relevance-tarantula 0.0.1

data/vendor/xss-shield/lib/xss_shield/safe_string.rb

@@ -0,0 +1,47 @@
+class SafeString < String
+  def to_s
+    self
+  end
+  def to_s_xss_protected
+    self
+  end
+end
+
+class String
+  def mark_as_xss_protected
+    SafeString.new(self)
+  end
+end
+
+class NilClass
+  def mark_as_xss_protected
+    self
+  end
+end
+
+# ERB::Util.h and (include ERB::Util; h) are different methods
+module ERB::Util
+  class <<self
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+  end
+  
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+end
+
+class Object
+  def to_s_xss_protected
+    ERB::Util.h(to_s).mark_as_xss_protected
+  end
+end
+
+class Array
+  def join_xss_protected(sep="")
+    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
+  end
+end

data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb

@@ -0,0 +1,40 @@
+class Module
+  def mark_helpers_as_xss_protected(*ms)
+    ms.each do |m|
+      begin
+        instance_method("#{m}_with_xss_protection")
+      rescue NameError
+        define_method :"#{m}_with_xss_protection" do |*args|
+          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
+        end
+        alias_method_chain m, :xss_protection
+      end
+    end
+  end
+end
+
+class ActionView::Base
+  mark_helpers_as_xss_protected :javascript_include_tag,
+                                :stylesheet_link_tag,
+                                :render,
+                                :text_field_tag,
+                                :submit_tag,
+                                :radio_button,
+                                :text_area,
+                                :auto_discovery_link_tag,
+                                :image_tag
+
+  def link_to_with_xss_protection(text, *args)
+    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :link_to, :xss_protection
+
+  def button_to_with_xss_protection(text, *args)
+    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :button_to, :xss_protection
+end
+
+module ActionView::Helpers::FormHelper
+  mark_helpers_as_xss_protected :text_field, :check_box
+end

data/vendor/xss-shield/lib/xss_shield.rb

@@ -0,0 +1,6 @@
+require 'xss_shield/safe_string'
+# Tarantula doesn't use haml
+# require 'xss_shield/haml_hacks'
+# ERB hacks blow up Rails
+# require 'xss_shield/erb_hacks'
+require 'xss_shield/secure_helpers'

data/vendor/xss-shield/test/test_actionview_integration.rb

@@ -0,0 +1,40 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestActionViewIntegration < Test::Unit::TestCase
+  def assert_renders(expected, input, extension)
+    base = ActionView::Base.new
+    actual = base.render_template(extension, input, "foo.#{extension}")
+    assert_equal expected, actual
+  end
+
+  def test_erb
+    assert_renders <<OUT, <<IN, :erb
+A & B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+
+  def test_rhtml
+    assert_renders <<OUT, <<IN, :rhtml
+A &amp; B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+ 
+  def test_haml
+    assert_renders <<OUT, <<IN, :haml
+A &amp; B
+A & B
+OUT
+= "A & B"
+= "A & B".mark_as_xss_protected
+IN
+  end
+end

data/vendor/xss-shield/test/test_erb.rb

@@ -0,0 +1,44 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestERB < Test::Unit::TestCase
+  def assert_renders_erb(expected, input, shield=true)
+    erb_class = shield ? XSSProtectedERB : ERB
+
+    actual = eval(erb_class.new(input).src)
+    
+    assert_equal expected, actual
+  end
+  
+  def test_erb_with_shield
+    assert_renders_erb <<OUT, <<IN, true
+Foo &amp;amp; Bar
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+OUT
+<%= "Foo &amp; Bar"  %>
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+  
+  def test_erb_without_shield
+    assert_renders_erb <<OUT, <<IN, false
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo & Bar
+OUT
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar"  %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+end

data/vendor/xss-shield/test/test_haml.rb

@@ -0,0 +1,43 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHaml < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_haml_engine
+    assert_haml_renders <<OUT, <<IN
+A & B
+C &amp; D
+E &amp; F
+G & H
+I &amp; J
+OUT
+A & B
+= "C & D"
+= h("E & F")
+= "G & H".mark_as_xss_protected
+= "I & J".to_s_xss_protected
+IN
+  end
+  
+  def test_attribute_escaping_in_haml
+    @base.instance_eval {
+      @foo = "A < & > ' \" B"
+    }
+    assert_haml_renders <<OUT, <<IN
+<div foo="A &lt; &amp; &gt; ' &quot; B" />
+<div foo="A < & > ' " B" />
+OUT
+%div{:foo => @foo}/
+%div{:foo => @foo.mark_as_xss_protected}/
+IN
+    # Note that '/" explicitly marked as XSS-protected can break validity
+  end
+end

