sqreen 1.6.2 → 1.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e9b34c2f5b3b78e6d6d58ac18f1d9faa33cbf196
-  data.tar.gz: eea4dcce2fb145c35185db91ffbb6f6800edb005
+  metadata.gz: 465f1e96c5f05d74be7a753b77454dec4738ead7
+  data.tar.gz: 730be003ff5f5d80110ad07eb49714cafdebc16d
 SHA512:
-  metadata.gz: 154b88bedb17ff5cb7228a927a0b94220bbfcde0377fb13354635efa366016d2c7118d714ebefa5784d1563be5bd178e85efbaae6f8b7cc6a462c8f7a85ac89a
-  data.tar.gz: eab036031ab15bb2f2edc6749cb5d2d0952c04f7da50ab3442966f49e9021b7bebd1bcf9c5c3f63fad7a2e6d453b0f33aeb2a58f988451af6e24e9099b6efe97
+  metadata.gz: 06c92cd9d9cb2e151206246ad2120ce4e0eae545f17613ee90d6df04853415c532311a706684d68ae05e21b738be3c8870c7d5d9cd8ed34fa026d6ad13735489
+  data.tar.gz: d8c9577156bfa2a232927a35df86d61737b41bb51d38161e6744b33a16e4c71a2a8cf8aa7f5e5b38774aee519c52eac130a06d753016322b0fcaa23fbce0541e

data/lib/sqreen/instrumentation.rb

@@ -192,6 +192,8 @@ module Sqreen
             skip = true
             result = ret[:new_return_value] if ret.key? :new_return_value
             next
+          when :modify_args, 'modify_args'
+            args = ret[:args]
           when :raise, 'raise'
             fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
           end

data/lib/sqreen/rules_callbacks/reflected_xss.rb

@@ -85,6 +85,7 @@ module Sqreen
     class Haml4ParserScriptHookCB < RuleCB
       def pre(_inst, *args, &_block)
         return unless args.size > 1
+        return unless Haml::VERSION < "5"
         text = args[0]
         escape_html = args[1]
         if escape_html == false && !text.include?('html_escape')
@@ -97,6 +98,7 @@ module Sqreen
     # Hook into haml4 tag parser
     class Haml4ParserTagHookCB < RuleCB
       def post(ret, _inst, *_args, &_block)
+        return unless Haml::VERSION < "5"
         tag = ret
         if tag.value[:escape_html] == false &&
            !tag.value[:value].include?('html_escape')
@@ -109,6 +111,7 @@ module Sqreen
 
     class Haml4UtilInterpolationHookCB < RuleCB
       def pre(_inst, *args, &_block)
+        # Also work in haml5
         str = args[0]
         escape_html = args[1]
         # Original code from HAML tuned up to insert escape_haml call
@@ -131,6 +134,7 @@ module Sqreen
     # Hook build attributes
     class Haml4CompilerBuildAttributeCB < XSSCB
       def pre(inst, *args, &_block)
+        return unless Haml::VERSION < "5"
         attrs = args[-1]
         new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
           if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
@@ -175,6 +179,14 @@ module Sqreen
       end
     end
 
+    class Haml5EscapableHookCB < RuleCB
+      def pre(_inst, *args, &_block)
+        args[0] = "Sqreen.escape_haml(#{args[0]})"
+        { :status => :modify_args, :args => args }
+      end
+    end
+
+
     # Hook into temple template rendering
     class TempleEscapableHookCB < RuleCB
       def post(ret, _inst, *_args, &_block)
@@ -183,6 +195,7 @@ module Sqreen
       end
     end
 
+
     # Hook into temple template rendering
     class SlimSplatBuilderCB < XSSCB
       def pre(inst, *args, &_block)

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.6.2'.freeze
+  VERSION = '1.6.3'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.6.2
+  version: 1.6.3
 platform: ruby
 authors:
 - Sqreen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-16 00:00:00.000000000 Z
+date: 2017-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs