RubyGems - romanbsd-tarantula - Versions diffs - 0.1.8 - Mend

romanbsd-tarantula 0.1.8

Files changed (126) hide show

data/CHANGELOG +47 -0
data/MIT-LICENSE +20 -0
data/README.rdoc +162 -0
data/Rakefile +69 -0
data/VERSION.yml +4 -0
data/examples/example_helper.rb +48 -0
data/examples/relevance/core_extensions/ellipsize_example.rb +19 -0
data/examples/relevance/core_extensions/file_example.rb +8 -0
data/examples/relevance/core_extensions/response_example.rb +29 -0
data/examples/relevance/core_extensions/test_case_example.rb +20 -0
data/examples/relevance/tarantula/attack_form_submission_example.rb +79 -0
data/examples/relevance/tarantula/attack_handler_example.rb +29 -0
data/examples/relevance/tarantula/crawler_example.rb +386 -0
data/examples/relevance/tarantula/form_example.rb +50 -0
data/examples/relevance/tarantula/form_submission_example.rb +71 -0
data/examples/relevance/tarantula/html_document_handler_example.rb +43 -0
data/examples/relevance/tarantula/html_report_helper_example.rb +46 -0
data/examples/relevance/tarantula/html_reporter_example.rb +82 -0
data/examples/relevance/tarantula/invalid_html_handler_example.rb +33 -0
data/examples/relevance/tarantula/io_reporter_example.rb +11 -0
data/examples/relevance/tarantula/link_example.rb +67 -0
data/examples/relevance/tarantula/log_grabber_example.rb +26 -0
data/examples/relevance/tarantula/rails_integration_proxy_example.rb +88 -0
data/examples/relevance/tarantula/result_example.rb +85 -0
data/examples/relevance/tarantula/tidy_handler_example.rb +58 -0
data/examples/relevance/tarantula/transform_example.rb +20 -0
data/examples/relevance/tarantula/w3c_validator_example.rb +71 -0
data/examples/relevance/tarantula_example.rb +23 -0
data/laf/images/button_active.png +0 -0
data/laf/images/button_hover.png +0 -0
data/laf/images/button_inactive.png +0 -0
data/laf/images/header_bg.jpg +0 -0
data/laf/images/logo.png +0 -0
data/laf/images/tagline.png +0 -0
data/laf/javascripts/jquery-1.2.3.js +3408 -0
data/laf/javascripts/jquery-ui-tabs.js +890 -0
data/laf/javascripts/jquery.tablesorter.js +861 -0
data/laf/javascripts/niftyLayout.js +11 -0
data/laf/javascripts/niftycube-details.js +298 -0
data/laf/javascripts/niftycube.js +298 -0
data/laf/javascripts/tarantula.js +10 -0
data/laf/stylesheets/tarantula.css +345 -0
data/laf/v2/detail.html +59 -0
data/laf/v2/images/button_active.png +0 -0
data/laf/v2/images/button_hover.png +0 -0
data/laf/v2/images/button_inactive.png +0 -0
data/laf/v2/images/header_bg.jpg +0 -0
data/laf/v2/images/logo.png +0 -0
data/laf/v2/images/tagline.png +0 -0
data/laf/v2/index.html +77 -0
data/laf/v2/stylesheets/tarantula.v2.css +324 -0
data/lib/relevance/core_extensions/ellipsize.rb +34 -0
data/lib/relevance/core_extensions/file.rb +9 -0
data/lib/relevance/core_extensions/metaclass.rb +78 -0
data/lib/relevance/core_extensions/response.rb +9 -0
data/lib/relevance/core_extensions/string_chars_fix.rb +11 -0
data/lib/relevance/core_extensions/test_case.rb +19 -0
data/lib/relevance/tarantula/attack.rb +15 -0
data/lib/relevance/tarantula/attack_form_submission.rb +75 -0
data/lib/relevance/tarantula/attack_handler.rb +37 -0
data/lib/relevance/tarantula/crawler.rb +264 -0
data/lib/relevance/tarantula/detail.html.erb +82 -0
data/lib/relevance/tarantula/form.rb +21 -0
data/lib/relevance/tarantula/form_submission.rb +70 -0
data/lib/relevance/tarantula/html_document_handler.rb +36 -0
