RubyGems - tainted_love - Versions diffs - 0.1.5 → 0.4.0 - Mend

tainted_love 0.1.5 → 0.4.0

Files changed (169) hide show

data/lib/tainted_love/replacer/replace_tag_builder.rb ADDED

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Replacer
+    class ReplaceTagBuilder < Base
+      def replace!
+        block = lambda do |return_value, *args|
+          return_value.untaint
+        end
+        TaintedLove.proxy_method('ActionView::Helpers::TagHelper::TagBuilder', :content_tag_string, &block)
+        TaintedLove.proxy_method('ActionView::Helpers::TagHelper::TagBuilder', :tag_options, &block)
+      end
+    end
+  end
+end

data/lib/tainted_love/reporter/base.rb CHANGED

@@ -33,7 +33,10 @@ module TaintedLove
           message: warning.message,
         )
-        @warnings[key][:inputs][warning.tainted_input] = warning.reported_at
+        @warnings[key][:inputs][warning.tainted_input] = {
+          reported_at: warning.reported_at,
+          taint_tags: warning.tainted_input.tainted_love_tags.uniq
+        }
       end
       # Adds a warning to the reporter

data/lib/tainted_love/reporter/stdout_reporter.rb CHANGED

@@ -30,6 +30,7 @@ module TaintedLove
         end
         puts 'Tainted input: ' + tainted_input
+        puts 'Taint tags: ' + warning.tainted_input.tainted_love_tags.uniq.inspect
         warning.stack_trace.lines.take(@stack_trace_size).each do |line|
           puts format_line(line)

data/lib/tainted_love/utils.rb CHANGED

@@ -43,34 +43,19 @@ module TaintedLove
     # Adds information about the object. The information can be about
     # where the object is coming from, validation that has been done on the object, etc.
     #
-    # If the object is frozen, the given block will be called with a new object.
-    # The caller has the responsability of replacing the frozen object with this
-    # new object.
-    #
     # @param object [Object] Object to add tracking
     # @param payload [Hash] Data to add to the object
-    # @yield [Object] Invoked with a duplicate unfrozen version of object
     # @return [Object] Given object or dup of it
-    def add_tracking(object, payload = {}, &block)
-      frozen = object.frozen?
-      return if frozen && block.nil?
-      payload[:stacktrace] = StackTrace.current
-      object = object.dup if frozen
-      object.tainted_love_tracking << payload
-      block.call(object) if frozen
+    def tag(object, payload = {})
+      object.tainted_love_tags << payload
       object
     end
     # Create a hex encoded MD5 hash
     #
-    # @params str [String] Input string
-    # @returns [String]
+    # @param str [String] Input string
+    # @return [String]
     def hash(str)
       h = Digest::MD5.new
       h.update(str)

data/lib/tainted_love/utils/proxy.rb ADDED

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Utils
+    # Utility to wrap a an instance function.
+    #
+    # @example
+    #   TaintedLove::Utils::Proxy.new('MyClass', :my_method) do
+    #     def before
+    #       if arguments.first.tainted?
+    #         @should_taint = true
+    #         do_something
+    #       end
+    #     end
+    #
+    #     def around
+    #       yield # calls the real method
+    #     end
+    #
+    #     def after
+    #       return_value.taint if @should_taint
+    #     end
+    #   end
+    class Proxy
+      attr_accessor :object, :return_value, :block, :arguments
+      # Creates a new proxy. If klass and `method` are provided, it will invoke {#apply} with those arguments.
+      #
+      # @param klass [Class, String] The target class
+      # @param method [Symbol] The method name to replace
+      # @yield [] Evaluated the block in the context of the instance to customize the before, around and after methods
+      def initialize(klass = nil, method = nil, &block)
+        instance_eval(&block) unless block.nil?
+        if !klass.nil? && !method.nil?
+          apply(klass, method)
+        end
+      end
+      # Invoked before invoking the original method
+      def before
+      end
+      # Invoked after invoking the original method
+      def after
+      end
+      # Controls the call to the original function. The default implementation of this method will yield.
+      #
+      # @yield [] The given block will invoke the original method
+      def around
+        yield
+      end
+      def handle(object, method, *args, &block)
+        # thread safety maybe?
+        @arguments = args
+        @block = block
+        @object = object
+        before
+        around do
+          @return_value = object.send(method, *@arguments, &@block)
+        end
+        after
+        @return_value
+      end
+      # Replaces the method in the given klass.
+      #
+      # @param klass [Class, String] The target class
+      # @param method [Symbol] The method name to replace
+      def apply(klass, method)
+        if klass.is_a?(String)
+          return unless Object.const_defined?(klass)
+          klass = Object.const_get(klass)
+        end
+        proxy = self
+        original_method = "_tainted_love_original_#{method}"
+        klass.class_eval do
+          alias_method original_method, method
+          define_method method do |*args, &given_block|
+            proxy.handle(self, original_method, *args, &given_block)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/action_dispatch_diagnostics.rb ADDED

