Merge branch 'master-sec'

* master-sec:
  fix protocol checking in sanitization [CVE-2013-1857]
  JDOM XXE Protection [CVE-2013-1856]
  fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
  stop calling to_sym when building arel nodes [CVE-2013-1854]

Author: tenderlove

actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb

@@ -77,7 +77,7 @@ class WhiteListSanitizer < Sanitizer
 
     # A regular expression of the valid characters used to separate protocols like
     # the ':' in 'http://foo.com'
-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
+    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
 
     # Specifies a Set of HTML attributes that can have URIs.
     self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
@@ -121,8 +121,8 @@ def sanitize_css(style)
       style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
 
       # gauntlet
-      if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
-          style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
         return ''
       end
 
@@ -133,7 +133,7 @@ def sanitize_css(style)
         elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
           unless val.split().any? do |keyword|
             !allowed_css_keywords.include?(keyword) &&
-              keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
           end
             clean << prop + ': ' + val + ';'
           end
@@ -182,7 +182,7 @@ def process_attributes_for(node, options)
 
     def contains_bad_protocols?(attr_name, value)
       uri_attributes.include?(attr_name) &&
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
     end
   end
 end

actionpack/test/template/html-scanner/sanitizer_test.rb

@@ -200,6 +200,7 @@ def test_should_block_script_tag
    %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
    %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
    %(<IMG SRC=" &#14;  javascript:alert('XSS');">),
+   %(<IMG SRC="javascript&#x3a;alert('XSS');">),
    %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
     define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
       assert_sanitized img_hack, "<img>"
@@ -279,6 +280,11 @@ def test_should_sanitize_div_style_expression
     assert_equal '', sanitize_css(raw)
   end
 
+  def test_should_sanitize_across_newlines
+    raw = %(\nwidth:\nexpression(alert('XSS'));\n)
+    assert_equal '', sanitize_css(raw)
+  end
+
   def test_should_sanitize_img_vbscript
     assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
   end
@@ -299,6 +305,15 @@ def test_should_sanitize_neverending_attribute
     assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
   end
 
+  def test_x03a
+    assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
+    assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
+  end
+
 protected
   def assert_sanitized(input, expected = nil)
     @sanitizer ||= HTML::WhiteListSanitizer.new

activerecord/lib/active_record/relation/predicate_builder.rb

@@ -48,7 +48,7 @@ def self.expand(klass, table, column, value)
         column = reflection.foreign_key
       end
 
-      queries << build(table[column.to_sym], value)
+      queries << build(table[column], value)
       queries
     end
 

activerecord/test/cases/relation/where_chain_test.rb

@@ -6,47 +6,52 @@ module ActiveRecord
   class WhereChainTest < ActiveRecord::TestCase
     fixtures :posts
 
+    def setup
+      super
+      @name = 'title'
+    end
+
     def test_not_eq
-      expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'hello')
+      expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'hello')
       relation = Post.where.not(title: 'hello')
       assert_equal([expected], relation.where_values)
     end
 
     def test_not_null
-      expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], nil)
+      expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], nil)
       relation = Post.where.not(title: nil)
       assert_equal([expected], relation.where_values)
     end
 
     def test_not_in
-      expected = Arel::Nodes::NotIn.new(Post.arel_table[:title], %w[hello goodbye])
+      expected = Arel::Nodes::NotIn.new(Post.arel_table[@name], %w[hello goodbye])
       relation = Post.where.not(title: %w[hello goodbye])
       assert_equal([expected], relation.where_values)
     end
 
     def test_association_not_eq
-      expected = Arel::Nodes::NotEqual.new(Comment.arel_table[:title], 'hello')
+      expected = Arel::Nodes::NotEqual.new(Comment.arel_table[@name], 'hello')
       relation = Post.joins(:comments).where.not(comments: {title: 'hello'})
       assert_equal(expected.to_sql, relation.where_values.first.to_sql)
     end
 
     def test_not_eq_with_preceding_where
       relation = Post.where(title: 'hello').where.not(title: 'world')
 