data/lib/relevance/tarantula/html_report_helper.rb +39 -0
data/lib/relevance/tarantula/html_reporter.rb +105 -0
data/lib/relevance/tarantula/index.html.erb +37 -0
data/lib/relevance/tarantula/invalid_html_handler.rb +18 -0
data/lib/relevance/tarantula/io_reporter.rb +34 -0
data/lib/relevance/tarantula/link.rb +56 -0
data/lib/relevance/tarantula/log_grabber.rb +16 -0
data/lib/relevance/tarantula/rails_integration_proxy.rb +68 -0
data/lib/relevance/tarantula/recording.rb +12 -0
data/lib/relevance/tarantula/response.rb +13 -0
data/lib/relevance/tarantula/result.rb +66 -0
data/lib/relevance/tarantula/test_report.html.erb +32 -0
data/lib/relevance/tarantula/tidy_handler.rb +32 -0
data/lib/relevance/tarantula/transform.rb +17 -0
data/lib/relevance/tarantula/w3c_validator.rb +33 -0
data/lib/relevance/tarantula.rb +59 -0
data/tasks/tarantula_tasks.rake +36 -0
data/template/tarantula_test.rb +22 -0
data/vendor/w3c_validators/CHANGELOG +14 -0
data/vendor/w3c_validators/LICENSE +60 -0
data/vendor/w3c_validators/README +120 -0
data/vendor/w3c_validators/README.svn +4 -0
data/vendor/w3c_validators/lib/w3c_validators/constants.rb +80 -0
data/vendor/w3c_validators/lib/w3c_validators/css_validator.rb +149 -0
data/vendor/w3c_validators/lib/w3c_validators/exceptions.rb +4 -0
data/vendor/w3c_validators/lib/w3c_validators/feed_validator.rb +110 -0
data/vendor/w3c_validators/lib/w3c_validators/markup_validator.rb +227 -0
data/vendor/w3c_validators/lib/w3c_validators/message.rb +82 -0
data/vendor/w3c_validators/lib/w3c_validators/results.rb +62 -0
data/vendor/w3c_validators/lib/w3c_validators/validator.rb +157 -0
data/vendor/w3c_validators/lib/w3c_validators.rb +5 -0
data/vendor/w3c_validators/rakefile.rb +53 -0
data/vendor/w3c_validators/test/fixtures/invalid_css.css +2 -0
data/vendor/w3c_validators/test/fixtures/invalid_encoding.html +10 -0
data/vendor/w3c_validators/test/fixtures/invalid_feed.xml +19 -0
data/vendor/w3c_validators/test/fixtures/invalid_html5.html +16 -0
data/vendor/w3c_validators/test/fixtures/invalid_markup.html +11 -0
data/vendor/w3c_validators/test/fixtures/valid_css.css +2 -0
data/vendor/w3c_validators/test/fixtures/valid_feed.xml +20 -0
data/vendor/w3c_validators/test/fixtures/valid_html5.html +16 -0
data/vendor/w3c_validators/test/fixtures/valid_markup.html +11 -0
data/vendor/w3c_validators/test/test_css_validator.rb +51 -0
data/vendor/w3c_validators/test/test_exceptions.rb +35 -0
data/vendor/w3c_validators/test/test_feed_validator.rb +61 -0
data/vendor/w3c_validators/test/test_helper.rb +6 -0
data/vendor/w3c_validators/test/test_html5_validator.rb +64 -0
data/vendor/w3c_validators/test/test_markup_validator.rb +94 -0
data/vendor/xss-shield/MIT-LICENSE +20 -0
data/vendor/xss-shield/README +76 -0
data/vendor/xss-shield/init.rb +16 -0
data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb +111 -0
data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb +42 -0
data/vendor/xss-shield/lib/xss_shield/safe_string.rb +47 -0
data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb +40 -0
data/vendor/xss-shield/lib/xss_shield.rb +6 -0
data/vendor/xss-shield/test/test_actionview_integration.rb +40 -0
data/vendor/xss-shield/test/test_erb.rb +44 -0
data/vendor/xss-shield/test/test_haml.rb +43 -0
data/vendor/xss-shield/test/test_helpers.rb +25 -0
data/vendor/xss-shield/test/test_safe_string.rb +55 -0
metadata +218 -0

