sqreen 1.6.4-java → 1.6.5-java
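--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8de3ba0a88a08bfeb9fe901f3870882405f1b6b6
+data.tar.gz: 9e930c8b0e45edff7363942e32706137c70fca89
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dfe9a9b819bc7886f8d441cbd35849941743ed71d3c0f83e83713504f9775d1d5ab2bb7603e2c590aba022a2c2ba55476c6fd94ef6224fb354efc80ba77a32c4
+data.tar.gz: 2cc48e1d74f06c0623d8299883ba731b42f686b23f65438588bf518716fc179948f99df05acbfbc77ec5a1930645a1bfbddbd267d2dcbac0a2bac76b460860f2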
@@ -244,6 +244,7 @@ module Sqreen
|
|
244
244
|
when Array
|
245
245
|
look_into.concat(val)
|
246
246
|
else
|
247
|
+
next if val.respond_to?(:seek)
|
247
248
|
val.each { |v| look_into << v } if val.respond_to?(:each)
|
248
249
|
end
|
249
250
|
end
|
@@ -266,6 +267,7 @@ module Sqreen
|
|
266
267
|
when Array
|
267
268
|
look_into.concat(val)
|
268
269
|
else
|
270
|
+
next if val.respond_to?(:seek)
|
269
271
|
if val.respond_to?(:each)
|
270
272
|
val.each { |v| look_into << v }
|
271
273
|
else
|
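Review bot: The added `next if val.respond_to?(:seek)` guard in both `else` branches has no comment, and it silently drops every IO-like value from what is pushed onto `look_into`, so the contents of such values are never examined by whatever consumes that list. Presumably the intent is to avoid calling `#each` on an upload or a `StringIO`, which would read the stream; if so, say it on the line above, e.g. `# skip IO-like values: #each would read (and consume) the stream`. In the second hunk the `next` also bypasses the trailing `else` branch for values that do not respond to `each`; its body is outside the visible lines, so confirm that skipping it is intended. Both enclosing methods start and end outside the hunks.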
@@ -15,15 +15,16 @@ module Sqreen
|
|
15
15
|
# The remaining code is only to find out if user entry was an attack,
|
16
16
|
# and record it. Since we don't rely on it to respond to user, it would
|
17
17
|
# be better to do it in background.
|
18
|
-
def report_dangerous_xss(value)
|
18
|
+
def report_dangerous_xss?(value)
|
19
19
|
found = match_regexp(value)
|
20
20
|
|
21
|
-
return unless found
|
21
|
+
return false unless found
|
22
22
|
infos = {
|
23
23
|
:found => found,
|
24
24
|
:payload => value,
|
25
25
|
}
|
26
26
|
record_event(infos)
|
27
|
+
true
|
27
28
|
end
|
28
29
|
end
|
29
30
|
# look for reflected XSS with erb template engine
|
@@ -43,14 +44,14 @@ module Sqreen
|
|
43
44
|
Sqreen.log.debug { format('Found unescaped user param: %s', value) }
|
44
45
|
|
45
46
|
saved_value = value.dup
|
47
|
+
return unless report_dangerous_xss?(saved_value)
|
48
|
+
|
46
49
|
# potential XSS! let's escape
|
47
50
|
if block &&
|
48
51
|
(!framework || !find_whitelisted_path(framework.request_path.to_s))
|
49
52
|
args[0].replace(CGI.escape_html(value))
|
50
53
|
end
|
51
54
|
|
52
|
-
report_dangerous_xss(saved_value)
|
53
|
-
|
54
55
|
advise_action(nil)
|
55
56
|
end
|
56
57
|
end
|
@@ -72,7 +73,7 @@ module Sqreen
|
|
72
73
|
|
73
74
|
return unless value.is_a?(String)
|
74
75
|
|
75
|
-
report_dangerous_xss(value)
|
76
|
+
return unless report_dangerous_xss?(value)
|
76
77
|
|
77
78
|
return unless block
|
78
79
|
# potential XSS! let's escape
|
@@ -139,9 +140,8 @@ module Sqreen
|
|
139
140
|
return unless Haml::VERSION < '5'
|
140
141
|
attrs = args[-1]
|
141
142
|
new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
|
142
|
-
if !key.nil? && key.is_a?(String) && framework.full_params_include?(key)
|
143
|
+
if !key.nil? && key.is_a?(String) && framework.full_params_include?(key) && report_dangerous_xss?(key)
|
143
144
|
Sqreen.log.debug { format('Found unescaped user param: %s', key) }
|
144
|
-
report_dangerous_xss(key)
|
145
145
|
[CGI.escape_html(key), true]
|
146
146
|
else
|
147
147
|
[key, false]
|
@@ -209,7 +209,7 @@ module Sqreen
|
|
209
209
|
|
210
210
|
return unless value.is_a?(String)
|
211
211
|
|
212
|
-
report_dangerous_xss(value)
|
212
|
+
return unless report_dangerous_xss?(value)
|
213
213
|
|
214
214
|
return unless block
|
215
215
|
# potential XSS! let's escape
|
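Review bot: The comment above `report_dangerous_xss?` still says the result is not relied on to respond to the user, yet the new callers (`return unless report_dangerous_xss?(saved_value)`, the two `return unless report_dangerous_xss?(value)` guards and the Haml key condition) now skip `CGI.escape_html` whenever it returns false. Escaping is therefore only as complete as `match_regexp`, which is not visible here; a value the pattern misses is now left unescaped where the old code escaped it (subject to the existing block and whitelist checks). I would replace the stale comment with something like `# Records the event and returns true when value matches the XSS pattern; callers escape only on true.` The `?` name also hides that the method calls `record_event`, which is easy to overlook inside the Haml condition chain.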
data/lib/sqreen/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sqreen
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.6.
|
4
|
+
version: 1.6.5
|
5
5
|
platform: java
|
6
6
|
authors:
|
7
7
|
- Sqreen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-06-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: execjs
|