unisec 0.0.4 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 207fef6efc641ecf3ba11879d368cd2c6ac54f4d7001d948428c32a67e992e05
-  data.tar.gz: bec8d1577d59b146747a1346794df62ea7928feb47ca3c64e669636f91cdb9fa
+  metadata.gz: 60d2859aca7324908f4894b8ca2cc99b145657e7ea68fbc51e11a1e787886a57
+  data.tar.gz: 4c426795faa520f02daec94f1cf14379a4a994a0902cc52640e2a358b210c28b
 SHA512:
-  metadata.gz: cb406f1c0b27575d84b497d5cec9a994f05a33f816630ebacd5013594997394c5b5473575d1a241193bb1e586bd3a7510c80a7597d9995f35cbb0f5b09882987
-  data.tar.gz: 994e93feae65577b462e85ac3450dbb4d8a7f6160d00f4a19fe21bae518de85846a2e4cb71668b7fee0c5afb2ea39932831d2e333e802ab048b6dbd5bd653cc1
+  metadata.gz: 8d5c67bf6bc1e76253971cc4b3bdccc513fb13fd3d3fa2dcdffa97329e09b45654b2f2f0a2c734e54c87bcffdb71adfa392a352ec757b6de0f761feaa8b73d28
+  data.tar.gz: 7be763bb5b2adb2139771c3e3f789c101f884209c7ca7e5488df18e97c6cac25578b11c34b451efaddeb11a9926fefeb935857da32a33e3de192b0e39cb46532

data/lib/unisec/bidi.rb

@@ -129,6 +129,7 @@ module Unisec
       #
       # The light version displays only the spoof payload for easy piping with other commands.
       # @param light [Boolean] `true` = light display (displays only the spoof payload for easy piping with other commands), `false` (default) = full display.
+      # @return [String] CLI-ready output
       # @example
       #   puts Unisec::Bidi::Spoof.new('noraj').display
       #   # Target string: noraj

data/lib/unisec/cli/cli.rb

@@ -3,6 +3,7 @@
 require 'unisec/cli/bidi'
 require 'unisec/cli/confusables'
 require 'unisec/cli/hexdump'
+require 'unisec/cli/normalization'
 require 'unisec/cli/properties'
 require 'unisec/cli/rugrep'
 require 'unisec/cli/size'
@@ -23,6 +24,8 @@ module Unisec
       register 'confusables randomize', Confusables::Randomize
       register 'grep', Grep
       register 'hexdump', Hexdump
+      register 'normalize all', Normalize::All
+      register 'normalize replace', Normalize::Replace
       register 'properties char', Properties::Char
       register 'properties codepoints', Properties::Codepoints
       register 'properties list', Properties::List

data/lib/unisec/cli/hexdump.rb

@@ -17,6 +17,9 @@ module Unisec
       # UTF-16LE: 4100 4300 4300 4500 4900 5300
       # UTF-32BE: 00000041 00000043 00000043 00000045 00000049 00000053
       # UTF-32LE: 41000000 43000000 43000000 45000000 49000000 53000000
+      #
+      # $unisec hexdump "ACCEIS" --enc utf16le
+      # 4100 4300 4300 4500 4900 5300
       # ```
       class Hexdump < Dry::CLI::Command
         desc 'Hexdump in all Unicode encodings'
@@ -35,7 +38,7 @@ module Unisec
             puts Unisec::Hexdump.new(input).display
           else
             # using send() is safe here thanks to the value whitelist
-            puts puts Unisec::Hexdump.send(options[:enc], input)
+            puts Unisec::Hexdump.send(options[:enc], input)
           end
         end
       end

data/lib/unisec/cli/normalization.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'dry/cli'
+require 'unisec'
+require 'unisec/utils'
+
+module Unisec
+  module CLI
+    module Commands
+      # CLI sub-commands `unisec normalize xxx` for the class {Unisec::Normalization} from the lib.
+      module Normalize
+        # Command `unisec normalize all "example"`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # ➜ unisec normalize all ẛ̣
+        # Original: ẛ̣
+        #   U+1E9B U+0323
+        # NFC: ẛ̣
+        #   U+1E9B U+0323
+        # NFKC: ṩ
+        #   U+1E69
+        # NFD: ẛ̣
+        #   U+017F U+0323 U+0307
+        # NFKD: ṩ
+        #   U+0073 U+0323 U+0307
+        #
+        # ➜ unisec normalize all ẛ̣  --form nfkd
+        # ṩ
+        # ```
+        class All < Dry::CLI::Command
+          desc 'Normalize in all forms'
+
+          argument :input, required: true,
+                           desc: 'String input. Read from STDIN if equal to -.'
+
+          option :form, default: nil, values: %w[nfc nfkc nfd nfkd],
+                        desc: 'Output only in the specified normalization form.'
+
+          # Normalize in all forms
+          # @param input [String] Input string to normalize
+          def call(input: nil, **options)
+            input = $stdin.read.chomp if input == '-'
+            if options[:form].nil?
+              puts Unisec::Normalization.new(input).display
+            else
+              # using send() is safe here thanks to the value whitelist
+              puts Unisec::Normalization.send(options[:form], input)
+            end
+          end
+        end
+
+        # Command `unisec normalize replace "example"`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # ➜ unisec normalize replace "<svg onload=\"alert('XSS')\">"
+        # Original: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        # Bypass payload: ﹤svg onload=＂alert(＇XSS＇)＂﹥
+        #   U+FE64 U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+FF02 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+FF07 U+0058 U+0053 U+0053 U+FF07 U+0029 U+FF02 U+FE65
+        # NFKC: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        # NFKD: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        #
+        # ➜ echo -n "<svg onload=\"alert('XSS')\">" | unisec normalize replace -
+        # ```
+        class Replace < Dry::CLI::Command
+          desc 'Prepare a XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)'
+
+          argument :input, required: true,
+                           desc: 'String input. Read from STDIN if equal to -.'
+
+          # Prepare a XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)
+          # @param input [String] Input string to normalize
+          def call(input: nil, **_options)
+            input = $stdin.read.chomp if input == '-'
+            puts Unisec::Normalization.new(input).display_replace
+          end
+        end
+      end
+    end
+  end
+end

data/lib/unisec/hexdump.rb

@@ -86,6 +86,7 @@ module Unisec
     end
 
     # Display a CLI-friendly output summurizing the hexdump in all Unicode encodings
+    # @return [String] CLI-ready output
     # @example
     #   puts Unisec::Hexdump.new('K').display # =>
     #   # UTF-8: e2 84 aa

data/lib/unisec/normalization.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require 'ctf_party'
+
+module Unisec
+  # Normalization Forms
+  class Normalization
+    # HTML escapable characters mapped with their Unicode counterparts that will
+    # cast to themself after applying normalization forms using compatibility mode.
+    HTML_ESCAPE_BYPASS = {
+      '<' => ['﹤', '＜'],
+      '>' => ['﹥', '＞'],
+      '"' => ['＂'],
+      "'" => ['＇'],
+      '&' => ['﹠', '＆']
+    }.freeze
+
+    # Original input
+    # @return [String] untouched input
+    attr_reader :original
+
+    # Normalization Form C (NFC) - Canonical Decomposition, followed by Canonical Composition
+    # @return [String] input normalized with NFC
+    attr_reader :nfc
+
+    # Normalization Form KC (NFKC) - Compatibility Decomposition, followed by Canonical Composition
+    # @return [String] input normalized with NFKC
+    attr_reader :nfkc
+
+    # Normalization Form D (NFD) - Canonical Decomposition
+    # @return [String] input normalized with NFD
+    attr_reader :nfd
+
+    # Normalization Form KD (NFKD) - Compatibility Decomposition
+    # @return [String] input normalized with NFKD
+    attr_reader :nfkd
+
+    # Generate all normilzation forms for a given input
+    # @param str [String] the target string
+    # @return [nil]
+    def initialize(str)
+      @original = str
+      @nfc = Normalization.nfc(str)
+      @nfkc = Normalization.nfkc(str)
+      @nfd = Normalization.nfd(str)
+      @nfkd = Normalization.nfkd(str)
+    end
+
+    # Normalization Form C (NFC) - Canonical Decomposition, followed by Canonical Composition
+    # @param str [String] the target string
+    # @return [String] input normalized with NFC
+    def self.nfc(str)
+      str.unicode_normalize(:nfc)
+    end
+
+    # Normalization Form KC (NFKC) - Compatibility Decomposition, followed by Canonical Composition
+    # @param str [String] the target string
+    # @return [String] input normalized with NFKC
+    def self.nfkc(str)
+      str.unicode_normalize(:nfkc)
+    end
+
+    # Normalization Form D (NFD) - Canonical Decomposition
+    # @param str [String] the target string
+    # @return [String] input normalized with NFD
+    def self.nfd(str)
+      str.unicode_normalize(:nfd)
+    end
+
+    # Normalization Form KD (NFKD) - Compatibility Decomposition
+    # @param str [String] the target string
+    # @return [String] input normalized with NFKD
+    def self.nfkd(str)
+      str.unicode_normalize(:nfkd)
+    end
+
+    # Replace HTML escapable characters with their Unicode counterparts that will
+    # cast to themself after applying normalization forms using compatibility mode.
+    # Usefull for XSS, to bypass HTML escape.
+    # If several values are possible, one is picked randomly.
+    # @param str [String] the target string
+    # @return [String] escaped input
+    def self.replace_bypass(str)
+      str = str.dup
+      HTML_ESCAPE_BYPASS.each do |k, v|
+        str.gsub!(k, v.sample)
+      end
+      str
+    end
+
+    # Instance version of {Normalization.replace_bypass}.
+    def replace_bypass
+      Normalization.replace_bypass(@original)
+    end
+
+    # Display a CLI-friendly output summurizing all normalization forms
+    # @return [String] CLI-ready output
+    # @example
+    #   puts Unisec::Normalization.new("\u{1E9B 0323}").display
+    #   # =>
+    #   # Original: ẛ̣
+    #   #   U+1E9B U+0323
+    #   # NFC: ẛ̣
+    #   #   U+1E9B U+0323
+    #   # NFKC: ṩ
+    #   #   U+1E69
+    #   # NFD: ẛ̣
+    #   #   U+017F U+0323 U+0307
+    #   # NFKD: ṩ
+    #   #   U+0073 U+0323 U+0307
+    def display
+      colorize = lambda { |form_title, form_attr|
+        "#{Paint[form_title.to_s, :underline,
+                 :bold]}: #{form_attr}\n  #{Paint[Unisec::Properties.chars2codepoints(form_attr), :red]}\n"
+      }
+      colorize.call('Original', @original) +
+        colorize.call('NFC', @nfc) +
+        colorize.call('NFKC', @nfkc) +
+        colorize.call('NFD', @nfd) +
+        colorize.call('NFKD', @nfkd)
+    end
+
+    # Display a CLI-friendly output of the XSS payload to bypass HTML escape and
+    # what it does once normalized in NFKC & NFKD.
+    def display_replace
+      colorize = lambda { |form_title, form_attr|
+        "#{Paint[form_title.to_s, :underline,
+                 :bold]}: #{form_attr}\n  #{Paint[Unisec::Properties.chars2codepoints(form_attr), :red]}\n"
+      }
+      payload = replace_bypass
+      colorize.call('Original', @original) +
+        colorize.call('Bypass payload', payload) +
+        colorize.call('NFKC', Normalization.nfkc(payload)) +
+        colorize.call('NFKD', Normalization.nfkd(payload))
+    end
+  end
+end