data/laf/v2/stylesheets/tarantula.v2.css ADDED Viewed

@@ -0,0 +1,324 @@
+/* RESET */
+html, body, div, span, applet, object, iframe,
+h1, h2, h3, h4, h5, h6, p, blockquote, pre,
+a, abbr, acronym, address, big, cite, code,
+del, dfn, em, font, img, ins, kbd, q, s, samp,
+small, strike, strong, sub, sup, tt, var,
+b, u, i, center,
+dl, dt, dd, ol, ul, li,
+fieldset, form, label, legend,
+table, caption, tbody, tfoot, thead, tr, th, td {
+	margin: 0;
+	padding: 0;
+	border: 0;
+	outline: 0;
+	font-size: 100%;
+	vertical-align: baseline;
+	background: transparent;
+}
+body {
+	line-height: 1;
+}
+ol, ul {
+	list-style: none;
+}
+blockquote, q {
+	quotes: none;
+}
+/* remember to define focus styles! */
+:focus {
+	outline: 0;
+}
+/* remember to highlight inserts somehow! */
+ins {
+	text-decoration: none;
+}
+del {
+	text-decoration: line-through;
+}
+/* tables still need 'cellspacing="0"' in the markup */
+table {
+	border-collapse: collapse;
+	border-spacing: 0;
+}
+body {
+  line-height: 1em;
+  font-family: Tahoma, Arial, Helvetica, sans-serif;
+  color: #050505;
+}
+/* header */
+#header {
+  background: #37302e url(../images/header_bg.jpg) no-repeat top left;
+  height: 70px;
+  border-bottom: 2px solid #d0d0d0;
+}
+#header h1 {
+  width:206px;
+  height:56px;
+  text-indent: -9999em;
+  background: transparent url(../images/logo.png) no-repeat top center;
+  position: absolute;
+  top: 7px;
+  left: 42px;
+}
+#header h2 {
+  width:196px;
+  height:34px;
+  text-indent: -9999em;
+  background: transparent url(../images/tagline.png) no-repeat top center;
+  position: absolute;
+  top: 15px;
+  left: 257px;
+}
+#header p {
+  display: block;
+  position: absolute;
+  right: 42px;
+  width: 315px;
+  padding: 8px;
+  color: #fff;
+  font-size: 13px;
+  line-height: 15px;
+}
+#header a:link, #header a:visited, #header a  {
+  color: #70b1ca;
+}
+#header a:hover {
+  text-decoration: none;
+}
+#header hr {
+  display: none;
+}
+.left { text-align: left !important; }
+.right { text-align: right !important; }
+.center { text-align: center !important; }
+/* page */
+#page {
+  padding: 55px 10px 0 10px;
+  width: 1000px;
+  margin: auto;
+  position: relative;
+}
+div#page ul.tabs {
+  clear: both;
+}
+div#page ul.tabs li{
+  display: block;
+  float: left;
+}
+div#page ul.tabs li a {
+  display: block;
+  float: left;
+  clear: right;
+  margin-right: 5px;
+}
+div#page ul.tabs li a.active {
+  background: transparent url(../images/button_active.png) no-repeat top left;
+  color: #050505;
+}
+div#page ul.tabs li a {
+  background: transparent url(../images/button_inactive.png) no-repeat top left;
+  height: 38px;
+  width: 110px;
+  color: #fff;
+  padding: 8px 0 0 12px;
+  font-size: 18px;
+  line-height: 18px;
+  text-decoration: none;
+}
+div#page ul.tabs li a:hover {
+  background: transparent url(../images/button_hover.png) no-repeat top left;
+  color: #613005;
+}
+div#page ul.tabs {
+  position: absolute;
+  top: 7px;
+  left: 7px;
+}
+#list {
+  width: 100%;
+}
+#list th, #list th a, #list tfoot td {
+  background: #b9b9a9;
+  color: #463c38;
