tarantula 0.3.3 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.autotest +14 -0
- data/.gitignore +9 -0
- data/.rvmrc +1 -0
- data/DSL_EXAMPLES.md +120 -0
- data/Gemfile +2 -0
- data/Gemfile.lock +108 -0
- data/{MIT-LICENSE → LICENSE} +0 -0
- data/README.rdoc +3 -28
- data/Rakefile +27 -59
- data/lib/relevance/core_extensions/ellipsize.rb +23 -19
- data/lib/relevance/core_extensions/file.rb +10 -4
- data/lib/relevance/core_extensions/response.rb +9 -6
- data/lib/relevance/core_extensions/test_case.rb +14 -12
- data/lib/relevance/tarantula.rb +24 -25
- data/lib/relevance/tarantula/attack.rb +19 -15
- data/lib/relevance/tarantula/attack_handler.rb +32 -26
- data/lib/relevance/tarantula/basic_attack.rb +36 -32
- data/lib/relevance/tarantula/crawler.rb +222 -216
- data/lib/relevance/tarantula/form.rb +27 -21
- data/lib/relevance/tarantula/form_submission.rb +79 -73
- data/lib/relevance/tarantula/html_document_handler.rb +37 -31
- data/lib/relevance/tarantula/html_report_helper.rb +36 -29
- data/lib/relevance/tarantula/html_reporter.rb +105 -99
- data/lib/relevance/tarantula/invalid_html_handler.rb +21 -15
- data/lib/relevance/tarantula/io_reporter.rb +37 -31
- data/lib/relevance/tarantula/link.rb +97 -73
- data/lib/relevance/tarantula/log_grabber.rb +20 -14
- data/lib/relevance/tarantula/rails_integration_proxy.rb +64 -58
- data/lib/relevance/tarantula/response.rb +16 -10
- data/lib/relevance/tarantula/result.rb +69 -63
- data/lib/relevance/tarantula/tidy_handler.rb +22 -17
- data/lib/relevance/tarantula/transform.rb +18 -14
- data/lib/relevance/tarantula/version.rb +5 -0
- data/{tasks → lib/relevance/tasks}/tarantula_tasks.rake +1 -1
- data/lib/tarantula-rails3.rb +9 -0
- data/{examples/relevance/core_extensions/ellipsize_example.rb → spec/relevance/core_extensions/ellipsize_spec.rb} +2 -2
- data/{examples/relevance/core_extensions/file_example.rb → spec/relevance/core_extensions/file_spec.rb} +2 -2
- data/{examples/relevance/core_extensions/response_example.rb → spec/relevance/core_extensions/response_spec.rb} +2 -2
- data/{examples/relevance/core_extensions/test_case_example.rb → spec/relevance/core_extensions/test_case_spec.rb} +1 -1
- data/{examples/relevance/tarantula/attack_handler_example.rb → spec/relevance/tarantula/attack_handler_spec.rb} +1 -1
- data/{examples/relevance/tarantula/basic_attack_example.rb → spec/relevance/tarantula/basic_attack_spec.rb} +2 -2
- data/{examples/relevance/tarantula/crawler_example.rb → spec/relevance/tarantula/crawler_spec.rb} +2 -2
- data/{examples/relevance/tarantula/form_example.rb → spec/relevance/tarantula/form_spec.rb} +2 -2
- data/{examples/relevance/tarantula/form_submission_example.rb → spec/relevance/tarantula/form_submission_spec.rb} +3 -3
- data/{examples/relevance/tarantula/html_document_handler_example.rb → spec/relevance/tarantula/html_document_handler_spec.rb} +1 -1
- data/{examples/relevance/tarantula/html_report_helper_example.rb → spec/relevance/tarantula/html_report_helper_spec.rb} +1 -1
- data/{examples/relevance/tarantula/html_reporter_example.rb → spec/relevance/tarantula/html_reporter_spec.rb} +1 -1
- data/{examples/relevance/tarantula/invalid_html_handler_example.rb → spec/relevance/tarantula/invalid_html_handler_spec.rb} +1 -1
- data/{examples/relevance/tarantula/io_reporter_example.rb → spec/relevance/tarantula/io_reporter_spec.rb} +1 -1
- data/{examples/relevance/tarantula/link_example.rb → spec/relevance/tarantula/link_spec.rb} +5 -5
- data/{examples/relevance/tarantula/log_grabber_example.rb → spec/relevance/tarantula/log_grabber_spec.rb} +1 -1
- data/{examples/relevance/tarantula/rails_integration_proxy_example.rb → spec/relevance/tarantula/rails_integration_proxy_spec.rb} +1 -1
- data/{examples/relevance/tarantula/result_example.rb → spec/relevance/tarantula/result_spec.rb} +1 -1
- data/{examples/relevance/tarantula/tidy_handler_example.rb → spec/relevance/tarantula/tidy_handler_spec.rb} +1 -1
- data/{examples/relevance/tarantula/transform_example.rb → spec/relevance/tarantula/transform_spec.rb} +2 -2
- data/{examples/relevance/tarantula_example.rb → spec/relevance/tarantula_spec.rb} +1 -1
- data/{examples/example_helper.rb → spec/spec_helper.rb} +6 -14
- data/tarantula.gemspec +31 -0
- data/template/tarantula_test.rb +1 -1
- data/vendor/xss-shield/MIT-LICENSE +20 -0
- data/vendor/xss-shield/README +76 -0
- data/vendor/xss-shield/init.rb +16 -0
- data/vendor/xss-shield/lib/xss_shield.rb +6 -0
- data/vendor/xss-shield/lib/xss_shield/erb_hacks.rb +111 -0
- data/vendor/xss-shield/lib/xss_shield/haml_hacks.rb +42 -0
- data/vendor/xss-shield/lib/xss_shield/safe_string.rb +47 -0
- data/vendor/xss-shield/lib/xss_shield/secure_helpers.rb +40 -0
- data/vendor/xss-shield/test/test_actionview_integration.rb +40 -0
- data/vendor/xss-shield/test/test_erb.rb +44 -0
- data/vendor/xss-shield/test/test_haml.rb +43 -0
- data/vendor/xss-shield/test/test_helpers.rb +25 -0
- data/vendor/xss-shield/test/test_safe_string.rb +55 -0
- metadata +170 -99
- data/VERSION.yml +0 -4
|
@@ -1,13 +1,19 @@
|
|
|
1
1
|
# Used to create a stub response when we didn't get back a real response
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
2
|
+
module Relevance
|
|
3
|
+
module Tarantula
|
|
4
|
+
|
|
5
|
+
class Response
|
|
6
|
+
HASHABLE_ATTRS = [:code, :body, :content_type]
|
|
7
|
+
attr_accessor *HASHABLE_ATTRS
|
|
8
|
+
|
|
9
|
+
def initialize(hash)
|
|
10
|
+
hash.each do |k,v|
|
|
11
|
+
raise ArgumentError, k unless HASHABLE_ATTRS.member?(k)
|
|
12
|
+
self.instance_variable_set("@#{k}", v)
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
|
|
10
16
|
end
|
|
17
|
+
|
|
11
18
|
end
|
|
12
|
-
|
|
13
|
-
end
|
|
19
|
+
end
|
|
@@ -1,77 +1,83 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
DEFAULT_LOCALHOST = "http://localhost:3000"
|
|
4
|
-
attr_accessor *HASHABLE_ATTRS
|
|
5
|
-
include Relevance::Tarantula
|
|
6
|
-
include Relevance::Tarantula::HtmlReportHelper
|
|
7
|
-
|
|
8
|
-
def initialize(hash)
|
|
9
|
-
hash.each do |k,v|
|
|
10
|
-
raise ArgumentError, k unless HASHABLE_ATTRS.member?(k)
|
|
11
|
-
self.instance_variable_set("@#{k}", v)
|
|
12
|
-
end
|
|
13
|
-
end
|
|
1
|
+
module Relevance
|
|
2
|
+
module Tarantula
|
|
14
3
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
4
|
+
class Result
|
|
5
|
+
HASHABLE_ATTRS = [:success, :method, :url, :response, :referrer, :data, :description, :log, :test_name]
|
|
6
|
+
DEFAULT_LOCALHOST = "http://localhost:3000"
|
|
7
|
+
attr_accessor *HASHABLE_ATTRS
|
|
8
|
+
include Relevance::Tarantula
|
|
9
|
+
include Relevance::Tarantula::HtmlReportHelper
|
|
18
10
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
11
|
+
def initialize(hash)
|
|
12
|
+
hash.each do |k,v|
|
|
13
|
+
raise ArgumentError, k unless HASHABLE_ATTRS.member?(k)
|
|
14
|
+
self.instance_variable_set("@#{k}", v)
|
|
15
|
+
end
|
|
16
|
+
end
|
|
22
17
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
18
|
+
