RubyGems - tainted_love - Versions diffs - 0.1.5 → 0.4.0 - Mend

@@ -0,0 +1,43 @@
+class GraphqlController < ApplicationController
+  def execute
+    variables = ensure_hash(params[:variables])
+    query = params[:query]
+    operation_name = params[:operationName]
+    context = {
+      # Query context goes here, for example:
+      # current_user: current_user,
+    }
+    result = ExampleSchema.execute(query, variables: variables, context: context, operation_name: operation_name)
+    render json: result
+  rescue => e
+    raise e unless Rails.env.development?
+    handle_error_in_development e
+  end
+  private
+  # Handle form data, JSON body, or a blank value
+  def ensure_hash(ambiguous_param)
+    case ambiguous_param
+    when String
+      if ambiguous_param.present?
+        ensure_hash(JSON.parse(ambiguous_param))
+      else
+        {}
+      end
+    when Hash, ActionController::Parameters
+      ambiguous_param
+    when nil
+      {}
+    else
+      raise ArgumentError, "Unexpected parameter: #{ambiguous_param}"
+    end
+  end
+  def handle_error_in_development(e)
+    logger.error e.message
+    logger.error e.backtrace.join("\n")
+    render json: { error: { message: e.message, backtrace: e.backtrace }, data: {} }, status: 500
+  end
+end

data/{example → tests/rails}/app/controllers/products_controller.rb RENAMED

File without changes

data/tests/rails/app/controllers/test_cases_controller.rb ADDED

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+class TestCasesController < ApplicationController
+  layout false
+  def xss
+  end
+  def unsafe_render
+    render(params[:file])
+  end
+  def render_inline
+    render(inline: params[:template])
+  end
+  def unsafe_redirect
+    redirect_to(params[:to])
+  end
+  def taint_test
+    cookies[:something] = 'asdf'
+    values = {
+      'route_parameter_value' => params[:route_param],
+      'get_parameter' => params[:get_param],
+      'get_array_parameter_0' => params[:get_array_param][0],
+      'get_array_parameter_1' => params[:get_array_param][1],
+      'parameter_name' => params.keys.first,
+      'header_value' => request.headers['Host'],
+      'header_name' => request.headers.to_h.keys.select { |k| k['HTTP_AAA'] }.first,
+      'cookie_value' => cookies[:something],
+      'cookie_name' => cookies.to_h.keys.first,
+      'fullpath' => request.original_fullpath
+    }
+    description = values.keys
+    tainted = values.values.map(&:tainted?)
+    sources = values.values.map(&:tainted_love_tags)
+    render json: description.zip(values.values, tainted, sources)
+  end
+end

data/tests/rails/app/graphql/example_schema.rb ADDED

@@ -0,0 +1,4 @@
+class ExampleSchema < GraphQL::Schema
+  mutation(Types::MutationType)
+  query(Types::QueryType)
+end

data/{example/app/models/concerns → tests/rails/app/graphql/mutations}/.keep RENAMED

File without changes

data/{example/lib/assets → tests/rails/app/graphql/types}/.keep RENAMED

File without changes

data/tests/rails/app/graphql/types/base_enum.rb ADDED

@@ -0,0 +1,4 @@
+module Types
+  class BaseEnum < GraphQL::Schema::Enum
+  end
+end

data/tests/rails/app/graphql/types/base_input_object.rb ADDED

@@ -0,0 +1,4 @@
+module Types
+  class BaseInputObject < GraphQL::Schema::InputObject
+  end
+end

data/tests/rails/app/graphql/types/base_interface.rb ADDED

@@ -0,0 +1,5 @@
+module Types
+  module BaseInterface
+    include GraphQL::Schema::Interface
+  end
+end

data/tests/rails/app/graphql/types/base_object.rb ADDED

@@ -0,0 +1,4 @@
+module Types
+  class BaseObject < GraphQL::Schema::Object
+  end
+end

data/tests/rails/app/graphql/types/base_scalar.rb ADDED

@@ -0,0 +1,4 @@
+module Types
+  class BaseScalar < GraphQL::Schema::Scalar
+  end
+end

data/tests/rails/app/graphql/types/base_union.rb ADDED

@@ -0,0 +1,4 @@
+module Types
+  class BaseUnion < GraphQL::Schema::Union
+  end
+end

