tainted_love 0.1.5 → 0.4.0

data/tests/rails/test/controllers/test_cases_controller_test.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: false
+
+require 'test_helper'
+
+class TestCasesControllerTest < ActionDispatch::IntegrationTest
+  include TaintedLoveHelpers
+
+  test "should get xss" do
+    assert_report do
+      get test_cases_xss_url(search: '<img src=x oenrror=alert(1)>'.taint)
+    end
+
+    assert_response :success
+  end
+
+  test "should get unsafe_render" do
+    assert_report do
+      get test_cases_unsafe_render_url(file: 'xss'.taint)
+    end
+
+    assert_response :success
+  end
+
+  test "should get render_inline" do
+    assert_report do
+      get test_cases_render_inline_url(template: '<%= `id` %>'.taint)
+    end
+
+    assert_response :success
+  end
+
+  test "user input is tainted" do
+    # Since there's no actual app running, some values are not tainted
+    # by ReplaceRackBuilder
+
+    params = {
+      get_param: 'asdf',
+      get_array_param: ["abc", "def"].each(&:taint),
+    }
+
+    headers = {}
+    headers['HTTP_AAA'.taint] = 'asdf'
+
+    cookies[:something] = 'asdf'.taint
+
+    get test_cases_taint_test_url('route_param', params: params), headers: headers
+
+    json = JSON.parse(response.body)
+
+    json.each do |(value_type, tainted, tags)|
+      assert tainted, "#{value_type} is not tainted"
+    end
+  end
+end

data/{example → tests/rails}/test/replacers/replace_active_record_test.rb

@@ -8,6 +8,27 @@ class ReplaceActiveRecordTest < ActiveSupport::TestCase
     end
   end
 
+  test "reports when the interpolation string is tainted" do
+    assert_report do
+      Product.where("id = ?".taint, 1)
+      Product.where("id = ?", 1)
+    end
+  end
+
+  test "reports when using find_by" do
+    assert_report do
+      Product.find_by("id".taint)
+      Product.find_by("id")
+    end
+  end
+
+  test "doesn't report when a hash is used with find_by" do
+    assert_report(0) do
+      Product.find_by(id: 1)
+      Product.find_by(name: "name".taint)
+    end
+  end
+
   test "replaces select" do
     assert_report do
       Product.select("query".taint)
@@ -28,4 +49,11 @@ class ReplaceActiveRecordTest < ActiveSupport::TestCase
       Product.count_by_sql("select * from products")
     end
   end
+
+  test "replaces order" do
+    assert_report do
+      Product.order('created_at asc'.taint)
+      Product.order('created_at asc')
+    end
+  end
 end

data/tests/rails/test/replacers/replace_rails_user_input_test.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class ReplaceRailsUserInput < ActiveSupport::TestCase
+  test "tainted_love_tags are copied to html_safe string" do
+    tag = { source: 'something' }
+    input = TaintedLove.tag('user input', tag)
+    input_safe = input.html_safe
+
+    assert_equal([tag], input_safe.tainted_love_tags)
+  end
+end

data/tests/sinatra/Gemfile

@@ -0,0 +1,3 @@
+gem 'sinatra'
+gem 'tainted_love', path: '../..'
+gem 'erubis'

data/tests/sinatra/Gemfile.lock

@@ -0,0 +1,29 @@
+PATH
+  remote: ../..
+  specs:
+    tainted_love (0.1.5)
+
+GEM
+  specs:
+    erubis (2.7.0)
+    mustermann (1.0.3)
+    rack (2.0.7)
+    rack-protection (2.0.5)
+      rack
+    sinatra (2.0.5)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.5)
+      tilt (~> 2.0)
+    tilt (2.0.9)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  erubis
+  sinatra
+  tainted_love!
+
+BUNDLED WITH
+   1.17.3

