sqreen 1.6.4 → 1.6.5

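--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: da14a9fd26a579f3a1dd61274ee693807de66cb5
- data.tar.gz: 59e9c7f4cdaba120edf901b9e9c1263cc5cf48d4
+ metadata.gz: cc4c4bcf86488934c2048d33804dd07398484e09
+ data.tar.gz: 4d4bb6a78d00ef04d6d824f01f1194a156cb019b
  SHA512:
- metadata.gz: 7ac81e8adb933f2b70faf218922aa75aa6d69ad83e6f39a6dec227af458b2b24df9708150c5f05e8334a75515be16faea459d4f60bd8cb6038f7130f6345a561
- data.tar.gz: 504a06d8e356a3f90c530b5c5027048fb6c3f0356d7511f89341c3b3e0d451ad06d14ac19f5142defe7f0c1423a81f262334bb291dc49e06ab02cf62c70d2e09
+ metadata.gz: 1ab651db3fb58f44551e4c04885da9bf0c7543a51c479565e8baf23cb7739d83b0b14196ac6958515462b34103542916875da9516cac8517b0f54a74cfa437ee
+ data.tar.gz: b6886860a4d6a9d118bc675c4ea6b1e70fe6093c9cbda35691f89a9058e845b1270f75b67c9b2bbacd4f4e3a40b013fc5ba733c9cc8d269e5b2806a510c4b699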
@@ -244,6 +244,7 @@ module Sqreen
244
244
  when Array
245
245
  look_into.concat(val)
246
246
  else
247
+ next if val.respond_to?(:seek)
247
248
  val.each { |v| look_into << v } if val.respond_to?(:each)
248
249
  end
249
250
  end
@@ -266,6 +267,7 @@ module Sqreen
266
267
  when Array
267
268
  look_into.concat(val)
268
269
  else
270
+ next if val.respond_to?(:seek)
269
271
  if val.respond_to?(:each)
270
272
  val.each { |v| look_into << v }
271
273
  else
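Review bot: The new `next if val.respond_to?(:seek)` at L42 and L63 (and once more at L84, which by its line numbers looks like a second file) is the same duck-typing check pasted three times with no comment, so a reader cannot tell that `seek` is being used as a marker for IO-like values whose `each` would read their contents into `look_into`; I'd add `# IO-like values (Tempfile, StringIO, ...) also respond to #each; iterating them would read their body` and fold the three copies into one shared predicate such as `io_like?(val)`. Because the test is by duck type only, any parameter wrapper that happens to respond to `seek` is now skipped from inspection entirely, which is presumably acceptable for file uploads but worth stating next to the check. At L82–L84 the two guards could also be one line, `next unless val.respond_to?(:each) && !val.respond_to?(:seek)`. The enclosing methods of all three hunks start and end outside what is shown.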
@@ -55,6 +55,7 @@ module Sqreen
55
55
  val = resol_cache[accessor]
56
56
  val = [val] if val.is_a?(String)
57
57
  next unless val.respond_to?(:each)
58
+ next if val.respond_to?(:seek)
58
59
  val.each do |v|
59
60
  next if matcher.match(v).nil?
60
61
  infos = {
@@ -15,15 +15,16 @@ module Sqreen
15
15
  # The remaining code is only to find out if user entry was an attack,
16
16
  # and record it. Since we don't rely on it to respond to user, it would
17
17
  # be better to do it in background.
18
- def report_dangerous_xss(value)
18
+ def report_dangerous_xss?(value)
19
19
  found = match_regexp(value)
20
20
 
21
- return unless found
21
+ return false unless found
22
22
  infos = {
23
23
  :found => found,
24
24
  :payload => value,
25
25
  }
26
26
  record_event(infos)
27
+ true
27
28
  end
28
29
  end
29
30
  # look for reflected XSS with erb template engine
@@ -43,14 +44,14 @@ module Sqreen
43
44
  Sqreen.log.debug { format('Found unescaped user param: %s', value) }
44
45
 
45
46
  saved_value = value.dup
47
+ return unless report_dangerous_xss?(saved_value)
48
+
46
49
  # potential XSS! let's escape
47
50
  if block &&
48
51
  (!framework || !find_whitelisted_path(framework.request_path.to_s))
49
52
  args[0].replace(CGI.escape_html(value))
50
53
  end
51
54
 
52
- report_dangerous_xss(saved_value)
53
-
54
55
  advise_action(nil)
55
56
  end
56
57
  end
@@ -72,7 +73,7 @@ module Sqreen
72
73
 
73
74
  return unless value.is_a?(String)
74
75
 
75
- report_dangerous_xss(value)
76
+ return unless report_dangerous_xss?(value)
76
77
 
77
78
  return unless block
78
79
  # potential XSS! let's escape
@@ -139,9 +140,8 @@ module Sqreen
139
140
  return unless Haml::VERSION < '5'
140
141
  attrs = args[-1]
141
142
  new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
142
- if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
143
+ if !key.nil? && key.is_a?(String) && framework.full_params_include?(key) && report_dangerous_xss?(key)
143
144
  Sqreen.log.debug { format('Found unescaped user param: %s', key) }
144
- report_dangerous_xss(key)
145
145
  [CGI.escape_html(key), true]
146
146
  else
147
147
  [key, false]
@@ -209,7 +209,7 @@ module Sqreen
209
209
 
210
210
  return unless value.is_a?(String)
211
211
 
212
- report_dangerous_xss(value)
212
+ return unless report_dangerous_xss?(value)
213
213
 
214
214
  return unless block
215
215
  # potential XSS! let's escape
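Review bot: With `return unless report_dangerous_xss?(saved_value)` at L155 (and the same gate at L202 and L253), `args[0].replace(CGI.escape_html(value))` at L169 now runs only when `match_regexp` recognises the value, whereas before the hunk every unescaped user parameter on a non-whitelisted path was escaped and reporting happened afterwards; if this narrowing is intended it should be stated in the method comment, since the escaping now depends entirely on what the regexp matches and a value it misses is rendered unescaped. The early return also skips `advise_action(nil)` at L182, which previously ran on every call; whether that matters depends on advise_action, which is outside the hunk. The comment at L97–L103 still says reporting "would be better to do it in background", but the callers now branch on the returned boolean, so the call has to stay synchronous — I'd replace that sentence with `# Callers branch on the result, so this must stay synchronous.`. At L225 the reporting call now sits inside the `if` condition, so the `Found unescaped user param` debug line at L228 is emitted after the event is recorded and only for matched keys; moving `report_dangerous_xss?(key)` into the body after the log keeps the condition side-effect free. The enclosing methods of these hunks start and end outside what is shown.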
@@ -1,5 +1,5 @@
1
1
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
2
  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
3
3
  module Sqreen
4
- VERSION = '1.6.4'.freeze
4
+ VERSION = '1.6.5'.freeze
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sqreen
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.6.4
4
+ version: 1.6.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sqreen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-05-29 00:00:00.000000000 Z
11
+ date: 2017-06-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: execjs