data/tests/rails/app/graphql/types/mutation_type.rb ADDED

@@ -0,0 +1,10 @@
+module Types
+  class MutationType < Types::BaseObject
+    # TODO: remove me
+    field :test_field, String, null: false,
+      description: "An example field added by the generator"
+    def test_field
+      "Hello World"
+    end
+  end
+end

data/tests/rails/app/graphql/types/product_type.rb ADDED

@@ -0,0 +1,10 @@
+module Types
+  class ProductType < Types::BaseObject
+    field :id, Integer, null: false
+    field :name, String, null: true
+    field :price, Integer, null: false
+    field :description, String, null: true
+    field :products, [ProductType], null: true
+  end
+end

data/tests/rails/app/graphql/types/query_type.rb ADDED

@@ -0,0 +1,46 @@
+module Types
+  class QueryType < Types::BaseObject
+    field :object_argument_taint_test_case, Boolean, null: false do
+      argument :input, TaintTestCaseInput, required: true
+    end
+    field :string_argument_taint_test_case, Boolean, null: false do
+      argument :input, String, required: true
+      argument :input_default, String, required: false, default_value: "something"
+    end
+    field :mutate_context, Integer, null: true do
+      argument :id, Integer, required: true
+    end
+    field :whoami, Integer, null: true
+    field :products, [ProductType], null: true
+    def object_argument_taint_test_case(input:)
+      [
+        input.top_level_string.tainted?,
+        !input.default_value_untainted.tainted?
+      ].all?
+    end
+    def string_argument_taint_test_case(input:, input_default:)
+      [
+        input.tainted?,
+        !input_default.tainted?
+      ].all?
+    end
+    def mutate_context(id:)
+      context[:user_id] = id
+    end
+    def whoami
+      context[:user_id]
+    end
+    def products
+      Product.all
+    end
+  end
+end

data/tests/rails/app/graphql/types/taint_test_case_input.rb ADDED

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Types
+  class TaintTestCaseInput < Types::BaseInputObject
+    argument :top_level_string, String, required: true
+    argument :default_value_untainted, String, required: false, default_value: "A value"
+  end
+end

data/{example → tests/rails}/app/helpers/application_helper.rb RENAMED

File without changes

data/{example → tests/rails}/app/helpers/products_helper.rb RENAMED

File without changes

data/{example → tests/rails}/app/helpers/test_cases_helper.rb RENAMED

File without changes

data/{example → tests/rails}/app/jobs/application_job.rb RENAMED

File without changes

data/{example → tests/rails}/app/mailers/application_mailer.rb RENAMED

File without changes

data/{example → tests/rails}/app/models/application_record.rb RENAMED

File without changes

data/{example/lib/tasks → tests/rails/app/models/concerns}/.keep RENAMED

File without changes

data/{example → tests/rails}/app/models/product.rb RENAMED

File without changes

data/{example → tests/rails}/app/views/layouts/application.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/layouts/mailer.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/layouts/mailer.text.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/products/_form.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/products/_product.json.jbuilder RENAMED

File without changes

data/{example → tests/rails}/app/views/products/edit.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/products/index.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/products/index.json.jbuilder RENAMED

File without changes

data/{example → tests/rails}/app/views/products/new.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/products/show.html.erb RENAMED

