schwabsauce-merb_dm_xss_terminate 0.6.1

data/lib/merb_dm_xss_terminate/merbtasks.rb

@@ -0,0 +1,12 @@
+namespace :merb_dm_xss_terminate do
+  namespace :db do
+
+    desc "Given MODELS=Foo,Bar,Baz find all instances in the DB and save to sanitize existing records"
+    task :sanitize => :environment do
+      models = Dir.open(Merb.root + '/app/models').reject { |file_name| ['.', '..'].include? file_name }.map { |file_name| file_name.gsub(/\.rb/, '').gsub(/\/(.?)/) { "::#{$1.upcase}" }.gsub(/(?:^|_)(.)/) { $1.upcase } }
+      models.each do |model|
+        Module.const_get(model).send(:all).map { |record| record.save }
+      end
+    end
+  end
+end

data/lib/merb_dm_xss_terminate/rails_sanitize.rb

@@ -0,0 +1,36 @@
+require File.dirname(__FILE__) + '/html/document'
+
+class RailsSanitize
+
+  def self.included(base)
+    base.extend(ClassMethods)
+  end
+  
+  def self.full_sanitizer
+    @full_sanitizer ||= HTML::FullSanitizer.new
+  end
+
+  def self.white_list_sanitizer
+    @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+  end
+
+  def sanitized_uri_attributes=(attributes)
+    HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+  end
+
+  def sanitized_bad_tags=(attributes)
+    HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+  end
+
+  def sanitized_allowed_tags=(attributes)
+    HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+  end
+
+  def sanitized_allowed_attributes=(attributes)
+    HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+  end
+
+  def sanitized_allowed_protocols=(attributes)
+    HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+  end
+end

data/lib/merb_dm_xss_terminate/xss_terminate.rb

@@ -0,0 +1,47 @@
+module XssTerminate
+  def self.included(base)
+    base.extend(ClassMethods)
+    # sets up default of stripping tags for all fields
+    base.send(:xss_terminate)
+  end
+
+  module ClassMethods
+    def xss_terminate(options = {})
+      before :save, :sanitize_fields
+
+      class_inheritable_writer :xss_terminate_options
+      class_inheritable_reader :xss_terminate_options
+
+      self.xss_terminate_options = {
+        :disable => (options[:disable] || false),
+        :except => (options[:except] || []),
+        :html5lib_sanitize => (options[:html5lib_sanitize] || []),
+        :sanitize => (options[:sanitize] || [])
+      }
+
+      include XssTerminate::InstanceMethods
+    end
+  end
+  
+  module InstanceMethods
+        
+    def sanitize_fields
+      self.class.properties.each do |column|
+        next unless (column.type == String || (column.type.respond_to?(:primitive) && column.type.primitive == String))
+        
+        field = column.name.to_sym
+        value = self.send field
+        
+        if xss_terminate_options[:disable] || xss_terminate_options[:except].include?(field)
+          next
+        elsif xss_terminate_options[:html5lib_sanitize].include?(field)
+          self.send(field.to_s + '=', HTML5libSanitize.new.sanitize_html(value))
+        elsif xss_terminate_options[:sanitize].include?(field)
+          self.send(field.to_s + '=', RailsSanitize.white_list_sanitizer.sanitize(value))
+        else
+          self.send(field.to_s + '=', RailsSanitize.full_sanitizer.sanitize(value))
+        end
+      end
+    end
+  end
+end

data/merb_rake_helper.rb

@@ -0,0 +1,24 @@
+def sudo
+  windows = (PLATFORM =~ /win32|cygwin/) rescue nil
+  ENV['MERB_SUDO'] ||= "sudo"
+  sudo = windows ? "" : ENV['MERB_SUDO']
+end
+
+def gemx
+  win32 = (PLATFORM =~ /win32/) rescue nil
+  win32 ? 'gem.bat' : 'gem'
+end
+
+def rakex
+  win32 = (PLATFORM =~ /win32/) rescue nil
+  win32 ? 'rake.bat' : 'rake'
+end
+
+def gems_path
+  d, cwd = nil, Dir.pwd
+  3.times do
+    Dir.chdir('..')
+    d = Dir.pwd and break if Dir.pwd =~ /\/gems$/i
+  end
+  Dir.chdir(cwd) and d
+end

data/spec/config/database.yml

@@ -0,0 +1,7 @@
+---
+test:
+  adapter: mysql
+  database: merb_xss_terminate_test
+  host: 127.0.0.1
+  username: root
+  password: 

data/spec/merb_dm_xss_terminate_spec.rb

@@ -0,0 +1,54 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe "merb_xss_terminate" do
+  it "should do nothing" do
+    true.should == true
+  end
+
+  it "should strip tags on discovered fields" do
+    c = Comment.create!(:title => "<script>alert('xss in title')</script>",
+                        :body  => "<script>alert('xss in body')</script>")
+  
+    c.title.should == "alert('xss in title')"
+    c.body.should  == "alert('xss in body')"
+  end
+  
+  it "should use white-list sanitizer on specified fields" do
+    e = Entry.create!(:title => "<script>alert('xss in title')</script>",
+                      :body => "<script>alert('xss in body')</script>",
+                      :extended => "<script>alert('xss in extended')</script>",
+                      :person_id => 1)
+  
+    e.xss_terminate_options[:sanitize].should == [:body, :extended]
+    e.title.should == "alert('xss in title')"
+    e.body.should == ""
+    e.extended.should === ""
+  end
+  
+  it "should exclude specified fields from being sanitized" do
+    p = Person.create!(:name => "<strong>Mallory</strong>")
+  
+    p.xss_terminate_options[:except].should == [:name]
+    p.name.should === "<strong>Mallory</strong>"
+  end
+  
+  it "should use html5lib sanitizer on specified fields" do
+    r = Review.create!(:title => "<script>alert('xss in title')</script>",
+                       :body => "<script>alert('xss in body')</script>",
+                       :extended => "<script>alert('xss in extended')</script>",
+                       :person_id => 1)
+                       
+    r.xss_terminate_options[:html5lib_sanitize].should == [:body, :extended]
+    r.title.should == "alert('xss in title')"
+    r.body.should == "&lt;script&gt;alert('xss in body')&lt;/script&gt;"
+    r.extended.should == "&lt;script&gt;alert('xss in extended')&lt;/script&gt;"
+  end
+  
+  it "should strip tags from one field and sanitize another" do
+    p = Page.create!(:title => "<title>Helpless, helpless helpless</title>",
+                     :contents => "<script>bad_move()</script><b>oh look out</b>")
+                     
+    p.title.should == 'Helpless, helpless helpless'
+    p.contents.should == '<b>oh look out</b>'
+  end
+end