def short_description
|
|
19
|
+
[method,url].join(" ")
|
|
20
|
+
end
|
|
26
21
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
22
|
+
def sequence_number
|
|
23
|
+
@sequence_number ||= (self.class.next_number += 1)
|
|
24
|
+
end
|
|
30
25
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
26
|
+
def file_name
|
|
27
|
+
"#{sequence_number}.html"
|
|
28
|
+
end
|
|
34
29
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
30
|
+
def code
|
|
31
|
+
response && response.code
|
|
32
|
+
end
|
|
38
33
|
|
|
39
|
-
|
|
34
|
+
def body
|
|
35
|
+
response && response.body
|
|
36
|
+
end
|
|
40
37
|
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
def handle(result)
|
|
45
|
-
retval = result.dup
|
|
46
|
-
retval.success = successful?(result.response) || can_skip_error?(result)
|
|
47
|
-
retval.description = "Bad HTTP Response" unless retval.success
|
|
48
|
-
retval
|
|
49
|
-
end
|
|
38
|
+
def full_url
|
|
39
|
+
"#{DEFAULT_LOCALHOST}#{url}"
|
|
40
|
+
end
|
|
50
41
|
|
|
51
|
-
|
|
52
|
-
%w{200 201 302 401}
|
|
53
|
-
end
|
|
54
|
-
|
|
55
|
-
# allow_errors_for is a hash
|
|
56
|
-
# k=error code,
|
|
57
|
-
# v=array of matchers for urls that can skip said error
|
|
58
|
-
attr_accessor :allow_errors_for
|
|
59
|
-
def can_skip_error?(result)
|
|
60
|
-
coll = allow_errors_for[result.code]
|
|
61
|
-
return false unless coll
|
|
62
|
-
coll.any? {|item| item === result.url}
|
|
63
|
-
end
|
|
42
|
+
ALLOW_NNN_FOR = /^allow_(\d\d\d)_for$/
|
|
64
43
|
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
44
|
+
class << self
|
|
45
|
+
attr_accessor :next_number
|
|
46
|
+
|
|
47
|
+
def handle(result)
|
|
48
|
+
retval = result.dup
|
|
49
|
+
retval.success = successful?(result.response) || can_skip_error?(result)
|
|
50
|
+
retval.description = "Bad HTTP Response" unless retval.success
|
|
51
|
+
retval
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def success_codes
|
|
55
|
+
%w{200 201 302 401}
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
# allow_errors_for is a hash
|
|
59
|
+
# k=error code,
|
|
60
|
+
# v=array of matchers for urls that can skip said error
|
|
61
|
+
attr_accessor :allow_errors_for
|
|
62
|
+
def can_skip_error?(result)
|
|
63
|
+
coll = allow_errors_for[result.code]
|
|
64
|
+
return false unless coll
|
|
65
|
+
coll.any? {|item| item === result.url}
|
|
66
|
+
end
|
|
68
67
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
68
|
+
def successful?(response)
|
|
69
|
+
success_codes.member?(response.code)
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def method_missing(meth, *args)
|
|
73
|
+
super unless ALLOW_NNN_FOR =~ meth.to_s
|
|
74
|
+
(allow_errors_for[$1] ||= []).push(*args)
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
self.allow_errors_for = {}
|
|
79
|
+
self.next_number = 0
|
|
72
80
|
end
|
|
73
|
-
end
|
|
74
81
|
|
|
75
|
-
|
|
76
|
-
self.next_number = 0
|
|
82
|
+
end
|
|
77
83
|
end
|
|
@@ -9,23 +9,28 @@ end
|
|
|
9
9
|
if defined? Tidy
|
|
10
10
|
Tidy.path = ENV['TIDY_PATH'] if ENV['TIDY_PATH']
|
|
11
11
|
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
12
|
+
module Relevance
|
|
13
|
+
module Tarantula
|
|
14
|
+
|
|
15
|
+
class TidyHandler
|
|
16
|
+
include Relevance::Tarantula
|
|
17
|
+
def initialize(options = {})
|
|
18
|
+
@options = {:show_warnings=>true}.merge(options)
|
|
19
|
+
end
|
|
20
|
+
def handle(result)
|
|
21
|
+
response = result.response
|
|
22
|
+
return unless response.html?
