romanbsd-tarantula 0.1.8

data/vendor/w3c_validators/test/test_html5_validator.rb

@@ -0,0 +1,64 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+# Test cases for the HTML5Validator.
+class HTML5ValidatorTests < Test::Unit::TestCase
+  include W3CValidators
+  def setup
+    @v = NuValidator.new
+    sleep 1
+  end
+
+  def test_getting_request_data
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/valid_html5.html')
+    assert_equal :html5, r.doctype
+    assert_equal 'http://code.dunae.ca/w3c_validators/test/valid_html5.html', r.uri
+    assert_equal 0, r.errors.length
+    assert_equal 0, r.warnings.length
+    assert r.is_valid?
+  end
+
+  def test_validating_uri
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_html5.html')
+    assert_equal 1, r.errors.length
+    assert_equal 1, r.warnings.length
+    assert !r.is_valid?
+  end
+
+  def test_validating_file
+    file = File.dirname(__FILE__) + '/fixtures/invalid_html5.html'
+    r = @v.validate_file(file)
+    assert_equal 1, r.errors.length
+  end
+
+  def test_validating_text
+    valid_fragment = <<-EOV
+    <!DOCTYPE html>
+    <html lang="en-ca">
+      <head>
+        <title>HTML 5 Example</title>
+      </head>
+      <body>
+        <!-- should have one error (missing </section>) -->
+        <p>This is a sample HTML 5 document.</p>
+        <section>
+        <h1>Example of paragraphs</h1>
+        This is the <em>first</em> paragraph in this example.
+        <p>This is the second.</p>
+        <p>Test<br>test</p>
+      </body>
+    </html>
+    EOV
+
+    r = @v.validate_text(valid_fragment)
+    assert_equal 1, r.errors.length
+  end
+
+  #def test_validating_text_via_file
+  #  fh = File.new(File.dirname(__FILE__) + '/fixtures/invalid_html5.html', 'r+')
+  #  r = @v.validate_file(fh)
+  #  fh.close
+  #  assert_equal 1, r.errors.length
+  #end
+
+
+end

data/vendor/w3c_validators/test/test_markup_validator.rb

@@ -0,0 +1,94 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+# Test cases for the MarkupValidator.
+class MarkupValidatorTests < Test::Unit::TestCase
+  include W3CValidators
+  def setup
+    @v = MarkupValidator.new
+    sleep 1
+  end
+
+  def test_overriding_doctype
+    @v.set_doctype!(:html32, false)
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert_equal '-//W3C//DTD HTML 3.2 Final//EN', r.doctype
+  end
+
+  def test_overriding_doctype_for_fallback_only
+    @v.set_doctype!(:html32, true)
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert_not_equal '-//W3C//DTD HTML 3.2 Final//EN', r.doctype
+  end
+
+  def test_overriding_charset
+    @v.set_charset!(:utf_16, false)
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert_equal 'utf-16', r.charset
+  end
+
+  def test_overriding_charset_for_fallback_only
+    @v.set_doctype!(:utf_16, true)
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert_not_equal 'utf-16', r.charset
+  end
+
+  def test_validating_uri_with_head_request
+    r = @v.validate_uri_quickly('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert_equal 1, r.errors.length
+    assert_equal 0, r.warnings.length
+  end
+
+  def test_validating_uri_with_soap
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert_equal 1, r.errors.length
+    assert_equal 0, r.warnings.length
+  end
+
+  def test_debugging_uri
+    @v.set_debug!
+    r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_markup.html')
+    assert r.debug_messages.length > 0
+  end
+
+  def test_validating_file
+    file = File.dirname(__FILE__) + '/fixtures/invalid_markup.html'
+    r = @v.validate_file(file)
+    assert_equal 1, r.errors.length
+
+    assert r.uri =~ /fixtures\/invalid_markup\.html$/
+  end
+
+  def test_validating_text
+    valid_fragment = <<-EOV
+      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+      <title>Test</title>
+      <body>
+      <div class="example">This is a test</div>
+      </body>
+    EOV
+
+    r = @v.validate_text(valid_fragment)
+    assert_equal 0, r.errors.length
+    assert_equal 0, r.warnings.length
+  end
+
+  def test_validating_text_via_file
+    fh = File.new(File.dirname(__FILE__) + '/fixtures/invalid_markup.html', 'r+')
+    r = @v.validate_file(fh)
+    fh.close
+    assert_equal 1, r.errors.length
+  end
+
+
+  def test_validator_abort
+    @v.set_debug!
+    assert_nothing_raised do
+      r = @v.validate_uri('http://code.dunae.ca/w3c_validators/test/invalid_encoding.html')
+      assert !r.is_valid?
+      assert_equal 1, r.errors.length
+      assert_equal [], r.warnings
+    end
+  end
+
+
+end

