schwabsauce-merb_dm_xss_terminate 0.6.1
Sign up to get free protection for your applications and to get access to all the features.
- data/LICENSE +20 -0
- data/README +89 -0
- data/Rakefile +64 -0
- data/TODO +1 -0
- data/lib/merb_dm_xss_terminate.rb +12 -0
- data/lib/merb_dm_xss_terminate/html/document.rb +68 -0
- data/lib/merb_dm_xss_terminate/html/node.rb +530 -0
- data/lib/merb_dm_xss_terminate/html/sanitizer.rb +173 -0
- data/lib/merb_dm_xss_terminate/html/selector.rb +828 -0
- data/lib/merb_dm_xss_terminate/html/tokenizer.rb +105 -0
- data/lib/merb_dm_xss_terminate/html/version.rb +11 -0
- data/lib/merb_dm_xss_terminate/html5lib_sanitize.rb +2453 -0
- data/lib/merb_dm_xss_terminate/merbtasks.rb +12 -0
- data/lib/merb_dm_xss_terminate/rails_sanitize.rb +36 -0
- data/lib/merb_dm_xss_terminate/xss_terminate.rb +47 -0
- data/merb_rake_helper.rb +24 -0
- data/spec/config/database.yml +7 -0
- data/spec/merb_dm_xss_terminate_spec.rb +54 -0
- data/spec/models/comment.rb +11 -0
- data/spec/models/entry.rb +13 -0
- data/spec/models/message.rb +8 -0
- data/spec/models/person.rb +9 -0
- data/spec/models/review.rb +12 -0
- data/spec/schema.rb +7 -0
- data/spec/spec_helper.rb +21 -0
- metadata +100 -0
@@ -0,0 +1,12 @@
|
|
1
|
+
namespace :merb_dm_xss_terminate do
|
2
|
+
namespace :db do
|
3
|
+
|
4
|
+
desc "Given MODELS=Foo,Bar,Baz find all instances in the DB and save to sanitize existing records"
|
5
|
+
task :sanitize => :environment do
|
6
|
+
models = Dir.open(Merb.root + '/app/models').reject { |file_name| ['.', '..'].include? file_name }.map { |file_name| file_name.gsub(/\.rb/, '').gsub(/\/(.?)/) { "::#{$1.upcase}" }.gsub(/(?:^|_)(.)/) { $1.upcase } }
|
7
|
+
models.each do |model|
|
8
|
+
Module.const_get(model).send(:all).map { |record| record.save }
|
9
|
+
end
|
10
|
+
end
|
11
|
+
end
|
12
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
require File.dirname(__FILE__) + '/html/document'
|
2
|
+
|
3
|
+
class RailsSanitize
|
4
|
+
|
5
|
+
def self.included(base)
|
6
|
+
base.extend(ClassMethods)
|
7
|
+
end
|
8
|
+
|
9
|
+
def self.full_sanitizer
|
10
|
+
@full_sanitizer ||= HTML::FullSanitizer.new
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.white_list_sanitizer
|
14
|
+
@white_list_sanitizer ||= HTML::WhiteListSanitizer.new
|
15
|
+
end
|
16
|
+
|
17
|
+
def sanitized_uri_attributes=(attributes)
|
18
|
+
HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
|
19
|
+
end
|
20
|
+
|
21
|
+
def sanitized_bad_tags=(attributes)
|
22
|
+
HTML::WhiteListSanitizer.bad_tags.merge(attributes)
|
23
|
+
end
|
24
|
+
|
25
|
+
def sanitized_allowed_tags=(attributes)
|
26
|
+
HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
|
27
|
+
end
|
28
|
+
|
29
|
+
def sanitized_allowed_attributes=(attributes)
|
30
|
+
HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
|
31
|
+
end
|
32
|
+
|
33
|
+
def sanitized_allowed_protocols=(attributes)
|
34
|
+
HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
|
35
|
+
end
|
36
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
module XssTerminate
|
2
|
+
def self.included(base)
|
3
|
+
base.extend(ClassMethods)
|
4
|
+
# sets up default of stripping tags for all fields
|
5
|
+
base.send(:xss_terminate)
|
6
|
+
end
|
7
|
+
|
8
|
+
module ClassMethods
|
9
|
+
