tarantula 0.0.5

data/tmp/test_output/test_user_pages/9.html

@@ -0,0 +1,71 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+
+<html>
+  <head>
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8"/>
+    <title>Tarantula report detail get /widgets/9</title>
+    <script type="text/javascript" src="../javascripts/jquery-1.2.3.js"></script>
+    <script type="text/javascript" src="../javascripts/jquery.tablesorter.js"></script>
+    <script type="text/javascript" src="../javascripts/jquery-ui-tabs.js"></script>
+    <script type="text/javascript" src="../javascripts/tarantula.js"></script>
+    <link type="text/css" media="screen" rel="stylesheet" href="../stylesheets/tarantula.css"/>
+    <link type="text/css" media="screen" rel="stylesheet" href="../stylesheets/ui.tabs.css"/>
+
+  <!--[if lte IE 7]>
+    <link rel="stylesheet" href="jqeury.tabs-ie.css" type="text/css" media="projection, screen" />
+  <![endif]-->
+    
+  </head>
+
+  <body id="top">
+
+    <div id="container">
+
+      <div id="header">
+        <hr class="top"/>
+        <h1><span>Tarantula : Eight Legs, Two Fangs, and an Attitude</span></h1>
+      </div>
+
+      <div id="page-container">
+        <hr class="top"/>
+        <div id="page">
+          <h1>Tarantula report detail get /widgets/9</h1>
+          <p>Generated on Fri Sep 26 11:33:58 -0400 2008 (<a href="../index.html">Back</a>)</p>
+          <p>Visit <a href="http://localhost:3000/widgets/9">http://localhost:3000/widgets/9</a></p>
+          <p>Response: 200</p>
+          <p>Referrer: /random/62</p>
+          <div id="tabs-container">            
+            <ul>
+              <li><a href="#fragment-1"><span>Data</span></a></li>
+              <li><a href="#fragment-2"><span>Body</span></a></li>
+              <li><a href="#fragment-3"><span>Log</span></a></li>
+            </ul>
+            <div id="fragment-1">
+              
+                <table class="grid tablesorter"><thead><tr><th class="sort asc"><span>Line #</span><span class="sort"><em>&#8613;</em></span></th><th class="sort left"><span>Line</span><span class="sort"><em>&#8613;</em></span></th></tr></thead><tr><td>1</td><td>{:param1 =&gt; :value, :param2 =&gt; :another_value}</td></tr></table>
+              
+            </div>
+            <div id="fragment-2">
+              
+                <table class="grid tablesorter"><thead><tr><th class="sort asc"><span>Line #</span><span class="sort"><em>&#8613;</em></span></th><th class="sort left"><span>Line</span><span class="sort"><em>&#8613;</em></span></th></tr></thead><tr><td>1</td><td>&lt;h1&gt;header&lt;/h1&gt;</td></tr><tr><td>2</td><td>&lt;p&gt;text&lt;/p&gt;</td></tr></table>
+              
+            </div>
+            <div id="fragment-3">
+              
+                <table class="grid tablesorter"><thead><tr><th class="sort asc"><span>Line #</span><span class="sort"><em>&#8613;</em></span></th><th class="sort left"><span>Line</span><span class="sort"><em>&#8613;</em></span></th></tr></thead><tr><td>1</td><td>Made-up stack trace:</td></tr><tr><td>2</td><td><a href='txmt://open?url=file:///Users/rsanheim/src/relevance/tarantula/STUB_ROOT/some_module/some_class.rb&line_no=697'>/some_module/some_class.rb:697</a>:in `bad_method'</td></tr><tr><td>3</td><td><a href='txmt://open?url=file:///Users/rsanheim/src/relevance/tarantula/STUB_ROOT/some_module/other_class.rb&line_no=12345677'>/some_module/other_class.rb:12345677</a>:in `long_method'</td></tr><tr><td>4</td><td>this link should be &lt;a href=&quot;#&quot;&gt;escaped&lt;/a&gt;</td></tr><tr><td>5</td><td>blah blah blah</td></tr></table>
+              
+            </div>
+          </div>
+        </div>
+      </div>
+      <div id="sidebar">
+        <h3><span>Tarantula</span></h3>
+        <p>Tarantula is an open-source tool for testing Rails web applications. Tarantula is developed by <a href="http://thinkrelevance.com">Relevance, Inc.</a> and lives at <a href="http://opensource.thinkrelevance.com">http://opensource.thinkrelevance.com</a>.</p>
+      </div>
+    </div>
+  </body>
+
+</html>
+
+

