Updated xss support.

Added a new library wsf_security. Updated test cases to cover protections policy. Added a simple filter using an XSS implementation with WSF_XSS_REQUEST, but it's possible to build custom filters and request using different protection patterns.
2017-11-22 17:22:02 -03:00
parent 8b90241986
commit 5de024923e
11 changed files with 1036 additions and 220 deletions
--- a/library/server/wsf/security/wsf_xss_request.e
+++ b/library/server/wsf/security/wsf_xss_request.e
@@ -0,0 +1,260 @@
+note
+	description: "[
+		XSS request, redefine query_parameter and form_parameters filtering the data (using XSS protection)
+		before return the value.
+		The XSS protection pattern used is defined here :{WSF_PROTECTION_PATTERNS}.XSS_regular_expression: REGULAR_EXPRESSION
+
+	]"
+	date: "$Date$"
+	revision: "$Revision$"
+
+class
+	WSF_XSS_REQUEST
+
+inherit
+	WSF_REQUEST
+		redefine
+			query_parameter,
+			form_parameter,
+			meta_variable,
+			http_accept,
+			http_accept_charset,
+			http_accept_encoding,
+			http_accept_language,
+			http_connection,
+			http_expect,
+			http_host,
+			http_referer,
+			http_user_agent,
+			http_authorization,
+			http_transfer_encoding,
+			http_access_control_request_headers,
+			http_if_match,
+			http_if_modified_since,
+			http_if_none_match,
+			http_if_range,
+			http_if_unmodified_since,
+			http_last_modified,
+			http_range,
+			http_content_range,
+			http_content_encoding
+		end
+
+	WSF_REQUEST_EXPORTER
+
+	WSF_PROTECTION_POLICY
+
+create
+	make_from_request
+
+feature {NONE} -- Creation
+
+	make_from_request (req: WSF_REQUEST)
+		do
+			make_from_wgi (req.wgi_request)
+		end
+
+feature -- Query parameters
+
+	query_parameter (a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
+			-- <Precursor>
+		do
+			Result := xss_query_parameter (Current, a_name)
+		end
+
+feature -- Form Parameters
+
+	form_parameter (a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
+			-- <Precursor>
+		do
+			Result := xss_form_parameter (Current, a_name)
+		end
+
+feature -- Meta Variable
+
+	meta_variable (a_name: READABLE_STRING_GENERAL): detachable WSF_STRING
+			-- <Precursor>
+		do
+			Result := xss_meta_variable (Current, a_name)
+		end
+
+feature -- HTTP_*
+
+	http_accept: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_accept (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_accept_charset: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_accept_charset (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_accept_encoding: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_accept_encoding (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_accept_language: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_accept_language (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_connection: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_connection (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_expect: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_expect (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_host: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_host (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_referer: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_referer (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_user_agent: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_user_agent (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_authorization: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_authorization (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_transfer_encoding: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_transfer_encoding (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_access_control_request_headers: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_access_control_request_headers (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_if_match: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_if_match (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_if_modified_since: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_if_modified_since (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_if_none_match: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_if_none_match (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_if_range: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_if_range (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_if_unmodified_since: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_if_unmodified_since (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_last_modified: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_last_modified (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_range: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_range (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_content_range: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_content_range (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+
+	http_content_encoding: detachable READABLE_STRING_8
+			-- <Precursor>
+		local
+			l_protection: WSF_PROTECTION_PATTERNS
+		do
+			Result := custom_http_content_encoding (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
+		end
+note
+	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
+	license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
+	source: "[
+			Eiffel Software
+			5949 Hollister Ave., Goleta, CA 93117 USA
+			Telephone 805-685-1006, Fax 805-685-6869
+			Website http://www.eiffel.com
+			Customer support http://support.eiffel.com
+		]"
+end