tainted_love 0.1.5 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +2 -0
- data/bin/setup +3 -3
- data/bin/test +6 -2
- data/dev.yml +1 -1
- data/lib/tainted_love.rb +2 -2
- data/lib/tainted_love/replacer/base.rb +5 -1
- data/lib/tainted_love/replacer/replace_action_controller.rb +0 -4
- data/lib/tainted_love/replacer/replace_active_record.rb +21 -1
- data/lib/tainted_love/replacer/replace_graphql.rb +27 -0
- data/lib/tainted_love/replacer/replace_kernel.rb +1 -1
- data/lib/tainted_love/replacer/replace_object.rb +8 -2
- data/lib/tainted_love/replacer/replace_rack_builder.rb +51 -0
- data/lib/tainted_love/replacer/replace_rack_file.rb +25 -0
- data/lib/tainted_love/replacer/replace_rack_query_parser.rb +50 -0
- data/lib/tainted_love/replacer/replace_rails_user_input.rb +12 -27
- data/lib/tainted_love/replacer/replace_string.rb +69 -0
- data/lib/tainted_love/replacer/replace_tag_builder.rb +16 -0
- data/lib/tainted_love/reporter/base.rb +4 -1
- data/lib/tainted_love/reporter/stdout_reporter.rb +1 -0
- data/lib/tainted_love/utils.rb +4 -19
- data/lib/tainted_love/utils/proxy.rb +95 -0
- data/lib/tainted_love/validator/action_dispatch_diagnostics.rb +20 -0
- data/lib/tainted_love/validator/active_record_find.rb +15 -0
- data/lib/tainted_love/validator/erb_eval.rb +1 -3
- data/lib/tainted_love/validator/haml_eval.rb +25 -0
- data/lib/tainted_love/validator/i18n_load.rb +17 -0
- data/lib/tainted_love/validator/ignore.rb +21 -0
- data/lib/tainted_love/version.rb +1 -1
- data/service.yml +6 -0
- data/{example → tests/rails}/.gitignore +0 -0
- data/{example → tests/rails}/.ruby-version +0 -0
- data/{example → tests/rails}/Gemfile +5 -4
- data/{example → tests/rails}/Gemfile.lock +29 -32
- data/{example → tests/rails}/README.md +0 -0
- data/{example → tests/rails}/Rakefile +0 -0
- data/{example → tests/rails}/app/assets/config/manifest.js +0 -0
- data/{example → tests/rails}/app/assets/images/.keep +0 -0
- data/{example → tests/rails}/app/assets/javascripts/application.js +0 -0
- data/{example → tests/rails}/app/assets/javascripts/cable.js +0 -0
- data/{example → tests/rails}/app/assets/javascripts/channels/.keep +0 -0
- data/{example → tests/rails}/app/assets/javascripts/products.coffee +0 -0
- data/{example → tests/rails}/app/assets/stylesheets/application.css +0 -0
- data/{example → tests/rails}/app/assets/stylesheets/products.scss +0 -0
- data/{example → tests/rails}/app/assets/stylesheets/scaffolds.scss +0 -0
- data/{example → tests/rails}/app/channels/application_cable/channel.rb +0 -0
- data/{example → tests/rails}/app/channels/application_cable/connection.rb +0 -0
- data/{example → tests/rails}/app/controllers/application_controller.rb +0 -0
- data/{example → tests/rails}/app/controllers/concerns/.keep +0 -0
- data/tests/rails/app/controllers/graphql_controller.rb +43 -0
- data/{example → tests/rails}/app/controllers/products_controller.rb +0 -0
- data/tests/rails/app/controllers/test_cases_controller.rb +43 -0
- data/tests/rails/app/graphql/example_schema.rb +4 -0
- data/{example/app/models/concerns → tests/rails/app/graphql/mutations}/.keep +0 -0
- data/{example/lib/assets → tests/rails/app/graphql/types}/.keep +0 -0
- data/tests/rails/app/graphql/types/base_enum.rb +4 -0
- data/tests/rails/app/graphql/types/base_input_object.rb +4 -0
- data/tests/rails/app/graphql/types/base_interface.rb +5 -0
- data/tests/rails/app/graphql/types/base_object.rb +4 -0
- data/tests/rails/app/graphql/types/base_scalar.rb +4 -0
- data/tests/rails/app/graphql/types/base_union.rb +4 -0
- data/tests/rails/app/graphql/types/mutation_type.rb +10 -0
- data/tests/rails/app/graphql/types/product_type.rb +10 -0
- data/tests/rails/app/graphql/types/query_type.rb +46 -0
- data/tests/rails/app/graphql/types/taint_test_case_input.rb +8 -0
- data/{example → tests/rails}/app/helpers/application_helper.rb +0 -0
- data/{example → tests/rails}/app/helpers/products_helper.rb +0 -0