data/vendor/xss-shield/test/test_helpers.rb

@@ -0,0 +1,25 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHelpers < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_link_to
+    assert_haml_renders <<OUT, <<IN
+<a href="/bar">Foo</a>
+<a href="/bar">Foo &amp; Bar</a>
+<a href="/bar">Foo & Bar</a>
+OUT
+= link_to "Foo", "/bar"
+= link_to "Foo & Bar", "/bar"
+= link_to "Foo & Bar".mark_as_xss_protected, "/bar"
+IN
+  end
+end

data/vendor/xss-shield/test/test_safe_string.rb

@@ -0,0 +1,55 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestSafeString < Test::Unit::TestCase
+  def test_safe_string
+    assert_equal "foo", "foo".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected
+    assert_equal "foo &amp;amp; bar", "foo &amp; bar".to_s_xss_protected
+    assert_equal "foo &amp; bar", "foo & bar".to_s_xss_protected.to_s_xss_protected
+    assert_equal "foo &amp; bar", h("foo & bar").to_s_xss_protected
+    assert_equal "foo &amp;amp; bar", h(h("foo & bar"))
+    
+    assert_not_equal "foo".mark_as_xss_protected.object_id, "foo".mark_as_xss_protected.object_id
+    x = "foo & bar".mark_as_xss_protected
+    assert_equal x.mark_as_xss_protected, x
+    # Not sure if this makes sense
+    assert_not_equal x.mark_as_xss_protected.object_id, x.object_id
+
+    assert_equal x.to_s, x
+    assert_equal x.to_s.object_id, x.object_id
+  end
+  
+  def test_nonstring_objects
+    assert_equal "15", 15.to_s_xss_protected
+    assert_equal SafeString, 15.to_s_xss_protected.class
+  end
+  
+  def test_nil
+    assert_equal "", nil.to_s_xss_protected
+    assert_equal SafeString, nil.to_s_xss_protected.class
+    assert_equal nil, nil.mark_as_xss_protected
+  end
+  
+  def test_join
+    assert_equal "", [].join_xss_protected
+    assert_equal "", [].join_xss_protected(",")
+    assert_equal "a", ["a"].join_xss_protected
+    assert_equal "a", ["a"].join_xss_protected(",")
+    assert_equal "ab", ["a", "b"].join_xss_protected
+    assert_equal "a,b", ["a", "b"].join_xss_protected(",")
+
+    assert_equal "a&amp;b", ["a", "b"].join_xss_protected("&")
+    assert_equal "a&amp;amp;b", ["a", "b"].join_xss_protected("&amp;")
+    assert_equal "a&amp;b", ["a", "b"].join_xss_protected("&amp;".mark_as_xss_protected)
+
+    assert_equal "&lt;&amp;&gt;", ["<", ">"].join_xss_protected("&")
+    assert_equal "&lt;&amp;amp;&gt;", ["<", ">"].join_xss_protected("&amp;")
+    assert_equal "&lt;&amp;&gt;", ["<", ">"].join_xss_protected("&amp;".mark_as_xss_protected)
+
+    assert_equal "< &amp; &gt;", ["<".mark_as_xss_protected, ">"].join_xss_protected(" & ")
+    assert_equal "&lt; &amp; >", ["<", ">".mark_as_xss_protected].join_xss_protected(" & ")
+    assert_equal "&lt; & &gt;", ["<", ">"].join_xss_protected(" & ".mark_as_xss_protected)
+  end
+end