data/spec/models/comment.rb

@@ -0,0 +1,11 @@
+# Comment uses the default: stripping tags from all fields.
+class Comment
+  include DataMapper::Resource
+  property :id, Integer, :serial => true
+  property :title, String
+  property :body, Text
+  property :created_on, DateTime
+  
+  belongs_to :entry
+  belongs_to :person
+end

data/spec/models/entry.rb

@@ -0,0 +1,13 @@
+# Rails HTML sanitization on some fields
+class Entry
+  include DataMapper::Resource
+  property :id, Integer, :serial => true
+  property :title, String
+  property :body, Text
+  property :extended, Text
+  property :created_on, DateTime
+  
+  belongs_to :person
+  has n, :comments
+  xss_terminate :sanitize => [:body, :extended]
+end

data/spec/models/message.rb

@@ -0,0 +1,8 @@
+class Message
+  include DataMapper::Resource
+  property :id, Integer, :serial => true
+  property :body, Text
+  
+  belongs_to :person
+  belongs_to :recipient, :class_name => 'Person'
+end

data/spec/models/person.rb

@@ -0,0 +1,9 @@
+# This model excepts HTML sanitization on the name
+class Person
+  include DataMapper::Resource
+  property :id, Integer, :serial => true
+  property :name, String
+  has n, :entries  
+  
+  xss_terminate :except => [:name]
+end

data/spec/models/review.rb

@@ -0,0 +1,12 @@
+class Review
+  include DataMapper::Resource
+  property :id, Integer, :serial => true
+  property :title, String
+  property :body, Text
+  property :extended, Text
+  property :created_on, DateTime
+  
+  belongs_to :person
+  
+  xss_terminate :html5lib_sanitize => [:body, :extended]
+end

data/spec/schema.rb

@@ -0,0 +1,7 @@
+DataMapper.setup(:default, 'mysql://localhost/merb_xss_terminate_test')
+Comment.auto_migrate!
+Entry.auto_migrate!
+Message.auto_migrate!
+Person.auto_migrate!
+Review.auto_migrate!
+Page.auto_migrate!

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+$TESTING=true
+$:.push File.join(File.dirname(__FILE__), '..', 'lib')
+
+require 'rubygems'
+require 'merb-core'
+require 'merb-core/test'
+require 'dm-core'
+require 'merb_dm_xss_terminate'
+
+Merb.start :adapter => 'runner', :environment => 'test', :merb_root => File.dirname(__FILE__)
+
+# load test models
+require File.join(File.dirname(__FILE__), 'models/person')
+require File.join(File.dirname(__FILE__), 'models/entry')
+require File.join(File.dirname(__FILE__), 'models/comment')
+require File.join(File.dirname(__FILE__), 'models/message')
+require File.join(File.dirname(__FILE__), 'models/review')
+require File.join(File.dirname(__FILE__), 'models/page')
+
+# load test schema
+load(File.dirname(__FILE__) + "/schema.rb")

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification 
+name: schwabsauce-merb_dm_xss_terminate
+version: !ruby/object:Gem::Version 
+  version: 0.6.1
+platform: ruby
+authors: 
+- Mike Schwab
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-07-11 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: merb-core
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.9.0
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: html5
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.10.0
+    version: 
+description: Plugin that auto-sanitizes data before it is saved in your DataMapper models
+email: mike.schwab@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- LICENSE
+- TODO
+files: 
+- LICENSE
+- README
+- Rakefile
+- TODO
+- merb_rake_helper.rb
+- lib/merb_dm_xss_terminate
+- lib/merb_dm_xss_terminate/html
+- lib/merb_dm_xss_terminate/html/document.rb
+- lib/merb_dm_xss_terminate/html/node.rb
+- lib/merb_dm_xss_terminate/html/sanitizer.rb
+- lib/merb_dm_xss_terminate/html/selector.rb
+- lib/merb_dm_xss_terminate/html/tokenizer.rb
+- lib/merb_dm_xss_terminate/html/version.rb
+- lib/merb_dm_xss_terminate/html5lib_sanitize.rb
+- lib/merb_dm_xss_terminate/merbtasks.rb
+- lib/merb_dm_xss_terminate/rails_sanitize.rb
+- lib/merb_dm_xss_terminate/xss_terminate.rb
+- lib/merb_dm_xss_terminate.rb
+- spec/config
+- spec/config/database.yml
+- spec/merb_dm_xss_terminate_spec.rb
+- spec/models
+- spec/models/comment.rb
+- spec/models/entry.rb
+- spec/models/message.rb
+- spec/models/person.rb
+- spec/models/review.rb
+- spec/schema.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/schwabsauce/merb_dm_xss_terminate
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Plugin that auto-sanitizes data before it is saved in your DataMapper models
+test_files: []
+