+  text-decoration: none;
+}
+.sort {
+  font-size: 75%;
+  filter:alpha(opacity=50);
+	-moz-opacity:0.5;
+	-khtml-opacity: 0.5;
+	opacity: 0.5;
+}
+#list th, #list th a:hover span {
+  filter:alpha(opacity=100);
+	-moz-opacity:1;
+	-khtml-opacity: 1;
+	opacity: 1;
+}
+#list td, #list th {
+  text-align: center;
+  padding: 4px;
+  font-size: 14px;
+}
+div#page tbody a {
+ color: #6699cc;
+}
+div#page tbody a:hover {
+  text-decoration: none;
+}
+div#page table caption  {
+  text-align: left;
+  padding: 7px;
+  background: #d0d0c4;
+  border-bottom: 2px solid #aba7a1;
+  -moz-border-radius-topleft: 2px;
+  -moz-border-radius-topright: 2px;
+}
+#list tbody td {
+  background: #f2f2eb;
+}
+#list tfoot td {
+   line-height: 18px;
+}
+tr.even td {
+  background: #e9e9e2 !important;
+}
+/* Response Codes */
+span.r1, span.r2, span.r3, span.r4,
+span.r5 {
+	display: block;
+	padding: .15em;
+	margin: .15em;
+	color: #dac7ad;
+}
+/* Informational 1xx */
+span.r1 {
+	background-color: #3333cc;
+	border: 1px solid #376edc;
+}
+/* Successfull 2xx */
+span.r2 {
+	background-color: #006600;
+	border: 1px solid #008900;
+}
+/* Redirection 3xx */
+span.r3 {
+	background-color: #555652;
+	border: 1px solid #80817b;
+}
+/* Client 4xx */
+span.r4 {
+	background-color: #857400;
+	border: 1px solid #baa200;
+}
+/* Server Error 5xx */
+span.r5 {
+	background-color: #c40000;
+	border: 1px solid #dc0000;
+}
+/* Detail */
+#report h3 {
+  background: #D0D0C4; font-weight: normal;
+  border-bottom: 2px solid #ABA7A1;
+  -moz-border-radius-topleft: 2px; -moz-border-radius-topright: 2px;
+  -webkit-border-top-left-radius: 2px; -webkit-border-top-right-radius: 2px;
+}
+#report h3,
+#report p {
+  width: 50%;
+  padding:6px 8px;
+  margin: 1px 0;
+}
+#report a {
+  color: #70B1CA
+}
+#report a:hover {
+  text-decoration: none;
+}
+#report p b {
+  color: #050505;
+  font-weight: normal;
+}
+#report p {
+  color: #463C38;
+  background: #f2f2eb;
+  line-height: 22px;
+}
+#report p span {
+  display: inline-block;
+  display: -moz-inline-block;
+  margin: 0;
+  padding: 2px 6px;
+  line-height: 16px;
+}
+#report h3 em {
+  display: block;
+  font-family: Consolas, Lucida Console, Monaco, monospace;
+  font-size: 75%;
+  font-style: normal;
+  font-weight: normal;
+  color: #463C38;
+  line-height: 22px;
+}
+/* Output */
+#output {margin: 10px 0; width: 100%; font-size: 82.5%;}
+#output th { background: #b9b9a9; text-align: left; padding-left: 2.25em; font-weight: normal; line-height: 18px; color: #463C38; border-bottom: 1px solid #fff;
+  -moz-border-radius-topleft: 2px; -moz-border-radius-topright: 2px;
+  -webkit-border-top-left-radius: 2px; -webkit-border-top-right-radius: 2px;
+}
+#output td { background: #f2f2eb; padding: 1px; line-height: 18px; }
+#output { font-family: Consolas, Lucida Console, Monaco, monospace; }
+#output .numbers { width: 3em; text-align: right; border-right: 1px solid #fff;}
+#output .lines { width: auto; text-align: left;}
+#output .line { display: block; text-align: left; padding: 1px 4px;}
+#output .line.number { text-align: right;  color: #585850; }