metadata

@@ -0,0 +1,256 @@
+--- !ruby/object:Gem::Specification 
+name: relevance-tarantula
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Relevance
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-09-05 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: htmlentities
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: hpricot
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: facets
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 2.4.3
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: echoe
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: A big hairy fuzzy spider that crawls your site, wreaking havoc
+email: opensource@thinkrelevance.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- MIT-LICENSE
+- README.rdoc
+- lib/relevance/core_extensions/ellipsize.rb
+- lib/relevance/core_extensions/file.rb
+- lib/relevance/core_extensions/response.rb
+- lib/relevance/core_extensions/test_case.rb
+- lib/relevance/tarantula/attack.rb
+- lib/relevance/tarantula/attack_form_submission.rb
+- lib/relevance/tarantula/attack_handler.rb
+- lib/relevance/tarantula/crawler.rb
+- lib/relevance/tarantula/detail.html.erb
+- lib/relevance/tarantula/form.rb
+- lib/relevance/tarantula/form_submission.rb
+- lib/relevance/tarantula/html_document_handler.rb
+- lib/relevance/tarantula/html_report_helper.rb
+- lib/relevance/tarantula/html_reporter.rb
+- lib/relevance/tarantula/index.html.erb
+- lib/relevance/tarantula/invalid_html_handler.rb
+- lib/relevance/tarantula/io_reporter.rb
+- lib/relevance/tarantula/link.rb
+- lib/relevance/tarantula/log_grabber.rb
+- lib/relevance/tarantula/rails_integration_proxy.rb
+- lib/relevance/tarantula/recording.rb
+- lib/relevance/tarantula/response.rb
+- lib/relevance/tarantula/result.rb
+- lib/relevance/tarantula/test_report.html.erb
+- lib/relevance/tarantula/tidy_handler.rb
+- lib/relevance/tarantula/transform.rb
+- lib/relevance/tarantula.rb
+- vendor/xss-shield/MIT-LICENSE
+files: 
+- MIT-LICENSE
+- README.rdoc
+- Rakefile
+- init.rb
+- install.rb
+- laf/images/background.jpg
+- laf/images/relevance-os-logo.gif
+- laf/images/tab.png
+- laf/images/table-sort.gif
+- laf/images/tarantula-sprites.png
+- laf/javascripts/jquery-1.2.3.js
+- laf/javascripts/jquery-ui-tabs.js
+- laf/javascripts/jquery.tablesorter.js
+- laf/javascripts/tarantula.js
+- laf/stylesheets/tarantula.css
+- laf/stylesheets/ui.tabs.css
+- lib/relevance/core_extensions/ellipsize.rb
+- lib/relevance/core_extensions/file.rb
+- lib/relevance/core_extensions/response.rb
+- lib/relevance/core_extensions/test_case.rb
+- lib/relevance/tarantula/attack.rb
+- lib/relevance/tarantula/attack_form_submission.rb
+- lib/relevance/tarantula/attack_handler.rb
+- lib/relevance/tarantula/crawler.rb
+- lib/relevance/tarantula/detail.html.erb
+- lib/relevance/tarantula/form.rb
+- lib/relevance/tarantula/form_submission.rb
+- lib/relevance/tarantula/html_document_handler.rb
+- lib/relevance/tarantula/html_report_helper.rb
+- lib/relevance/tarantula/html_reporter.rb
+- lib/relevance/tarantula/index.html.erb
+- lib/relevance/tarantula/invalid_html_handler.rb
+- lib/relevance/tarantula/io_reporter.rb
+- lib/relevance/tarantula/link.rb
+- lib/relevance/tarantula/log_grabber.rb
+- lib/relevance/tarantula/rails_integration_proxy.rb
+- lib/relevance/tarantula/recording.rb
+- lib/relevance/tarantula/response.rb
+- lib/relevance/tarantula/result.rb
+- lib/relevance/tarantula/test_report.html.erb
+- lib/relevance/tarantula/tidy_handler.rb
+- lib/relevance/tarantula/transform.rb
+- lib/relevance/tarantula.rb
+- tasks/tarantula_tasks.rake
+- template/tarantula_test.rb
+- test/relevance/core_extensions/ellipsize_test.rb
+- test/relevance/core_extensions/file_test.rb
+- test/relevance/core_extensions/response_test.rb
+- test/relevance/core_extensions/test_case_test.rb
+- test/relevance/tarantula/attack_form_submission_test.rb
+- test/relevance/tarantula/attack_handler_test.rb
+- test/relevance/tarantula/crawler_test.rb
+- test/relevance/tarantula/form_submission_test.rb
+- test/relevance/tarantula/form_test.rb
+- test/relevance/tarantula/html_document_handler_test.rb