data/vendor/xss-shield/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2007 Trampoline Systems
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/vendor/xss-shield/README

@@ -0,0 +1,76 @@
+FIXME: THIS README IS NOT UP-TO-DATE.
+
+This plugin provides XSS protection for views coded in HAML and RHTML.
+
+ERB templates are sometimes used for HTML, and sometimes for
+other kinds of languages (SQL, email templates, YAML etc.).
+XSS Shield protects only those templates with .rhtml extension,
+leaving templates with .erb extension unprotected.
+
+=== Quick start ===
+
+Assuming you're using HAML for all your templates.
+
+* Install plugin.
+* Edit all your layout files and change:
+    = @content_for_layout
+    = yield(:foo) # Foo being usually :js or :css
+  to:
+    = @content_for_layout.mark_as_xss_protected
+    = yield(:foo).mark_as_xss_protected
+* By this point your application should be runnanble,
+  but might need some tweaking here and there to avoid potential
+  double-escaping.
+
+=== How it works ===
+
+It works by subclassing String into SafeString.
+When HAML engine seems a "= foo" fragment it check if result of executing "foo"
+is a SafeString. If it is - it copies it to the output, if it's anything else
+(String, Integer, nil and so on) it HTML-escapes it first.
+
+To avoid double-escaping output of h is a SafeString, as is everything you
+mark as XSS-protected.
+  = h(@foo)
+  = @foo # fully equivalent to h(@foo)
+  = "X <br /> Y".mark_as_xss_protected
+
+It would be cumbersome to require mark_as_xss_protected every time you use
+some helper like render :partial or link_to, so some helpers are modified
+to return SafeString.
+
+  = render :partial => "foo"
+  = link_to "Bar", :action => :bar
+
+If you trust your helpers, make them as XSS-protected:
+
+  module Some::Module
+    mark_helpers_as_xss_protected :text_field, :check_box
+  end
+
+Because it is not possible to alter syntactic keywords like yield
+or instance variables like @content_for_layout to mark them automatically
+as secure, layout files need some manual tweaking.
+
+=== Other template engines ===
+
+If a templates uses some templating engine other than HAML or ERB,
+or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
+
+However some helpers like link_to and button_to are patched by XSS Shield to
+make them more secure, and this extra security will be there even when used
+in an otherwise unprotected context.
+
+For example with XSS shield
+  link_to "A & B", "/foo"
+will return (marked as safe):
+  '<a href="/foo">A &amp; B</a>'
+not (plain String):
+  '<a href="/foo">A & B</a>'
+
+Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
+If you use some alternative ERB engine it probably won't work.
+
+Adding support for alternative templating engine should be relatively straightforward.
+It's mostly a matter of changing to_s to to_s_xss_protected in a few places
+in their source.

data/vendor/xss-shield/init.rb

@@ -0,0 +1,16 @@
+unless ENV['DISABLE_XSS_SHIELD']
+  puts "Loading XSS Shield"
+  require 'xss_shield'
+else
+  class ::String
+    def mark_as_xss_protected
+      self
+    end
+  end
+
+  class ::NilClass
+    def mark_as_xss_protected
+      self
+    end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb

@@ -0,0 +1,111 @@
+class XSSProtectedERB < ERB
+  class Compiler < ::ERB::Compiler
+    def compile(s)
+      out = Buffer.new(self)
+
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+  if scanner.stag.nil?
+    case token
+          when PercentLine
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      content = ''
+            out.push(token.to_s)
+            out.cr
+    when :cr
+      out.cr
+    when '<%', '<%=', '<%#'
+      scanner.stag = token
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      content = ''
+    when "\n"
+      content << "\n"
+      out.push("#{@put_cmd} #{content.dump}")
+      out.cr
+      content = ''
+    when '<%%'
+      content << '<%'
+    else
+      content << token
+    end
+  else
+    case token
+    when '%>'
+      case scanner.stag
+      when '<%'
+        if content[-1] == ?\n
+    content.chop!
+    out.push(content)
+    out.cr
+        else
+    out.push(content)
+        end
+      when '<%='
+              # NOTE: Changed lines
+        out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
+              # NOTE: End changed lines
+      when '<%#'
+        # out.push("# #{content.dump}")
+      end
+      scanner.stag = nil
+      content = ''
+    when '%%>'
+      content << '%>'
+    else
+      content << token
+    end
+  end
+      end
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      out.close
+      out.script
+    end
+  end
+
+  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
+    @safe_level = safe_level
+    compiler = XSSProtectedERB::Compiler.new(trim_mode)
+    set_eoutvar(compiler, eoutvar)
+    @src = compiler.compile(str)
+    @filename = nil
+  end
+end
+
+module ActionView
+  class Base
+    private
+      def create_template_source(extension, template, render_symbol, locals)
+        if template_requires_setup?(extension)
+          body = case extension.to_sym
+            when :rxml, :builder
+              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
+              "#{content_type_handler}.content_type ||= Mime::XML\n" +
+              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
+              template +
+              "\nxml.target!\n"
+            when :rjs
+              "controller.response.content_type ||= Mime::JS\n" +
+              "update_page do |page|\n#{template}\nend"
+          end
+        # NOTE: Changed lines
+        elsif extension.to_sym == :rhtml
+          body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
+        # NOTE: End changed lines
+        else
+          body = ERB.new(template, nil, @@erb_trim_mode).src
+        end
+
+        @@template_args[render_symbol] ||= {}
+        locals_keys = @@template_args[render_symbol].keys | locals
+        @@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
+
+        locals_code = ""
+        locals_keys.each do |key|
+          locals_code << "#{key} = local_assigns[:#{key}]\n"
+        end
+
+        "def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
+      end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb

@@ -0,0 +1,42 @@
+raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
+
+module Haml
+  class Engine
+    def push_script(text, flattened)
+      unless options[:suppress_eval]
+        push_silent("haml_temp = #{text}", true)
+        push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
+        out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
+        if @block_opened
+          push_and_tabulate([:loud, out])
+        else
+          @precompiled << out
+        end
+      end
+    end
+
+    def build_attributes(attributes = {})
+      # We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to &apos;
+      # making ' as attribute quote not workable
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+
+  class Buffer
+    def build_attributes(attributes = {})
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/safe_string.rb

@@ -0,0 +1,47 @@
+class SafeString < String
+  def to_s
+    self
+  end
+  def to_s_xss_protected
+    self
+  end
+end
+
+class String
+  def mark_as_xss_protected
+    SafeString.new(self)
+  end
+end
+
+class NilClass
+  def mark_as_xss_protected
+    self
+  end
+end
+
+# ERB::Util.h and (include ERB::Util; h) are different methods
+module ERB::Util
+  class <<self
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+  end
+  
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+end
+
+class Object
+  def to_s_xss_protected
+    ERB::Util.h(to_s).mark_as_xss_protected
+  end
+end
+
+class Array
+  def join_xss_protected(sep="")
+    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
+  end
+end

data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb

@@ -0,0 +1,40 @@
+class Module
+  def mark_helpers_as_xss_protected(*ms)
+    ms.each do |m|
+      begin
+        instance_method("#{m}_with_xss_protection")
+      rescue NameError
+        define_method :"#{m}_with_xss_protection" do |*args|
+          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
+        end
+        alias_method_chain m, :xss_protection
+      end
+    end
+  end
+end
+
+class ActionView::Base
+  mark_helpers_as_xss_protected :javascript_include_tag,
+                                :stylesheet_link_tag,
+                                :render,
+                                :text_field_tag,
+                                :submit_tag,
+                                :radio_button,
+                                :text_area,
+                                :auto_discovery_link_tag,
+                                :image_tag
+
+  def link_to_with_xss_protection(text, *args)
+    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :link_to, :xss_protection
+
+  def button_to_with_xss_protection(text, *args)
+    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :button_to, :xss_protection
+end
+
+module ActionView::Helpers::FormHelper
+  mark_helpers_as_xss_protected :text_field, :check_box
+end