data/lib/relevance/core_extensions/ellipsize.rb ADDED Viewed

@@ -0,0 +1,34 @@
+module Relevance::CoreExtensions::Nil
+  def ellipsize(cutoff = 20)
+    ""
+  end
+end
+module Relevance::CoreExtensions::String
+  def ellipsize(cutoff = 20)
+    if length > cutoff
+      "#{self[0...cutoff]}..."
+    else
+      self
+    end
+  end
+end
+module Relevance::CoreExtensions::Object
+  def ellipsize(cutoff = 20)
+    inspect.ellipsize(cutoff)
+  end
+end
+class Object
+  include Relevance::CoreExtensions::Object
+end
+class String
+  include Relevance::CoreExtensions::String
+end
+class NilClass
+  include Relevance::CoreExtensions::Nil
+end

data/lib/relevance/core_extensions/file.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module Relevance::CoreExtensions::File
+  def extension(path)
+    extname(path)[1..-1]
+  end
+end
+class File
+  extend Relevance::CoreExtensions::File
+end

data/lib/relevance/core_extensions/metaclass.rb ADDED Viewed

@@ -0,0 +1,78 @@
+# This is a direct copy of the facets library metaclass stuff.
+# used by Tarantula pulling in all of Facets doesn't make sense here.
+# From lib/core/facets/metaid.rb
+module Kernel
+  def meta_alias(*args)
+    meta_class do
+      alias_method(*args)
+    end
+  end
+  def meta_eval(str=nil, &blk)
+    if str
+      meta_class.instance_eval(str)
+    else
+      meta_class.instance_eval(&blk)
+    end
+  end
+  def meta_def( name, &block )
+    meta_class do
+      define_method( name, &block )
+    end
+  end
+  def meta_class(&block)
+    if block_given?
+      (class << self; self; end).class_eval(&block)
+    else
+      (class << self; self; end)
+    end
+  end
+  alias_method :metaclass, :meta_class
+  def eigenclass
+    (class << self; self; end)
+  end
+end
+class Module
+  def class_def name, &blk
+    class_eval { define_method name, &blk }
+  end
+  protected :attr
+  protected :attr_reader
+  protected :attr_writer
+  protected :attr_accessor
+  protected :remove_method
+  protected :undef_method
+end
+# From /lib/more/facets/kernel/meta.rb
+module Kernel
+  def meta
+    @_meta_functor ||= Functor.new do |op,*args|
+      (class << self; self; end).send(op,*args)
+    end
+  end
+end
+# From /lib/core/facets/functor.rb
+class Functor
+  private(*instance_methods.select { |m| m !~ /(^__|^binding$)/ })
+  def initialize(&function)
+    @function = function
+  end
+  def to_proc
+    @function
+  end
+  def method_missing(op, *args, &blk)
+    @function.call(op, *args, &blk)
+  end
+end

data/lib/relevance/core_extensions/response.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# dynamically mixed in to response objects
+module Relevance::CoreExtensions::Response
+  def html?
+    # some versions of Rails integration tests don't set content type
+    # so we are treating nil as html. A better fix would be welcome here.
+    ((content_type =~ %r{^text/html}) != nil)  || content_type == nil
+  end
+end

data/lib/relevance/core_extensions/string_chars_fix.rb ADDED Viewed

@@ -0,0 +1,11 @@
+if RUBY_VERSION == "1.8.7" # fix interaction between Ruby 187 and Rails 202, so we can at least run the test suite on that combination
+  unless '1.9'.respond_to?(:force_encoding)
+    String.class_eval do
+      begin
+        remove_method :chars
+      rescue NameError
+        # OK
+      end
+    end
+  end
+end

data/lib/relevance/core_extensions/test_case.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require 'action_controller/integration'
+module Relevance::CoreExtensions::TestCaseExtensions
+  def tarantula_crawl(integration_test, options = {})
+    url = options[:url] || "/"
+    t = tarantula_crawler(integration_test, options)
+    t.crawl url
+  end
+  def tarantula_crawler(integration_test, options = {})
+    Relevance::Tarantula::RailsIntegrationProxy.rails_integration_test(integration_test, options)
+  end
+end
+if defined? ActionController::IntegrationTest
+  ActionController::IntegrationTest.class_eval { include Relevance::CoreExtensions::TestCaseExtensions }
+end