+- test/relevance/tarantula/html_report_helper_test.rb
+- test/relevance/tarantula/html_reporter_test.rb
+- test/relevance/tarantula/invalid_html_handler_test.rb
+- test/relevance/tarantula/io_reporter_test.rb
+- test/relevance/tarantula/link_test.rb
+- test/relevance/tarantula/log_grabber_test.rb
+- test/relevance/tarantula/rails_integration_proxy_test.rb
+- test/relevance/tarantula/result_test.rb
+- test/relevance/tarantula/tidy_handler_test.rb
+- test/relevance/tarantula/transform_test.rb
+- test/relevance/tarantula_test.rb
+- test/test_helper.rb
+- tmp/test_output/images/background.jpg
+- tmp/test_output/images/relevance-os-logo.gif
+- tmp/test_output/images/tab.png
+- tmp/test_output/images/table-sort.gif
+- tmp/test_output/images/tarantula-sprites.png
+- tmp/test_output/index.html
+- tmp/test_output/javascripts/jquery-1.2.3.js
+- tmp/test_output/javascripts/jquery-ui-tabs.js
+- tmp/test_output/javascripts/jquery.tablesorter.js
+- tmp/test_output/javascripts/tarantula.js
+- tmp/test_output/stylesheets/tarantula.css
+- tmp/test_output/stylesheets/ui.tabs.css
+- tmp/test_output/test_user_pages/1.html
+- tmp/test_output/test_user_pages/10.html
+- tmp/test_output/test_user_pages/11.html
+- tmp/test_output/test_user_pages/12.html
+- tmp/test_output/test_user_pages/13.html
+- tmp/test_output/test_user_pages/14.html
+- tmp/test_output/test_user_pages/15.html
+- tmp/test_output/test_user_pages/16.html
+- tmp/test_output/test_user_pages/17.html
+- tmp/test_output/test_user_pages/18.html
+- tmp/test_output/test_user_pages/19.html
+- tmp/test_output/test_user_pages/2.html
+- tmp/test_output/test_user_pages/20.html
+- tmp/test_output/test_user_pages/3.html
+- tmp/test_output/test_user_pages/4.html
+- tmp/test_output/test_user_pages/5.html
+- tmp/test_output/test_user_pages/6.html
+- tmp/test_output/test_user_pages/7.html
+- tmp/test_output/test_user_pages/8.html
+- tmp/test_output/test_user_pages/9.html
+- uninstall.rb
+- vendor/xss-shield/MIT-LICENSE
+- vendor/xss-shield/README
+- vendor/xss-shield/init.rb
+- vendor/xss-shield/lib/xss_shield/erb_hacks.rb
+- vendor/xss-shield/lib/xss_shield/haml_hacks.rb
+- vendor/xss-shield/lib/xss_shield/safe_string.rb
+- vendor/xss-shield/lib/xss_shield/secure_helpers.rb
+- vendor/xss-shield/lib/xss_shield.rb
+- vendor/xss-shield/test/test_actionview_integration.rb
+- vendor/xss-shield/test/test_erb.rb
+- vendor/xss-shield/test/test_haml.rb
+- vendor/xss-shield/test/test_helpers.rb
+- vendor/xss-shield/test/test_safe_string.rb
+- manifest.txt
+- tarantula.gemspec
+has_rdoc: true
+homepage: http://opensource.thinkrelevance.com/wiki/tarantula
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- --title
+- Tarantula
+- --main
+- README.rdoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - "="
+    - !ruby/object:Gem::Version 
+      version: "1.2"
+  version: 
+requirements: []
+
+rubyforge_project: thinkrelevance
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: A big hairy fuzzy spider that crawls your site, wreaking havoc
+test_files: 
+- test/relevance/core_extensions/ellipsize_test.rb
+- test/relevance/core_extensions/file_test.rb
+- test/relevance/core_extensions/response_test.rb
+- test/relevance/core_extensions/test_case_test.rb
+- test/relevance/tarantula/attack_form_submission_test.rb
+- test/relevance/tarantula/attack_handler_test.rb
+- test/relevance/tarantula/crawler_test.rb
+- test/relevance/tarantula/form_submission_test.rb
+- test/relevance/tarantula/form_test.rb
+- test/relevance/tarantula/html_document_handler_test.rb
+- test/relevance/tarantula/html_report_helper_test.rb
+- test/relevance/tarantula/html_reporter_test.rb
+- test/relevance/tarantula/invalid_html_handler_test.rb
+- test/relevance/tarantula/io_reporter_test.rb
+- test/relevance/tarantula/link_test.rb
+- test/relevance/tarantula/log_grabber_test.rb
+- test/relevance/tarantula/rails_integration_proxy_test.rb
+- test/relevance/tarantula/result_test.rb
+- test/relevance/tarantula/tidy_handler_test.rb
+- test/relevance/tarantula/transform_test.rb
+- test/relevance/tarantula_test.rb