data/tests/sinatra/app.rb

@@ -0,0 +1,26 @@
+require 'sinatra'
+require 'tainted_love'
+require 'erubis'
+
+set :erb, :escape_html => true
+
+
+get '/' do
+  'asdf'
+end
+
+get '/eval/:cmd' do |cmd|
+  eval(cmd)
+end
+
+get '/eval' do
+  eval(params[:cmd])
+end
+
+get '/xss' do
+  erb :xss
+end
+
+
+TaintedLove.enable! do |config|
+end

data/tests/sinatra/test.sh

@@ -0,0 +1 @@
+exit 0 # todo

data/tests/sinatra/views/xss.erb

@@ -0,0 +1 @@
+<%= params[:search] %>

data/tools/web/Gemfile

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-gem 'sinatra'
+gem 'sinatra', '2.0.5'

data/tools/web/application.rb

@@ -17,7 +17,22 @@ end
 
 helpers do
   def prepare_inputs(warning)
-    warning['inputs'].sort_by { |_, reported_at| -reported_at }
+    warning['inputs'].sort_by { |value, input| -input['reported_at'] }
+  end
+
+  def highlight_input(input, tag)
+    return input[0...100] unless tag
+
+    value = tag['value']
+    source = tag['source']
+
+    input = input.gsub(value) { |match|
+      '[TAINTED_LOVE_MATCH_START]' + match + '[TAINTED_LOVE_MATCH_END]'
+    }
+
+    h(input)
+      .gsub('[TAINTED_LOVE_MATCH_START]', '<span data-title="' + h(source) + '">')
+      .gsub('[TAINTED_LOVE_MATCH_END]', '</span>')
   end
 
   def h(text)
@@ -32,7 +47,7 @@ end
 get '/' do
   @report = JSON.parse(File.read(REPORT_PATH))
   @warnings = @report['warnings'].sort_by do |_, code_path|
-    -code_path['inputs'].map { |_, reported_at| reported_at }.max
+    -code_path['inputs'].map { |value, input| input['reported_at'] }.max
   end.to_h
 
   erb :index

data/tools/web/public/application.css

@@ -2,6 +2,7 @@ body {
     font-family: sans-serif;
     margin: 0;
     background-color: #efefef;
+    color: #333;
 }
 
 .clear {
@@ -55,10 +56,20 @@ h2 {
     font-family: monospace;
 }
 
+.line a {
+    color: #0081d3;
+}
+
+
 .tag {
     font-size: 0.8em;
-    background-color: #9EBABA;
-    padding: 0.1em 0.3em;
+    padding: 0.2em 0.5em;
+    border-radius: 5px;
+    border: 2px solid #9EBABA;
+}
+
+.tag:before {
+    content: '#';
 }
 
 details summary {
@@ -77,3 +88,28 @@ details summary {
     content: attr(data-line);
     margin-right: 1em;
 }
+
+code span {
+    border-bottom: 2px solid rgba(255, 0, 0, 0.8);
+}
+
+
+code span[data-title] {
+  position: relative;
+  cursor: help;
+}
+
+code span[data-title]:hover::before {
+  content: attr(data-title);
+  position: absolute;
+  z-index: 10000;
+  bottom: -26px;
+  display: inline-block;
+  padding: 3px 6px;
+  border-radius: 2px;
+  background-color: rgba(0, 0, 0, 0.8);
+  color: white;
+  font-size: 0.8em;
+  font-family: sans-serif;
+  white-space: nowrap;
+}

data/tools/web/views/index.erb

@@ -25,22 +25,16 @@
         <p class="inputs">
           <% inputs = prepare_inputs(warning) %>
 
-          <% inputs.take(5).each do |(input, reported_at)|  %>
-            <div class="input">
-              <code><%=h input.inspect %></code>
-              <small>reported at <%= Time.at(reported_at) %></small>
-            </div>
+          <% inputs.take(5).each do |(value, input)|  %>
+            <%= erb :input, locals: { value: value, input: input } %>
           <% end %>
 
           <% if inputs.size > 5 %>
             <details>
               <summary>Show more</summary>
 
-              <% inputs.drop(5).each do |(input, reported_at)|  %>
-                <div class="input">
-                  <code><%=h input.inspect %></code>
-                  <small>reported at <%= Time.at(reported_at) %></small>
-                </div>
+              <% inputs.drop(5).each do |(value, input)|  %>
+                <%= erb :input, locals: { value: value, input: input } %>
               <% end %>
             </details>
           <% end %>
@@ -48,7 +42,7 @@
 
         <div>
           <% warning['tags'].each do |tag| %>
-            <span class="tag">#<%= tag %></span>
+            <span class="tag"><%= tag %></span>
           <% end %>
         </div>
       </div>

data/tools/web/views/input.erb

@@ -0,0 +1,4 @@
+<div class="input">
+  <code><%= highlight_input(value, input['taint_tags'].last) %></code>
+  <small>reported at <%= Time.at(input['reported_at']) %></small>
+</div>

data/tools/web/views/line.erb

@@ -3,9 +3,9 @@
     <%= line['file'].sub(@report['application_path'], '.') %></a><span>:<%= line['line_number'] %></span> in <%= line['method'] %>
   <% if line['file'].start_with?(@report['application_path']) %>
     <div class="code">
-    <% render_source(line['file'], line['line_number']).each do |(code, line_number)| %>
+        <% render_source(line['file'], line['line_number']).each do |(code, line_number)| %>
       <pre data-line="<%= line_number %>"><%= code %></pre>
-    <% end %>
+        <% end %>
     </div>
   <% end %>
 </div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tainted_love
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.4.0
 platform: ruby
 authors:
 - Benoit Cote-Jodoin
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-15 00:00:00.000000000 Z
+date: 2019-08-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -103,113 +103,6 @@ files:
 - bin/setup
 - bin/test
 - dev.yml
-- example/.gitignore
-- example/.ruby-version
-- example/Gemfile
-- example/Gemfile.lock
-- example/README.md
-- example/Rakefile
-- example/app/assets/config/manifest.js
-- example/app/assets/images/.keep
-- example/app/assets/javascripts/application.js
-- example/app/assets/javascripts/cable.js
-- example/app/assets/javascripts/channels/.keep
-- example/app/assets/javascripts/products.coffee
-- example/app/assets/stylesheets/application.css
-- example/app/assets/stylesheets/products.scss
-- example/app/assets/stylesheets/scaffolds.scss
-- example/app/channels/application_cable/channel.rb
-- example/app/channels/application_cable/connection.rb
-- example/app/controllers/application_controller.rb
-- example/app/controllers/concerns/.keep
-- example/app/controllers/products_controller.rb
-- example/app/controllers/test_cases_controller.rb
-- example/app/helpers/application_helper.rb
-- example/app/helpers/products_helper.rb
-- example/app/helpers/test_cases_helper.rb
-- example/app/jobs/application_job.rb
-- example/app/mailers/application_mailer.rb
-- example/app/models/application_record.rb
-- example/app/models/concerns/.keep
-- example/app/models/product.rb
-- example/app/views/layouts/application.html.erb
-- example/app/views/layouts/mailer.html.erb
-- example/app/views/layouts/mailer.text.erb
-- example/app/views/products/_form.html.erb
-- example/app/views/products/_product.json.jbuilder
-- example/app/views/products/edit.html.erb
