This can be used to automatically untaint the return value of a specific function without having to wrap it manually.
We've dropped the ERB-specific tests in favor of ones focusing on ActionView::Template, converted everything to use the shiny new ActiveSupport::Test API, and generally tried to clean up a bit.
The classes in ActionView::Helpers have a nasty habit of loading translations and dropping the results straight into HTML without calling h(...). Since the various translation files aren't under user control, this can't easily be used as an attack method. So I'm going to go ahead and untaint all our translations up front, even though we really ought to leave them all tainted. This allows us to get rid of several ActionView::Helpers-related patches, but I left the corresponding test cases.
This patch also removes our Rails 1.* support, which probably doesn't work anymore.
We were applying safe_erb to all ERB invocations that weren't on our whitelisted set of file extensions. But this broke script/generate. So after a bit of tweaking, this patch limits safe_erb to all instances of ActionView::Renderable that aren't on our whitelist. I've done a fair bit of testing, using both automated tests and manual tests. So far, safe_erb seems to be working. This code is fairly fragile, because the internals of ActionView are pretty weird, especially when view caching is turned on. It's fairly hard to write a unit test which proves that safe_erb is actually working when config.action_controller.perform_caching is true.
Thanks to court3nay for catching this:

    ActionView::TemplateError (attempted to output tainted string: /Users/courtenay/dev/oss/mephisto) on line #10 of .../actionpack-2.2.2/lib/action_controller/templates/rescues/_trace.erb:
    10: <p><code>RAILS_ROOT: <%= defined?(RAILS_ROOT) ?

This needs to be fixed in upstream Rails by adding an h(...) there, but for now, we're just going to go ahead and untaint RAILS_ROOT because it isn't under the control of remote users.
This only worked if you were using SQLite3.
Maybe this will help github to build the gem.
This is just a trivial change to trigger an initial gem build at github.
This gemspec file (and the new tasks in the Rakefile) were generated using the gemhub library.
This will eventually allow us to use this plugin as a gem.
This is based on a patch by Koji Shimada. http://rubyforge.org/tracker/index.php?func=detail&aid=20325&group_id=254&atid=1045 Ideally, this code would eventually move into SQLite3 itself.
This helps make ActionMailer work out-of-the-box. We'll probably want to generalize this code quite a bit to cover other non-HTML, non-XML templates.
These two Rails helpers cause Mephisto to fail massively under SafeERB. I'm not quite sure what's going wrong internally, because both of these helpers should be escaping their HTML. I've read the source code, and I don't see where these helpers are picking up any kind of legitimate taint. Pending further investigation, I'm going to (perhaps unsafely) mark the return values of these two helpers as trusted.
SafeERB wasn't working reliably with modern versions of Rails, because it appears that not all templates were getting rendered via 'render'. After thinking about this problem for a while, I decided to flip around the defaults in SafeERB: Instead of only checking for tainting problems in a few places, SafeERB now checks everywhere, and must be explicitly disabled when not needed. This makes SafeERB more "intrusive", but it also means that security problems are less likely to slip through unnoticed. This will generally cause problems with ActionMailer and *.erb.txt files. For now, you can insert explicit ERB.without_checking_tainted blocks manually. In the longer run, we probably need to do something fancier.
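The following is an added example, not code from the safe_erb plugin or from the commits above. It models the two mechanisms these messages describe: the check-everywhere default with an explicit ERB.without_checking_tainted-style escape hatch (this message), and untainting the return value of a specific method so that trusted data such as translation strings or helper output no longer trips the check (the earlier messages about automatic untainting, translations, and the two Rails helpers). Ruby's String#taint and #tainted? were removed in Ruby 3.2, so the example tracks trust by class instead: the Untrusted string subclass, the TaintCheck module, its Buffer and CheckedERB classes, and the Translations stand-in are all assumptions made for this example. What is not an assumption is the hook point: ERB compiles a template into calls on a buffer named by its eoutvar (`_erbout.<<`), and the example replaces that buffer so every appended value passes through a taint check, which is the same place a template-level taint check has to live.

```ruby
require 'erb'

# Constructed stand-in for a string that carries taint. Ruby's own
# String#taint/#tainted? are gone since Ruby 3.2, so this block tracks trust
# by class instead: an Untrusted value stays Untrusted through to_s, the way
# a tainted string stayed tainted under the old mechanism.
class Untrusted < String
  def to_s
    self
  end
end

module TaintCheck
  class TaintedOutput < StandardError; end

  @checking = true # the flipped default: check everywhere unless disabled

  # Counterpart of ERB.without_checking_tainted: disable the check for a block.
  def self.without_checking_tainted
    saved, @checking = @checking, false
    yield
  ensure
    @checking = saved
  end

  # Output guard: every append to the template buffer passes through here.
  def self.emit(buf, value)
    if @checking && value.is_a?(Untrusted)
      raise TaintedOutput, "attempted to output tainted string: #{value}"
    end
    buf << value.to_s
  end

  # h(...): escaping yields a plain String, i.e. a trusted one.
  def self.h(value)
    String.new(ERB::Util.html_escape(value.to_s))
  end

  # Untaint the return value of one method on a class, so every caller gets a
  # trusted String without wrapping each call site by hand.
  def self.untaint_return_value(klass, name)
    original = klass.instance_method(name)
    klass.send(:define_method, name) do |*args, &blk|
      String.new(original.bind(self).call(*args, &blk).to_s)
    end
  end

  # Replacement for ERB's default String buffer so that emit sees each value.
  class Buffer
    def initialize; @out = +""; end
    def <<(value); TaintCheck.emit(@out, value); self; end
    def to_s; @out; end
  end

  # ERB subclass that swaps the compiled template's buffer for a checked one.
  class CheckedERB < ERB
    def set_eoutvar(compiler, eoutvar = '_erbout')
      super
      compiler.pre_cmd = ["#{eoutvar} = TaintCheck::Buffer.new"]
    end
  end

  # Renders a template that may refer to the local `value`.
  def self.render(template, value)
    CheckedERB.new(template).result(binding).to_s
  end

  # Returns :blocked when the check stops the render, else the rendered HTML.
  def self.try_render(template, value)
    render(template, value)
  rescue TaintedOutput
    :blocked
  end
end

# Constructed stand-in for a translation lookup whose results arrive tainted.
class Translations
  TABLE = { greeting: "Hello" }.freeze
  def lookup(key)
    Untrusted.new(TABLE.fetch(key))
  end
end

# Runs each scenario from the commit messages and returns the outcomes.
def taint_check_demo
  tainted = Untrusted.new("<b>x</b>") # constructed request-supplied input
  trusted_translations = Class.new(Translations) # fresh copy, so the demo is repeatable
  TaintCheck.untaint_return_value(trusted_translations, :lookup)
  {
    raw_tainted:     TaintCheck.try_render("<p><%= value %></p>", tainted),
    escaped_tainted: TaintCheck.try_render("<p><%= TaintCheck.h(value) %></p>", tainted),
    plain:           TaintCheck.try_render("<p><%= value %></p>", "plain"),
    unchecked:       TaintCheck.without_checking_tainted { TaintCheck.try_render("<p><%= value %></p>", tainted) },
    i18n_before:     TaintCheck.try_render("<p><%= value.lookup(:greeting) %></p>", Translations.new),
    i18n_after:      TaintCheck.try_render("<p><%= value.lookup(:greeting) %></p>", trusted_translations.new),
  }
end

taint_check_demo.each { |k, v| puts "#{k}: #{v.inspect}" } if __FILE__ == $0
```

Running it shows the trade-off the message describes: the raw tainted value is refused, the escaped one and the plain one render, the without_checking_tainted block lets the tainted value through verbatim (which is exactly why such blocks should be rare and reviewed), and the translation lookup is refused until its return value is marked trusted once, at the method, rather than at each call site.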