- data/{example → tests/rails}/app/helpers/test_cases_helper.rb +0 -0
- data/{example → tests/rails}/app/jobs/application_job.rb +0 -0
- data/{example → tests/rails}/app/mailers/application_mailer.rb +0 -0
- data/{example → tests/rails}/app/models/application_record.rb +0 -0
- data/{example/lib/tasks → tests/rails/app/models/concerns}/.keep +0 -0
- data/{example → tests/rails}/app/models/product.rb +0 -0
- data/{example → tests/rails}/app/views/layouts/application.html.erb +0 -0
- data/{example → tests/rails}/app/views/layouts/mailer.html.erb +0 -0
- data/{example → tests/rails}/app/views/layouts/mailer.text.erb +0 -0
- data/{example → tests/rails}/app/views/products/_form.html.erb +0 -0
- data/{example → tests/rails}/app/views/products/_product.json.jbuilder +0 -0
- data/{example → tests/rails}/app/views/products/edit.html.erb +0 -0
- data/{example → tests/rails}/app/views/products/index.html.erb +0 -0
- data/{example → tests/rails}/app/views/products/index.json.jbuilder +0 -0
- data/{example → tests/rails}/app/views/products/new.html.erb +0 -0
- data/{example → tests/rails}/app/views/products/show.html.erb +0 -0
- data/{example → tests/rails}/app/views/products/show.json.jbuilder +0 -0
- data/{example → tests/rails}/app/views/test_cases/xss.html.erb +0 -0
- data/{example → tests/rails}/bin/bundle +0 -0
- data/{example → tests/rails}/bin/rails +0 -0
- data/{example → tests/rails}/bin/rake +0 -0
- data/{example → tests/rails}/bin/setup +0 -0
- data/{example → tests/rails}/bin/spring +0 -0
- data/{example → tests/rails}/bin/update +0 -0
- data/{example → tests/rails}/bin/yarn +0 -0
- data/{example → tests/rails}/config.ru +0 -0
- data/{example → tests/rails}/config/application.rb +0 -0
- data/{example → tests/rails}/config/boot.rb +0 -0
- data/{example → tests/rails}/config/cable.yml +0 -0
- data/{example → tests/rails}/config/credentials.yml.enc +0 -0
- data/{example → tests/rails}/config/database.yml +0 -0
- data/{example → tests/rails}/config/environment.rb +0 -0
- data/{example → tests/rails}/config/environments/development.rb +0 -0
- data/{example → tests/rails}/config/environments/production.rb +0 -0
- data/{example → tests/rails}/config/environments/test.rb +0 -0
- data/{example → tests/rails}/config/initializers/application_controller_renderer.rb +0 -0
- data/{example → tests/rails}/config/initializers/assets.rb +0 -0
- data/{example → tests/rails}/config/initializers/backtrace_silencers.rb +0 -0
- data/{example → tests/rails}/config/initializers/content_security_policy.rb +0 -0
- data/{example → tests/rails}/config/initializers/cookies_serializer.rb +0 -0
- data/{example → tests/rails}/config/initializers/filter_parameter_logging.rb +0 -0
- data/{example → tests/rails}/config/initializers/inflections.rb +0 -0
- data/{example → tests/rails}/config/initializers/mime_types.rb +0 -0
- data/{example → tests/rails}/config/initializers/tainted_love.rb +0 -0
- data/{example → tests/rails}/config/initializers/wrap_parameters.rb +0 -0
- data/{example → tests/rails}/config/locales/en.yml +0 -0
- data/{example → tests/rails}/config/puma.rb +0 -0
- data/{example → tests/rails}/config/routes.rb +6 -0
- data/{example → tests/rails}/config/spring.rb +0 -0
- data/{example → tests/rails}/config/storage.yml +0 -0
- data/{example → tests/rails}/db/migrate/20190311220346_create_products.rb +0 -0
- data/{example → tests/rails}/db/schema.rb +0 -0
- data/{example → tests/rails}/db/seeds.rb +0 -0
- data/{example/log → tests/rails/lib/assets}/.keep +0 -0
- data/{example/storage → tests/rails/lib/tasks}/.keep +0 -0
- data/{example/test/controllers → tests/rails/log}/.keep +0 -0
- data/{example → tests/rails}/package.json +0 -0
- data/{example → tests/rails}/public/404.html +0 -0
- data/{example → tests/rails}/public/422.html +0 -0
- data/{example → tests/rails}/public/500.html +0 -0
- data/{example → tests/rails}/public/apple-touch-icon-precomposed.png +0 -0
