1
|
+
raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
|
2
|
+
|
3
|
+
module Haml
|
4
|
+
class Engine
|
5
|
+
def push_script(text, flattened)
|
6
|
+
unless options[:suppress_eval]
|
7
|
+
push_silent("haml_temp = #{text}", true)
|
8
|
+
push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
|
9
|
+
out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
|
10
|
+
if @block_opened
|
11
|
+
push_and_tabulate([:loud, out])
|
12
|
+
else
|
13
|
+
@precompiled << out
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
def build_attributes(attributes = {})
|
19
|
+
# We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to '
|
20
|
+
# making ' as attribute quote not workable
|
21
|
+
result = attributes.map do |a,v|
|
22
|
+
v = v.to_s_xss_protected
|
23
|
+
unless v.blank?
|
24
|
+
" #{a}=\"#{v}\""
|
25
|
+
end
|
26
|
+
end
|
27
|
+
result.sort.join
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
class Buffer
|
32
|
+
def build_attributes(attributes = {})
|
33
|
+
result = attributes.map do |a,v|
|
34
|
+
v = v.to_s_xss_protected
|
35
|
+
unless v.blank?
|
36
|
+
" #{a}=\"#{v}\""
|
37
|
+
end
|
38
|
+
end
|
39
|
+
result.sort.join
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
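Review bot: Both `build_attributes` methods pass the value through `to_s_xss_protected` but interpolate the attribute name `a` into the tag as-is, so a hash key that did not come from a literal would reach the markup unescaped. Either escape the name as well or state the contract in a comment, e.g. `# attribute names are emitted verbatim; never build them from user input`. The two method bodies are identical and could share one helper, and the comment in the first has a typo ("espace"). The guard on the first line cannot produce its own message: `instance_method` raises NameError when the method is missing, and referencing `Haml::Engine` raises when the constant is, so `raise "Haml not loaded"` is never reached. A `defined?(Haml::Engine)` check would let the intended message appear.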