data/lib/relevance/tarantula/attack.rb ADDED Viewed

@@ -0,0 +1,15 @@
+class Relevance::Tarantula::Attack
+  HASHABLE_ATTRS = [:name, :input, :output, :description]
+  attr_accessor *HASHABLE_ATTRS
+  def initialize(hash)
+    hash.each do |k,v|
+      raise ArgumentError, k unless HASHABLE_ATTRS.member?(k)
+      self.instance_variable_set("@#{k}", v)
+    end
+  end
+  def ==(other)
+    Relevance::Tarantula::Attack === other && HASHABLE_ATTRS.all? { |attr| send(attr) == other.send(attr)}
+  end
+end

data/lib/relevance/tarantula/attack_form_submission.rb ADDED Viewed

@@ -0,0 +1,75 @@
+class Relevance::Tarantula::AttackFormSubmission
+  attr_accessor :method, :action, :data, :attack
+  class << self
+    def attacks
+      # normalize from hash input to Attack
+      @attacks = @attacks.map do |val|
+        Hash === val ? Relevance::Tarantula::Attack.new(val) : val
+      end
+      @attacks
+    end
+    def attacks=(atts)
+      # normalize from hash input to Attack
+      @attacks = atts.map do |val|
+        Hash === val ? Relevance::Tarantula::Attack.new(val) : val
+      end
+    end
+  end
+  @attacks = []
+  def initialize(form, attack = nil)
+    @method = form.method
+    @action = form.action
+    @attack = attack
+    @data = mutate_selects(form).merge(mutate_text_areas(form)).merge(mutate_inputs(form))
+  end
+  def self.mutate(form)
+    attacks and attacks.map do |attack|
+      self.new(form, attack)
+    end
+  end
+  def to_s
+    "#{action} #{method} #{data.inspect} #{attack.inspect}"
+  end
+  # a form's signature is what makes it unique (e.g. action + fields)
+  # used to keep track of which forms we have submitted already
+  def signature
+    [action, data.keys.sort, attack.name]
+  end
+  def create_random_data_for(form, tag_selector)
+    form.search(tag_selector).inject({}) do |form_args, input|
+      # TODO: test
+      form_args[input['name']] = random_data(input) if input['name']
+      form_args
+    end
+  end
+  def mutate_inputs(form)
+    create_random_data_for(form, 'input')
+  end
+  def mutate_text_areas(form)
+    create_random_data_for(form, 'textarea')
+  end
+  def mutate_selects(form)
+    form.search('select').inject({}) do |form_args, select|
+      options = select.search('option')
+      option = options.rand
+      form_args[select['name']] = option['value']
+      form_args
+    end
+  end
+  def random_data(input)
+    case input['name']
+      when /^_method$/      : input['value']
+      else                    attack.input
+    end
+  end
+end

data/lib/relevance/tarantula/attack_handler.rb ADDED Viewed

@@ -0,0 +1,37 @@
+require 'hpricot'
+class Relevance::Tarantula::AttackHandler
+  include ERB::Util
+  def attacks
+    Relevance::Tarantula::AttackFormSubmission.attacks.select(&:output)
+  end
+  def handle(result)
+    return unless attacks.size > 0
+    regexp = '(' + attacks.map {|a| Regexp.escape a.output}.join('|') + ')'
+    response = result.response
+    return unless response.html?
+    if n = (response.body =~ /#{regexp}/)
+      error_result = result.dup
+      error_result.success = false
+      error_result.description = "XSS error found, match was: #{h($1)}"
+      error_result.data = <<-STR
+        ########################################################################
+        # Text around unescaped string: #{$1}
+        ########################################################################
+        #{response.body[[0, n - 200].max , 400]}
+        ########################################################################
+        # Attack information:
+        ########################################################################
+        #{attacks.select {|a| a.output == $1}[0].to_yaml}
+      STR
+      error_result
+    end
+  end
+end