sqreen 1.6.4-java → 1.6.5-java

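--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 16272b9166ff785fd074fa26c4f9d4d57d9a4999
- data.tar.gz: 2a8e6688467b84113424e9888053f7ee16a8c979
+ metadata.gz: 8de3ba0a88a08bfeb9fe901f3870882405f1b6b6
+ data.tar.gz: 9e930c8b0e45edff7363942e32706137c70fca89
  SHA512:
- metadata.gz: a81ca9d97fef431d8a3ec8d3de8755c04ab8b252ba8b88080cce05699ca9e18eb52facec8e4cbbb76c4835a17095eb24b6d7fa978bb927233bc75a263ca9a106
- data.tar.gz: 44dfd38d40d3e6d2824c4892d110636620af9a71675f96ab06c052aaf7cc1c42c7ff326ec5ba7fd6b413b778426ceb239bfe737822516d87317de5aa2249bfaf
+ metadata.gz: dfe9a9b819bc7886f8d441cbd35849941743ed71d3c0f83e83713504f9775d1d5ab2bb7603e2c590aba022a2c2ba55476c6fd94ef6224fb354efc80ba77a32c4
+ data.tar.gz: 2cc48e1d74f06c0623d8299883ba731b42f686b23f65438588bf518716fc179948f99df05acbfbc77ec5a1930645a1bfbddbd267d2dcbac0a2bac76b460860f2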
@@ -244,6 +244,7 @@ module Sqreen
244
244
  when Array
245
245
  look_into.concat(val)
246
246
  else
247
+ next if val.respond_to?(:seek)
247
248
  val.each { |v| look_into << v } if val.respond_to?(:each)
248
249
  end
249
250
  end
@@ -266,6 +267,7 @@ module Sqreen
266
267
  when Array
267
268
  look_into.concat(val)
268
269
  else
270
+ next if val.respond_to?(:seek)
269
271
  if val.respond_to?(:each)
270
272
  val.each { |v| look_into << v }
271
273
  else
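Review bot: The new `next if val.respond_to?(:seek)` guard in both hunks is an unexplained duck-type test, so a reader cannot tell why `seek` is the discriminator or what goes wrong without it; a comment would help, e.g. `# IO-like values (Tempfile, StringIO, ...) also respond to #each, which reads the stream line by line and advances its position; skip them instead of consuming data the application still needs`. The guard sits in the `else` branch after `when Array`, so arrays are still flattened with `concat` and only non-array `each`-responders are affected. Both enclosing methods start outside the hunks, so whether any caller relied on stream contents being walked cannot be confirmed from here; if this drops inspection of uploaded-file data, that trade-off belongs in the changelog.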
@@ -55,6 +55,7 @@ module Sqreen
55
55
  val = resol_cache[accessor]
56
56
  val = [val] if val.is_a?(String)
57
57
  next unless val.respond_to?(:each)
58
+ next if val.respond_to?(:seek)
58
59
  val.each do |v|
59
60
  next if matcher.match(v).nil?
60
61
  infos = {
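Review bot: Adding `next if val.respond_to?(:seek)` after the `each` check silently removes IO-like values (Tempfile, StringIO) from what `matcher` sees, which is a detection-coverage trade-off and not only a crash fix, and the code should say so; suggested comment: `# Stream objects respond to #each (line iteration) but must not be read here: it would advance a stream the application still needs, so their contents are deliberately not matched`. A `String` wrapped into an array on the line above is unaffected since `Array` does not respond to `seek`. The enclosing method starts outside the hunk, so where `resol_cache` values come from cannot be confirmed from here.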
@@ -15,15 +15,16 @@ module Sqreen
15
15
  # The remaining code is only to find out if user entry was an attack,
16
16
  # and record it. Since we don't rely on it to respond to user, it would
17
17
  # be better to do it in background.
18
- def report_dangerous_xss(value)
18
+ def report_dangerous_xss?(value)
19
19
  found = match_regexp(value)
20
20
 
21
- return unless found
21
+ return false unless found
22
22
  infos = {
23
23
  :found => found,
24
24
  :payload => value,
25
25
  }
26
26
  record_event(infos)
27
+ true
27
28
  end
28
29
  end
29
30
  # look for reflected XSS with erb template engine
@@ -43,14 +44,14 @@ module Sqreen
43
44
  Sqreen.log.debug { format('Found unescaped user param: %s', value) }
44
45
 
45
46
  saved_value = value.dup
47
+ return unless report_dangerous_xss?(saved_value)
48
+
46
49
  # potential XSS! let's escape
47
50
  if block &&
48
51
  (!framework || !find_whitelisted_path(framework.request_path.to_s))
49
52
  args[0].replace(CGI.escape_html(value))
50
53
  end
51
54
 
52
- report_dangerous_xss(saved_value)
53
-
54
55
  advise_action(nil)
55
56
  end
56
57
  end
@@ -72,7 +73,7 @@ module Sqreen
72
73
 
73
74
  return unless value.is_a?(String)
74
75
 
75
- report_dangerous_xss(value)
76
+ return unless report_dangerous_xss?(value)
76
77
 
77
78
  return unless block
78
79
  # potential XSS! let's escape
@@ -139,9 +140,8 @@ module Sqreen
139
140
  return unless Haml::VERSION < '5'
140
141
  attrs = args[-1]
141
142
  new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
142
- if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
143
+ if !key.nil? && key.is_a?(String) && framework.full_params_include?(key) && report_dangerous_xss?(key)
143
144
  Sqreen.log.debug { format('Found unescaped user param: %s', key) }
144
- report_dangerous_xss(key)
145
145
  [CGI.escape_html(key), true]
146
146
  else
147
147
  [key, false]
@@ -209,7 +209,7 @@ module Sqreen
209
209
 
210
210
  return unless value.is_a?(String)
211
211
 
212
- report_dangerous_xss(value)
212
+ return unless report_dangerous_xss?(value)
213
213
 
214
214
  return unless block
215
215
  # potential XSS! let's escape
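Review bot: In the erb hunk, the new `return unless report_dangerous_xss?(saved_value)` makes `match_regexp` the sole gate for escaping: before this change a user parameter reflected unescaped was escaped whenever `block` was set (regardless of the regexp) and `advise_action(nil)` always ran, whereas now a reflected value the regexp does not recognise is emitted verbatim and no action is advised. That is a deliberate narrowing (fewer false positives) but it also means any bypass of the detection regexp is a bypass of the protection, and the same gating is applied in the haml hunk via `&& report_dangerous_xss?(key)` and in the two `return unless report_dangerous_xss?(value)` hunks. The trade-off deserves a comment next to each guard, e.g. `# Escape only when the value matches the XSS patterns; a non-matching reflected param is passed through unchanged`. Also `report_dangerous_xss?` is a `?`-predicate that records an event as a side effect; either say so in its doc comment (`# Records an event and returns true when value matches the XSS regexp, false otherwise`) or rename it so the side effect is visible at call sites.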
@@ -1,5 +1,5 @@
1
1
  # Copyright (c) 2015 Sqreen. All Rights Reserved.
2
2
  # Please refer to our terms for more information: https://www.sqreen.io/terms.html
3
3
  module Sqreen
4
- VERSION = '1.6.4'.freeze
4
+ VERSION = '1.6.5'.freeze
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sqreen
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.6.4
4
+ version: 1.6.5
5
5
  platform: java
6
6
  authors:
7
7
  - Sqreen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-05-29 00:00:00.000000000 Z
11
+ date: 2017-06-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: execjs