data/lib/unisec/surrogates.rb

@@ -102,6 +102,7 @@ module Unisec
     # Display a CLI-friendly output summurizing everithing about the surrogates:
     # the corresponding character, code point, high and low surrogates
     # (each displayed as hexadecimal, decimal and binary).
+    # @return [String] CLI-ready output
     # @example
     #   surr = Unisec::Surrogates.new(128169)
     #   puts surr.display # =>

data/lib/unisec/version.rb

@@ -2,5 +2,5 @@
 
 module Unisec
   # Version of unisec library and app
-  VERSION = '0.0.4'
+  VERSION = '0.0.6'
 end

data/lib/unisec/versions.rb

@@ -72,19 +72,19 @@ module Unisec
     #   # …
     def self.display # rubocop:disable Metrics/AbcSize
       data = versions
-      display = ->(node) { puts Paint[data[node][:label], :red, :bold].ljust(44) + " #{data[node][:version]}" }
-      puts Paint['Unicode:', :underline]
-      display.call(:ruby_unicode)
-      display.call(:twittercldr_unicode)
-      display.call(:unicodeconfusable_unicode)
-      display.call(:twittercldr_icu)
-      display.call(:twittercldr_cldr)
-      display.call(:ruby_unicode_emoji)
-      display.call(:ucd_derivedname)
-      puts Paint["\nGems:", :underline]
-      display.call(:unisec)
-      display.call(:twittercldr)
-      display.call(:unicodeconfusable)
+      colorize = ->(node) { Paint[data[node][:label], :red, :bold].ljust(44) + " #{data[node][:version]}\n" }
+      Paint["Unicode:\n", :underline] +
+        colorize.call(:ruby_unicode) +
+        colorize.call(:twittercldr_unicode) +
+        colorize.call(:unicodeconfusable_unicode) +
+        colorize.call(:twittercldr_icu) +
+        colorize.call(:twittercldr_cldr) +
+        colorize.call(:ruby_unicode_emoji) +
+        colorize.call(:ucd_derivedname) +
+        Paint["\nGems:\n", :underline] +
+        colorize.call(:unisec) +
+        colorize.call(:twittercldr) +
+        colorize.call(:unicodeconfusable)
     end
   end
 end

data/lib/unisec.rb

@@ -5,6 +5,7 @@ require 'unisec/version'
 require 'unisec/bidi'
 require 'unisec/confusables'
 require 'unisec/hexdump'
+require 'unisec/normalization'
 require 'unisec/properties'
 require 'unisec/rugrep'
 require 'unisec/size'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unisec
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.6
 platform: ruby
 authors:
 - Alexandre ZANNI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-23 00:00:00.000000000 Z
+date: 2024-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ctf-party
@@ -88,7 +88,7 @@ dependencies:
         version: '1.9'
 description: 'Toolkit for security research manipulating Unicode: confusables, homoglyphs,
   hexdump, code point, UTF-8, UTF-16, UTF-32, properties, regexp search, size, grapheme,
-  surrogates, version, ICU, CLDR, UCD'
+  surrogates, version, ICU, CLDR, UCD, BiDi, normalization'
 email: alexandre.zanni@europe.com
 executables:
 - unisec
@@ -104,6 +104,7 @@ files:
 - lib/unisec/cli/cli.rb
 - lib/unisec/cli/confusables.rb
 - lib/unisec/cli/hexdump.rb
+- lib/unisec/cli/normalization.rb
 - lib/unisec/cli/properties.rb
 - lib/unisec/cli/rugrep.rb
 - lib/unisec/cli/size.rb
@@ -111,6 +112,7 @@ files:
 - lib/unisec/cli/versions.rb
 - lib/unisec/confusables.rb
 - lib/unisec/hexdump.rb
+- lib/unisec/normalization.rb
 - lib/unisec/properties.rb
 - lib/unisec/rugrep.rb
 - lib/unisec/size.rb