mirrors/EWF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactored using an abstraction WSF_PROTECTION.

Browse Source 
This protection could be implemented with a regular expression,
    or using another solution (as manual parsing).
  Also, when a protection detects an issue, instead of returning empty string,
    it returns Void. If the value is a multiple string value, if an item is detected for an issue,
    the returned multiple string value is now Void.
  This abstraction will allow to return either Void, or a "corrected" value,
    for instance the string value, without the detected "<script..>..</script>" text.
  TODO: improve the WSF_PROTECTION_REGEXP to allow replacement strategy.
This commit is contained in:
Jocelyn Fiat
2017-11-27 15:44:19 +01:00
parent 4d79bba04b
commit 1037256ea6
7 changed files with 367 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
library/server/wsf/security/support/wsf_protection.e Normal file
View File

@@ -0,0 +1,76 @@
note
description: "Summary description for {WSF_PROTECTION}."
author: ""
date: "$Date$"
revision: "$Revision$"
deferred class
WSF_PROTECTION
feature -- Status report
is_valid: BOOLEAN
deferred
end
feature -- String Protection
string_8 (s: READABLE_STRING_8): detachable READABLE_STRING_8
require
is_valid: is_valid
deferred
end
feature -- Value Protection
value (v: WSF_VALUE): detachable WSF_VALUE
require
is_valid: is_valid
do
if attached {WSF_STRING} v as s then
Result := string_value (s)
elseif attached {WSF_MULTIPLE_STRING} v as ms then
Result := multiple_string_value (ms)
else
-- TODO
Result := v
end
end
string_value (v: WSF_STRING): detachable WSF_STRING
require
is_valid: is_valid
deferred
end
multiple_string_value (mv: WSF_MULTIPLE_STRING): detachable WSF_MULTIPLE_STRING
require
is_valid: is_valid
local
v: detachable WSF_STRING
do
across
mv as ic
loop
v := string_value (ic.item)
if v = Void then
Result := Void
elseif Result = Void then
create Result.make_with_value (v)
else
Result.add_value (v)
end
end
end
note
copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
source: "[
Eiffel Software
5949 Hollister Ave., Goleta, CA 93117 USA
Telephone 805-685-1006, Fax 805-685-6869
Website http://www.eiffel.com
Customer support http://support.eiffel.com
]"
end

186
library/server/wsf/security/support/wsf_protection_policy.e
View File

@@ -10,7 +10,7 @@ class
feature -- Query parameters
custom_query_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable WSF_VALUE
custom_query_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL; a_protections: ITERABLE [WSF_PROTECTION]): detachable WSF_VALUE
-- Filtered Query parameter name `a_name' with custom protections.
do
Result := custom_wsf_value (a_req.query_parameter (a_name), a_protections)
@@ -18,7 +18,7 @@ feature -- Query parameters
predefined_query_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-- Filtered Query parameter name `a_name' with all predefined protections.
-- check {WSF_PROTECTION_PATTERNS} class.
-- check {WSF_PROTECTIONS} class.
do
Result := predefined_value (a_req.query_parameter (a_name))
end
@@ -61,7 +61,7 @@ feature -- Query parameters
feature -- Form Parameters
custom_form_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable WSF_VALUE
custom_form_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL; a_protections: ITERABLE [WSF_PROTECTION]): detachable WSF_VALUE
-- Filtered Form parameter name `a_name' with custom protections.
do
Result := custom_wsf_value (a_req.form_parameter (a_name), a_protections)
@@ -69,7 +69,7 @@ feature -- Form Parameters
predefined_form_parameter (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-- Filtered Form parameter name `a_name' with all predefined protections.
-- check {WSF_PROTECTION_PATTERNS} class.
-- check {WSF_PROTECTIONS} class.
do
Result := predefined_value (a_req.form_parameter (a_name))
end
@@ -112,7 +112,7 @@ feature -- Form Parameters
feature -- Meta Variables
custom_meta_variable (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable WSF_VALUE
custom_meta_variable (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL; a_protections: ITERABLE [WSF_PROTECTION]): detachable WSF_VALUE
-- Filtered CGI Meta variable name `a_name' with custom protections.
require
a_name_valid: a_name /= Void and then not a_name.is_empty
@@ -124,7 +124,7 @@ feature -- Meta Variables
predefined_meta_variable (a_req: WSF_REQUEST; a_name: READABLE_STRING_GENERAL): detachable WSF_VALUE
-- Filtered CGI Meta variable name `a_name' with predefined protections.
-- check {WSF_PROTECTION_PATTERNS} class.
-- check {WSF_PROTECTIONS} class.
require
a_name_valid: a_name /= Void and then not a_name.is_empty
do
@@ -194,7 +194,7 @@ feature -- Meta Variables
end
feature -- HTTP_*
custom_http_accept (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_accept (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_accept header with custom protections `a_protections`.
