From 6a9ed93c0f583dd636ce0b0a64bf40bb2c10748a Mon Sep 17 00:00:00 2001
From: Xavier Shay
Date: Wed, 3 Dec 2008 09:22:52 +1100
Subject: [PATCH] Remove safe_erb. It's causing more trouble than it's worth at the moment
---
 vendor/plugins/safe_erb/MIT-LICENSE | 20 ----
 vendor/plugins/safe_erb/README | 34 -------
 vendor/plugins/safe_erb/Rakefile | 22 -----
 vendor/plugins/safe_erb/init.rb | 3 -
 vendor/plugins/safe_erb/install.rb | 1 -
 vendor/plugins/safe_erb/lib/safe_erb.rb | 10 --
 .../plugins/safe_erb/lib/safe_erb/common.rb | 93 -------------------
 .../plugins/safe_erb/lib/safe_erb/rails_1.rb | 11 ---
 .../plugins/safe_erb/lib/safe_erb/rails_2.rb | 11 ---
 .../safe_erb/lib/safe_erb/tag_helper.rb | 11 ---
 .../safe_erb/tasks/safe_erb_tasks.rake | 4 -
 vendor/plugins/safe_erb/test/safe_erb_test.rb | 23 -----
 .../plugins/safe_erb/test/tag_helper_test.rb | 17 ----
 13 files changed, 260 deletions(-)
 delete mode 100644 vendor/plugins/safe_erb/MIT-LICENSE
 delete mode 100644 vendor/plugins/safe_erb/README
 delete mode 100644 vendor/plugins/safe_erb/Rakefile
 delete mode 100644 vendor/plugins/safe_erb/init.rb
 delete mode 100644 vendor/plugins/safe_erb/install.rb
 delete mode 100644 vendor/plugins/safe_erb/lib/safe_erb.rb
 delete mode 100644 vendor/plugins/safe_erb/lib/safe_erb/common.rb
 delete mode 100644 vendor/plugins/safe_erb/lib/safe_erb/rails_1.rb
 delete mode 100644 vendor/plugins/safe_erb/lib/safe_erb/rails_2.rb
 delete mode 100644 vendor/plugins/safe_erb/lib/safe_erb/tag_helper.rb
 delete mode 100644 vendor/plugins/safe_erb/tasks/safe_erb_tasks.rake
 delete mode 100644 vendor/plugins/safe_erb/test/safe_erb_test.rb
 delete mode 100644 vendor/plugins/safe_erb/test/tag_helper_test.rb
diff --git a/vendor/plugins/safe_erb/MIT-LICENSE b/vendor/plugins/safe_erb/MIT-LICENSE
deleted file mode 100644
index 803f50793..000000000
--- a/vendor/plugins/safe_erb/MIT-LICENSE
+++ /dev/null
@@ -1,20 +0,0 @@
-Copyright (c) 2006 Shinya Kasatani
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/vendor/plugins/safe_erb/README b/vendor/plugins/safe_erb/README
deleted file mode 100644
index b7ddec401..000000000
--- a/vendor/plugins/safe_erb/README
+++ /dev/null
@@ -1,34 +0,0 @@
-= Safe ERB
-
-== Overview
-
-Safe ERB lets you make sure that the string written by "<%= %>" in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using "h" method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.
-
-The check is done using "tainted?" method in Object class which is a standard feature provided by Ruby - the string is "tainted" when it is read from IO. When ERB::Util#h method is called, this plugin "untaints" the string, and when "<%= %>" is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.
-
-== Installation
-
-Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.
-
-Safe ERB works on Rails 1.2.x and 2.0.x. It has been tested using following database libraries:
-
-- PostgreSQL (postgres-0.7.1 gem)
-- MySQL (mysql-2.7 gem)
-
-It does NOT work properly on SQLite (because the data read from SQLite driver is not tainted).
-
-== Details
-
-The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.
-
-The returned values from the following methods become untainted:
-
-- ERB::Util#h
-- ActionView::Helpers::TagHelper#escape
-- ActionView::Helpers::TextHelper#strip_tags
-
-Also, you can always untaint any string manually by calling "untaint" method (standard Ruby feature).
