sqreen 1.6.3-java → 1.6.4-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/sqreen/rules_callbacks/reflected_xss.rb +12 -11
- data/lib/sqreen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 16272b9166ff785fd074fa26c4f9d4d57d9a4999
|
|
4
|
+
data.tar.gz: 2a8e6688467b84113424e9888053f7ee16a8c979
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a81ca9d97fef431d8a3ec8d3de8755c04ab8b252ba8b88080cce05699ca9e18eb52facec8e4cbbb76c4835a17095eb24b6d7fa978bb927233bc75a263ca9a106
|
|
7
|
+
data.tar.gz: 44dfd38d40d3e6d2824c4892d110636620af9a71675f96ab06c052aaf7cc1c42c7ff326ec5ba7fd6b413b778426ceb239bfe737822516d87317de5aa2249bfaf
|
|
@@ -53,7 +53,6 @@ module Sqreen
|
|
|
53
53
|
|
|
54
54
|
advise_action(nil)
|
|
55
55
|
end
|
|
56
|
-
|
|
57
56
|
end
|
|
58
57
|
# look for reflected XSS with haml template engine
|
|
59
58
|
# hook function arguments of
|
|
@@ -85,10 +84,12 @@ module Sqreen
|
|
|
85
84
|
class Haml4ParserScriptHookCB < RuleCB
|
|
86
85
|
def pre(_inst, *args, &_block)
|
|
87
86
|
return unless args.size > 1
|
|
88
|
-
return unless Haml::VERSION <
|
|
87
|
+
return unless Haml::VERSION < '5'
|
|
89
88
|
text = args[0]
|
|
90
89
|
escape_html = args[1]
|
|
91
|
-
if escape_html == false &&
|
|
90
|
+
if escape_html == false &&
|
|
91
|
+
text.respond_to?(:include?) &&
|
|
92
|
+
!text.include?('html_escape')
|
|
92
93
|
args[0].replace("Sqreen.escape_haml(#{args[0]})")
|
|
93
94
|
end
|
|
94
95
|
nil
|
|
@@ -98,9 +99,10 @@ module Sqreen
|
|
|
98
99
|
# Hook into haml4 tag parser
|
|
99
100
|
class Haml4ParserTagHookCB < RuleCB
|
|
100
101
|
def post(ret, _inst, *_args, &_block)
|
|
101
|
-
return unless Haml::VERSION <
|
|
102
|
+
return unless Haml::VERSION < '5'
|
|
102
103
|
tag = ret
|
|
103
104
|
if tag.value[:escape_html] == false &&
|
|
105
|
+
tag.value[:value].respond_to?(:include?) &&
|
|
104
106
|
!tag.value[:value].include?('html_escape')
|
|
105
107
|
tag.value[:value] = "Sqreen.escape_haml(#{tag.value[:value]})"
|
|
106
108
|
return { :status => :override, :new_return_value => tag }
|
|
@@ -134,7 +136,7 @@ module Sqreen
|
|
|
134
136
|
# Hook build attributes
|
|
135
137
|
class Haml4CompilerBuildAttributeCB < XSSCB
|
|
136
138
|
def pre(inst, *args, &_block)
|
|
137
|
-
return unless Haml::VERSION <
|
|
139
|
+
return unless Haml::VERSION < '5'
|
|
138
140
|
attrs = args[-1]
|
|
139
141
|
new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
|
|
140
142
|
if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
|
|
@@ -148,11 +150,12 @@ module Sqreen
|
|
|
148
150
|
|
|
149
151
|
return if !found_xss || !block
|
|
150
152
|
# potential XSS! let's escape
|
|
151
|
-
if
|
|
152
|
-
|
|
153
|
-
r = inst.send(method, *args)
|
|
154
|
-
return { :status => :skip, :new_return_value => r }
|
|
153
|
+
if framework && find_whitelisted_path(framework.request_path.to_s)
|
|
154
|
+
return nil
|
|
155
155
|
end
|
|
156
|
+
args[-1] = new_attrs
|
|
157
|
+
r = inst.send(method, *args)
|
|
158
|
+
{ :status => :skip, :new_return_value => r }
|
|
156
159
|
end
|
|
157
160
|
|
|
158
161
|
def self.clean_hash_key(hash, limit = 10, seen = [], &block)
|
|
@@ -186,7 +189,6 @@ module Sqreen
|
|
|
186
189
|
end
|
|
187
190
|
end
|
|
188
191
|
|
|
189
|
-
|
|
190
192
|
# Hook into temple template rendering
|
|
191
193
|
class TempleEscapableHookCB < RuleCB
|
|
192
194
|
def post(ret, _inst, *_args, &_block)
|
|
@@ -195,7 +197,6 @@ module Sqreen
|
|
|
195
197
|
end
|
|
196
198
|
end
|
|
197
199
|
|
|
198
|
-
|
|
199
200
|
# Hook into temple template rendering
|
|
200
201
|
class SlimSplatBuilderCB < XSSCB
|
|
201
202
|
def pre(inst, *args, &_block)
|
data/lib/sqreen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sqreen
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.4
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Sqreen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-05-
|
|
11
|
+
date: 2017-05-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: execjs
|