File without changes

data/{example → tests/rails}/app/views/products/show.json.jbuilder RENAMED

File without changes

data/{example → tests/rails}/app/views/test_cases/xss.html.erb RENAMED

File without changes

data/{example → tests/rails}/bin/bundle RENAMED

File without changes

data/{example → tests/rails}/bin/rails RENAMED

File without changes

data/{example → tests/rails}/bin/rake RENAMED

File without changes

data/{example → tests/rails}/bin/setup RENAMED

File without changes

data/{example → tests/rails}/bin/spring RENAMED

File without changes

data/{example → tests/rails}/bin/update RENAMED

File without changes

data/{example → tests/rails}/bin/yarn RENAMED

File without changes

data/{example → tests/rails}/config.ru RENAMED

File without changes

data/{example → tests/rails}/config/application.rb RENAMED

File without changes

data/{example → tests/rails}/config/boot.rb RENAMED

File without changes

data/{example → tests/rails}/config/cable.yml RENAMED

File without changes

data/{example → tests/rails}/config/credentials.yml.enc RENAMED

File without changes

data/{example → tests/rails}/config/database.yml RENAMED

File without changes

data/{example → tests/rails}/config/environment.rb RENAMED

File without changes

data/{example → tests/rails}/config/environments/development.rb RENAMED

File without changes

data/{example → tests/rails}/config/environments/production.rb RENAMED

File without changes

data/{example → tests/rails}/config/environments/test.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/application_controller_renderer.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/assets.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/backtrace_silencers.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/content_security_policy.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/cookies_serializer.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/filter_parameter_logging.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/inflections.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/mime_types.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/tainted_love.rb RENAMED

File without changes

data/{example → tests/rails}/config/initializers/wrap_parameters.rb RENAMED

File without changes

data/{example → tests/rails}/config/locales/en.yml RENAMED

File without changes

data/{example → tests/rails}/config/puma.rb RENAMED

File without changes

data/{example → tests/rails}/config/routes.rb RENAMED

@@ -1,10 +1,16 @@
 # frozen_string_literal: true
 Rails.application.routes.draw do
+  if Rails.env.development?
+    mount GraphiQL::Rails::Engine, at: "/graphiql", graphql_path: "/graphql"
+  end
+  post "/graphql", to: "graphql#execute"
   get 'test_cases/xss'
   get 'test_cases/unsafe_render'
   get 'test_cases/render_inline'
   get 'test_cases/unsafe_redirect'
+  get 'test_cases/taint_test/:route_param' => 'test_cases#taint_test', as: 'test_cases_taint_test'
   resources :products
   # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
 end

data/{example → tests/rails}/config/spring.rb RENAMED

File without changes

data/{example → tests/rails}/config/storage.yml RENAMED

File without changes

data/{example → tests/rails}/db/migrate/20190311220346_create_products.rb RENAMED

File without changes

data/{example → tests/rails}/db/schema.rb RENAMED

File without changes

data/{example → tests/rails}/db/seeds.rb RENAMED

File without changes

data/{example/log → tests/rails/lib/assets}/.keep RENAMED

File without changes

data/{example/storage → tests/rails/lib/tasks}/.keep RENAMED

File without changes

data/{example/test/controllers → tests/rails/log}/.keep RENAMED

File without changes

data/{example → tests/rails}/package.json RENAMED

File without changes

data/{example → tests/rails}/public/404.html RENAMED

File without changes

data/{example → tests/rails}/public/422.html RENAMED

File without changes

data/{example → tests/rails}/public/500.html RENAMED

File without changes

data/{example → tests/rails}/public/apple-touch-icon-precomposed.png RENAMED

File without changes

data/{example → tests/rails}/public/apple-touch-icon.png RENAMED

File without changes

data/{example → tests/rails}/public/favicon.ico RENAMED

File without changes

data/{example → tests/rails}/public/robots.txt RENAMED

File without changes

data/{example/test/fixtures → tests/rails/storage}/.keep RENAMED

File without changes

data/tests/rails/test.sh ADDED

	@@ -0,0 +1 @@
1	+ bundle exec rails test

data/{example → tests/rails}/test/application_system_test_case.rb RENAMED

File without changes

data/{example/test/fixtures/files → tests/rails/test/controllers}/.keep RENAMED

File without changes

data/tests/rails/test/controllers/graphql_controller_test.rb ADDED

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require 'test_helper'
+class GraphQLControllerTest < ActionDispatch::IntegrationTest
+  test "string arguments are tainted" do
+    response = run_graphql('{ stringArgumentTaintTestCase(input:"asdf") }')
+    assert_equal({ "data" => { "stringArgumentTaintTestCase" => true } }, response)
+  end
+  test "string in object arguments are tainted" do
+    response = run_graphql('{ objectArgumentTaintTestCase(input: { topLevelString: "Asdf" }) }')
+    assert_equal({ "data" => { "objectArgumentTaintTestCase" => true } }, response)
+  end
+  def run_graphql(query)
+    params = {
+      query: query
+    }
+    post graphql_url, params: params
+    assert_response :success
+    response.parsed_body
+  end
+end