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

data/vendor/xss-shield/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2007 Trampoline Systems
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/vendor/xss-shield/README

@@ -0,0 +1,76 @@
+FIXME: THIS README IS NOT UP-TO-DATE.
+
+This plugin provides XSS protection for views coded in HAML and RHTML.
+
+ERB templates are sometimes used for HTML, and sometimes for
+other kinds of languages (SQL, email templates, YAML etc.).
+XSS Shield protects only those templates with .rhtml extension,
+leaving templates with .erb extension unprotected.
+
+=== Quick start ===
+
+Assuming you're using HAML for all your templates.
+
+* Install plugin.
+* Edit all your layout files and change:
+    = @content_for_layout
+    = yield(:foo) # Foo being usually :js or :css
+  to:
+    = @content_for_layout.mark_as_xss_protected
+    = yield(:foo).mark_as_xss_protected
+* By this point your application should be runnanble,
+  but might need some tweaking here and there to avoid potential
+  double-escaping.
+
+=== How it works ===
+
+It works by subclassing String into SafeString.
+When HAML engine seems a "= foo" fragment it check if result of executing "foo"
+is a SafeString. If it is - it copies it to the output, if it's anything else
+(String, Integer, nil and so on) it HTML-escapes it first.
+
+To avoid double-escaping output of h is a SafeString, as is everything you
+mark as XSS-protected.
+  = h(@foo)
+  = @foo # fully equivalent to h(@foo)
+  = "X <br /> Y".mark_as_xss_protected
+
+It would be cumbersome to require mark_as_xss_protected every time you use
+some helper like render :partial or link_to, so some helpers are modified
+to return SafeString.
+
+  = render :partial => "foo"
+  = link_to "Bar", :action => :bar
+
+If you trust your helpers, make them as XSS-protected:
+
+  module Some::Module
+    mark_helpers_as_xss_protected :text_field, :check_box
+  end
+
+Because it is not possible to alter syntactic keywords like yield
+or instance variables like @content_for_layout to mark them automatically
+as secure, layout files need some manual tweaking.
+
+=== Other template engines ===
+
+If a templates uses some templating engine other than HAML or ERB,
+or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
+
+However some helpers like link_to and button_to are patched by XSS Shield to
+make them more secure, and this extra security will be there even when used
+in an otherwise unprotected context.
+
+For example with XSS shield
+  link_to "A & B", "/foo"
+will return (marked as safe):
+  '<a href="/foo">A &amp; B</a>'
+not (plain String):
+  '<a href="/foo">A & B</a>'
+
+Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
+If you use some alternative ERB engine it probably won't work.
+
+Adding support for alternative templating engine should be relatively straightforward.
+It's mostly a matter of changing to_s to to_s_xss_protected in a few places
+in their source.

data/vendor/xss-shield/init.rb

@@ -0,0 +1,16 @@
+unless ENV['DISABLE_XSS_SHIELD']
+  puts "Loading XSS Shield"
+  require 'xss_shield'
+else
+  class ::String
+    def mark_as_xss_protected
+      self
+    end
+  end
+
+  class ::NilClass
+    def mark_as_xss_protected
+      self
+    end
+  end
+end

data/vendor/xss-shield/lib/xss_shield.rb

@@ -0,0 +1,6 @@
+require 'xss_shield/safe_string'
+# Tarantula doesn't use haml
+# require 'xss_shield/haml_hacks'
+# ERB hacks blow up Rails
+# require 'xss_shield/erb_hacks'
+require 'xss_shield/secure_helpers'