-
-== Contact
-
-Shinya Kasatani
diff --git a/vendor/plugins/safe_erb/Rakefile b/vendor/plugins/safe_erb/Rakefile
deleted file mode 100644
index a96205687..000000000
--- a/vendor/plugins/safe_erb/Rakefile
+++ /dev/null
@@ -1,22 +0,0 @@
-require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
-
-desc 'Default: run unit tests.'
-task :default => :test
-
-desc 'Test the safe_erb plugin.'
-Rake::TestTask.new(:test) do |t|
- t.libs << 'lib'
- t.pattern = 'test/**/*_test.rb'
- t.verbose = true
-end
-
-desc 'Generate documentation for the safe_erb plugin.'
-Rake::RDocTask.new(:rdoc) do |rdoc|
- rdoc.rdoc_dir = 'rdoc'
- rdoc.title = 'SafeERB'
- rdoc.options << '--line-numbers' << '--inline-source'
- rdoc.rdoc_files.include('README')
- rdoc.rdoc_files.include('lib/**/*.rb')
-end
diff --git a/vendor/plugins/safe_erb/init.rb b/vendor/plugins/safe_erb/init.rb
deleted file mode 100644
index c9645ddfb..000000000
--- a/vendor/plugins/safe_erb/init.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-# Include hook code here
-
-require 'safe_erb'
diff --git a/vendor/plugins/safe_erb/install.rb b/vendor/plugins/safe_erb/install.rb
deleted file mode 100644
index f7732d379..000000000
--- a/vendor/plugins/safe_erb/install.rb
+++ /dev/null
@@ -1 +0,0 @@
-# Install hook code here
diff --git a/vendor/plugins/safe_erb/lib/safe_erb.rb b/vendor/plugins/safe_erb/lib/safe_erb.rb
deleted file mode 100644
index cd790eb21..000000000
--- a/vendor/plugins/safe_erb/lib/safe_erb.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-# SafeERB
-
-require 'safe_erb/common'
-require 'safe_erb/tag_helper'
-
-if Rails::VERSION::MAJOR >= 2
- require 'safe_erb/rails_2'
-else
- require 'safe_erb/rails_1'
-end
diff --git a/vendor/plugins/safe_erb/lib/safe_erb/common.rb b/vendor/plugins/safe_erb/lib/safe_erb/common.rb
deleted file mode 100644
index dec5f30cc..000000000
--- a/vendor/plugins/safe_erb/lib/safe_erb/common.rb
+++ /dev/null
@@ -1,93 +0,0 @@
-# SafeERB
-
-require 'erb'
-require 'action_controller'
-require 'action_view'
-
-class ActionController::Base
- # Object#taint is set when the request comes from FastCGI or WEBrick,
- # but it is not set in Mongrel and also functional / integration testing
- # so we'll set it anyways in the filter
- before_filter :taint_request
-
- def render_with_checking_tainted(*args, &blk)
- if @skip_checking_tainted
- render_without_checking_tainted(*args, &blk)
- else
- ERB.with_checking_tainted do
- render_without_checking_tainted(*args, &blk)
- end
- end
- end
-
- alias_method_chain :render, :checking_tainted
-
- private
-
- def taint_hash(hash)
- hash.each do |k, v|
- case v
- when String
- v.taint
- when Hash
- taint_hash(v)
- end
- end
- end
-
- def taint_request
- taint_hash(params)
- cookies.each do |k, v|
- v.taint
- end
- end
-end
-
-class String
- def concat_unless_tainted(str)
- raise "attempted to output tainted string: #{str}" if str.is_a?(String) && str.tainted?
