Updated xss support.

Added a new library wsf_security. Updated test cases to cover protections policy. Added a simple filter using an XSS implementation with WSF_XSS_REQUEST, but it's possible to build custom filters and request using different protection patterns.
2017-11-22 17:22:02 -03:00
parent 8b90241986
commit 5de024923e
11 changed files with 1036 additions and 220 deletions
--- a/library/server/wsf/extension/filter/wsf_xss_filter.e
+++ b/library/server/wsf/extension/filter/wsf_xss_filter.e
@@ -1,36 +0,0 @@
-note
-	description: "[
-		{WSF_XSS_FILTER}.
-		Simple anti cross-site scripting (XSS) filter.
-		Remove all suspicious strings from request parameters (query strings and form) before returning them to the application
-
-	]"
-	date: "$Date$"
-	revision: "$Revision$"
-
-class
-	WSF_XSS_FILTER
-
-inherit
-
-	WSF_FILTER
-
-feature -- Execution
-
-	execute (req: WSF_REQUEST; res: WSF_RESPONSE)
-			-- Execute the filter.
-		do
-			execute_next (create {WSF_XSS_REQUEST}.make_from_request (req), res)
-		end
-
-note
-	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
-	license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
-	source: "[
-			Eiffel Software
-			5949 Hollister Ave., Goleta, CA 93117 USA
-			Telephone 805-685-1006, Fax 805-685-6869
-			Website http://www.eiffel.com
-			Customer support http://support.eiffel.com
-		]"
-end
--- a/library/server/wsf/extension/support/wsf_protection_patterns.e
+++ b/library/server/wsf/extension/support/wsf_protection_patterns.e
@@ -1,51 +0,0 @@
-note
-	description: "[
-		{WSF_PROTECTION_PATTERNS}
-		Provide application security parterns to assist in Cross Site Scripting
-	]"
-	date: "$Date$"
-	revision: "$Revision$"
-	EIS: "name=OWASP XSS", "src=https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet", "protocol=uri"
-	EIS: "name=Regular expression protection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
-
-expanded class
-	WSF_PROTECTION_PATTERNS
-
-
-feature -- xss PATTERNS
-
-	XSS_regular_expression: REGULAR_EXPRESSION
-		note
-			EIS: "name= XSS", "src=https://community.apigee.com/questions/27198/xss-threat-protection-patterns.html#answer-27465", "protocol=uri"
-		local
-			p: STRING_32
-		once
-			p := "((\%%3C)|<)[^\n]+((\%%3E)|>)"
-			Result := compiled_regexp (p, True)
-		end
-
-feature {NONE} -- Implementation
-
-	compiled_regexp (p: STRING; caseless: BOOLEAN): REGULAR_EXPRESSION
-		require
-			p /= Void
-		do
-			create Result
-			Result.set_caseless (caseless)
-			Result.compile (p)
-		ensure
-			Result.is_compiled
-		end
-
-
-note
-	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
-	license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
-	source: "[
-			Eiffel Software
-			5949 Hollister Ave., Goleta, CA 93117 USA
-			Telephone 805-685-1006, Fax 805-685-6869
-			Website http://www.eiffel.com
-			Customer support http://support.eiffel.com
-		]"
-end
--- a/library/server/wsf/extension/support/wsf_xss_utilities.e
+++ b/library/server/wsf/extension/support/wsf_xss_utilities.e
@@ -1,108 +0,0 @@
-note
-	description: "Return safe (XSS protection) data for WSF_REQUEST query and form parameters."
-	date: "$Date$"
-	revision: "$Revision$"
-
-class
-	WSF_XSS_UTILITIES
-
-	-- TODO  add header protection.
-
-feature -- Query parameters
-
-	safe_query_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-			-- Safe Query parameter for name `a_name'.
