f2712773d0f8beed1be8ec97fcd39a27f6ff4159 4f4e5a77b043d9626507548acd65ac6fe1839aa4 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/adaba9bc598e822903ed8c51280061933d5aad7a adaba9bc598e822903ed8c51280061933d5aad7a 2008-12-20T19:02:25-08:00 2008-12-20T19:02:25-08:00 Merge branch 'master' into new-plugins 45d62477c4e49e5547b5ab84bc39b303bb586eca Eric Kidd git@randomhacks.net 42ccdc10fe910e6ecb942f9d2d32e7c9afe785aa Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/4f4e5a77b043d9626507548acd65ac6fe1839aa4 4f4e5a77b043d9626507548acd65ac6fe1839aa4 2008-12-20T14:38:04-08:00 2008-12-20T14:38:04-08:00 Update to emk-safe_erb 0.1.2 This fixes script/generate and the standard Rails error page. 819f2850803d25c1f42673f94cec1fe7aede2073 Eric Kidd git@randomhacks.net e229865d6e63a6b6c0e6cb7aac21992ca303f94a Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/42ccdc10fe910e6ecb942f9d2d32e7c9afe785aa 42ccdc10fe910e6ecb942f9d2d32e7c9afe785aa 2008-12-20T12:50:29-08:00 2008-12-20T12:50:29-08:00 Test for safe_erb in ActionView::Template, not in ERB We've been installing safe_erb in all ERB templates, which breaks script/generate and lots of other important stuff. But before we can fix this bug in our custom-hacked safe_erb, we need to narrow our Mephisto unit tests down so that they only test ActionView::Template. A safe_erb update will be along shortly. d39ab5f9f1b48265116949835924fcfaecbf2403 Eric Kidd git@randomhacks.net 4aae70e165bd63602fb51ef44d516f9f67c3737a rick technoweenie@gmail.com http://github.com/emk/mephisto/commit/e229865d6e63a6b6c0e6cb7aac21992ca303f94a e229865d6e63a6b6c0e6cb7aac21992ca303f94a 2008-12-20T10:48:38-08:00 2008-12-20T10:48:38-08:00 catch tainted string in overview 7a580309ed604bf6eb679546848711d3a6202804 rick technoweenie@gmail.com c28eb75d64aab99c1832df257f3187974017cf32 rick technoweenie@gmail.com http://github.com/emk/mephisto/commit/4aae70e165bd63602fb51ef44d516f9f67c3737a 4aae70e165bd63602fb51ef44d516f9f67c3737a 2008-12-20T10:46:14-08:00 2008-12-20T10:46:14-08:00 add machinist to the tests 75fbe2a672e9b0b3524214c5e79b50e9cef1a530 rick technoweenie@gmail.com 8681b6419d3bbe53929dea28ede3d32553944832 rick technoweenie@gmail.com http://github.com/emk/mephisto/commit/c28eb75d64aab99c1832df257f3187974017cf32 c28eb75d64aab99c1832df257f3187974017cf32 2008-12-20T10:46:04-08:00 2008-12-20T10:46:04-08:00 add Event.make_from to the Event blueprint 4e7adbb9bc3b0c7380e2a5ee34ffc0236694dbad rick technoweenie@gmail.com 9c612f8c90ca2921086c123d5e574005d00a16b0 rick technoweenie@gmail.com http://github.com/emk/mephisto/commit/8681b6419d3bbe53929dea28ede3d32553944832 8681b6419d3bbe53929dea28ede3d32553944832 2008-12-20T10:45:38-08:00 2008-12-20T10:45:38-08:00 extract event mode logic to Event.mode_from 826d503b1227bb79877842b1811603ae5dc9ff7d rick technoweenie@gmail.com 24bfceaae2b1edf7c2f92fb9a7716a523ba7f417 rick technoweenie@gmail.com http://github.com/emk/mephisto/commit/9c612f8c90ca2921086c123d5e574005d00a16b0 9c612f8c90ca2921086c123d5e574005d00a16b0 2008-12-20T10:03:09-08:00 2008-12-20T10:01:04-08:00 add Event blueprint 2a3c619f862d285b94f71448d7b8c864c14755ea rick technoweenie@gmail.com 0c628dc7e2ff8b7529f43e4090d37adc8e86ba54 24bfceaae2b1edf7c2f92fb9a7716a523ba7f417 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/f2712773d0f8beed1be8ec97fcd39a27f6ff4159 f2712773d0f8beed1be8ec97fcd39a27f6ff4159 2008-12-20T08:04:57-08:00 2008-12-20T08:04:57-08:00 Merge branch 'master' into new-plugins Conflicts: lib/mephisto/plugin.rb 1e506c6f381b3ba951c3c9b76de90aeccf33aad0 Eric Kidd git@randomhacks.net 38348fb9236859143d79acba02388af617731204 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/24bfceaae2b1edf7c2f92fb9a7716a523ba7f417 