-- Contents of the Accept: header from the current wgi_request, if there is one.
-- Example: 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
@@ -202,7 +202,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_accept, a_protections)
end
custom_http_accept_charset (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_accept_charset (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_accept_charset header with custom protections `a_protections`.
-- Contents of the Accept-Charset: header from the current wgi_request, if there is one.
-- Example: 'iso-8859-1,*,utf-8'.
@@ -211,7 +211,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_accept_charset, a_protections)
end
custom_http_accept_encoding (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_accept_encoding (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_accept_encoding header with custom protections `a_protections`.
-- Contents of the Accept-Encoding: header from the current wgi_request, if there is one.
-- Example: 'gzip'.
@@ -219,7 +219,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_accept_encoding, a_protections)
end
custom_http_accept_language (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_accept_language (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_accept_language header with custom protections `a_protections`.
-- Contents of the Accept-Language: header from the current wgi_request, if there is one.
-- Example: 'en'.
@@ -227,7 +227,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_accept_language, a_protections)
end
custom_http_connection (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_connection (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_connection header with custom protections `a_protections`.
-- Contents of the Connection: header from the current wgi_request, if there is one.
-- Example: 'keep-alive'.
@@ -235,7 +235,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_connection, a_protections)
end
custom_http_expect (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_expect (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_expect header with custom protections `a_protections`.
-- The Expect request-header field is used to indicate that particular server behaviors are required by the client.
-- Example: '100-continue'.
@@ -243,14 +243,14 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_expect, a_protections)
end
custom_http_host (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_host (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_host header with custom protections `a_protections`.
-- Contents of the Host: header from the current wgi_request, if there is one.
do
Result := custom_string_value (a_req.http_host, a_protections)
end
custom_http_referer (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_referer (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_referer header with custom protections `a_protections`.
-- The address of the page (if any) which referred the user agent to the current page.
-- This is set by the user agent.
@@ -260,7 +260,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_referer, a_protections)
end
custom_http_user_agent (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_user_agent (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_user_agent header with custom protections `a_protections`.
-- Contents of the User-Agent: header from the current wgi_request, if there is one.
-- This is a string denoting the user agent being which is accessing the page.
@@ -271,14 +271,14 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_user_agent, a_protections)
end
custom_http_authorization (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_authorization (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_authorization header with custom protections `a_protections`.
-- Contents of the Authorization: header from the current wgi_request, if there is one.
do
Result := custom_string_value (a_req.http_authorization, a_protections)
end
custom_http_transfer_encoding (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_transfer_encoding (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_transfer_encoding header with custom protections `a_protections`.
-- Transfer-Encoding
-- for instance chunked.
@@ -286,7 +286,7 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_transfer_encoding, a_protections)
end
custom_http_access_control_request_headers (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_access_control_request_headers (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_access_control_request_headers header with custom protections `a_protections`.
-- Indicates which headers will be used in the actual request
-- as part of the preflight request
@@ -294,63 +294,63 @@ feature -- HTTP_*
Result := custom_string_value (a_req.http_access_control_request_headers, a_protections)
end
custom_http_if_match (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_if_match (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_if_match header with custom protections `a_protections`.
-- Existence check on resource.
do
Result := custom_string_value (a_req.http_if_match, a_protections)
end
custom_http_if_modified_since (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_if_modified_since (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_if_modified_since header with custom protections `a_protections`.
-- Modification check on resource.
do
Result := custom_string_value (a_req.http_if_modified_since, a_protections)
end
custom_http_if_none_match (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_if_none_match (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_if_none_match header with custom protections `a_protections`.
-- Existence check on resource.
do
Result := custom_string_value (a_req.http_if_none_match, a_protections)
end
custom_http_if_range (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_if_range (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_if_range header with custom protections `a_protections`.
-- Existence check on resource.
do
Result := custom_string_value (a_req.http_if_range, a_protections)
end
custom_http_if_unmodified_since (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_if_unmodified_since (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_if_unmodified_since header with custom protections `a_protections`.
-- Modification check on resource.
do
Result := custom_string_value (a_req.http_if_unmodified_since, a_protections)
end
custom_http_last_modified (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_last_modified (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_last_modified header with custom protections `a_protections`.
-- Modification check on resource.
do
Result := custom_string_value (a_req.http_last_modified, a_protections)
end
custom_http_range (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_range (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_range header with custom protections `a_protections`.
-- Requested byte-range of resource.
do
Result := custom_string_value (a_req.http_range, a_protections)
end
custom_http_content_range (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_content_range (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_content_range header with custom protections `a_protections`.
-- Partial range of selected representation enclosed in message payload.
do
Result := custom_string_value (a_req.http_content_range, a_protections)
end
custom_http_content_encoding (a_req: WSF_REQUEST; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_http_content_encoding (a_req: WSF_REQUEST; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Filtered http_content_encoding header with custom protections `a_protections`.