-- example/app/views/products/index.html.erb
-- example/app/views/products/index.json.jbuilder
-- example/app/views/products/new.html.erb
-- example/app/views/products/show.html.erb
-- example/app/views/products/show.json.jbuilder
-- example/app/views/test_cases/xss.html.erb
-- example/bin/bundle
-- example/bin/rails
-- example/bin/rake
-- example/bin/setup
-- example/bin/spring
-- example/bin/update
-- example/bin/yarn
-- example/config.ru
-- example/config/application.rb
-- example/config/boot.rb
-- example/config/cable.yml
-- example/config/credentials.yml.enc
-- example/config/database.yml
-- example/config/environment.rb
-- example/config/environments/development.rb
-- example/config/environments/production.rb
-- example/config/environments/test.rb
-- example/config/initializers/application_controller_renderer.rb
-- example/config/initializers/assets.rb
-- example/config/initializers/backtrace_silencers.rb
-- example/config/initializers/content_security_policy.rb
-- example/config/initializers/cookies_serializer.rb
-- example/config/initializers/filter_parameter_logging.rb
-- example/config/initializers/inflections.rb
-- example/config/initializers/mime_types.rb
-- example/config/initializers/tainted_love.rb
-- example/config/initializers/wrap_parameters.rb
-- example/config/locales/en.yml
-- example/config/puma.rb
-- example/config/routes.rb
-- example/config/spring.rb
-- example/config/storage.yml
-- example/db/migrate/20190311220346_create_products.rb
-- example/db/schema.rb
-- example/db/seeds.rb
-- example/lib/assets/.keep
-- example/lib/tasks/.keep
-- example/log/.keep
-- example/package.json
-- example/public/404.html
-- example/public/422.html
-- example/public/500.html
-- example/public/apple-touch-icon-precomposed.png
-- example/public/apple-touch-icon.png
-- example/public/favicon.ico
-- example/public/robots.txt
-- example/storage/.keep
-- example/test/application_system_test_case.rb
-- example/test/controllers/.keep
-- example/test/controllers/products_controller_test.rb
-- example/test/controllers/test_cases_controller_test.rb
-- example/test/fixtures/.keep
-- example/test/fixtures/files/.keep
-- example/test/fixtures/products.yml
-- example/test/helpers/.keep
-- example/test/integration/.keep
-- example/test/mailers/.keep
-- example/test/models/.keep
-- example/test/models/product_test.rb
-- example/test/replacers/replace_active_record_test.rb
-- example/test/replacers/replace_sprokets_test.rb
-- example/test/system/.keep
-- example/test/system/products_test.rb
-- example/test/test_helper.rb
-- example/tmp/.keep
-- example/vendor/.keep
 - lib/tainted_love.rb
 - lib/tainted_love/configuration.rb
 - lib/tainted_love/replacer/base.rb
@@ -218,20 +111,32 @@ files:
 - lib/tainted_love/replacer/replace_active_record.rb
 - lib/tainted_love/replacer/replace_digest.rb
 - lib/tainted_love/replacer/replace_file.rb
+- lib/tainted_love/replacer/replace_graphql.rb
 - lib/tainted_love/replacer/replace_kernel.rb
 - lib/tainted_love/replacer/replace_marshal.rb
 - lib/tainted_love/replacer/replace_object.rb
+- lib/tainted_love/replacer/replace_rack_builder.rb
+- lib/tainted_love/replacer/replace_rack_file.rb
+- lib/tainted_love/replacer/replace_rack_query_parser.rb
 - lib/tainted_love/replacer/replace_rails_user_input.rb
 - lib/tainted_love/replacer/replace_sprokets.rb
+- lib/tainted_love/replacer/replace_string.rb
+- lib/tainted_love/replacer/replace_tag_builder.rb