def xss_terminate(options = {})
|
10
|
+
before :save, :sanitize_fields
|
11
|
+
|
12
|
+
class_inheritable_writer :xss_terminate_options
|
13
|
+
class_inheritable_reader :xss_terminate_options
|
14
|
+
|
15
|
+
self.xss_terminate_options = {
|
16
|
+
:disable => (options[:disable] || false),
|
17
|
+
:except => (options[:except] || []),
|
18
|
+
:html5lib_sanitize => (options[:html5lib_sanitize] || []),
|
19
|
+
:sanitize => (options[:sanitize] || [])
|
20
|
+
}
|
21
|
+
|
22
|
+
include XssTerminate::InstanceMethods
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
module InstanceMethods
|
27
|
+
|
28
|
+
def sanitize_fields
|
29
|
+
self.class.properties.each do |column|
|
30
|
+
next unless (column.type == String || (column.type.respond_to?(:primitive) && column.type.primitive == String))
|
31
|
+
|
32
|
+
field = column.name.to_sym
|
33
|
+
value = self.send field
|
34
|
+
|
35
|
+
if xss_terminate_options[:disable] || xss_terminate_options[:except].include?(field)
|
36
|
+
next
|
37
|
+
elsif xss_terminate_options[:html5lib_sanitize].include?(field)
|
38
|
+
self.send(field.to_s + '=', HTML5libSanitize.new.sanitize_html(value))
|
39
|
+
elsif xss_terminate_options[:sanitize].include?(field)
|
40
|
+
self.send(field.to_s + '=', RailsSanitize.white_list_sanitizer.sanitize(value))
|
41
|
+
else
|
42
|
+
self.send(field.to_s + '=', RailsSanitize.full_sanitizer.sanitize(value))
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
data/merb_rake_helper.rb
ADDED
@@ -0,0 +1,24 @@
|
|
1
|
+
def sudo
|
2
|
+
windows = (PLATFORM =~ /win32|cygwin/) rescue nil
|
3
|
+
ENV['MERB_SUDO'] ||= "sudo"
|
4
|
+
sudo = windows ? "" : ENV['MERB_SUDO']
|
5
|
+
end
|
6
|
+
|
7
|
+
def gemx
|
8
|
+
win32 = (PLATFORM =~ /win32/) rescue nil
|
9
|
+
win32 ? 'gem.bat' : 'gem'
|
10
|
+
end
|
11
|
+
|
12
|
+
def rakex
|
13
|
+
win32 = (PLATFORM =~ /win32/) rescue nil
|
14
|
+
win32 ? 'rake.bat' : 'rake'
|
15
|
+
end
|
16
|
+
|
17
|
+
def gems_path
|
18
|
+
d, cwd = nil, Dir.pwd
|
19
|
+
3.times do
|
20
|
+
Dir.chdir('..')
|
21
|
+
d = Dir.pwd and break if Dir.pwd =~ /\/gems$/i
|
22
|
+
end
|
23
|
+
Dir.chdir(cwd) and d
|
24
|
+
end
|
@@ -0,0 +1,54 @@
|
|
1
|
+
require File.dirname(__FILE__) + '/spec_helper'
|
2
|
+
|
3
|
+
describe "merb_xss_terminate" do
|
4
|
+
it "should do nothing" do
|
5
|
+
true.should == true
|
6
|
+
end
|
7
|
+
|
8
|
+
it "should strip tags on discovered fields" do
|
9
|
+
c = Comment.create!(:title => "<script>alert('xss in title')</script>",
|
10
|
+
:body => "<script>alert('xss in body')</script>")
|
11
|
+
|
12
|
+
c.title.should == "alert('xss in title')"
|
13
|
+
c.body.should == "alert('xss in body')"
|
14
|
+
end
|
15
|
+
|
16
|
+
it "should use white-list sanitizer on specified fields" do
|
17
|
+
e = Entry.create!(:title => "<script>alert('xss in title')</script>",
|
18
|
+
:body => "<script>alert('xss in body')</script>",
|
19
|
+
:extended => "<script>alert('xss in extended')</script>",
|
20
|
+
:person_id => 1)
|
21
|
+
|
22
|
+
e.xss_terminate_options[:sanitize].should == [:body, :extended]
|
23
|
+
e.title.should == "alert('xss in title')"
|
24
|
+
e.body.should == ""
|
25
|
+
e.extended.should === ""
|
26
|
+
end
|
27
|
+
|
28
|
+
it "should exclude specified fields from being sanitized" do
|
29