24bfceaae2b1edf7c2f92fb9a7716a523ba7f417 2008-12-20T08:00:20-08:00 2008-12-20T08:00:07-08:00 Security: Finish first stage of audit What we've done: We've tried to protect against attacks by the "public". Most of our attention has been directed towards XSS, CSRF and other attacks by users who aren't logged in. Our security audit was based on the following principles: 1) Users with access to /admin are (unfortunately) fully trusted. There are simply too many ways for them to escalate their privileges right now, if they're willing to use XSS and other attacks. 2) Things which look "suspicious" were simply fixed, without any attempt to determine whether they could be exploited in the wild. 3) Whenever possible, we instituted broad, automatic protections against entire classes of attacks. These include SafeERB and read-only GET requests. This means that we don't need to audit every single view, controller and plugin for subtle errors. What still needs work: My hacked version of SafeERB is currently breaking script/generate. f9560e5093f23d404356e97801060ac4a85c2669 Eric Kidd git@randomhacks.net 64eff7f46ab8191d1dd766f7746f3a52d31fd7b3 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/38348fb9236859143d79acba02388af617731204 38348fb9236859143d79acba02388af617731204 2008-12-20T07:45:14-08:00 2008-12-20T07:45:14-08:00 Don't log "remember me" token This token can be trivially recovered from the database, so excluding it from the logs doesn't actually accomplish anything. But there's no reason to include it in the logs, either. e68e88c291aa443bb67f1469e003600c25d5abdf Eric Kidd git@randomhacks.net c500bf8e05c250d02672c30d079a0bdeb66f0569 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/64eff7f46ab8191d1dd766f7746f3a52d31fd7b3 64eff7f46ab8191d1dd766f7746f3a52d31fd7b3 2008-12-20T07:43:45-08:00 2008-12-20T07:43:45-08:00 Security: Attempt to block auth of nil tokens, etc. Some Rails authentication systems have suffered from a vulnerability involving nil or blank login tokens: http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/ This patch includes a bunch of test cases testing for possible attacks along these lines, and some sanity-checking code in our authentication methods. Note that the tests and the code don't really "line up" here--most of the test methods passed already, and most of the sanity-checking code is probably unnecessary. But again, better safe than sorry. 3b4e0fdd75748350aff26d604f7f5a7d6a61e552 Eric Kidd git@randomhacks.net ff0113a3c8ed63746af2a6c8398f29969330b439 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/c500bf8e05c250d02672c30d079a0bdeb66f0569 c500bf8e05c250d02672c30d079a0bdeb66f0569 2008-12-20T06:10:37-08:00 2008-12-20T06:10:37-08:00 Security: Force all GET requests to be read-only The W3C makes a clear distinction between GET and POST requests. GET requests should only cause "safe" actions, and the user should never be held accountable for making GET requests. See the following for an overview: http://www.w3.org/2001/tag/doc/whenToUseGet.html The Rails 'protect_against_forgery' function (and possibly some web browsers) rely on the distinction between GET and POST to provide protection against CSRF attacks. See: http://en.wikipedia.org/wiki/Cross-site_request_forgery http://guides.rubyonrails.org/security.html#_csrf_countermeasures Unfortunately, enforcing these rules in rather difficult, especially in a large application with lots of controllers and plugins. So this patch applies a rather heavy-handed fix: We globally block database writes during GET requests, and specifically override that policy in one or two places. All of our current overrides invoke