sqreen 1.6.2-java → 1.6.3-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 964922cfe82494cbd076546445a9b5cb280e0c9b
-  data.tar.gz: 707dafb9d328277081816b0f23af346101bb1a5a
+  metadata.gz: fb1277e9fe14768daa5419ca6d0e42ab07e95e67
+  data.tar.gz: c8c556e20ad621bd7f18414a4bbc8ee80a56820c
 SHA512:
-  metadata.gz: 61cfe516eb99a7cd8e6ba0008bc846a637daba292b9a7210df59aab350bcd7564a1491bf4e95fc7b45126a4a396111bd1682cfded3a3f888ea7ee0e6e8aec187
-  data.tar.gz: 37d2eba1aef0b8a64a76e687d8d5b46ed4b9bf2ecc99020cc7c87dca5baf0867ec3220cef3b08d07695f0610ff489d3de7689d6918770536fcc7a44915b6abbe
+  metadata.gz: 8caed917d587a1f571c00281d7135e5c5828be9539567ec13ddce6c2052c26111b67a50022243557baa17d2085a208f29e454ef41c6e6a1492008cdbff6f0e2f
+  data.tar.gz: 9b22ce8731b3487d65820bb3f2696c91e89b1c4ab5d93866cec5ca495ecdc839bc531d9826144f7d8dbb058d6ab1ade434e816f2abba0426ce2c33e7572663a6

data/lib/sqreen/instrumentation.rb

@@ -192,6 +192,8 @@ module Sqreen
             skip = true
             result = ret[:new_return_value] if ret.key? :new_return_value
             next
+          when :modify_args, 'modify_args'
+            args = ret[:args]
           when :raise, 'raise'
             fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
           end

data/lib/sqreen/rules_callbacks/reflected_xss.rb

@@ -85,6 +85,7 @@ module Sqreen
     class Haml4ParserScriptHookCB < RuleCB
       def pre(_inst, *args, &_block)
         return unless args.size > 1
+        return unless Haml::VERSION < "5"
         text = args[0]
         escape_html = args[1]
         if escape_html == false && !text.include?('html_escape')
@@ -97,6 +98,7 @@ module Sqreen
     # Hook into haml4 tag parser
     class Haml4ParserTagHookCB < RuleCB
       def post(ret, _inst, *_args, &_block)
+        return unless Haml::VERSION < "5"
         tag = ret
         if tag.value[:escape_html] == false &&
            !tag.value[:value].include?('html_escape')
@@ -109,6 +111,7 @@ module Sqreen
 
     class Haml4UtilInterpolationHookCB < RuleCB
       def pre(_inst, *args, &_block)
+        # Also work in haml5
         str = args[0]
         escape_html = args[1]
         # Original code from HAML tuned up to insert escape_haml call
@@ -131,6 +134,7 @@ module Sqreen
     # Hook build attributes
     class Haml4CompilerBuildAttributeCB < XSSCB
       def pre(inst, *args, &_block)
+        return unless Haml::VERSION < "5"
         attrs = args[-1]
         new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
           if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
@@ -175,6 +179,14 @@ module Sqreen
       end
     end
 
+    class Haml5EscapableHookCB < RuleCB
+      def pre(_inst, *args, &_block)
+        args[0] = "Sqreen.escape_haml(#{args[0]})"
+        { :status => :modify_args, :args => args }
+      end
+    end
+
+
     # Hook into temple template rendering
     class TempleEscapableHookCB < RuleCB
       def post(ret, _inst, *_args, &_block)
@@ -183,6 +195,7 @@ module Sqreen
       end
     end
 
+
     # Hook into temple template rendering
     class SlimSplatBuilderCB < XSSCB
       def pre(inst, *args, &_block)

data/lib/sqreen/version.rb

@@ -1,5 +1,5 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.io/terms.html
 module Sqreen
-  VERSION = '1.6.2'.freeze
+  VERSION = '1.6.3'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sqreen
 version: !ruby/object:Gem::Version
-  version: 1.6.2
+  version: 1.6.3
 platform: java
 authors:
 - Sqreen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-16 00:00:00.000000000 Z
+date: 2017-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs