Refactored using an abstraction WSF_PROTECTION.

This protection could be implemented with a regular expression,
    or with another approach (such as manual parsing).
  Also, when a protection detects an issue it now returns Void instead of an empty string.
    If the value is a multiple-string value and any one of its items is flagged,
    the whole returned multiple-string value is Void.
  This abstraction will allow returning either Void or a "corrected" value,
    for instance the string value with the detected "<script..>..</script>" text removed.
  TODO: improve WSF_PROTECTION_REGEXP to support a replacement strategy.
This commit is contained in:
Jocelyn Fiat
2017-11-27 15:44:19 +01:00
parent 4d79bba04b
commit 1037256ea6
7 changed files with 367 additions and 212 deletions


@@ -37,7 +37,7 @@ feature -- Test
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
create sec
--| Case HTTP header expect attack, filtered using {xss_regular_expression}
@@ -48,7 +48,7 @@ feature -- Test
["HTTP_EXPECT", "<script>alert(XSS attack)</script>"]
>>
)
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", attached {READABLE_STRING_8} sec.custom_http_expect (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>) as v and then v.is_empty )
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", sec.custom_http_expect (req, <<l_protection.xss>>) = Void)
end
@@ -56,7 +56,7 @@ feature -- Test
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
create sec
--| Case HTTP header expect attack, filtered using {xss_javascript_expression}
@@ -67,14 +67,14 @@ feature -- Test
["HTTP_EXPECT", "<script>alert(XSS attack)</script>"]
>>
)
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", attached {READABLE_STRING_8} sec.custom_http_expect (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_javascript_expression>>) as v and then v.is_empty )
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", sec.custom_http_expect (req, <<l_protection.xss_javascript>>) = Void )
end
test_http_referer_attack_with_xss_js_protection_fails
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
l_str: STRING
do
l_str:= "[
@@ -89,7 +89,7 @@ feature -- Test
["HTTP_REFERER", l_str]
>>
)
assert ("HTTP_REFERER", attached {READABLE_STRING_8} sec.custom_http_referer (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_javascript_expression>>) as v and then not v.is_empty )
assert ("HTTP_REFERER", attached sec.custom_http_referer (req, <<l_protection.xss_javascript>>) as v and then not v.is_empty )
end
@@ -97,7 +97,7 @@ feature -- Test
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
l_str: STRING
do
l_str:= "[
@@ -112,7 +112,7 @@ feature -- Test
["HTTP_REFERER", l_str]
>>
)
assert ("HTTP_REFERER", attached {READABLE_STRING_8} sec.custom_http_referer (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>) as v and then not v.is_empty )
assert ("HTTP_REFERER", attached {READABLE_STRING_8} sec.custom_http_referer (req, <<l_protection.xss>>) as v and then not v.is_empty )
end
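Review bot: The rewritten assertions for HTTP_EXPECT (`sec.custom_http_expect (req, <<l_protection.xss>>) = Void`) only check that an attack payload is rejected; nothing in this file checks that a benign value survives the protection unchanged, and since the refactor now discards the whole value on detection, a false positive would silently drop a legitimate header. A positive-control case such as `assert ("HTTP_EXPECT 100-continue", attached sec.custom_http_expect (req, <<l_protection.xss>>) as v and then v.same_string ("100-continue"))` (after registering a `100-continue` Expect header on `req`) would pin that. The two HTTP_REFERER tests keep `attached ... as v and then not v.is_empty`, and their `_fails` names suggest they record a known evasion of the pattern as passing behaviour; if so, a comment like `-- Known limitation: this payload is not caught by the xss_javascript pattern yet` would stop a reader from taking the assertion as a guarantee. Minor style point: the referer assertion using `xss` keeps the `{READABLE_STRING_8}` object-test type while the sibling assertion using `xss_javascript` drops it; the two should use the same form. The value of `l_str` is set outside the visible hunks, so the exact payload being tested cannot be confirmed here.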


@@ -14,6 +14,7 @@ feature -- Tests
test_xss_locator
local
xss: WSF_XSS_REQUEST
r: REGULAR_EXPRESSION
s: STRING
do
@@ -22,7 +23,7 @@ feature -- Tests
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("XSS locator", r.has_matched)
end
@@ -35,7 +36,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
'';!--"<XSS>=&{()}
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("XSS locator short", r.has_matched)
end
@@ -48,7 +49,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("No filter evasion", r.has_matched)
end
@@ -65,7 +66,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
<img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id)>'">
<img src="http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor.jpg">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Filter bypass based polyglot", r.has_matched)
end
@@ -79,7 +80,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC="javascript:alert('XSS');">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Image XSS using the JavaScript directive", r.has_matched)
end
@@ -93,7 +94,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=javascript:alert('XSS')>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("No quotes and no semicolon", r.has_matched)
end
@@ -107,7 +108,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=JaVaScRiPt:alert('XSS')>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Case insensitive XSS attack vector", r.has_matched)
end
@@ -121,7 +122,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("HTML entities", r.has_matched)
end
@@ -134,7 +135,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Grave accent obfuscation", r.has_matched)
end
@@ -149,7 +150,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<a onmouseover="alert(document.cookie)">xxs link</a>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Malformed A tags", r.has_matched)
end
@@ -164,7 +165,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<a onmouseover=alert(document.cookie)>xxs link</a>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Malformed A tags", r.has_matched)
end
@@ -178,7 +179,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Malformed IMG tags", r.has_matched)
end
@@ -192,7 +193,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("fromCharCode", r.has_matched)
end
@@ -206,7 +207,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=# onmouseover="alert('xxs')">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Default SRC tag to get past filters that check SRC domain", r.has_matched)
end
@@ -220,7 +221,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC= onmouseover="alert('xxs')">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Default SRC tag by leaving it empty", r.has_matched)
end
@@ -233,7 +234,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG onmouseover="alert('xxs')">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Default SRC tag by leaving it out entirely", r.has_matched)
end
@@ -246,6 +247,6 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
feature {NONE} -- Implementation
xss_pattern: WSF_PROTECTION_PATTERNS
xss_pattern: WSF_PROTECTIONS
end