sqreen 1.6.2 → 1.6.3
- checksums.yaml +4 -4
- data/lib/sqreen/instrumentation.rb +2 -0
- data/lib/sqreen/rules_callbacks/reflected_xss.rb +13 -0
- data/lib/sqreen/version.rb +1 -1
- metadata +2 -2
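--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 465f1e96c5f05d74be7a753b77454dec4738ead7
+data.tar.gz: 730be003ff5f5d80110ad07eb49714cafdebc16d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 06c92cd9d9cb2e151206246ad2120ce4e0eae545f17613ee90d6df04853415c532311a706684d68ae05e21b738be3c8870c7d5d9cd8ed34fa026d6ad13735489
+data.tar.gz: d8c9577156bfa2a232927a35df86d61737b41bb51d38161e6744b33a16e4c71a2a8cf8aa7f5e5b38774aee519c52eac130a06d753016322b0fcaa23fbce0541e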
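--- a/data/lib/sqreen/instrumentation.rb
+++ b/data/lib/sqreen/instrumentation.rb
@@ -192,6 +192,8 @@ module Sqreen
 skip = true
 result = ret[:new_return_value] if ret.key? :new_return_value
 next
+when :modify_args, 'modify_args'
+args = ret[:args]
 when :raise, 'raise'
 fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
 end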
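--- a/data/lib/sqreen/rules_callbacks/reflected_xss.rb
+++ b/data/lib/sqreen/rules_callbacks/reflected_xss.rb
@@ -85,6 +85,7 @@ module Sqreen
 class Haml4ParserScriptHookCB < RuleCB
 def pre(_inst, *args, &_block)
 return unless args.size > 1
+return unless Haml::VERSION < "5"
 text = args[0]
 escape_html = args[1]
 if escape_html == false && !text.include?('html_escape')
@@ -97,6 +98,7 @@ module Sqreen
 # Hook into haml4 tag parser
 class Haml4ParserTagHookCB < RuleCB
 def post(ret, _inst, *_args, &_block)
+return unless Haml::VERSION < "5"
 tag = ret
 if tag.value[:escape_html] == false &&
 !tag.value[:value].include?('html_escape')
@@ -109,6 +111,7 @@ module Sqreen
 
 class Haml4UtilInterpolationHookCB < RuleCB
 def pre(_inst, *args, &_block)
+# Also work in haml5
 str = args[0]
 escape_html = args[1]
 # Original code from HAML tuned up to insert escape_haml call
@@ -131,6 +134,7 @@ module Sqreen
 # Hook build attributes
 class Haml4CompilerBuildAttributeCB < XSSCB
 def pre(inst, *args, &_block)
+return unless Haml::VERSION < "5"
 attrs = args[-1]
 new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
 if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
@@ -175,6 +179,14 @@ module Sqreen
 end
 end
 
+class Haml5EscapableHookCB < RuleCB
+def pre(_inst, *args, &_block)
+args[0] = "Sqreen.escape_haml(#{args[0]})"
+{ :status => :modify_args, :args => args }
+end
+end
+
+
 # Hook into temple template rendering
 class TempleEscapableHookCB < RuleCB
 def post(ret, _inst, *_args, &_block)
@@ -183,6 +195,7 @@ module Sqreen
 end
 end
 
+
 # Hook into temple template rendering
 class SlimSplatBuilderCB < XSSCB
 def pre(inst, *args, &_block)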
data/lib/sqreen/version.rb
CHANGED
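--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-version: 1.6.
+version: 1.6.3
 platform: ruby
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-
+date: 2017-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: execjs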