-		local
-			l_wsf_xss: WSF_PROTECTION_PATTERNS
-			r: REGULAR_EXPRESSION
-		do
-			r := l_wsf_xss.XSS_regular_expression
-			Result := a_req.query_parameter (a_name)
-			if Result /= Void then
-				if
-					attached {WSF_STRING} Result as str and then
-					r.is_compiled
-				then
-					r.match (str.value)
-					if r.has_matched then
-						create {WSF_STRING} Result.make (str.name, " ")
-					end
-				end
-			end
-		end
-
-feature -- Form Parameters
-
-	safe_form_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-			-- Safe Form parameter for name `a_name'.
-		local
-			l_wsf_xss: WSF_PROTECTION_PATTERNS
-			r: REGULAR_EXPRESSION
-			not_first: BOOLEAN
-		do
-			r := l_wsf_xss.XSS_regular_expression
-			Result := a_req.form_parameter (a_name)
-			if Result /= Void then
-				if
-					attached {WSF_STRING} Result as str and then
-					r.is_compiled
-				then
-					r.match (str.value)
-					if r.has_matched then
-						create {WSF_STRING} Result.make (str.name, " ")
-					end
-				elseif
-					attached {WSF_MULTIPLE_STRING} Result as l_multi_str and then
-					r.is_compiled
-				then
-					across l_multi_str as ic  loop
-						r.match (ic.item.value)
-						if r.has_matched then
-							if not_first and then attached  {WSF_MULTIPLE_STRING} Result as l_result then
-								 l_result.add_value ( (create {WSF_STRING}.make (ic.item.name, " ")))
-							else
-								create {WSF_MULTIPLE_STRING} Result.make_with_string (ic.item.name, " ")
-								not_first := True
-							end
-						end
-					end
-				end
-
-			end
-		end
-
-feature -- Meta Variables		
-
-	safe_meta_variable (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL): detachable WSF_STRING
-			-- CGI Meta variable related to `a_name'
-		require
-			a_name_valid: a_name /= Void and then not a_name.is_empty
-		local
-			l_wsf_xss: WSF_PROTECTION_PATTERNS
-			r: REGULAR_EXPRESSION
-		do
-			r := l_wsf_xss.XSS_regular_expression
-			Result := a_req.meta_variable (a_name)
-			if Result /= Void then
-				if
-					attached {WSF_STRING} Result as str and then
-					r.is_compiled
-				then
-					r.match (str.value)
-					if r.has_matched then
-						create {WSF_STRING} Result.make (str.name, " ")
-					end
-				end
-			end
-		end
-note
-	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
-	license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
-	source: "[
-			Eiffel Software
-			5949 Hollister Ave., Goleta, CA 93117 USA
-			Telephone 805-685-1006, Fax 805-685-6869
-			Website http://www.eiffel.com
-			Customer support http://support.eiffel.com
-		]"
-end
--- a/library/server/wsf/extension/wsf_xss_request.e
+++ b/library/server/wsf/extension/wsf_xss_request.e
@@ -1,59 +0,0 @@
-note
-	description: "[
-		XSS request, redefine query_parameter and form_parameters filtering the data (using XSS protection)
-		before return the value.
-	]"
-	date: "$Date$"
-	revision: "$Revision$"
-
-class
-	WSF_XSS_REQUEST
-
-inherit
-	WSF_REQUEST
-		redefine
-			query_parameter,
-			form_parameter
-		end
-
-	WSF_REQUEST_EXPORTER
-
-	WSF_XSS_UTILITIES
-
-create
-	make_from_request
-
-feature {NONE} -- Creation
-
-	make_from_request (req: WSF_REQUEST)
-		do
-			make_from_wgi (req.wgi_request)
-		end
-
-feature -- Query parameters
-
-	query_parameter (a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-			-- Query parameter for name `a_name'.
-		do
-			Result := safe_query_parameter (Current, a_name)
-		end
-
-feature -- Form Parameters
-
-	form_parameter (a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-		do
-			Result := safe_form_parameter (Current, a_name)
-		end
-
-
-note
-	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
-	license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
-	source: "[
-			Eiffel Software
-			5949 Hollister Ave., Goleta, CA 93117 USA
-			Telephone 805-685-1006, Fax 805-685-6869
-			Website http://www.eiffel.com
-			Customer support http://support.eiffel.com
-		]"
-end