
added os and javascript codecs. Added in spec file for thos codecs an…

…d updated encoder spec. TODO: add convenience methods for encode_for_os and encode_for_js. Refactored some things inside pushable string to use more Ruby-like method names. Will keep going over the code and refactoring as time permits. Still need VBScript, Oracle, and MySQL codecs.
1 parent 6da21e5 commit 1d14f2d43ac4e73ed036a4d5f3875cfb3ede4b84 @washu washu committed Feb 21, 2011
@@ -52,7 +52,7 @@ def encode_char(immune, input)
=begin
helper method for codecs to get the hex value of a character
=end
- def hex_value(c)
+ def hex(c)
return nil if c.nil?
b = c[0].ord
if b < 0xff
@@ -17,7 +17,7 @@ def encode_char(immune, input)
# check immune
return input if immune.include?(input)
# check for alpha numeric
- hex = hex_value(input)
+ hex = hex(input)
# add a space at end to terminate under css
return "\\#{hex} " unless hex.nil? or hex.empty?
return input
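Review bot: The renamed call `hex = hex(input)` assigns a local variable named `hex` that shadows the `hex` helper it has just called; Ruby only resolves this correctly because of the explicit parentheses and argument, and any later bare `hex` in the method body would silently refer to the local rather than the helper. A distinct local name avoids the trap: `escaped = hex(input)` followed by `return "\\#{escaped} " unless escaped.nil? or escaped.empty?`. The same pattern appears in the HTML codec's `encode_char`. `encode_char` begins above this hunk, so the lines before the immune check are not visible here.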
@@ -86,15 +86,15 @@ def decode_char(input)
# handle the skip ahead. Ruby case doesnt allow for fall through so we inlined the small setup
return decode_char(input) if second == "\n" || second == "\f" || second == "\u0000" || fallthrough
# non hex test
- return second if !input.is_hex(second)
+ return second if !input.hex?(second)
# check for 6 hex digits for rule 3
tmp = second
for i in 1..5 do
c = input.next
if c.nil? or c =~ /\s/
break
end
- if input.is_hex(c)
+ if input.hex?(c)
tmp << c
else
input.push(c)
@@ -12,25 +12,34 @@ class Encoder
IMMUNE_OS = [ '-' ]
IMMUNE_XMLATTR = [ ',', '.', '-', '_' ]
IMMUNE_XPATH = [ ',', '.', '-', '_', ' ' ]
- @@codecs = []
- @@html_codec = Owasp::Esapi::Codec::HtmlCodec.new
- @@xml_codec = nil
- @@percent_codec = Owasp::Esapi::Codec::PercentCodec.new
- @@js_codec = nil
- @@vb_codec = nil
- @@css_codec = Owasp::Esapi::Codec::CssCodec.new
+ PASSWORD_SPECIALS = "!$*-.=?@_"
+ CHAR_LCASE = "abcdefghijklmnopqrstuvwxyz"
+ CHAR_UCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ CHAR_DIGITS = "0123456789"
+ CHAR_SPECIALS = "!$*+-.=?@^_|~"
+ CHAR_LETTERS = "#{CHAR_LCASE}#{CHAR_UCASE}"
+ CHAR_ALPHANUMERIC = "#{CHAR_LETTERS}#{CHAR_DIGITS}"
# Create an encoder, optionally pass in a list of codecs to use
def initialize(configured_codecs = nil)
+ # codec list
+ @codecs = []
+ # default codecs
+ @html_codec = Owasp::Esapi::Codec::HtmlCodec.new
+ @percent_codec = Owasp::Esapi::Codec::PercentCodec.new
+ @js_codec = Owasp::Esapi::Codec::JavascriptCodec.new
+ @vb_codec = nil
+ @css_codec = Owasp::Esapi::Codec::CssCodec.new
unless configured_codecs.nil?
- configured_codes.each do |codec|
- @@codecs << codec
+ configured_codecs.each do |c|
+ @codecs << c
end
else
# setup some defaults codecs
- @@codecs << @@css_codec
- @@codecs << @@html_codec
- @@codecs << @@percent_codec
+ puts "Setting up Default Codecs"
+ @codecs << @html_codec
+ @codecs << @percent_codec
+ @codecs << @js_codec
end
end
=begin
@@ -61,7 +70,7 @@ def sanitize(input, strict)
clean = false
while !clean
clean = true
- @@codecs.each do |codec|
+ @codecs.each do |codec|
old = working
working = codec.decode(working)
if !old.eql?(working)
@@ -106,20 +115,25 @@ def sanitize(input, strict)
=end
def encode_for_css(input)
return nil if input.nil?
- @@css_codec.encode(IMMUNE_CSS,input)
+ @css_codec.encode(IMMUNE_CSS,input)
+ end
+
+ def encode_for_javascript(input)
+ return nil if input.nil?
+ @js_codec.encode(IMMUNE_JAVASCRIPT,input)
end
def encode_for_html(input)
return nil if input.nil?
- @@html_codec.encode(IMMUNE_HTML,input)
+ @html_codec.encode(IMMUNE_HTML,input)
end
def dencode_for_html(input)
return nil if input.nil?
- @@html_codec.decode(input)
+ @html_codec.decode(input)
end
def encode_for_html_attr(input)
return nil if input.nil?
- @@html_codec.encode(IMMUNE_HTMLATTR,input)
+ @html_codec.encode(IMMUNE_HTMLATTR,input)
end
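Review bot: The default codec list built in the `# setup some defaults codecs` branch of `initialize` no longer includes `@css_codec` (the removed lines pushed it first), yet `sanitize` canonicalizes by running `codec.decode` over every entry of `@codecs`, so CSS escapes will no longer be decoded during canonicalization unless a caller supplies an explicit codec list; if that drop is unintended, add `@codecs << @css_codec` before `@codecs << @html_codec`. The `puts "Setting up Default Codecs"` in the same branch writes to stdout from a library constructor and should be removed or routed to a logger. `encode_for_javascript` references `IMMUNE_JAVASCRIPT`, which is not among the constants visible in this section — presumably it is defined above, but worth confirming since a missing constant only surfaces as a NameError on the first call. The new `PASSWORD_SPECIALS`/`CHAR_*` string constants are mutable; `.freeze` on each would match how immutable lookup tables are normally declared.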
end
@@ -19,7 +19,7 @@ def encode_char(immune, input)
c = input
return input if immune.include?(input)
# check for alpha numeric
- hex = hex_value(input)
+ hex = hex(input)
return input if hex.nil?
# check to see if we need to replace an entity
if ( c.ord <= 0x1f and c != '\t' and c != '\n' and c != '\r' ) || ( c.ord >= 0x7f and c.ord <= 0x9f )
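Review bot: The control-character test on the last line of the hunk compares `c` against `'\t'`, `'\n'` and `'\r'` in single quotes, which in Ruby are the two-character strings backslash-t, backslash-n and backslash-r rather than tab, newline and carriage return, so the exclusions can never match a single character and those three whitespace characters fall into the replacement branch together with the other C0 controls. Double-quoted escapes express the intent: `if ( c.ord <= 0x1f and c != "\t" and c != "\n" and c != "\r" ) || ( c.ord >= 0x7f and c.ord <= 0x9f )`. These are context lines the commit does not change, and `encode_char` continues past the end of the hunk, so the replacement that follows is not visible here.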
@@ -0,0 +1,109 @@
+module Owasp
+ module Esapi
+ module Codec
+ class JavascriptCodec < BaseCodec
+
+ def encode_char(immune,input)
+ return input if immune.include?(input)
+ return input if hex(input).nil?
+
+ temp = hex(input)
+ if temp.hex < 256
+ return "\\x#{'00'[temp.size,2-temp.size]}#{temp.upcase}"
+ end
+ return "\\u#{'0000'[temp.size,4-temp.size]}#{temp.upcase}"
+
+ end
+
+ def decode_char(input)
+
+ input.mark
+ first = input.next
+ if first.nil?
+ input.reset
+ return nil
+ end
+ # check to see if we are dealing with an encoded char
+ if first!= "\\"
+ input.reset
+ return nil
+ end
+ second = input.next
+ if second.nil?
+ input.reset
+ return nil
+ end
+
+ #Check octal codes
+ return 0x08.chr if second == "b"
+ return 0x09.chr if second == "t"
+ return 0x0a.chr if second == "n"
+ return 0x0b.chr if second == "v"
+ return 0x0c.chr if second == "f"
+ return 0x0d.chr if second == "r"
+ return 0x22.chr if second == "\""
+ return 0x27.chr if second == "\'"
+ return 0x5c.chr if second == "\\"
+ if second.downcase == "x" # Hex encoded value
+ temp = ''
+ for i in 0..1 do
+ c = input.next_hex
+ temp << c unless c.nil?
+ if c.nil?
+ input.reset
+ return nil
+ end
+ end
+ i = temp.hex
+ begin
+ return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+ rescue Exception => e
+ input.reset
+ return nil
+ end
+ elsif second.downcase == "u" # Unicode encoded value
+ temp = ''
+ for i in 0..3 do
+ c = input.next_hex
+ temp << c unless c.nil?
+ if c.nil?
+ input.reset
+ return nil
+ end
+ end
+ i = temp.hex
+ begin
+ return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+ rescue Exception => e
+ input.reset
+ return nil
+ end
+ elsif input.octal?(second) # Octal encoded value
+ temp = second
+ c = input.next
+ unless input.octal?(c)
+ input.push(c)
+ else
+ temp << c
+ c = input.next
+ unless input.octal?(c)
+ input.push(c)
+ else
+ temp << c
+ end
+ end
+ # build a number
+ i = temp.to_i(8)
+ begin
+ return i.chr(Encoding::UTF_8) if i >= START_CODE_POINT and i <= END_CODE_POINT
+ rescue Exception => e
+ input.reset
+ return nil
+ end
+ end
+ return second
+ end
+ end
+ end
+ end
+end
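Review bot: The three `rescue Exception => e` clauses in `decode_char` (after the `\x`, `\u` and octal branches) catch every Ruby exception, including `Interrupt`, `SystemExit` and `NoMemoryError`; `Integer#chr(Encoding::UTF_8)` reports an invalid code point with `RangeError`, so that is the class to rescue, and the bound `e` is never used. The three branches also repeat the same range-check-then-chr tail, and when the range check fails they fall through to `return second`, handing back the literal `x`, `u` or digit after the hex digits have already been consumed — presumably unintended, since every other failure path rewinds with `input.reset`. The comment `#Check octal codes` above the `\b`…`\\` table is mislabelled; `# single-character escape sequences` describes what follows. A private helper fixes the rescue class and the fall-through in one place:
```ruby
          if second.downcase == "x" # Hex encoded value
            # … unchanged: read two hex digits into temp, resetting on a short read …
            return codepoint_to_char(input, temp.hex)
          elsif second.downcase == "u" # Unicode encoded value
            # … unchanged: read four hex digits into temp, resetting on a short read …
            return codepoint_to_char(input, temp.hex)
          elsif input.octal?(second) # Octal encoded value
            # … unchanged: gather up to three octal digits into temp …
            return codepoint_to_char(input, temp.to_i(8))
          end
          return second
        end

        private

        # Map a decoded code point to a UTF-8 character. Rewinds the input and
        # returns nil when the value is outside [START_CODE_POINT, END_CODE_POINT]
        # or is not a valid code point (Integer#chr raises RangeError).
        def codepoint_to_char(input, code_point)
          if code_point >= START_CODE_POINT and code_point <= END_CODE_POINT
            return code_point.chr(Encoding::UTF_8)
          end
          input.reset
          nil
        rescue RangeError
          input.reset
          nil
        end
```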
@@ -0,0 +1,73 @@
+class OSDetect
+
+ def self.os
+
+ end
+end
+require 'rbconfig'
+=begin
+ Operating system codec for escape characters for HOST commands
+ We look at Unix style (max, linux) and Windows style
+=end
+module Owasp
+ module Esapi
+ module Codec
+ class OsCodec < BaseCodec
+ WINDOWS_HOST = :Windows
+ UNIX_HOST = :Unix
+ def initialize(os = nil)
+ @host = nil
+ @escape_char = ''
+ host_os = os
+ if os.nil?
+ host_os = case Config::CONFIG['host_os']
+ when /mswin|windows/i then WINDOWS_HOST
+ when /linux/i then UNIX_HOST
+ when /darwin/i then UNIX_HOST
+ when /sunos|solaris/i then UNIX_HOST
+ else UNIX_HOST
+ end
+ end
+ if host_os == WINDOWS_HOST
+ @host = WINDOWS_HOST
+ @escape_char = '^'
+ elsif host_os == UNIX_HOST
+ @host = UNIX_HOST
+ @escape_char = '\\'
+ end
+ end
+
+=begin
+ get the host OS type
+=end
+ def os
+ @host
+ end
+
+ def encode_char(immune,input)
+ return input if immune.include?(input)
+ return input if hex(input).nil?
+ return "#{@escape_char}#{input}"
+ end
+
+ def decode_char(input)
+ input.mark
+ first = input.next
+ # check first char
+ if first.nil?
+ input.reset
+ return nil
+ end
+ # if it isnt escape return nil
+ if first != @escape_char
+ input.reset
+ return nil
+ end
+ # get teh escape value
+ return input.next
+ end
+
+ end
+ end
+ end
+end
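Review bot: `initialize` leaves `@escape_char` as the empty string when `os` is neither `WINDOWS_HOST` nor `UNIX_HOST` (for example `OsCodec.new(:mac)`), so `encode_char` then returns every character unescaped and the codec silently becomes a no-op; an encoder meant for shell command arguments should refuse to be constructed instead — add `else` / `raise ArgumentError, "unsupported host os: #{host_os.inspect}"` to the `if host_os == WINDOWS_HOST` chain. `Config::CONFIG['host_os']` goes through the deprecated `Config` alias that later Ruby releases remove; the file already requires 'rbconfig', so `RbConfig::CONFIG['host_os']` is the stable name. The empty `OSDetect` class above the `require` is a leftover stub whose `self.os` returns nil and is referenced nowhere in this file — drop it. The header comment's "(max, linux)" presumably means "(mac, linux)".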
@@ -1,5 +1,5 @@
#
-# Originally I was using teh cgi lib to encode and decode values
+# Originally I was using the cgi lib to encode and decode values
# however i changed that approach for more control
#
module Owasp
@@ -41,7 +41,7 @@ def next
def next_hex
c = self.next
return nil if c.nil?
- return c if is_hex(c)
+ return c if hex?(c)
return nil
end
=begin
@@ -50,7 +50,7 @@ def next_hex
def next_octal
c = self.next
return nil if c.nil?
- return c if is_octal(c)
+ return c if octal?(c)
return nil
end
=begin
@@ -96,15 +96,15 @@ def mark
check if a given character is a hexadecimal character
meaning a through f and 0 through 9
=end
- def is_hex(c)
+ def hex?(c)
return false if c.nil?
c =~ /[a-fA-F0-9]/
end
=begin
check if a given character is an octal character
means 0 through 7
=end
- def is_octal(c)
+ def octal?(c)
return false if c.nil?
c =~ /[0-7]/
end
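Review bot: The renamed `hex?` and `octal?` predicates still return the result of `=~` — `0` or `nil` rather than `true`/`false` — and their patterns are unanchored, so a multi-character string such as `"zz1"` satisfies `hex?`; the codec callers only pass single characters from `next`, so today this is a style point, but a `?` method should return a boolean for an anchored match: `!!(c =~ /\A[a-fA-F0-9]\z/)` and `!!(c =~ /\A[0-7]\z/)`. The `return false if c.nil?` guards can stay as they are. Both methods are fully visible in their hunk.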