adding .gitignore

removing some xdmp:evals
fixing possible xqy injection hole
fixing path separator in windows vs *nix
commit 88899debce08530aec67f2bc33a804396b54b9a2 1 parent 333038b
@paxtonhare paxtonhare authored
6 .gitignore
@@ -0,0 +1,6 @@
+.DS_Store
+local.properties
+*.tmproj
+Thumbs.db
+.project
+.settings/
BIN  deploy/.DS_Store
Binary file not shown
2  deploy/default.properties
@@ -75,7 +75,7 @@ default-user=nobody
#
# the uris or IP addresses of your servers
# WARNING: if you are running these scripts on windows you may need to change localhost to 127.0.0.1
-# There have been reported issues with dns resolution when localhost wasn't int the hosts file.
+# There have been reported issues with dns resolution when localhost wasn't in the hosts file.
#
local-server=localhost
#dev-server=
4 deploy/lib/util.rb
@@ -13,6 +13,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
###############################################################################
+require 'rbconfig'
+
def find_arg(args = [])
args.each do |arg|
if (ARGV.include?(arg))
@@ -25,7 +27,7 @@ def find_arg(args = [])
end
def is_windows?
- RUBY_PLATFORM.downcase.include?("mswin")
+ return (Config::CONFIG['host_os'] =~ /mswin|mingw/).nil? == false
end
def path_separator
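Review bot: The new `is_windows?` body reads `Config::CONFIG`, but the constant that `require 'rbconfig'` (added in the previous hunk) provides is `RbConfig::CONFIG`; the bare `Config` alias was deprecated in Ruby 1.9.3 and removed in 2.2, so this line warns on 1.9 and raises NameError on newer interpreters. The `.nil? == false` comparison and the explicit `return` also read awkwardly for a predicate; `!(RbConfig::CONFIG['host_os'] =~ /mswin|mingw/).nil?` says the same thing. `path_separator` at the end of the hunk continues outside it.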
2  ml
@@ -33,7 +33,7 @@ then
git clone https://github.com/marklogic/roxy ${app_name}
cd ${app_name}
rm -rf .git*
- ml init
+ ./ml init
cd ..
printf " done\n"
if [ -e $app_name ]
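Review bot: `./ml init` now depends on the preceding `cd ${app_name}` having succeeded, but neither that `cd` nor the `git clone` before it is checked, so after a failed clone the script goes on to run `rm -rf .git*` and `./ml init` in the parent directory instead of the new project. Quoting and checking the directory change keeps the destructive step inside the project: `cd "${app_name}" || exit 1`. The `$app_name` test on the last context line is unquoted for the same reason and would break on a name containing spaces. The enclosing `then` block starts outside the hunk.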
12 src/default.xqy
@@ -22,7 +22,7 @@ import module namespace rh = "http://marklogic.com/roxy/routing-helper" at "/lib
declare option xdmp:mapping "false";
-declare variable $controller as xs:string := req:get("controller", "", "type=xs:string");
+declare variable $controller as xs:QName := req:get("controller", "type=xs:QName");
declare variable $controller-path as xs:string := fn:concat("/app/controllers/", $controller, ".xqy");
declare variable $func as xs:string := req:get("func", "index", "type=xs:string");
declare variable $format as xs:string := req:get("format", $config:DEFAULT-FORMAT, "type=xs:string");
@@ -34,15 +34,13 @@ declare variable $default-layout as xs:string? := map:get($config:DEFAULT-LAYOUT
try
{
let $map := map:map()
+ (: Ensure $type is a valid QName :)
+ let $_ := xs:QName($func)
let $eval-str :=
fn:concat('
import module namespace c="http://marklogic.com/roxy/controller/', $controller, '" at "', $controller-path, '";
- import module namespace ch = "http://marklogic.com/roxy/controller-helper" at "/lib/controller-helper.xqy";
- declare variable $map as map:map external;
- xdmp:set($ch:map, $map),
c:', $func, '()')
-
- let $data := xdmp:eval($eval-str, (xs:QName("map"), $map))
+ let $data := xdmp:eval($eval-str, (xs:QName("ch:map"), $map))
(: framework options :)
let $options :=
@@ -106,6 +104,8 @@ catch($ex)
{
if ($ex/error:code = "XDMP-UNDVAR" and $ex/error:data/error:datum = "$c:map") then
fn:error(xs:QName("MISSING-MAP"), fn:concat("Missing external map declaration in ", $controller-path), $controller-path)
+ else if ($ex/error:code eq "XDMP-CAST" and $ex/error:expr eq "xs:QName($func)") then
+ fn:error(xs:QName("four-o-four"))
else
xdmp:rethrow()
}
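Review bot: In the second hunk the validation `let $_ := xs:QName($func)` is commented as `(: Ensure $type is a valid QName :)`, which names the variable from request.xqy rather than `$func`; the comment should read `(: Ensure $func is a valid QName so it cannot carry extra expressions into $eval-str :)`. The check is also detached from the value that is spliced into the string; using the cast result directly, `c:', xs:QName($func), '()'`, ties the check to the text that is evaluated and does not depend on an unreferenced `let` being evaluated. In the first hunk `req:get("controller", "type=xs:QName")` passes two arguments while the `req:get` signature visible in request.xqy takes `$name, $default, $options`; unless a two-argument overload exists, `"type=xs:QName"` now binds as the default and no cast to xs:QName is requested, so please confirm. The `$ex/error:expr eq "xs:QName($func)"` match in the third hunk depends on the exact expression text the server reports, which is fragile; checking `$func` explicitly before building `$eval-str` and raising `four-o-four` there would avoid the string comparison.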
2  src/lib/controller-helper.xqy
@@ -21,7 +21,7 @@ declare option xdmp:mapping "false";
declare variable $ALL-FORMATS as xs:string+ := ("html", "xml", "json", "text");
-declare variable $ch:map as map:map? := ();
+declare variable $ch:map as map:map external;
declare function ch:use-view($view as xs:string?)
{
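Review bot: Making `$ch:map` external with no initializer (`declare variable $ch:map as map:map external;`) means every module that imports controller-helper must now be evaluated with `ch:map` bound, as default.xqy's `xdmp:eval($eval-str, (xs:QName("ch:map"), $map))` does; any other import path (a controller invoked directly, or a test importing the helper) would fail with XDMP-UNDVAR instead of seeing the old empty value. That contract is not stated at the declaration; a comment such as `(: Bound by the caller through xdmp:eval external variables; see default.xqy :)` would make it visible. If the server version in use accepts a default for external variables, `external := map:map()` would restore the old behaviour for direct imports — worth checking. `ch:use-view` below begins at the edge of the hunk and continues outside it.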
13 src/lib/request.xqy
@@ -96,10 +96,15 @@ declare function req:get($name as xs:string, $default as item()*, $options as xs
if (fn:exists($v)) then $v/*
else $default
else if ($value and $type) then
- try {
- xdmp:eval(fn:concat('"', fn:replace(fn:replace($value, '"', '""'), "&", "&"), '" cast as ', $type))
+ try
+ {
+ (: Ensure $type is a valid QName before putting it through xdmp:value() :)
+ let $_ := xs:QName($type)
+ return
+ xdmp:value(fn:concat('"', fn:replace(fn:replace($value, '"', '""'), "&", "&"), '" cast as ', $type))
}
- catch($ex) {
+ catch($ex)
+ {
req:assert-max-count($name, $value, $max-count),
if ($validate eq fn:true()) then
fn:error(xs:QName("INVALID-REQUEST-PARAMETER"), fn:concat($name, "=", $value), "response-code=400")
@@ -156,7 +161,7 @@ declare private function req:get-option($options as xs:string*, $name as xs:stri
return
if ($value) then
try {
- xdmp:eval(fn:concat('"', $value, '" cast as ', $type))
+ xdmp:value(fn:concat('"', $value, '" cast as ', $type))
}
catch($ex) {()}
else ()
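Review bot: The QName check in `req:get` is a `let $_ := xs:QName($type)` whose result is never used, while the type string spliced into the `xdmp:value` call is still the raw `$type`; folding the cast into the concatenation, `'" cast as ', xs:QName($type)`, keeps the check on the exact value that is evaluated and does not depend on an unreferenced binding being evaluated. The comment `(: Ensure $type is a valid QName before putting it through xdmp:value() :)` is good and should move with it. The second hunk, `req:get-option`, switches to `xdmp:value` but neither doubles quotes in `$value` nor checks `$type`; the options look like developer-supplied strings such as `"type=xs:string"` from default.xqy, so the exposure is lower, but applying the same two steps keeps the two dynamic-evaluation paths consistent and records that assumption. Both functions start before their hunks, and `req:get`'s catch continues past the first hunk.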
21 src/test/suites/Framework Tests/routing.xqy
@@ -192,4 +192,23 @@ let $response := xdmp:http-get(test:easy-url("/not-real/at-all"), $options-non-x
return
(
test:assert-equal(404, fn:data($response[1]/*:code))
-)
+),
+
+(: test for xquery injection via evil urls :)
+let $url := "default.xqy?func=main(),%20xdmp:document-insert(%22foo.xml%22,%20%3Cboo/%3E),%20&controller=appbuilder"
+let $url := fn:concat("http://localhost:", fn:tokenize(xdmp:get-request-header("Host"), ":")[2], if (fn:starts-with($url, "/")) then () else "/", $url)
+let $response := xdmp:http-get($url, $options-non-xml)
+return
+(
+ test:assert-equal(404, fn:data($response[1]/*:code))
+),
+
+
+let $response := xdmp:http-get(test:easy-url("/tester/update"), $options-non-xml)
+return
+ test:assert-equal(200, fn:data($response[1]/*:code));
+
+import module namespace test="http://marklogic.com/ps/test-helper" at "/test/test-helper.xqy";
+let $doc := xdmp:eval('fn:doc("/test-insert.xml")/*')
+return
+ test:assert-equal(<test/>, $doc)
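Review bot: The injection test built at `let $url := "default.xqy?func=main(),%20xdmp:document-insert(...)..."` asserts only the 404 status; the property the fix is meant to guarantee — that the payload was not evaluated — is not checked. A further statement after the `;` asserting `fn:empty(fn:doc("foo.xml"))` (the document the payload tries to insert) would pin that, and suite-teardown.xqy should then delete `foo.xml` as it does `/test-insert.xml` so a failing run does not leave the fixture behind. The URL is assembled by hand from `xdmp:get-request-header("Host")` with a hard-coded `http://localhost:`, duplicating what `test:easy-url` is used for elsewhere in the hunk; if easy-url cannot take a query string, a short comment saying so would explain the departure. The `xdmp:eval('fn:doc("/test-insert.xml")/*')` read already sits in a fresh statement after `;`, so a plain `fn:doc("/test-insert.xml")/*` would do unless the eval is there for a reason, which a comment should state.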
8 src/test/suites/Framework Tests/suite-teardown.xqy
@@ -11,4 +11,10 @@ if (xdmp:modules-database() ne 0) then
<options xmlns="xdmp:eval">
<database>{xdmp:modules-database()}</database>
</options>)
-else ()
+else (),
+
+try
+{
+ xdmp:document-delete("/test-insert.xml")
+}
+catch($ex){()}
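Review bot: The new cleanup `try { xdmp:document-delete("/test-insert.xml") } catch($ex){()}` swallows every error, not only the document-not-found case it is presumably guarding against, so a permissions or database problem during teardown passes silently. `if (fn:doc-available("/test-insert.xml")) then xdmp:document-delete("/test-insert.xml") else ()` expresses the intent without the blanket catch. The enclosing `if` starts outside the hunk.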
7 src/test/suites/Framework Tests/test-data/tester.xqy
@@ -88,4 +88,11 @@ declare function c:view-that-returns-the-input()
{
ch:add-value("title", "view-that-returns-the-input"),
ch:use-layout("test-layout")
+};
+declare function c:update()
+{
+ xdmp:document-insert("/test-insert.xml", <test/>),
+ ch:use-layout(()),
+ ch:use-view(()),
+ ch:add-value("test", "done")
};
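Review bot: The new `c:update()` action carries no comment explaining why a test controller writes a document; the companion changes show routing.xqy fetching `/tester/update` and then reading `/test-insert.xml`, with suite-teardown.xqy deleting it. A header such as `(: Test action: inserts /test-insert.xml so routing.xqy can verify that a controller action performing an update runs through the framework; removed by suite-teardown.xqy :)` would tie the three files together. `c:view-that-returns-the-input` above it begins outside the hunk.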
11 src/test/suites/Framework Tests/util.xqy
@@ -0,0 +1,11 @@
+xquery version "1.0-ml";
+
+import module namespace test="http://marklogic.com/ps/test-helper" at "/test/test-helper.xqy";
+
+import module namespace c = "http://marklogic.com/ns/test-config" at "/test/test-config.xqy";
+
+import module namespace u = "http://marklogic.com/framework/util" at "/lib/util.xqy";
+
+declare namespace html = "http://www.w3.org/1999/xhtml";
+
+test:assert-equal(fn:true(), u:module-file-exists("/test/suites/Framework Tests/util.xqy"))
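Review bot: The `c` module import and the `html` namespace declaration are not referenced by the single assertion in this new file and can be dropped, leaving only the `test` and `u` imports. A one-line comment on the assertion, e.g. `(: the file checks for its own path, so the test needs no fixture :)`, would make the choice of `/test/suites/Framework Tests/util.xqy` obvious to the next reader.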