 - lib/tainted_love/replacer/replace_yaml.rb
 - lib/tainted_love/reporter/base.rb
 - lib/tainted_love/reporter/file_reporter.rb
 - lib/tainted_love/reporter/stdout_reporter.rb
 - lib/tainted_love/stack_trace.rb
 - lib/tainted_love/utils.rb
+- lib/tainted_love/utils/proxy.rb
+- lib/tainted_love/validator/action_dispatch_diagnostics.rb
 - lib/tainted_love/validator/action_view_object_send.rb
+- lib/tainted_love/validator/active_record_find.rb
 - lib/tainted_love/validator/base.rb
 - lib/tainted_love/validator/erb_eval.rb
+- lib/tainted_love/validator/haml_eval.rb
+- lib/tainted_love/validator/i18n_load.rb
+- lib/tainted_love/validator/ignore.rb
 - lib/tainted_love/validator/rack_builder_eval.rb
 - lib/tainted_love/validator/railties_yaml_load.rb
 - lib/tainted_love/validator/rake_testtask.rb
@@ -240,13 +145,144 @@ files:
 - lib/tainted_love/validator/webpacker_yaml.rb
 - lib/tainted_love/version.rb
 - lib/tainted_love/warning.rb
+- service.yml
 - tainted_love.gemspec
+- tests/rails/.gitignore
+- tests/rails/.ruby-version
+- tests/rails/Gemfile
+- tests/rails/Gemfile.lock
+- tests/rails/README.md
+- tests/rails/Rakefile
+- tests/rails/app/assets/config/manifest.js
+- tests/rails/app/assets/images/.keep
+- tests/rails/app/assets/javascripts/application.js
+- tests/rails/app/assets/javascripts/cable.js
+- tests/rails/app/assets/javascripts/channels/.keep
+- tests/rails/app/assets/javascripts/products.coffee
+- tests/rails/app/assets/stylesheets/application.css
+- tests/rails/app/assets/stylesheets/products.scss
+- tests/rails/app/assets/stylesheets/scaffolds.scss
+- tests/rails/app/channels/application_cable/channel.rb
+- tests/rails/app/channels/application_cable/connection.rb
+- tests/rails/app/controllers/application_controller.rb
+- tests/rails/app/controllers/concerns/.keep
+- tests/rails/app/controllers/graphql_controller.rb
+- tests/rails/app/controllers/products_controller.rb
+- tests/rails/app/controllers/test_cases_controller.rb
+- tests/rails/app/graphql/example_schema.rb
+- tests/rails/app/graphql/mutations/.keep
+- tests/rails/app/graphql/types/.keep
+- tests/rails/app/graphql/types/base_enum.rb
+- tests/rails/app/graphql/types/base_input_object.rb
+- tests/rails/app/graphql/types/base_interface.rb
+- tests/rails/app/graphql/types/base_object.rb
+- tests/rails/app/graphql/types/base_scalar.rb
+- tests/rails/app/graphql/types/base_union.rb
+- tests/rails/app/graphql/types/mutation_type.rb
+- tests/rails/app/graphql/types/product_type.rb
+- tests/rails/app/graphql/types/query_type.rb
+- tests/rails/app/graphql/types/taint_test_case_input.rb
+- tests/rails/app/helpers/application_helper.rb
+- tests/rails/app/helpers/products_helper.rb
+- tests/rails/app/helpers/test_cases_helper.rb
+- tests/rails/app/jobs/application_job.rb
+- tests/rails/app/mailers/application_mailer.rb
+- tests/rails/app/models/application_record.rb
+- tests/rails/app/models/concerns/.keep
+- tests/rails/app/models/product.rb
+- tests/rails/app/views/layouts/application.html.erb
+- tests/rails/app/views/layouts/mailer.html.erb
+- tests/rails/app/views/layouts/mailer.text.erb
+- tests/rails/app/views/products/_form.html.erb
+- tests/rails/app/views/products/_product.json.jbuilder
+- tests/rails/app/views/products/edit.html.erb
+- tests/rails/app/views/products/index.html.erb
+- tests/rails/app/views/products/index.json.jbuilder
+- tests/rails/app/views/products/new.html.erb