User#reset_token!. I haven't performed a full security analysis of allowing User#reset_token! (or updates to session[:user] based on our "remember me" token) in a GET request. For now, I'm going to go ahead and allow this activity--if we actually have some sort of vulnerability here, it affects a wide range of web applications. Note that this patch may break some part of the /admin interface. I've tried posting articles and other basic stuff, but I haven't used the lesser-known corners of /admin since making these changes. Please report any problems. 58b206f97ec48143ffae2256ba548a18b1e21765 Eric Kidd git@randomhacks.net 284f1acd28abab4005f6388d095e9cd1cc2f52a0 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/ff0113a3c8ed63746af2a6c8398f29969330b439 ff0113a3c8ed63746af2a6c8398f29969330b439 2008-12-20T04:53:13-08:00 2008-12-20T04:53:13-08:00 Add unit test for img filtering Test case for a644733791f42edc5d15ac8409639050f5d0a155. 28ce1f8ddba42f39a90aed3c350ed36c3d90e2b9 Eric Kidd git@randomhacks.net a644733791f42edc5d15ac8409639050f5d0a155 b7cb8221e066cb55884bf941e1b421ccf6082404 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/284f1acd28abab4005f6388d095e9cd1cc2f52a0 284f1acd28abab4005f6388d095e9cd1cc2f52a0 2008-12-19T20:47:10-08:00 2008-12-19T20:47:10-08:00 Merge branch 'experimental' Conflicts: app/drops/comment_drop.rb 653b1d47ba2601a3523006e48c7110310d48f4df Eric Kidd git@randomhacks.net c8c4bcc772301abcee6735466df93b60291878aa Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/a644733791f42edc5d15ac8409639050f5d0a155 a644733791f42edc5d15ac8409639050f5d0a155 2008-12-19T20:34:23-08:00 2008-12-19T20:34:23-08:00 Security: Block <img ... /> tags when sanitizing A whole class of CSRF attacks uses the img tag: <img src="/admin/account/action_that_allows_get" /> This will invoke action_that_allows_get using a GET request and first- party cookies. There are some examples on Wikipedia: http://en.wikipedia.org/wiki/Cross-site_request_forgery Note that really solid enforcement of the "use GET only for queries" rule will also prevent this kind of attack. Also note that if you allow third-party cookies, this patch doesn't help you at all--any other site on the Internet could trigger this attack. 15ee9bf4677fe84ac634aa31dcf6cb539e6973fa Eric Kidd git@randomhacks.net 173c3b82e7dae0f7d616c5522104e48f76ef94ad Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/c8c4bcc772301abcee6735466df93b60291878aa c8c4bcc772301abcee6735466df93b60291878aa 2008-12-19T19:25:22-08:00 2008-12-19T19:25:22-08:00 Security: Fix many broken filter regexps In Ruby, "foo\nbar" =~ /^bar/ will result in a match, because ^ matches at the start of any line, not at the start of the string. In general, we want to use \A and \z in place of ^ and $, respectively. We rely heavily on regular expressions to filter untrusted data. And many of these regular expressions can be fooled easily because they rely on ^ and $ when they shouldn't. See comment_drop_test for a user-exploitable example. This patch does a bulk search-and-replace of the offending patterns. It may easily have missed something somewhere, but it's a good start. 7c76b84b39cf0d8fbaa0ec49c7c13251deb1f1d6 Eric Kidd git@randomhacks.net 06917544a35c178a5ab2c9ec61773693e4886d36 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/173c3b82e7dae0f7d616c5522104e48f76ef94ad 173c3b82e7dae0f7d616c5522104e48f76ef94ad 2008-12-19T15:05:56-08:00 2008-12-19T15:05:56-08:00 Attempt to escape strings in FlickrMacro This plugin had absolutely no HTML escaping. I've attempted to fix this, but since the API key has expired, this code has not been tested. af794530fc408a12fae29c5a22f833f4a7d51f1c Eric Kidd git@randomhacks.net bf1a5deb79007d56901984d70eb3ad0f8122ef7a Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/06917544a35c178a5ab2c9ec61773693e4886d36 06917544a35c178a5ab2c9ec61773693e4886d36 2008-12-19T14:53:05-08:00 2008-12-19T14:53:05-08:00 Only accept known comment fields The comment form is most-exposed attack point in all of Mephisto, because it doesn't require an authenticity_token and can be used by anybody on the internet. In the interests of paranoia, this patch removes bulk assignment from the comment-posting code. I don't see any way to exploit the previous code (several attr_accessible fields looked vulnerable, but don't actually exist any more). But better safe than sorry. 69c93bc46f89eb83bf1bce71c0615c77bfc357df Eric Kidd git@randomhacks.net bf1a5deb79007d56901984d70eb3ad0f8122ef7a Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/b7cb8221e066cb55884bf941e1b421ccf6082404 b7cb8221e066cb55884bf941e1b421ccf6082404 2008-12-19T06:26:23-08:00 2008-12-19T06:26:23-08:00 Security: Fix XSS attack against new comment form WARNING: If you're one of the first people testing this commit, please use a backup database. How to reproduce: Create a new comment, and set all fields to <script>alert("Pwned")</script>. Submit it. You will see a JavaScript alert dialog, which is bad. What's happening: Untrusted fields in Comment objects are sanitized immediately before they're written to the database for the first time. But if validation fails, it leaves the application with an unsanitized comment object. When the "can't submit comment" error is displayed, this unsanitized comment object can be passed straight throught to Liquid, which assumes that all HTML tags have been escaped. (This may look like "self XSS" attack only, but hostile pages can trigger it by tricking you into submitting a comment form back to your own site, preloaded with malicious data.) How we fix it: We make HTML escaping the responsibility of CommentDrop, not the Comment model. This means that we need to unescape several existing fields in the database. Possible issues: This means that we're storing dangerous, untrusted data in our database, and that we need to rely on the proper use of 'h' and 'CGI.escapeHTML'. In the case of 'h', we're already using SafeERB, so insecure admin templates will be caught automatically, and dangerous data should never be sent to the user. In the case of Liquid, we need to carefully examine our CommentDrop class to make sure that we're not passing any unescaped data through to the Liquid templates. But this is a pretty manageable "proof obligation"--and remember that the old "sanitize on create" code actually suffered from XSS attacks, because it was too easy to do the sanitization in the wrong place. 0703ba7b1fb18d1eae97eb5c7a0537cffa8fb2eb Eric Kidd git@randomhacks.net 9b5e2f5a84b1acd4b2c0cf443f99af864c1e3d4b isaac isaackearse@gmail.com http://github.com/emk/mephisto/commit/0c628dc7e2ff8b7529f43e4090d37adc8e86ba54 0c628dc7e2ff8b7529f43e4090d37adc8e86ba54 2008-12-18T05:57:04-08:00 2008-12-13T15:05:21-08:00 Removed mephisto plugin generator => not the right time for this [Note from Eric: I hadn't intended to pull the first part of this patch, but since I did, I'm going to go ahead and pull the second.] e5f587c16e6b85f24097cb73a5475cfad0507893 Eric Kidd git@randomhacks.net f7b275e720ae402befc2615095aa89c36e1e3397 bf1a5deb79007d56901984d70eb3ad0f8122ef7a Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/9b5e2f5a84b1acd4b2c0cf443f99af864c1e3d4b 9b5e2f5a84b1acd4b2c0cf443f99af864c1e3d4b 2008-12-18T05:52:14-08:00 2008-12-18T05:52:14-08:00 Merge branch 'master' into new-plugins Conflicts: app/views/layouts/application.rhtml I also fixed two unit test failures caused by SafeERB in the plugins controller. 