- data/{example → tests/rails}/public/apple-touch-icon.png +0 -0
- data/{example → tests/rails}/public/favicon.ico +0 -0
- data/{example → tests/rails}/public/robots.txt +0 -0
- data/{example/test/fixtures → tests/rails/storage}/.keep +0 -0
- data/tests/rails/test.sh +1 -0
- data/{example → tests/rails}/test/application_system_test_case.rb +0 -0
- data/{example/test/fixtures/files → tests/rails/test/controllers}/.keep +0 -0
- data/tests/rails/test/controllers/graphql_controller_test.rb +28 -0
- data/{example → tests/rails}/test/controllers/products_controller_test.rb +0 -0
- data/tests/rails/test/controllers/test_cases_controller_test.rb +54 -0
- data/{example/test/helpers → tests/rails/test/fixtures}/.keep +0 -0
- data/{example/test/integration → tests/rails/test/fixtures/files}/.keep +0 -0
- data/{example → tests/rails}/test/fixtures/products.yml +0 -0
- data/{example/test/mailers → tests/rails/test/helpers}/.keep +0 -0
- data/{example/test/models → tests/rails/test/integration}/.keep +0 -0
- data/{example/test/system → tests/rails/test/mailers}/.keep +0 -0
- data/{example/tmp → tests/rails/test/models}/.keep +0 -0
- data/{example → tests/rails}/test/models/product_test.rb +0 -0
- data/{example → tests/rails}/test/replacers/replace_active_record_test.rb +28 -0
- data/tests/rails/test/replacers/replace_rails_user_input_test.rb +13 -0
- data/{example → tests/rails}/test/replacers/replace_sprokets_test.rb +0 -0
- data/{example/vendor → tests/rails/test/system}/.keep +0 -0
- data/{example → tests/rails}/test/system/products_test.rb +0 -0
- data/{example → tests/rails}/test/test_helper.rb +0 -0
- data/tests/rails/tmp/.keep +0 -0
- data/tests/rails/vendor/.keep +0 -0
- data/tests/sinatra/Gemfile +3 -0
- data/tests/sinatra/Gemfile.lock +29 -0
- data/tests/sinatra/app.rb +26 -0
- data/tests/sinatra/test.sh +1 -0
- data/tests/sinatra/views/xss.erb +1 -0
- data/tools/web/Gemfile +1 -1
- data/tools/web/application.rb +17 -2
- data/tools/web/public/application.css +38 -2
- data/tools/web/views/index.erb +5 -11
- data/tools/web/views/input.erb +4 -0
- data/tools/web/views/line.erb +2 -2
- metadata +146 -111
- data/example/app/controllers/test_cases_controller.rb +0 -20
- data/example/test/controllers/test_cases_controller_test.rb +0 -39
|
@@ -1,20 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
class TestCasesController < ApplicationController
|
|
4
|
-
layout false
|
|
5
|
-
|
|
6
|
-
def xss
|
|
7
|
-
end
|
|
8
|
-
|
|
9
|
-
def unsafe_render
|
|
10
|
-
render(params[:file])
|
|
11
|
-
end
|
|
12
|
-
|
|
13
|
-
def render_inline
|
|
14
|
-
render(inline: params[:template])
|
|
15
|
-
end
|
|
16
|
-
|
|
17
|
-
def unsafe_redirect
|
|
18
|
-
redirect_to(params[:to])
|
|
19
|
-
end
|
|
20
|
-
end
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require 'test_helper'
|
|
4
|
-
|
|
5
|
-
class TestCasesControllerTest < ActionDispatch::IntegrationTest
|
|
6
|
-
include TaintedLoveHelpers
|
|
7
|
-
|
|
8
|
-
test "should get xss" do
|
|
9
|
-
assert_report do
|
|
10
|
-
get test_cases_xss_url(search: '<img src=x oenrror=alert(1)>')
|
|
11
|
-
end
|
|
12
|
-
|
|
13
|
-
assert_response :success
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
test "should get unsafe_render" do
|
|
17
|
-
assert_report do
|
|
18
|
-
get test_cases_unsafe_render_url(file: 'xss')
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
assert_response :success
|
|
22
|
-
end
|
|
23
|
-
|
|
24
|
-
test "should get render_inline" do
|
|
25
|
-
assert_report do
|
|
26
|
-
get test_cases_render_inline_url(template: '<%= `id` %>')
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
assert_response :success
|
|
30
|
-
end
|
|
31
|
-
|
|
32
|
-
test "should get unsafe_redirect" do
|
|
33
|
-
assert_report do
|
|
34
|
-
get test_cases_unsafe_redirect_url(to: 'http://evil.com')
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
assert_response :redirect
|
|
38
|
-
end
|
|
39
|
-
end
|