|
|
23
|
+
tidy = Tidy.open(@options) do |tidy|
|
|
24
|
+
xml = tidy.clean(response.body)
|
|
25
|
+
tidy
|
|
26
|
+
end
|
|
27
|
+
unless tidy.errors.blank?
|
|
28
|
+
error_result = result.dup
|
|
29
|
+
error_result.description = "Bad HTML (Tidy)"
|
|
30
|
+
error_result.data = tidy.errors.inspect
|
|
31
|
+
error_result
|
|
32
|
+
end
|
|
33
|
+
end
|
|
29
34
|
end
|
|
30
35
|
end
|
|
31
36
|
end
|
|
@@ -1,17 +1,21 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
string
|
|
11
|
-
|
|
12
|
-
|
|
1
|
+
module Relevance
|
|
2
|
+
module Tarantula
|
|
3
|
+
|
|
4
|
+
class Transform
|
|
5
|
+
attr_accessor :from, :to
|
|
6
|
+
def initialize(from, to)
|
|
7
|
+
@from = from
|
|
8
|
+
@to = to
|
|
9
|
+
end
|
|
10
|
+
def [](string)
|
|
11
|
+
case to
|
|
12
|
+
when Proc
|
|
13
|
+
string.gsub(from, &to)
|
|
14
|
+
else
|
|
15
|
+
string.gsub(from, to)
|
|
16
|
+
end
|
|
17
|
+
end
|
|
13
18
|
end
|
|
19
|
+
|
|
14
20
|
end
|
|
15
21
|
end
|
|
16
|
-
|
|
17
|
-
|
|
@@ -36,7 +36,7 @@ namespace :tarantula do
|
|
|
36
36
|
desc 'Generate a default tarantula test'
|
|
37
37
|
task :setup do
|
|
38
38
|
mkdir_p "test/tarantula"
|
|
39
|
-
template_path = File.expand_path(File.join(File.dirname(__FILE__), "
|
|
39
|
+
template_path = File.expand_path(File.join(File.dirname(__FILE__), "../../..", "template", "tarantula_test.rb"))
|
|
40
40
|
cp template_path, "test/tarantula/"
|
|
41
41
|
end
|
|
42
42
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
|
|
3
3
|
describe "Relevance::CoreExtensions::Object#ellipsize" do
|
|
4
4
|
it "converts nil to empty string" do
|
|
@@ -16,4 +16,4 @@ describe "Relevance::CoreExtensions::Object#ellipsize" do
|
|
|
16
16
|
it "shortens long strings and adds ..." do
|
|
17
17
|
"long-string".ellipsize(5).should == "long-..."
|
|
18
18
|
end
|
|
19
|
-
end
|
|
19
|
+
end
|
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
require 'relevance/core_extensions/file'
|
|
3
3
|
|
|
4
4
|
describe "Relevance::CoreExtensions::File#extension" do
|
|
5
5
|
it "should return the extension without the leading dot" do
|
|
6
6
|
File.extension("foo.bar").should == "bar"
|
|
7
7
|
end
|
|
8
|
-
end
|
|
8
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
require 'relevance/core_extensions/file'
|
|
3
3
|
|
|
4
4
|
describe "Relevance::CoreExtensions::Response#html?" do
|
|
@@ -26,4 +26,4 @@ describe "Relevance::CoreExtensions::Response#html?" do
|
|
|
26
26
|
@response.should be_html
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
end
|
|
29
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
|
|
3
3
|
describe Relevance::Tarantula::BasicAttack do
|
|
4
4
|
before do
|
|
@@ -9,4 +9,4 @@ describe Relevance::Tarantula::BasicAttack do
|
|
|
9
9
|
@attack.random_whole_number.should >= 0
|
|
10
10
|
Fixnum.should === @attack.random_whole_number
|
|
11
11
|
end
|
|
12
|
-
end
|
|
12
|
+
end
|
data/{examples/relevance/tarantula/crawler_example.rb → spec/relevance/tarantula/crawler_spec.rb}
RENAMED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
|
|
3
3
|
describe Relevance::Tarantula::Crawler do
|
|
4
4
|
|