4af7d0c55461436074a7533b1752ac2c28511438 Eric Kidd git@randomhacks.net fab1cd638b4f84e604cdc7457fac8fe721e89341 isaac isaackearse@gmail.com http://github.com/emk/mephisto/commit/f7b275e720ae402befc2615095aa89c36e1e3397 f7b275e720ae402befc2615095aa89c36e1e3397 2008-12-18T05:40:04-08:00 2008-12-12T19:33:18-08:00 Removed last traces of engines_config v2 (Eric Kidd): Removed unrelated changes 25f74ffc1e1c7427ad0b70497eedab82f8e53d5f Eric Kidd git@randomhacks.net b7a7ef77ad8a6c3a3f1caa9d25fc7023b9accc45 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/bf1a5deb79007d56901984d70eb3ad0f8122ef7a bf1a5deb79007d56901984d70eb3ad0f8122ef7a 2008-12-18T05:33:52-08:00 2008-12-18T05:33:52-08:00 Ignore .DS_Store files Everybody keeps adding this ignore rule to their github branches, so let's just go ahead and add it to master .gitignore file. The .DS_Store file is created by MacOS X. c8ca1594dbfa65096a69de4ad8b7060a07af1ca4 Eric Kidd git@randomhacks.net 20c73690f9c960ed40ca5269f5153e4fc4ac118a Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/b7a7ef77ad8a6c3a3f1caa9d25fc7023b9accc45 b7a7ef77ad8a6c3a3f1caa9d25fc7023b9accc45 2008-12-18T05:30:12-08:00 2008-12-18T05:30:12-08:00 Update security audit TODO list 38e7c50968e59a0e3038f84a2eb34fa1488dc07a Eric Kidd git@randomhacks.net 1f8e9e6d382994c72a6a796024d159fb03eb242f ae89ef893a13e9c38c587c164db6ff528725df35 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/20c73690f9c960ed40ca5269f5153e4fc4ac118a 20c73690f9c960ed40ca5269f5153e4fc4ac118a 2008-12-18T05:26:43-08:00 2008-12-18T05:26:43-08:00 Merge branch 'master' of git://github.com/isaac/mephisto 8082f7cee67436781329336dd5c96a776375613d Eric Kidd git@randomhacks.net 32efdb57be0a3f8abd1b90f9f9108ce477615906 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/1f8e9e6d382994c72a6a796024d159fb03eb242f 1f8e9e6d382994c72a6a796024d159fb03eb242f 2008-12-18T05:18:40-08:00 2008-12-18T05:18:40-08:00 Add test cases verifying that SafeERB works If an upgrade to Rails breaks SafeERB, we'd like to find out. 75f3eb61db7b45dbdd4aecdea71f1758c69d49c8 Eric Kidd git@randomhacks.net 677c0bcb4c5d5f42710734d2e5bf93b695b6641b Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/32efdb57be0a3f8abd1b90f9f9108ce477615906 32efdb57be0a3f8abd1b90f9f9108ce477615906 2008-12-17T06:29:17-08:00 2008-12-17T06:29:17-08:00 Test whether database adapter supports safe_erb We need to make sure that whatever data we receive from the database is properly marked as tainted. 4dcd05ff350488707d207a00d5554a1405271cf8 Eric Kidd git@randomhacks.net 098bb13f543c47e652442e65c1402eb563ba99b8 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/677c0bcb4c5d5f42710734d2e5bf93b695b6641b 677c0bcb4c5d5f42710734d2e5bf93b695b6641b 2008-12-17T06:29:11-08:00 2008-12-17T06:29:11-08:00 Add highly-experimental safe_erb support This should help prevent unescaped text from being displayed in ERB templates, which should in turn help prevent XSS attacks. This code is based on the safe_erb plugin, written by Shinya Kasatani and updated by Matthew Bass, with a whole bunch of changes to better support Mephisto and Rails 2.2. v2: Freeze emk-safe_erb 0.1.1, with MySQL support 8a8a9468fa1815905d6b44af04d042e6c430d677 Eric Kidd git@randomhacks.net 87b221f3914e412f4d376591240ea62a88b58785 isaac isaackearse@gmail.com http://github.com/emk/mephisto/commit/ae89ef893a13e9c38c587c164db6ff528725df35 ae89ef893a13e9c38c587c164db6ff528725df35 2008-12-16T21:07:55-08:00 2008-12-16T21:07:55-08:00 don't forget to change the default theme path here also 1d9376ff1eb86a6d084555fe2e2bc1b7a2b8f779 isaac isaackearse@gmail.com