data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb

@@ -0,0 +1,111 @@
+class XSSProtectedERB < ERB
+  class Compiler < ::ERB::Compiler
+    def compile(s)
+      out = Buffer.new(self)
+
+      content = ''
+      scanner = make_scanner(s)
+      scanner.scan do |token|
+  if scanner.stag.nil?
+    case token
+          when PercentLine
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      content = ''
+            out.push(token.to_s)
+            out.cr
+    when :cr
+      out.cr
+    when '<%', '<%=', '<%#'
+      scanner.stag = token
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      content = ''
+    when "\n"
+      content << "\n"
+      out.push("#{@put_cmd} #{content.dump}")
+      out.cr
+      content = ''
+    when '<%%'
+      content << '<%'
+    else
+      content << token
+    end
+  else
+    case token
+    when '%>'
+      case scanner.stag
+      when '<%'
+        if content[-1] == ?\n
+    content.chop!
+    out.push(content)
+    out.cr
+        else
+    out.push(content)
+        end
+      when '<%='
+              # NOTE: Changed lines
+        out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
+              # NOTE: End changed lines
+      when '<%#'
+        # out.push("# #{content.dump}")
+      end
+      scanner.stag = nil
+      content = ''
+    when '%%>'
+      content << '%>'
+    else
+      content << token
+    end
+  end
+      end
+      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
+      out.close
+      out.script
+    end
+  end
+
+  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
+    @safe_level = safe_level
+    compiler = XSSProtectedERB::Compiler.new(trim_mode)
+    set_eoutvar(compiler, eoutvar)
+    @src = compiler.compile(str)
+    @filename = nil
+  end
+end
+
+module ActionView
+  class Base
+    private
+      def create_template_source(extension, template, render_symbol, locals)
+        if template_requires_setup?(extension)
+          body = case extension.to_sym
+            when :rxml, :builder
+              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
+              "#{content_type_handler}.content_type ||= Mime::XML\n" +
+              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
+              template +
+              "\nxml.target!\n"
+            when :rjs
+              "controller.response.content_type ||= Mime::JS\n" +
+              "update_page do |page|\n#{template}\nend"
+          end
+        # NOTE: Changed lines
+        elsif extension.to_sym == :rhtml
+          body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
+        # NOTE: End changed lines
+        else
+          body = ERB.new(template, nil, @@erb_trim_mode).src
+        end
+
+        @@template_args[render_symbol] ||= {}
+        locals_keys = @@template_args[render_symbol].keys | locals
+        @@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
+
+        locals_code = ""
+        locals_keys.each do |key|
+          locals_code << "#{key} = local_assigns[:#{key}]\n"
+        end
+
+        "def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
+      end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb

@@ -0,0 +1,42 @@
+raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
+
+module Haml
+  class Engine
+    def push_script(text, flattened)
+      unless options[:suppress_eval]
+        push_silent("haml_temp = #{text}", true)
+        push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
+        out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
+        if @block_opened
+          push_and_tabulate([:loud, out])
+        else
+          @precompiled << out
+        end
+      end
+    end
+
+    def build_attributes(attributes = {})
+      # We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to &apos;
+      # making ' as attribute quote not workable
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+
+  class Buffer
+    def build_attributes(attributes = {})
+      result = attributes.map do |a,v|
+        v = v.to_s_xss_protected
+        unless v.blank?
+          " #{a}=\"#{v}\""
+        end
+      end
+      result.sort.join
+    end
+  end
+end

data/vendor/xss-shield/lib/xss_shield/safe_string.rb

@@ -0,0 +1,47 @@
+class SafeString < String
+  def to_s
+    self
+  end
+  def to_s_xss_protected
+    self
+  end
+end
+
+class String
+  def mark_as_xss_protected
+    SafeString.new(self)
+  end
+end
+
+class NilClass
+  def mark_as_xss_protected
+    self
+  end
+end
+
+# ERB::Util.h and (include ERB::Util; h) are different methods
+module ERB::Util
+  class <<self
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+  end
+  
+    def h_with_xss_protection(*args)
+      h_without_xss_protection(*args).mark_as_xss_protected
+    end
+    alias_method_chain :h, :xss_protection
+end
+
+class Object
+  def to_s_xss_protected
+    ERB::Util.h(to_s).mark_as_xss_protected
+  end
+end
+
+class Array
+  def join_xss_protected(sep="")
+    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
+  end
+end

data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb

@@ -0,0 +1,40 @@
+class Module
+  def mark_helpers_as_xss_protected(*ms)
+    ms.each do |m|
+      begin
+        instance_method("#{m}_with_xss_protection")
+      rescue NameError
+        define_method :"#{m}_with_xss_protection" do |*args|
+          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
+        end
+        alias_method_chain m, :xss_protection
+      end
+    end
+  end
+end
+
+class ActionView::Base
+  mark_helpers_as_xss_protected :javascript_include_tag,
+                                :stylesheet_link_tag,
+                                :render,
+                                :text_field_tag,
+                                :submit_tag,
+                                :radio_button,
+                                :text_area,
+                                :auto_discovery_link_tag,
+                                :image_tag
+
+  def link_to_with_xss_protection(text, *args)
+    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :link_to, :xss_protection
+
+  def button_to_with_xss_protection(text, *args)
+    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
+  end
+  alias_method_chain :button_to, :xss_protection
+end
+
+module ActionView::Helpers::FormHelper
+  mark_helpers_as_xss_protected :text_field, :check_box
+end