|
+
p = Person.create!(:name => "<strong>Mallory</strong>")
|
30
|
+
|
31
|
+
p.xss_terminate_options[:except].should == [:name]
|
32
|
+
p.name.should === "<strong>Mallory</strong>"
|
33
|
+
end
|
34
|
+
|
35
|
+
it "should use html5lib sanitizer on specified fields" do
|
36
|
+
r = Review.create!(:title => "<script>alert('xss in title')</script>",
|
37
|
+
:body => "<script>alert('xss in body')</script>",
|
38
|
+
:extended => "<script>alert('xss in extended')</script>",
|
39
|
+
:person_id => 1)
|
40
|
+
|
41
|
+
r.xss_terminate_options[:html5lib_sanitize].should == [:body, :extended]
|
42
|
+
r.title.should == "alert('xss in title')"
|
43
|
+
r.body.should == "<script>alert('xss in body')</script>"
|
44
|
+
r.extended.should == "<script>alert('xss in extended')</script>"
|
45
|
+
end
|
46
|
+
|
47
|
+
it "should strip tags from one field and sanitize another" do
|
48
|
+
p = Page.create!(:title => "<title>Helpless, helpless helpless</title>",
|
49
|
+
:contents => "<script>bad_move()</script><b>oh look out</b>")
|
50
|
+
|
51
|
+
p.title.should == 'Helpless, helpless helpless'
|
52
|
+
p.contents.should == '<b>oh look out</b>'
|
53
|
+
end
|
54
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
# Comment uses the default: stripping tags from all fields.
|
2
|
+
class Comment
|
3
|
+
include DataMapper::Resource
|
4
|
+
property :id, Integer, :serial => true
|
5
|
+
property :title, String
|
6
|
+
property :body, Text
|
7
|
+
property :created_on, DateTime
|
8
|
+
|
9
|
+
belongs_to :entry
|
10
|
+
belongs_to :person
|
11
|
+
end
|
@@ -0,0 +1,13 @@
|
|
1
|
+
# Rails HTML sanitization on some fields
|
2
|
+
class Entry
|
3
|
+
include DataMapper::Resource
|
4
|
+
property :id, Integer, :serial => true
|
5
|
+
property :title, String
|
6
|
+
property :body, Text
|
7
|
+
property :extended, Text
|
8
|
+
property :created_on, DateTime
|
9
|
+
|
10
|
+
belongs_to :person
|
11
|
+
has n, :comments
|
12
|
+
xss_terminate :sanitize => [:body, :extended]
|
13
|
+
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
class Review
|
2
|
+
include DataMapper::Resource
|
3
|
+
property :id, Integer, :serial => true
|
4
|
+
property :title, String
|
5
|
+
property :body, Text
|
6
|
+
property :extended, Text
|
7
|
+
property :created_on, DateTime
|
8
|
+
|
9
|
+
belongs_to :person
|
10
|
+
|
11
|
+
xss_terminate :html5lib_sanitize => [:body, :extended]
|
12
|
+
end
|
data/spec/schema.rb
ADDED
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
$TESTING=true
|
2
|
+
$:.push File.join(File.dirname(__FILE__), '..', 'lib')
|
3
|
+
|
4
|
+
require 'rubygems'
|
5
|
+
require 'merb-core'
|
6
|
+
require 'merb-core/test'
|
7
|
+
require 'dm-core'
|
8
|
+
require 'merb_dm_xss_terminate'
|
9
|
+
|
10
|
+
Merb.start :adapter => 'runner', :environment => 'test', :merb_root => File.dirname(__FILE__)
|
11
|
+
|
12
|
+
# load test models
|
13
|
+
require File.join(File.dirname(__FILE__), 'models/person')
|
14
|
+
require File.join(File.dirname(__FILE__), 'models/entry')
|
15
|
+
require File.join(File.dirname(__FILE__), 'models/comment')
|
16
|
+
require File.join(File.dirname(__FILE__), 'models/message')
|
17
|
+
require File.join(File.dirname(__FILE__), 'models/review')
|
18
|
+
require File.join(File.dirname(__FILE__), 'models/page')