+- tests/rails/app/views/products/show.html.erb
+- tests/rails/app/views/products/show.json.jbuilder
+- tests/rails/app/views/test_cases/xss.html.erb
+- tests/rails/bin/bundle
+- tests/rails/bin/rails
+- tests/rails/bin/rake
+- tests/rails/bin/setup
+- tests/rails/bin/spring
+- tests/rails/bin/update
+- tests/rails/bin/yarn
+- tests/rails/config.ru
+- tests/rails/config/application.rb
+- tests/rails/config/boot.rb
+- tests/rails/config/cable.yml
+- tests/rails/config/credentials.yml.enc
+- tests/rails/config/database.yml
+- tests/rails/config/environment.rb
+- tests/rails/config/environments/development.rb
+- tests/rails/config/environments/production.rb
+- tests/rails/config/environments/test.rb
+- tests/rails/config/initializers/application_controller_renderer.rb
+- tests/rails/config/initializers/assets.rb
+- tests/rails/config/initializers/backtrace_silencers.rb
+- tests/rails/config/initializers/content_security_policy.rb
+- tests/rails/config/initializers/cookies_serializer.rb
+- tests/rails/config/initializers/filter_parameter_logging.rb
+- tests/rails/config/initializers/inflections.rb
+- tests/rails/config/initializers/mime_types.rb
+- tests/rails/config/initializers/tainted_love.rb
+- tests/rails/config/initializers/wrap_parameters.rb
+- tests/rails/config/locales/en.yml
+- tests/rails/config/puma.rb
+- tests/rails/config/routes.rb
+- tests/rails/config/spring.rb
+- tests/rails/config/storage.yml
+- tests/rails/db/migrate/20190311220346_create_products.rb
+- tests/rails/db/schema.rb
+- tests/rails/db/seeds.rb
+- tests/rails/lib/assets/.keep
+- tests/rails/lib/tasks/.keep
+- tests/rails/log/.keep
+- tests/rails/package.json
+- tests/rails/public/404.html
+- tests/rails/public/422.html
+- tests/rails/public/500.html
+- tests/rails/public/apple-touch-icon-precomposed.png
+- tests/rails/public/apple-touch-icon.png
+- tests/rails/public/favicon.ico
+- tests/rails/public/robots.txt
+- tests/rails/storage/.keep
+- tests/rails/test.sh
+- tests/rails/test/application_system_test_case.rb
+- tests/rails/test/controllers/.keep
+- tests/rails/test/controllers/graphql_controller_test.rb
+- tests/rails/test/controllers/products_controller_test.rb
+- tests/rails/test/controllers/test_cases_controller_test.rb
+- tests/rails/test/fixtures/.keep
+- tests/rails/test/fixtures/files/.keep
+- tests/rails/test/fixtures/products.yml
+- tests/rails/test/helpers/.keep
+- tests/rails/test/integration/.keep
+- tests/rails/test/mailers/.keep
+- tests/rails/test/models/.keep
+- tests/rails/test/models/product_test.rb
+- tests/rails/test/replacers/replace_active_record_test.rb
+- tests/rails/test/replacers/replace_rails_user_input_test.rb
+- tests/rails/test/replacers/replace_sprokets_test.rb
+- tests/rails/test/system/.keep
+- tests/rails/test/system/products_test.rb
+- tests/rails/test/test_helper.rb
+- tests/rails/tmp/.keep
+- tests/rails/vendor/.keep
+- tests/sinatra/Gemfile
+- tests/sinatra/Gemfile.lock
+- tests/sinatra/app.rb
+- tests/sinatra/test.sh
+- tests/sinatra/views/xss.erb
 - tools/web/.gitignore
 - tools/web/Gemfile
 - tools/web/application.rb
 - tools/web/public/application.css
 - tools/web/public/application.js
 - tools/web/views/index.erb
+- tools/web/views/input.erb
 - tools/web/views/layout.erb
 - tools/web/views/line.erb
 - tools/web/views/warning.erb
@@ -270,8 +306,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: TaintedLove is a dynamic security analysis tool for Ruby