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Validator
+    class ActionDispatchDiagnostics < Base
+      FILES = %w(
+        action_dispatch/middleware/templates/rescues/routing_error.html.erb
+        action_dispatch/middleware/templates/rescues/diagnostics.html.erb
+      )
+      def remove?(warning)
+        return unless warning.replacer == :ReplaceActionView
+        FILES.any? do |file|
+          warning.stack_trace_line[:file][file]
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/active_record_find.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Validator
+    class ActiveRecordFind < Base
+      def remove?(warning)
+        return unless warning.replacer == :ReplaceActiveRecord
+        warning.stack_trace.lines.take(2).any? do |line|
+          line[:file]['lib/active_record/core.rb'] && line[:method] == 'find'
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/erb_eval.rb CHANGED

@@ -4,9 +4,7 @@ module TaintedLove
   module Validator
     class ErbEval < Base
       def remove?(warning)
-        if Object.const_defined?('Rails') || Object.const_defined?('ERB')
-          return true if warning.tainted_input['_erbout']
-        end
+        return true if warning.replacer == :ReplaceKernel && warning.tainted_input.include?('_erbout')
       end
     end
   end

data/lib/tainted_love/validator/haml_eval.rb ADDED

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Validator
+    class HamlEval < Base
+      CALLS = [
+        ['haml/attribute_compiler.rb', 'static_build'],
+        ['haml/parser.rb', 'parse_static_hash'],
+        ['haml/util.rb', 'block in unescape_interpolation']
+      ]
+      def remove?(warning)
+        return unless warning.replacer == :ReplaceKernel
+        line = warning.stack_trace_line
+        return unless line[:file]['gems/haml']
+        CALLS.any? do |file, method|
+          line[:method] == method && line[:file][file]
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/i18n_load.rb ADDED

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Validator
+    class I18nLoad < Base
+      def remove?(warning)
+        return unless [:ReplaceYAML, :ReplaceKernel].include?(warning.replacer)
+        line = warning.stack_trace.lines.first
+        if line[:file]['i18n/backend/base.rb'] && line[:method].start_with?('load_')
+          return true
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/validator/ignore.rb ADDED

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module TaintedLove
+  module Validator
+    class Ignore < Base
+      class << self
+        attr_accessor :trace_hashes
+      end
+      self.trace_hashes = []
+      def remove?(warning)
+        hash = warning.stack_trace.trace_hash
+        Ignore.trace_hashes.any? do |s|
+          hash.start_with?(s)
+        end
+      end
+    end
+  end
+end

data/lib/tainted_love/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module TaintedLove
-  VERSION = '0.1.5'
+  VERSION = '0.4.0'
 end

data/service.yml ADDED

@@ -0,0 +1,6 @@
+# https://services.shopify.io/services/tainted_love/rubygems
+org_line:
+owners:
+- Shopify/appsec
+rubygems:
+  classification: library

data/{example → tests/rails}/.gitignore RENAMED

File without changes

data/{example → tests/rails}/.ruby-version RENAMED

File without changes

data/{example → tests/rails}/Gemfile RENAMED

@@ -8,7 +8,7 @@ ruby('2.5.3')
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
 gem('rails', '~> 5.2.2')
-gem('tainted_love', path: '..')
+gem('tainted_love', path: '../..')
 gem('sqlite3', '~> 1.3.6')
@@ -50,9 +50,6 @@ group :development do
   # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
   gem 'web-console', '>= 3.3.0'
   gem 'listen', '>= 3.0.5', '< 3.2'
-  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
-  gem 'spring'
-  gem 'spring-watcher-listen', '~> 2.0.0'
 end
 group :test do
@@ -65,3 +62,7 @@ end
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem('tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby])
+gem('graphql')
+gem('graphiql-rails', group: :development)

data/{example → tests/rails}/Gemfile.lock RENAMED

@@ -1,7 +1,7 @@
 PATH
-  remote: ..
+  remote: ../..
   specs:
-    tainted_love (0.1.4)
+    tainted_love (0.4.0)
 GEM
   remote: https://rubygems.org/
@@ -52,21 +52,21 @@ GEM
     archive-zip (0.12.0)
       io-like (~> 0.3.0)
     arel (9.0.0)
-    bindex (0.6.0)
-    bootsnap (1.4.2)
+    bindex (0.7.0)
+    bootsnap (1.4.4)
       msgpack (~> 1.0)
     builder (3.2.3)
     byebug (11.0.1)
-    capybara (3.16.1)
+    capybara (3.25.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
       rack (>= 1.6.0)
       rack-test (>= 0.6.3)
-      regexp_parser (~> 1.2)
+      regexp_parser (~> 1.5)
       xpath (~> 3.2)
-    childprocess (0.9.0)
-      ffi (~> 1.0, >= 1.0.11)
+    childprocess (1.0.1)
+      rake (< 13.0)
     chromedriver-helper (2.1.1)
       archive-zip (~> 0.10)
       nokogiri (~> 1.8)
@@ -81,15 +81,18 @@ GEM
     crass (1.0.4)
     erubi (1.8.0)
     execjs (2.7.0)
-    ffi (1.10.0)
+    ffi (1.11.1)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
+    graphiql-rails (1.7.0)
+      railties
+      sprockets-rails
+    graphql (1.9.6)
     i18n (1.6.0)
       concurrent-ruby (~> 1.0)
     io-like (0.3.0)
-    jbuilder (2.8.0)
+    jbuilder (2.9.1)
       activesupport (>= 4.2.0)
-      multi_json (>= 1.2)
     listen (3.1.5)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
@@ -103,17 +106,16 @@ GEM
       mimemagic (~> 0.3.2)
     method_source (0.9.2)
     mimemagic (0.3.3)
-    mini_mime (1.0.1)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.11.3)
-    msgpack (1.2.9)
-    multi_json (1.13.1)
-    nio4r (2.3.1)
-    nokogiri (1.10.2)
+    msgpack (1.3.0)
+    nio4r (2.4.0)
+    nokogiri (1.10.3)
       mini_portile2 (~> 2.4.0)
-    public_suffix (3.0.3)
+    public_suffix (3.1.1)
     puma (3.12.1)
-    rack (2.0.6)
+    rack (2.0.7)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (5.2.3)
@@ -144,10 +146,10 @@ GEM
     rb-fsevent (0.10.3)
     rb-inotify (0.10.0)
       ffi (~> 1.0)
-    regexp_parser (1.3.0)
+    regexp_parser (1.5.1)
     ruby_dep (1.5.0)
-    rubyzip (1.2.2)
-    sass (3.7.3)
+    rubyzip (1.2.3)
+    sass (3.7.4)
       sass-listen (~> 4.0.0)
     sass-listen (4.0.0)
       rb-fsevent (~> 0.9, >= 0.9.4)
@@ -158,14 +160,9 @@ GEM
       sprockets (>= 2.8, < 4.0)
       sprockets-rails (>= 2.0, < 4.0)
       tilt (>= 1.1, < 3)
-    selenium-webdriver (3.141.0)
-      childprocess (~> 0.5)
+    selenium-webdriver (3.142.3)
+      childprocess (>= 0.5, < 2.0)
       rubyzip (~> 1.2, >= 1.2.2)
-    spring (2.0.2)
-      activesupport (>= 4.2)
-    spring-watcher-listen (2.0.1)
-      listen (>= 2.7, < 4.0)
-      spring (>= 1.2, < 3.0)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -189,9 +186,9 @@ GEM
       activemodel (>= 5.0)
       bindex (>= 0.4.0)
       railties (>= 5.0)
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.4)
     xpath (3.2.0)
       nokogiri (~> 1.8)
@@ -204,14 +201,14 @@ DEPENDENCIES
   capybara (>= 2.15)
   chromedriver-helper
   coffee-rails (~> 4.2)
+  graphiql-rails
+  graphql
   jbuilder (~> 2.5)
   listen (>= 3.0.5, < 3.2)
   puma (~> 3.11)
   rails (~> 5.2.2)
   sass-rails (~> 5.0)
   selenium-webdriver
-  spring
-  spring-watcher-listen (~> 2.0.0)
   sqlite3 (~> 1.3.6)
   tainted_love!
   turbolinks (~> 5)