-      expected = Arel::Nodes::Equality.new(Post.arel_table[:title], 'hello')
+      expected = Arel::Nodes::Equality.new(Post.arel_table[@name], 'hello')
       assert_equal(expected, relation.where_values.first)
 
-      expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'world')
+      expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'world')
       assert_equal(expected, relation.where_values.last)
     end
 
     def test_not_eq_with_succeeding_where
       relation = Post.where.not(title: 'hello').where(title: 'world')
 
-      expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'hello')
+      expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'hello')
       assert_equal(expected, relation.where_values.first)
 
-      expected = Arel::Nodes::Equality.new(Post.arel_table[:title], 'world')
+      expected = Arel::Nodes::Equality.new(Post.arel_table[@name], 'world')
       assert_equal(expected, relation.where_values.last)
     end
 
@@ -65,10 +70,10 @@ def test_not_eq_with_array_parameter
     def test_chaining_multiple
       relation = Post.where.not(author_id: [1, 2]).where.not(title: 'ruby on rails')
 
-      expected = Arel::Nodes::NotIn.new(Post.arel_table[:author_id], [1, 2])
+      expected = Arel::Nodes::NotIn.new(Post.arel_table['author_id'], [1, 2])
       assert_equal(expected, relation.where_values[0])
 
-      expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'ruby on rails')
+      expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'ruby on rails')
       assert_equal(expected, relation.where_values[1])
     end
   end

activesupport/lib/active_support/xml_mini/jdom.rb

@@ -37,6 +37,12 @@ def parse(data)
         {}
       else
         @dbf = DocumentBuilderFactory.new_instance
+        # secure processing of java xml
+        # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+        @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+        @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
         xml_string_reader = StringReader.new(data)
         xml_input_source = InputSource.new(xml_string_reader)
         doc = @dbf.new_document_builder.parse(xml_input_source)

activesupport/test/fixtures/xml/jdom_doctype.dtd

@@ -0,0 +1 @@
+<!ENTITY a "external entity">

activesupport/test/fixtures/xml/jdom_entities.txt

@@ -0,0 +1 @@
+<!ENTITY a "hello">

activesupport/test/fixtures/xml/jdom_include.txt

@@ -0,0 +1 @@
+include me

activesupport/test/xml_mini/jdom_engine_test.rb

@@ -3,9 +3,12 @@
   require 'active_support/xml_mini'
   require 'active_support/core_ext/hash/conversions'
 
+
   class JDOMEngineTest < ActiveSupport::TestCase
     include ActiveSupport
 
+    FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
+
     def setup
       @default_backend = XmlMini.backend
       XmlMini.backend = 'JDOM'
@@ -30,10 +33,41 @@ def test_file_from_xml
        assert_equal 'image/png', file.content_type
     end
 
+    def test_not_allowed_to_expand_entities_to_files
+      attack_xml = <<-EOT
+      <!DOCTYPE member [
+        <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
+      ]>
+      <member>x&a;</member>
+      EOT
+      assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+    end
+
+  def test_not_allowed_to_expand_parameter_entities_to_files
+      attack_xml = <<-EOT
+      <!DOCTYPE member [
+        <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
+        %b;
+      ]>
+      <member>x&a;</member>
+      EOT
+      assert_raise Java::OrgXmlSax::SAXParseException do
+        assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+      end
+    end
+
+
+    def test_not_allowed_to_load_external_doctypes
+      attack_xml = <<-EOT
+      <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
+      <member>x&a;</member>
+      EOT
+      assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+    end
+
     def test_exception_thrown_on_expansion_attack
-      assert_raise NativeException do
+      assert_raise Java::OrgXmlSax::SAXParseException do
         attack_xml = <<-EOT
-      <?xml version="1.0" encoding="UTF-8"?>
       <!DOCTYPE member [
         <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
         <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">