- concat(str)
- end
-end
-
-class ERB
- cattr_accessor :check_tainted
- alias_method :original_set_eoutvar, :set_eoutvar
-
- def self.with_checking_tainted(&block)
- # not thread safe
- ERB.check_tainted = true
- begin
- yield
- ensure
- ERB.check_tainted = false
- end
- end
-
- def set_eoutvar(compiler, eoutvar = '_erbout')
- original_set_eoutvar(compiler, eoutvar)
- if check_tainted
- if compiler.respond_to?(:insert_cmd)
- compiler.insert_cmd = "#{eoutvar}.concat_unless_tainted"
- else
- compiler.put_cmd = "#{eoutvar}.concat_unless_tainted"
- end
- end
- end
-
- module Util
- alias_method :html_escape_without_untaint, :html_escape
-
- def html_escape(s)
- h = html_escape_without_untaint(s)
- h.untaint
- h
- end
-
- alias_method :h, :html_escape
-
- module_function :h
- module_function :html_escape
- module_function :html_escape_without_untaint
- end
-end
diff --git a/vendor/plugins/safe_erb/lib/safe_erb/rails_1.rb b/vendor/plugins/safe_erb/lib/safe_erb/rails_1.rb
deleted file mode 100644
index 30e362aa6..000000000
--- a/vendor/plugins/safe_erb/lib/safe_erb/rails_1.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-# Rails 1.x dependent code (tested on 1.2.6)
-
-module ActionView::Helpers::TextHelper
- alias_method :strip_tags_without_untaint, :strip_tags
-
- def strip_tags(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-end
diff --git a/vendor/plugins/safe_erb/lib/safe_erb/rails_2.rb b/vendor/plugins/safe_erb/lib/safe_erb/rails_2.rb
deleted file mode 100644
index 59c132534..000000000
--- a/vendor/plugins/safe_erb/lib/safe_erb/rails_2.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-# Rails 2.0 dependent code (tested on 2.0.2)
-
-module ActionView::Helpers::SanitizeHelper
- def strip_tags_with_untaint(html)
- str = strip_tags_without_untaint(html)
- str.untaint
- str
- end
-
- alias_method_chain :strip_tags, :untaint
-end
diff --git a/vendor/plugins/safe_erb/lib/safe_erb/tag_helper.rb b/vendor/plugins/safe_erb/lib/safe_erb/tag_helper.rb
deleted file mode 100644
index fc963e457..000000000
--- a/vendor/plugins/safe_erb/lib/safe_erb/tag_helper.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-module ActionView
- module Helpers
- module TagHelper
- def escape_once_with_untaint(html)
- escape_once_without_untaint(html).untaint
- end
-
- alias_method_chain :escape_once, :untaint
- end
- end
-end
diff --git a/vendor/plugins/safe_erb/tasks/safe_erb_tasks.rake b/vendor/plugins/safe_erb/tasks/safe_erb_tasks.rake
deleted file mode 100644
index 1f1145ff5..000000000
--- a/vendor/plugins/safe_erb/tasks/safe_erb_tasks.rake
+++ /dev/null
@@ -1,4 +0,0 @@
-# desc "Explaining what the task does"
-# task :safe_erb do
-# # Task goes here
-# end
\ No newline at end of file
diff --git a/vendor/plugins/safe_erb/test/safe_erb_test.rb b/vendor/plugins/safe_erb/test/safe_erb_test.rb
deleted file mode 100644
index ce4bcdaa4..000000000
--- a/vendor/plugins/safe_erb/test/safe_erb_test.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../../../config/environment')
-require 'test_help'
-
-class SafeERBTest < Test::Unit::TestCase
- def test_non_checking
- src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
- eval(src)
- end
-
- def test_checking
- ERB.with_checking_tainted do
- src = ERB.new("<%= File.open('#{__FILE__}'){|f| f.read} %>", nil, '-').src
- assert_raise(RuntimeError) { eval(src) }
- end
- end
-
- def test_checking_non_tainted
- ERB.with_checking_tainted do
- src = ERB.new("<%= 'This string is not tainted' %>", nil, '-').src
- eval(src)
- end
- end
-end
diff --git a/vendor/plugins/safe_erb/test/tag_helper_test.rb b/vendor/plugins/safe_erb/test/tag_helper_test.rb
deleted file mode 100644
index f35ad7a3e..000000000
--- a/vendor/plugins/safe_erb/test/tag_helper_test.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../../../config/environment')
-require 'test_help'
-
-class TagHelperTest < Test::Unit::TestCase
- include ActionView::Helpers::TagHelper
-
- def test_inclusion_in_taghelper
- assert self.respond_to?(:escape_once_with_untaint)
- assert self.respond_to?(:escape_once_without_untaint)
- end
-
- def test_taghelper_untaints
- evil_str = "evil knievel".taint
- assert !escape_once(evil_str).tainted?
- assert escape_once_without_untaint(evil_str).tainted?
- end
-end