data/vendor/xss-shield/lib/xss_shield.rb

@@ -0,0 +1,6 @@
+require 'xss_shield/safe_string'
+# Tarantula doesn't use haml
+# require 'xss_shield/haml_hacks'
+# ERB hacks blow up Rails
+# require 'xss_shield/erb_hacks'
+require 'xss_shield/secure_helpers'

data/vendor/xss-shield/test/test_actionview_integration.rb

@@ -0,0 +1,40 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestActionViewIntegration < Test::Unit::TestCase
+  def assert_renders(expected, input, extension)
+    base = ActionView::Base.new
+    actual = base.render_template(extension, input, "foo.#{extension}")
+    assert_equal expected, actual
+  end
+
+  def test_erb
+    assert_renders <<OUT, <<IN, :erb
+A & B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+
+  def test_rhtml
+    assert_renders <<OUT, <<IN, :rhtml
+A &amp; B
+A & B
+OUT
+<%= "A & B" %>
+<%= "A & B".mark_as_xss_protected %>
+IN
+  end
+ 
+  def test_haml
+    assert_renders <<OUT, <<IN, :haml
+A &amp; B
+A & B
+OUT
+= "A & B"
+= "A & B".mark_as_xss_protected
+IN
+  end
+end

data/vendor/xss-shield/test/test_erb.rb

@@ -0,0 +1,44 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestERB < Test::Unit::TestCase
+  def assert_renders_erb(expected, input, shield=true)
+    erb_class = shield ? XSSProtectedERB : ERB
+
+    actual = eval(erb_class.new(input).src)
+    
+    assert_equal expected, actual
+  end
+  
+  def test_erb_with_shield
+    assert_renders_erb <<OUT, <<IN, true
+Foo &amp;amp; Bar
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+OUT
+<%= "Foo &amp; Bar"  %>
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+  
+  def test_erb_without_shield
+    assert_renders_erb <<OUT, <<IN, false
+Foo &amp;amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo &amp; Bar
+Foo & Bar
+OUT
+<%= h("Foo &amp; Bar") %>
+<%= "Foo &amp; Bar"  %>
+<%= "Foo &amp; Bar".mark_as_xss_protected  %>
+<%= h("Foo & Bar") %>
+<%= "Foo & Bar" %>
+IN
+  end
+end

data/vendor/xss-shield/test/test_haml.rb

@@ -0,0 +1,43 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHaml < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_haml_engine
+    assert_haml_renders <<OUT, <<IN
+A & B
+C &amp; D
+E &amp; F
+G & H
+I &amp; J
+OUT
+A & B
+= "C & D"
+= h("E & F")
+= "G & H".mark_as_xss_protected
+= "I & J".to_s_xss_protected
+IN
+  end
+  
+  def test_attribute_escaping_in_haml
+    @base.instance_eval {
+      @foo = "A < & > ' \" B"
+    }
+    assert_haml_renders <<OUT, <<IN
+<div foo="A &lt; &amp; &gt; ' &quot; B" />
+<div foo="A < & > ' " B" />
+OUT
+%div{:foo => @foo}/
+%div{:foo => @foo.mark_as_xss_protected}/
+IN
+    # Note that '/" explicitly marked as XSS-protected can break validity
+  end
+end

data/vendor/xss-shield/test/test_helpers.rb

@@ -0,0 +1,25 @@
+# Run from your Rails main directory
+require 'test/test_helper'
+
+class TestHelpers < Test::Unit::TestCase
+  def setup
+    @base = ActionView::Base.new
+  end
+
+  def assert_haml_renders(expected, input)
+    actual = Haml::Engine.new(input).to_html(@base)
+    assert_equal expected, actual
+  end
+
+  def test_link_to
+    assert_haml_renders <<OUT, <<IN
+<a href="/bar">Foo</a>
+<a href="/bar">Foo &amp; Bar</a>
+<a href="/bar">Foo & Bar</a>
+OUT
+= link_to "Foo", "/bar"
+= link_to "Foo & Bar", "/bar"
+= link_to "Foo & Bar".mark_as_xss_protected, "/bar"
+IN
+  end
+end