|
19
|
+
|
20
|
+
# load test schema
|
21
|
+
load(File.dirname(__FILE__) + "/schema.rb")
|
metadata
ADDED
@@ -0,0 +1,100 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: schwabsauce-merb_dm_xss_terminate
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.6.1
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Mike Schwab
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
|
12
|
+
date: 2008-07-11 00:00:00 -07:00
|
13
|
+
default_executable:
|
14
|
+
dependencies:
|
15
|
+
- !ruby/object:Gem::Dependency
|
16
|
+
name: merb-core
|
17
|
+
version_requirement:
|
18
|
+
version_requirements: !ruby/object:Gem::Requirement
|
19
|
+
requirements:
|
20
|
+
- - ">="
|
21
|
+
- !ruby/object:Gem::Version
|
22
|
+
version: 0.9.0
|
23
|
+
version:
|
24
|
+
- !ruby/object:Gem::Dependency
|
25
|
+
name: html5
|
26
|
+
version_requirement:
|
27
|
+
version_requirements: !ruby/object:Gem::Requirement
|
28
|
+
requirements:
|
29
|
+
- - ">="
|
30
|
+
- !ruby/object:Gem::Version
|
31
|
+
version: 0.10.0
|
32
|
+
version:
|
33
|
+
description: Plugin that auto-sanitizes data before it is saved in your DataMapper models
|
34
|
+
email: mike.schwab@gmail.com
|
35
|
+
executables: []
|
36
|
+
|
37
|
+
extensions: []
|
38
|
+
|
39
|
+
extra_rdoc_files:
|
40
|
+
- README
|
41
|
+
- LICENSE
|
42
|
+
- TODO
|
43
|
+
files:
|
44
|
+
- LICENSE
|
45
|
+
- README
|
46
|
+
- Rakefile
|
47
|
+
- TODO
|
48
|
+
- merb_rake_helper.rb
|
49
|
+
- lib/merb_dm_xss_terminate
|
50
|
+
- lib/merb_dm_xss_terminate/html
|
51
|
+
- lib/merb_dm_xss_terminate/html/document.rb
|
52
|
+
- lib/merb_dm_xss_terminate/html/node.rb
|
53
|
+
- lib/merb_dm_xss_terminate/html/sanitizer.rb
|
54
|
+
- lib/merb_dm_xss_terminate/html/selector.rb
|
55
|
+
- lib/merb_dm_xss_terminate/html/tokenizer.rb
|
56
|
+
- lib/merb_dm_xss_terminate/html/version.rb
|
57
|
+
- lib/merb_dm_xss_terminate/html5lib_sanitize.rb
|
58
|
+
- lib/merb_dm_xss_terminate/merbtasks.rb
|
59
|
+
- lib/merb_dm_xss_terminate/rails_sanitize.rb
|
60
|
+
- lib/merb_dm_xss_terminate/xss_terminate.rb
|
61
|
+
- lib/merb_dm_xss_terminate.rb
|
62
|
+
- spec/config
|
63
|
+
- spec/config/database.yml
|
64
|
+
- spec/merb_dm_xss_terminate_spec.rb
|
65
|
+
- spec/models
|
66
|
+
- spec/models/comment.rb
|
67
|
+
- spec/models/entry.rb
|
68
|
+
- spec/models/message.rb
|
69
|
+
- spec/models/person.rb
|
70
|
+
- spec/models/review.rb
|
71
|
+
- spec/schema.rb
|
72
|
+
- spec/spec_helper.rb
|
73
|
+
has_rdoc: true
|
74
|
+
homepage: http://github.com/schwabsauce/merb_dm_xss_terminate
|
75
|
+
post_install_message:
|
76
|
+
rdoc_options: []
|
77
|
+
|
78
|
+
require_paths:
|
79
|
+
- lib
|
80
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
81
|
+
requirements:
|
82
|
+
- - ">="
|
83
|
+
- !ruby/object:Gem::Version
|
84
|
+
version: "0"
|
85
|
+
version:
|
86
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
87
|
+
requirements:
|
88
|
+
- - ">="
|
89
|
+
- !ruby/object:Gem::Version
|
90
|
+
version: "0"
|
91
|
+
version:
|
92
|
+
requirements: []
|
93
|
+
|
94
|
+
rubyforge_project:
|
95
|
+
rubygems_version: 1.2.0
|
96
|
+
signing_key:
|
97
|
+
specification_version: 2
|
98
|
+
summary: Plugin that auto-sanitizes data before it is saved in your DataMapper models
|
99
|
+
test_files: []
|
100
|
+
|