tarantula 0.0.8.1 → 0.1.4

data/rails/init.rb

@@ -1,4 +0,0 @@
-if ENV["RAILS_ENV"] == "test"
-  path = File.expand_path(File.join(File.dirname(__FILE__), *%w[.. lib relevance tarantula]))
-  require path
-end

data/tarantula.gemspec

@@ -1,56 +0,0 @@
-# -*- encoding: utf-8 -*-
-
-Gem::Specification.new do |s|
-  s.name = %q{tarantula}
-  s.version = "0.0.8.1"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Relevance"]
-  s.date = %q{2009-01-16}
-  s.description = %q{A big hairy fuzzy spider that crawls your site, wreaking havoc}
-  s.email = %q{opensource@thinkrelevance.com}
-  s.extra_rdoc_files = ["CHANGELOG", "lib/relevance/core_extensions/ellipsize.rb", "lib/relevance/core_extensions/file.rb", "lib/relevance/core_extensions/response.rb", "lib/relevance/core_extensions/test_case.rb", "lib/relevance/tarantula/attack.rb", "lib/relevance/tarantula/attack_form_submission.rb", "lib/relevance/tarantula/attack_handler.rb", "lib/relevance/tarantula/crawler.rb", "lib/relevance/tarantula/detail.html.erb", "lib/relevance/tarantula/form.rb", "lib/relevance/tarantula/form_submission.rb", "lib/relevance/tarantula/html_document_handler.rb", "lib/relevance/tarantula/html_report_helper.rb", "lib/relevance/tarantula/html_reporter.rb", "lib/relevance/tarantula/index.html.erb", "lib/relevance/tarantula/invalid_html_handler.rb", "lib/relevance/tarantula/io_reporter.rb", "lib/relevance/tarantula/link.rb", "lib/relevance/tarantula/log_grabber.rb", "lib/relevance/tarantula/rails_integration_proxy.rb", "lib/relevance/tarantula/recording.rb", "lib/relevance/tarantula/response.rb", "lib/relevance/tarantula/result.rb", "lib/relevance/tarantula/test_report.html.erb", "lib/relevance/tarantula/tidy_handler.rb", "lib/relevance/tarantula/transform.rb", "lib/relevance/tarantula.rb", "MIT-LICENSE", "README.rdoc", "vendor/xss-shield/MIT-LICENSE"]
-  s.files = ["CHANGELOG", "init.rb", "install.rb", "laf/images/background.jpg", "laf/images/relevance-os-logo.gif", "laf/images/tab.png", "laf/images/table-sort.gif", "laf/images/tarantula-sprites.png", "laf/javascripts/jquery-1.2.3.js", "laf/javascripts/jquery-ui-tabs.js", "laf/javascripts/jquery.tablesorter.js", "laf/javascripts/niftycube-details.js", "laf/javascripts/niftycube.js", "laf/javascripts/niftyLayout.js", "laf/javascripts/tarantula.js", "laf/stylesheets/niftyCorners.css", "laf/stylesheets/NiftyLayout.css", "laf/stylesheets/old.css", "laf/stylesheets/tarantula.css", "laf/stylesheets/tarantula.v2.css", "laf/stylesheets/ui.tabs.css", "laf/v2/detail.html", "laf/v2/images/button_active.png", "laf/v2/images/button_hover.png", "laf/v2/images/button_inactive.png", "laf/v2/images/header_bg.jpg", "laf/v2/images/logo.png", "laf/v2/images/tagline.png", "laf/v2/index.html", "laf/v2/stylesheets/tarantula.v2.css", "lib/relevance/core_extensions/ellipsize.rb", "lib/relevance/core_extensions/file.rb", "lib/relevance/core_extensions/response.rb", "lib/relevance/core_extensions/test_case.rb", "lib/relevance/tarantula/attack.rb", "lib/relevance/tarantula/attack_form_submission.rb", "lib/relevance/tarantula/attack_handler.rb", "lib/relevance/tarantula/crawler.rb", "lib/relevance/tarantula/detail.html.erb", "lib/relevance/tarantula/form.rb", "lib/relevance/tarantula/form_submission.rb", "lib/relevance/tarantula/html_document_handler.rb", "lib/relevance/tarantula/html_report_helper.rb", "lib/relevance/tarantula/html_reporter.rb", "lib/relevance/tarantula/index.html.erb", "lib/relevance/tarantula/invalid_html_handler.rb", "lib/relevance/tarantula/io_reporter.rb", "lib/relevance/tarantula/link.rb", "lib/relevance/tarantula/log_grabber.rb", "lib/relevance/tarantula/rails_integration_proxy.rb", "lib/relevance/tarantula/recording.rb", "lib/relevance/tarantula/response.rb", "lib/relevance/tarantula/result.rb", "lib/relevance/tarantula/test_report.html.erb", "lib/relevance/tarantula/tidy_handler.rb", "lib/relevance/tarantula/transform.rb", "lib/relevance/tarantula.rb", "manifest.txt", "MIT-LICENSE", "rails/init.rb", "Rakefile", "README.rdoc", "tarantula.gemspec", "tasks/tarantula_tasks.rake", "template/tarantula_test.rb", "test/relevance/core_extensions/ellipsize_test.rb", "test/relevance/core_extensions/file_test.rb", "test/relevance/core_extensions/response_test.rb", "test/relevance/core_extensions/test_case_test.rb", "test/relevance/tarantula/attack_form_submission_test.rb", "test/relevance/tarantula/attack_handler_test.rb", "test/relevance/tarantula/crawler_test.rb", "test/relevance/tarantula/form_submission_test.rb", "test/relevance/tarantula/form_test.rb", "test/relevance/tarantula/html_document_handler_test.rb", "test/relevance/tarantula/html_report_helper_test.rb", "test/relevance/tarantula/html_reporter_test.rb", "test/relevance/tarantula/invalid_html_handler_test.rb", "test/relevance/tarantula/io_reporter_test.rb", "test/relevance/tarantula/link_test.rb", "test/relevance/tarantula/log_grabber_test.rb", "test/relevance/tarantula/rails_init_test.rb", "test/relevance/tarantula/rails_integration_proxy_test.rb", "test/relevance/tarantula/result_test.rb", "test/relevance/tarantula/tidy_handler_test.rb", "test/relevance/tarantula/transform_test.rb", "test/relevance/tarantula_test.rb", "test/test_helper.rb", "uninstall.rb", "vendor/xss-shield/init.rb", "vendor/xss-shield/lib/xss_shield/erb_hacks.rb", "vendor/xss-shield/lib/xss_shield/haml_hacks.rb", "vendor/xss-shield/lib/xss_shield/safe_string.rb", "vendor/xss-shield/lib/xss_shield/secure_helpers.rb", "vendor/xss-shield/lib/xss_shield.rb", "vendor/xss-shield/MIT-LICENSE", "vendor/xss-shield/README", "vendor/xss-shield/test/test_actionview_integration.rb", "vendor/xss-shield/test/test_erb.rb", "vendor/xss-shield/test/test_haml.rb", "vendor/xss-shield/test/test_helpers.rb", "vendor/xss-shield/test/test_safe_string.rb"]
-  s.has_rdoc = true
-  s.homepage = %q{http://github.com/relevance/tarantula}
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Tarantula", "--main", "README.rdoc"]
-  s.require_paths = ["lib"]
-  s.rubyforge_project = %q{thinkrelevance}
-  s.rubygems_version = %q{1.3.1}
-  s.summary = %q{A big hairy fuzzy spider that crawls your site, wreaking havoc}
-  s.test_files = ["test/relevance/core_extensions/ellipsize_test.rb", "test/relevance/core_extensions/file_test.rb", "test/relevance/core_extensions/response_test.rb", "test/relevance/core_extensions/test_case_test.rb", "test/relevance/tarantula/attack_form_submission_test.rb", "test/relevance/tarantula/attack_handler_test.rb", "test/relevance/tarantula/crawler_test.rb", "test/relevance/tarantula/form_submission_test.rb", "test/relevance/tarantula/form_test.rb", "test/relevance/tarantula/html_document_handler_test.rb", "test/relevance/tarantula/html_report_helper_test.rb", "test/relevance/tarantula/html_reporter_test.rb", "test/relevance/tarantula/invalid_html_handler_test.rb", "test/relevance/tarantula/io_reporter_test.rb", "test/relevance/tarantula/link_test.rb", "test/relevance/tarantula/log_grabber_test.rb", "test/relevance/tarantula/rails_init_test.rb", "test/relevance/tarantula/rails_integration_proxy_test.rb", "test/relevance/tarantula/result_test.rb", "test/relevance/tarantula/tidy_handler_test.rb", "test/relevance/tarantula/transform_test.rb", "test/relevance/tarantula_test.rb"]
-
-  if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
-    s.specification_version = 2
-
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<htmlentities>, [">= 0"])
-      s.add_runtime_dependency(%q<hpricot>, [">= 0"])
-      s.add_runtime_dependency(%q<facets>, [">= 2.4.3"])
-      s.add_runtime_dependency(%q<actionpack>, [">= 0"])
-      s.add_runtime_dependency(%q<activesupport>, [">= 0"])
-      s.add_development_dependency(%q<ruby-debug>, [">= 0"])
-      s.add_development_dependency(%q<test-spec>, [">= 0"])
-      s.add_development_dependency(%q<mocha>, [">= 0"])
-    else
-      s.add_dependency(%q<htmlentities>, [">= 0"])
-      s.add_dependency(%q<hpricot>, [">= 0"])
-      s.add_dependency(%q<facets>, [">= 2.4.3"])
-      s.add_dependency(%q<actionpack>, [">= 0"])
-      s.add_dependency(%q<activesupport>, [">= 0"])
-      s.add_dependency(%q<ruby-debug>, [">= 0"])
-      s.add_dependency(%q<test-spec>, [">= 0"])
-      s.add_dependency(%q<mocha>, [">= 0"])
-    end
-  else
-    s.add_dependency(%q<htmlentities>, [">= 0"])
-    s.add_dependency(%q<hpricot>, [">= 0"])
-    s.add_dependency(%q<facets>, [">= 2.4.3"])
-    s.add_dependency(%q<actionpack>, [">= 0"])
-    s.add_dependency(%q<activesupport>, [">= 0"])
-    s.add_dependency(%q<ruby-debug>, [">= 0"])
-    s.add_dependency(%q<test-spec>, [">= 0"])
-    s.add_dependency(%q<mocha>, [">= 0"])
-  end
-end

data/test/test_helper.rb

@@ -1,34 +0,0 @@
-basedir = File.dirname(__FILE__)
-$:.unshift "#{basedir}/../lib"
-require 'rubygems' 
-gem 'ruby-debug'
-gem 'test-spec'
-gem 'actionpack'
-gem 'activerecord'
-gem 'activesupport'
-
-require 'test/spec'
-require 'mocha'    
-require 'ostruct'
-require 'ruby-debug'
-require 'activerecord'
-require 'relevance/tarantula'
-
-# needed for html-scanner, grr
-require 'active_support'
-require 'action_controller'
-
-require 'redgreen' unless (Object.const_defined?("TextMate") || ENV["EMACS"]) rescue nil # just a nice to have, don't blow up if not there
-
-class Test::Unit::TestCase 
-  def test_output_dir
-    File.join(File.dirname(__FILE__), "..", "tmp", "test_output")
-  end
-
-  # TODO change puts/print to use a single method for logging, which will then make the stubbing cleaner
-  def stub_puts_and_print(obj)
-    obj.stubs(:puts)
-    obj.stubs(:print)
-  end
-  
-end

data/uninstall.rb

@@ -1 +0,0 @@
-# Uninstall hook code here

data/vendor/xss-shield/MIT-LICENSE

@@ -1,20 +0,0 @@
-Copyright (c) 2007 Trampoline Systems
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/vendor/xss-shield/README

@@ -1,76 +0,0 @@
-FIXME: THIS README IS NOT UP-TO-DATE.
-
-This plugin provides XSS protection for views coded in HAML and RHTML.
-
-ERB templates are sometimes used for HTML, and sometimes for
-other kinds of languages (SQL, email templates, YAML etc.).
-XSS Shield protects only those templates with .rhtml extension,
-leaving templates with .erb extension unprotected.
-
-=== Quick start ===
-
-Assuming you're using HAML for all your templates.
-
-* Install plugin.
-* Edit all your layout files and change:
-    = @content_for_layout
-    = yield(:foo) # Foo being usually :js or :css
-  to:
-    = @content_for_layout.mark_as_xss_protected
-    = yield(:foo).mark_as_xss_protected
-* By this point your application should be runnanble,
-  but might need some tweaking here and there to avoid potential
-  double-escaping.
-
-=== How it works ===
-
-It works by subclassing String into SafeString.
-When HAML engine seems a "= foo" fragment it check if result of executing "foo"
-is a SafeString. If it is - it copies it to the output, if it's anything else
-(String, Integer, nil and so on) it HTML-escapes it first.
-
-To avoid double-escaping output of h is a SafeString, as is everything you
-mark as XSS-protected.
-  = h(@foo)
-  = @foo # fully equivalent to h(@foo)
-  = "X <br /> Y".mark_as_xss_protected
-
-It would be cumbersome to require mark_as_xss_protected every time you use
-some helper like render :partial or link_to, so some helpers are modified
-to return SafeString.
-
-  = render :partial => "foo"
-  = link_to "Bar", :action => :bar
-
-If you trust your helpers, make them as XSS-protected:
-
-  module Some::Module
-    mark_helpers_as_xss_protected :text_field, :check_box
-  end
-
-Because it is not possible to alter syntactic keywords like yield
-or instance variables like @content_for_layout to mark them automatically
-as secure, layout files need some manual tweaking.
-
-=== Other template engines ===
-
-If a templates uses some templating engine other than HAML or ERB,
-or it uses ERB but has extension .erb not .rhtml, XSS Shield does not protect it.
-
-However some helpers like link_to and button_to are patched by XSS Shield to
-make them more secure, and this extra security will be there even when used
-in an otherwise unprotected context.
-
-For example with XSS shield
-  link_to "A & B", "/foo"
-will return (marked as safe):
-  '<a href="/foo">A &amp; B</a>'
-not (plain String):
-  '<a href="/foo">A & B</a>'
-
-Also - RHTML protection only works with default ERB engine (erb.rb from Ruby base).
-If you use some alternative ERB engine it probably won't work.
-
-Adding support for alternative templating engine should be relatively straightforward.
-It's mostly a matter of changing to_s to to_s_xss_protected in a few places
-in their source.

data/vendor/xss-shield/init.rb

@@ -1,16 +0,0 @@
-unless ENV['DISABLE_XSS_SHIELD']
-  puts "Loading XSS Shield"
-  require 'xss_shield'
-else
-  class ::String
-    def mark_as_xss_protected
-      self
-    end
-  end
-
-  class ::NilClass
-    def mark_as_xss_protected
-      self
-    end
-  end
-end

data/vendor/xss-shield/lib/xss_shield.rb

@@ -1,6 +0,0 @@
-require 'xss_shield/safe_string'
-# Tarantula doesn't use haml
-# require 'xss_shield/haml_hacks'
-# ERB hacks blow up Rails
-# require 'xss_shield/erb_hacks'
-require 'xss_shield/secure_helpers'

data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb

@@ -1,111 +0,0 @@
-class XSSProtectedERB < ERB
-  class Compiler < ::ERB::Compiler
-    def compile(s)
-      out = Buffer.new(self)
-
-      content = ''
-      scanner = make_scanner(s)
-      scanner.scan do |token|
-  if scanner.stag.nil?
-    case token
-          when PercentLine
-      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
-      content = ''
-            out.push(token.to_s)
-            out.cr
-    when :cr
-      out.cr
-    when '<%', '<%=', '<%#'
-      scanner.stag = token
-      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
-      content = ''
-    when "\n"
-      content << "\n"
-      out.push("#{@put_cmd} #{content.dump}")
-      out.cr
-      content = ''
-    when '<%%'
-      content << '<%'
-    else
-      content << token
-    end
-  else
-    case token
-    when '%>'
-      case scanner.stag
-      when '<%'
-        if content[-1] == ?\n
-    content.chop!
-    out.push(content)
-    out.cr
-        else
-    out.push(content)
-        end
-      when '<%='
-              # NOTE: Changed lines
-        out.push("#{@insert_cmd}((#{content}).to_s_xss_protected)")
-              # NOTE: End changed lines
-      when '<%#'
-        # out.push("# #{content.dump}")
-      end
-      scanner.stag = nil
-      content = ''
-    when '%%>'
-      content << '%>'
-    else
-      content << token
-    end
-  end
-      end
-      out.push("#{@put_cmd} #{content.dump}") if content.size > 0
-      out.close
-      out.script
-    end
-  end
-
-  def initialize(str, safe_level=nil, trim_mode=nil, eoutvar='_erbout')
-    @safe_level = safe_level
-    compiler = XSSProtectedERB::Compiler.new(trim_mode)
-    set_eoutvar(compiler, eoutvar)
-    @src = compiler.compile(str)
-    @filename = nil
-  end
-end
-
-module ActionView
-  class Base
-    private
-      def create_template_source(extension, template, render_symbol, locals)
-        if template_requires_setup?(extension)
-          body = case extension.to_sym
-            when :rxml, :builder
-              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
-              "#{content_type_handler}.content_type ||= Mime::XML\n" +
-              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
-              template +
-              "\nxml.target!\n"
-            when :rjs
-              "controller.response.content_type ||= Mime::JS\n" +
-              "update_page do |page|\n#{template}\nend"
-          end
-        # NOTE: Changed lines
-        elsif extension.to_sym == :rhtml
-          body = XSSProtectedERB.new(template, nil, @@erb_trim_mode).src
-        # NOTE: End changed lines
-        else
-          body = ERB.new(template, nil, @@erb_trim_mode).src
-        end
-
-        @@template_args[render_symbol] ||= {}
-        locals_keys = @@template_args[render_symbol].keys | locals
-        @@template_args[render_symbol] = locals_keys.inject({}) { |h, k| h[k] = true; h }
-
-        locals_code = ""
-        locals_keys.each do |key|
-          locals_code << "#{key} = local_assigns[:#{key}]\n"
-        end
-
-        "def #{render_symbol}(local_assigns)\n#{locals_code}#{body}\nend"
-      end
-  end
-end

data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb

@@ -1,42 +0,0 @@
-raise "Haml not loaded" unless Haml::Engine.instance_method(:push_script)
-
-module Haml
-  class Engine
-    def push_script(text, flattened)
-      unless options[:suppress_eval]
-        push_silent("haml_temp = #{text}", true)
-        push_silent("haml_temp = haml_temp.to_s_xss_protected", true)
-        out = "haml_temp = _hamlout.push_script(haml_temp, #{@output_tabs}, #{flattened})\n"
-        if @block_opened
-          push_and_tabulate([:loud, out])
-        else
-          @precompiled << out
-        end
-      end
-    end
-
-    def build_attributes(attributes = {})
-      # We ignore @options[:attr_wrapper] because ERB::Util.h does not espace ' to &apos;
-      # making ' as attribute quote not workable
-      result = attributes.map do |a,v|
-        v = v.to_s_xss_protected
-        unless v.blank?
-          " #{a}=\"#{v}\""
-        end
-      end
-      result.sort.join
-    end
-  end
-
-  class Buffer
-    def build_attributes(attributes = {})
-      result = attributes.map do |a,v|
-        v = v.to_s_xss_protected
-        unless v.blank?
-          " #{a}=\"#{v}\""
-        end
-      end
-      result.sort.join
-    end
-  end
-end

data/vendor/xss-shield/lib/xss_shield/safe_string.rb

@@ -1,47 +0,0 @@
-class SafeString < String
-  def to_s
-    self
-  end
-  def to_s_xss_protected
-    self
-  end
-end
-
-class String
-  def mark_as_xss_protected
-    SafeString.new(self)
-  end
-end
-
-class NilClass
-  def mark_as_xss_protected
-    self
-  end
-end
-
-# ERB::Util.h and (include ERB::Util; h) are different methods
-module ERB::Util
-  class <<self
-    def h_with_xss_protection(*args)
-      h_without_xss_protection(*args).mark_as_xss_protected
-    end
-    alias_method_chain :h, :xss_protection
-  end
-  
-    def h_with_xss_protection(*args)
-      h_without_xss_protection(*args).mark_as_xss_protected
-    end
-    alias_method_chain :h, :xss_protection
-end
-
-class Object
-  def to_s_xss_protected
-    ERB::Util.h(to_s).mark_as_xss_protected
-  end
-end
-
-class Array
-  def join_xss_protected(sep="")
-    map(&:to_s_xss_protected).join(sep.to_s_xss_protected).mark_as_xss_protected
-  end
-end

data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb

@@ -1,40 +0,0 @@
-class Module
-  def mark_helpers_as_xss_protected(*ms)
-    ms.each do |m|
-      begin
-        instance_method("#{m}_with_xss_protection")
-      rescue NameError
-        define_method :"#{m}_with_xss_protection" do |*args|
-          send(:"#{m}_without_xss_protection", *args).mark_as_xss_protected
-        end
-        alias_method_chain m, :xss_protection
-      end
-    end
-  end
-end
-
-class ActionView::Base
-  mark_helpers_as_xss_protected :javascript_include_tag,
-                                :stylesheet_link_tag,
-                                :render,
-                                :text_field_tag,
-                                :submit_tag,
-                                :radio_button,
-                                :text_area,
-                                :auto_discovery_link_tag,
-                                :image_tag
-
-  def link_to_with_xss_protection(text, *args)
-    link_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
-  end
-  alias_method_chain :link_to, :xss_protection
-
-  def button_to_with_xss_protection(text, *args)
-    button_to_without_xss_protection(text.to_s_xss_protected, *args).mark_as_xss_protected
-  end
-  alias_method_chain :button_to, :xss_protection
-end
-
-module ActionView::Helpers::FormHelper
-  mark_helpers_as_xss_protected :text_field, :check_box
-end