RubyGems - thumblemonks-inquisition - Versions diffs - 0.1.0 - Mend

thumblemonks-inquisition 0.1.0

Files changed (11) hide show

data/lib/inquisition.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'html5'
+require 'html5lib_sanitize'
+# == Introduction
+#
+# Inquisition will escape html included in specified attributes to
+# eliminate xss-style attacks.
+module Inquisition
+  def self.included(klass)
+    klass.extend(ClassMethods)
+  end
+  module ClassMethods
+    # cleanse_attr creates getters and setters for the specified list of attributes.
+    def cleanse_attr(*attributes)
+      cleanse_attr_reader(*attributes)
+      cleanse_attr_writer(*attributes)
+    end
+    def cleanse_attr_reader(*attributes)
+      attributes.each do |attr|
+        alias_method(:"#{attr}_without_cleansing", :"#{attr}")
+        define_method(:"#{attr}") do
+          HTML5libSanitize.sanitize_html(send(:"#{attr}_without_cleansing"))
+        end
+      end
+    end
+    def cleanse_attr_writer(*attributes)
+      attributes.each do |attr|
+        alias_method(:"#{attr}_without_cleansing=", :"#{attr}=")
+        define_method(:"#{attr}=") do |value|
+          send(:"#{attr}_without_cleansing=", HTML5libSanitize.sanitize_html(value))
+        end
+      end
+    end
+  end #Class Methods
+end #Inquisition
+class Object
+  include Inquisition
+end

data/test/inquisition_test.rb ADDED Viewed

@@ -0,0 +1,37 @@
+require 'test_helper'
+class InquisitionTest < Test::Unit::TestCase
+  context "a fine Whisky" do
+    setup do
+      @whisky = Whisky.new(:name => "<script>alert('Cragganmore')</script>",
+        :origin => "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", :abv => 42.0,
+        :description => %Q['';!--"<XSS>=&{()}a buttery scotch])
+    end
+    should "have heresy removed from name" do
+      assert_equal "&lt;script&gt;alert('Cragganmore')&lt;/script&gt;", @whisky.name
+    end
+    should "remove already-ingrained heresey" do
+      @whisky.instance_variable_set(:@name, "<script>alert('Cragganmore')</script>")
+      assert_equal "&lt;script&gt;alert('Cragganmore')&lt;/script&gt;", @whisky.name
+    end
+    should "cleanse heresy before setting" do
+      @whisky.name = "<script>alert('Cragganmore')</script>"
+      private_name = @whisky.instance_variable_get(:@name)
+      assert_equal "&lt;script&gt;alert('Cragganmore')&lt;/script&gt;", private_name
+    end
+    should "not cleanse fields not targeted for cleansing" do
+      assert_equal "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", @whisky.origin
+    end
+    should "not cleanse and set fields not targeted for cleansing" do
+      @whisky.origin = "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>"
+      private_origin = @whisky.instance_variable_get(:@origin)
+      assert_equal "<SCRIPT SRC=http://ha.ckers.org/xss.js>Scotland</SCRIPT>", @whisky.origin
+    end
+  end
+end

data/test/lib/animal.rb ADDED Viewed

@@ -0,0 +1,13 @@
+class Animal
+  attr_accessor :name, :noise
+  def initialize(attributes)
+    attributes.each_pair do |k,v|
+      self.send(:"#{k}=",v)
+    end
+  end
+  def bark
+    "#{noise.capitalize}! #{noise.capitalize}!"
+  end
+end

data/test/lib/whisky.rb ADDED Viewed

@@ -0,0 +1,14 @@
+class Whisky
+  attr_accessor :name, :origin, :abv, :description
+  cleanse_attr :name, :description
+  def initialize(attributes)
+    attributes.each_pair do |k,v|
+      self.send(:"#{k}=",v)
+    end
+  end
+  def drink
+    "You quaffed #{description}"
+  end
+end

data/test/performance.rb ADDED Viewed

@@ -0,0 +1,29 @@
+require 'benchmark'
+require File.join(File.dirname(__FILE__), 'test_helper')
+@whisky = Whisky.new({})
+Benchmark.bmbm do |x|
+  x.report("normal") do
+    1_000.times do
+      @whisky.origin = "<script>foo</script>"
+      @whisky.instance_variable_set(:@origin, "<script>foo</script>")
+      @whisky.origin
+    end
+  end
+  x.report("cleansed") do
+    1_000.times do
+      @whisky.name = "<script>foo</script>"
+      @whisky.instance_variable_set(:@name, "<script>foo</script>")
+      @whisky.name
+    end
+  end
+  x.report("writer only") do
+    1_000.times do @whisky.name = "<script>foo</script>" end
+  end
+  x.report("reader only") do
+    1_000.times do
+      @whisky.instance_variable_set(:@name, "<script>foo</script>")
+      @whisky.name = "<script>foo</script>"
+    end
+  end
+end

data/test/test_helper.rb ADDED Viewed

@@ -0,0 +1,14 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'inquisition'
+#Test models, yeah.
+require 'lib/animal'
+require 'lib/whisky'
+class Test::Unit::TestCase
+end

metadata ADDED Viewed

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification
+name: thumblemonks-inquisition
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- toothrot
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2009-03-27 00:00:00 -07:00
+default_executable:
+dependencies: []
+description:
+email: scissorjammer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+- LICENSE
+files:
+- VERSION.yml
+- README.rdoc
+- lib/inquisition.rb
+- lib/html5lib_sanitize.rb
+- test/lib
+- test/lib/animal.rb
+- test/lib/whisky.rb
+- test/inquisition_test.rb
+- test/performance.rb
+- test/test_helper.rb
+- LICENSE
+has_rdoc: true
+homepage: http://github.com/thumblemonks/inquisition
+post_install_message: Choosy heretics choose Thumble Monks.
+rdoc_options:
+- --inline-source
+- --charset=UTF-8
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+requirements: []
+rubyforge_project:
+rubygems_version: 1.2.0
+signing_key:
+specification_version: 2
+summary: TODO
+test_files: []