|
@@ -372,4 +372,4 @@ describe Relevance::Tarantula::Crawler do
|
|
|
372
372
|
|
|
373
373
|
end
|
|
374
374
|
|
|
375
|
-
end
|
|
375
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
|
|
3
3
|
describe "Relevance::Tarantula::Form large example" do
|
|
4
4
|
before do
|
|
@@ -47,4 +47,4 @@ END
|
|
|
47
47
|
@form.method.should == "put"
|
|
48
48
|
end
|
|
49
49
|
|
|
50
|
-
end
|
|
50
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
|
|
3
3
|
describe Relevance::Tarantula::FormSubmission do
|
|
4
4
|
|
|
@@ -53,7 +53,7 @@ describe Relevance::Tarantula::FormSubmission do
|
|
|
53
53
|
end
|
|
54
54
|
|
|
55
55
|
it "can mutate selects" do
|
|
56
|
-
Hpricot::Elements.any_instance.stubs(:
|
|
56
|
+
Hpricot::Elements.any_instance.stubs(:sample).returns(stub(:[] => "2006-stub"))
|
|
57
57
|
@fs.mutate_selects(@form).should == {"foo[opened_on(1i)]" => "2006-stub"}
|
|
58
58
|
end
|
|
59
59
|
|
|
@@ -91,7 +91,7 @@ describe Relevance::Tarantula::FormSubmission do
|
|
|
91
91
|
end
|
|
92
92
|
|
|
93
93
|
it "can mutate selects" do
|
|
94
|
-
Hpricot::Elements.any_instance.stubs(:
|
|
94
|
+
Hpricot::Elements.any_instance.stubs(:sample).returns(stub(:[] => "2006-stub"))
|
|
95
95
|
@fs.mutate_selects(@form).should == {"foo[opened_on(1i)]" => "2006-stub"}
|
|
96
96
|
end
|
|
97
97
|
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "spec_helper"
|
|
2
2
|
|
|
3
3
|
describe "Relevance::Tarantula::Link" do
|
|
4
4
|
include ActionView::Helpers::UrlHelper
|
|
@@ -16,19 +16,19 @@ describe "Relevance::Tarantula::Link" do
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
it "parses anchor tags with POST 'method'" do
|
|
19
|
-
link = make_link(Hpricot(%Q{<a href="/foo" onclick="#{method_javascript_function(:post)}">foo</a>}).at('a'))
|
|
19
|
+
link = make_link(Hpricot(%Q{<a href="/foo" onclick="#{Relevance::Tarantula::Link.method_javascript_function(:post)}">foo</a>}).at('a'))
|
|
20
20
|
link.href.should == '/foo'
|
|
21
21
|
link.method.should == :post
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
it "parses anchor tags with PUT 'method'" do
|
|
25
|
-
link = make_link(Hpricot(%Q{<a href="/foo" onclick="#{method_javascript_function(:put)}">foo</a>}).at('a'))
|
|
25
|
+
link = make_link(Hpricot(%Q{<a href="/foo" onclick="#{Relevance::Tarantula::Link.method_javascript_function(:put)}">foo</a>}).at('a'))
|
|
26
26
|
link.href.should == '/foo'
|
|
27
27
|
link.method.should == :put
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
it "parses anchor tags with DELETE 'method'" do
|
|
31
|
-
link = make_link(Hpricot(%Q{<a href="/foo" onclick="#{method_javascript_function(:delete)}">foo</a>}).at('a'))
|
|
31
|
+
link = make_link(Hpricot(%Q{<a href="/foo" onclick="#{Relevance::Tarantula::Link.method_javascript_function(:delete)}">foo</a>}).at('a'))
|
|
32
32
|
link.href.should == '/foo'
|
|
33
33
|
link.method.should == :delete
|
|
34
34
|
end
|
|
@@ -81,4 +81,4 @@ describe "possible conflict when user has an AR model named Link" do
|
|
|
81
81
|
}.should_not raise_error
|
|
82
82
|
end
|
|
83
83
|
|
|
84
|
-
end
|
|
84
|
+
end
|