RubyGems - sqreen - Versions diffs - 1.6.4 → 1.6.5 - Mend

sqreen 1.6.4 → 1.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/sqreen/binding_accessor.rb +2 -0
data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb +1 -0
data/lib/sqreen/rules_callbacks/reflected_xss.rb +8 -8
data/lib/sqreen/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: da14a9fd26a579f3a1dd61274ee693807de66cb5
-  data.tar.gz: 59e9c7f4cdaba120edf901b9e9c1263cc5cf48d4
+  metadata.gz: cc4c4bcf86488934c2048d33804dd07398484e09
+  data.tar.gz: 4d4bb6a78d00ef04d6d824f01f1194a156cb019b
 SHA512:
-  metadata.gz: 7ac81e8adb933f2b70faf218922aa75aa6d69ad83e6f39a6dec227af458b2b24df9708150c5f05e8334a75515be16faea459d4f60bd8cb6038f7130f6345a561
-  data.tar.gz: 504a06d8e356a3f90c530b5c5027048fb6c3f0356d7511f89341c3b3e0d451ad06d14ac19f5142defe7f0c1423a81f262334bb291dc49e06ab02cf62c70d2e09
+  metadata.gz: 1ab651db3fb58f44551e4c04885da9bf0c7543a51c479565e8baf23cb7739d83b0b14196ac6958515462b34103542916875da9516cac8517b0f54a74cfa437ee
+  data.tar.gz: b6886860a4d6a9d118bc675c4ea6b1e70fe6093c9cbda35691f89a9058e845b1270f75b67c9b2bbacd4f4e3a40b013fc5ba733c9cc8d269e5b2806a510c4b699

data/lib/sqreen/binding_accessor.rb CHANGED Viewed

@@ -244,6 +244,7 @@ module Sqreen
           when Array
             look_into.concat(val)
           else
+            next if val.respond_to?(:seek)
             val.each { |v| look_into << v } if val.respond_to?(:each)
           end
         end
@@ -266,6 +267,7 @@ module Sqreen
           when Array
             look_into.concat(val)
           else
+            next if val.respond_to?(:seek)
             if val.respond_to?(:each)
               val.each { |v| look_into << v }
             else

data/lib/sqreen/rules_callbacks/binding_accessor_matcher.rb CHANGED Viewed

@@ -55,6 +55,7 @@ module Sqreen
             val = resol_cache[accessor]
             val = [val] if val.is_a?(String)
             next unless val.respond_to?(:each)
+            next if val.respond_to?(:seek)
             val.each do |v|
               next if matcher.match(v).nil?
               infos = {

data/lib/sqreen/rules_callbacks/reflected_xss.rb CHANGED Viewed

@@ -15,15 +15,16 @@ module Sqreen
       # The remaining code is only to find out if user entry was an attack,
       # and record it. Since we don't rely on it to respond to user, it would
       # be better to do it in background.
-      def report_dangerous_xss(value)
+      def report_dangerous_xss?(value)
         found = match_regexp(value)
-        return unless found
+        return false unless found
         infos = {
           :found => found,
           :payload => value,
         }
         record_event(infos)
+        true
       end
     end
     # look for reflected XSS with erb template engine
@@ -43,14 +44,14 @@ module Sqreen
         Sqreen.log.debug { format('Found unescaped user param: %s', value) }
         saved_value = value.dup
+        return unless report_dangerous_xss?(saved_value)
         # potential XSS! let's escape
         if block &&
            (!framework || !find_whitelisted_path(framework.request_path.to_s))
           args[0].replace(CGI.escape_html(value))
         end
-        report_dangerous_xss(saved_value)
         advise_action(nil)
       end
     end
@@ -72,7 +73,7 @@ module Sqreen
         return unless value.is_a?(String)
-        report_dangerous_xss(value)
+        return unless report_dangerous_xss?(value)
         return unless block
         # potential XSS! let's escape
@@ -139,9 +140,8 @@ module Sqreen
         return unless Haml::VERSION < '5'
         attrs = args[-1]
         new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
-          if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
+          if !key.nil? && key.is_a?(String) && framework.full_params_include?(key) && report_dangerous_xss?(key)
             Sqreen.log.debug { format('Found unescaped user param: %s', key) }
-            report_dangerous_xss(key)
             [CGI.escape_html(key), true]
           else
             [key, false]
@@ -209,7 +209,7 @@ module Sqreen
         return unless value.is_a?(String)
-        report_dangerous_xss(value)
+        return unless report_dangerous_xss?(value)
         return unless block
         # potential XSS! let's escape

data/lib/sqreen/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.6.4'.freeze
+  VERSION = '1.6.5'.freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.6.4
+  version: 1.6.5
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-29 00:00:00.000000000 Z
+date: 2017-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs