sqreen 1.6.3 → 1.6.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/sqreen/rules_callbacks/reflected_xss.rb +12 -11
- data/lib/sqreen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: da14a9fd26a579f3a1dd61274ee693807de66cb5
|
|
4
|
+
data.tar.gz: 59e9c7f4cdaba120edf901b9e9c1263cc5cf48d4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7ac81e8adb933f2b70faf218922aa75aa6d69ad83e6f39a6dec227af458b2b24df9708150c5f05e8334a75515be16faea459d4f60bd8cb6038f7130f6345a561
|
|
7
|
+
data.tar.gz: 504a06d8e356a3f90c530b5c5027048fb6c3f0356d7511f89341c3b3e0d451ad06d14ac19f5142defe7f0c1423a81f262334bb291dc49e06ab02cf62c70d2e09
|
|
@@ -53,7 +53,6 @@ module Sqreen
|
|
|
53
53
|
|
|
54
54
|
advise_action(nil)
|
|
55
55
|
end
|
|
56
|
-
|
|
57
56
|
end
|
|
58
57
|
# look for reflected XSS with haml template engine
|
|
59
58
|
# hook function arguments of
|
|
@@ -85,10 +84,12 @@ module Sqreen
|
|
|
85
84
|
class Haml4ParserScriptHookCB < RuleCB
|
|
86
85
|
def pre(_inst, *args, &_block)
|
|
87
86
|
return unless args.size > 1
|
|
88
|
-
return unless Haml::VERSION <
|
|
87
|
+
return unless Haml::VERSION < '5'
|
|
89
88
|
text = args[0]
|
|
90
89
|
escape_html = args[1]
|
|
91
|
-
if escape_html == false &&
|
|
90
|
+
if escape_html == false &&
|
|
91
|
+
text.respond_to?(:include?) &&
|
|
92
|
+
!text.include?('html_escape')
|
|
92
93
|
args[0].replace("Sqreen.escape_haml(#{args[0]})")
|
|
93
94
|
end
|
|
94
95
|
nil
|
|
@@ -98,9 +99,10 @@ module Sqreen
|
|
|
98
99
|
# Hook into haml4 tag parser
|
|
99
100
|
class Haml4ParserTagHookCB < RuleCB
|
|
100
101
|
def post(ret, _inst, *_args, &_block)
|
|
101
|
-
return unless Haml::VERSION <
|
|
102
|
+
return unless Haml::VERSION < '5'
|
|
102
103
|
tag = ret
|
|
103
104
|
if tag.value[:escape_html] == false &&
|
|
105
|
+
tag.value[:value].respond_to?(:include?) &&
|
|
104
106
|
!tag.value[:value].include?('html_escape')
|
|
105
107
|
tag.value[:value] = "Sqreen.escape_haml(#{tag.value[:value]})"
|
|
106
108
|
return { :status => :override, :new_return_value => tag }
|
|
@@ -134,7 +136,7 @@ module Sqreen
|
|
|
134
136
|
# Hook build attributes
|
|
135
137
|
class Haml4CompilerBuildAttributeCB < XSSCB
|
|
136
138
|
def pre(inst, *args, &_block)
|
|
137
|
-
return unless Haml::VERSION <
|
|
139
|
+
return unless Haml::VERSION < '5'
|
|
138
140
|
attrs = args[-1]
|
|
139
141
|
new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
|
|
140
142
|
if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
|
|
@@ -148,11 +150,12 @@ module Sqreen
|
|
|
148
150
|
|
|
149
151
|
return if !found_xss || !block
|
|
150
152
|
# potential XSS! let's escape
|
|
151
|
-
if
|
|
152
|
-
|
|
153
|
-
r = inst.send(method, *args)
|
|
154
|
-
return { :status => :skip, :new_return_value => r }
|
|
153
|
+
if framework && find_whitelisted_path(framework.request_path.to_s)
|
|
154
|
+
return nil
|
|
155
155
|
end
|
|
156
|
+
args[-1] = new_attrs
|
|
157
|
+
r = inst.send(method, *args)
|
|
158
|
+
{ :status => :skip, :new_return_value => r }
|
|
156
159
|
end
|
|
157
160
|
|
|
158
161
|
def self.clean_hash_key(hash, limit = 10, seen = [], &block)
|
|
@@ -186,7 +189,6 @@ module Sqreen
|
|
|
186
189
|
end
|
|
187
190
|
end
|
|
188
191
|
|
|
189
|
-
|
|
190
192
|
# Hook into temple template rendering
|
|
191
193
|
class TempleEscapableHookCB < RuleCB
|
|
192
194
|
def post(ret, _inst, *_args, &_block)
|
|
@@ -195,7 +197,6 @@ module Sqreen
|
|
|
195
197
|
end
|
|
196
198
|
end
|
|
197
199
|
|
|
198
|
-
|
|
199
200
|
# Hook into temple template rendering
|
|
200
201
|
class SlimSplatBuilderCB < XSSCB
|
|
201
202
|
def pre(inst, *args, &_block)
|
data/lib/sqreen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sqreen
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sqreen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-05-
|
|
11
|
+
date: 2017-05-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: execjs
|