-- Encoding (usually compression) of message payload.
do
@@ -359,18 +359,14 @@ feature -- HTTP_*
feature {NONE} -- Implementation
custom_wsf_value (a_value: detachable WSF_VALUE; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable WSF_VALUE
custom_wsf_value (a_value: detachable WSF_VALUE; a_protections: ITERABLE [WSF_PROTECTION]): detachable WSF_VALUE
-- Return value `a_value` filtered by all protections policy.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
do
Result := filter_wsf_value (a_value, a_protections )
end
custom_string_value (a_value: detachable READABLE_STRING_8; a_protections: ARRAY [REGULAR_EXPRESSION]): detachable READABLE_STRING_8
custom_string_value (a_value: detachable READABLE_STRING_8; a_protections: ITERABLE [WSF_PROTECTION]): detachable READABLE_STRING_8
-- Return value `a_value` filtered by all protections policy.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
do
Result := filter_string_value (a_value, a_protections )
end
@@ -378,132 +374,108 @@ feature {NONE} -- Implementation
predefined_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by all predefined protections policy.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value,
{ARRAY [REGULAR_EXPRESSION]}<<
l_wsf_xss.XSS_regular_expression,
l_wsf_xss.server_side_expression,
l_wsf_xss.sql_injection_regular_expression,
l_wsf_xss.xpath_abbreviated_expression,
l_wsf_xss.xpath_expanded_expression>>)
<<
l_wsf_xss.XSS,
l_wsf_xss.server_side,
l_wsf_xss.sql_injection,
l_wsf_xss.xpath_abbreviated,
l_wsf_xss.xpath_expanded
>>)
end
xss_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by xss protection.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value, {ARRAY [REGULAR_EXPRESSION]}<<l_wsf_xss.XSS_regular_expression>>)
Result := filter_wsf_value (a_value, <<l_wsf_xss.XSS>>)
end
xss_js_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by xss-javascript protection.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value, {ARRAY [REGULAR_EXPRESSION]} <<l_wsf_xss.XSS_javascript_expression>>)
Result := filter_wsf_value (a_value, <<l_wsf_xss.XSS_javascript>>)
end
sql_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by sql injection protection.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value, {ARRAY [REGULAR_EXPRESSION]} <<l_wsf_xss.SQL_injection_regular_expression>>)
Result := filter_wsf_value (a_value, <<l_wsf_xss.SQL_injection>>)
end
server_side_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by server side injection protection.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value, {ARRAY [REGULAR_EXPRESSION]} <<l_wsf_xss.Server_side_expression>>)
Result := filter_wsf_value (a_value, <<l_wsf_xss.Server_side>>)
end
xpath_abbreviated_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by xpath_abbreviated injection protection.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value, {ARRAY [REGULAR_EXPRESSION]} <<l_wsf_xss.Xpath_abbreviated_expression>>)
Result := filter_wsf_value (a_value, <<l_wsf_xss.Xpath_abbreviated>>)
end
xpath_expanded_value (a_value: detachable WSF_VALUE): detachable WSF_VALUE
-- Return value `a_value` filtered by Xpath expanded injection protection.
local
l_wsf_xss: WSF_PROTECTION_PATTERNS
l_wsf_xss: WSF_PROTECTIONS
do
Result := filter_wsf_value (a_value, {ARRAY [REGULAR_EXPRESSION]} <<l_wsf_xss.Xpath_expanded_expression>>)
Result := filter_wsf_value (a_value, <<l_wsf_xss.Xpath_expanded>>)
end
filter_wsf_value (a_value: detachable WSF_VALUE; a_regex: ARRAY [REGULAR_EXPRESSION] ): detachable WSF_VALUE
-- Filter value `a_value` with an array of protections policy `a_regex`.
filter_wsf_value (a_value: detachable WSF_VALUE; a_protections: ITERABLE [WSF_PROTECTION]): detachable WSF_VALUE
-- Filter value `a_value` with an array of protections policy `a_protections`.
require
a_protections_valid: across a_protections as ic all ic.item.is_valid end
local
not_first: BOOLEAN
prot: WSF_PROTECTION
do
if a_value /= Void then
Result := a_value
if Result /= Void then
if
attached {WSF_STRING} Result as str and then
a_regex.for_all (agent is_compiled)
then
a_regex.do_all (agent match (?, str.value))
if a_regex.there_exists (agent has_matched) then
create {WSF_STRING} Result.make (str.name, " ")
end
elseif
attached {WSF_MULTIPLE_STRING} Result as l_multi_str and then
a_regex.for_all (agent is_compiled)
then
across l_multi_str as ic loop
a_regex.do_all (agent match (?, ic.item.value))
if a_regex.there_exists (agent has_matched ) then
if not_first and then attached {WSF_MULTIPLE_STRING} Result as l_result then
l_result.add_value ( (create {WSF_STRING}.make (ic.item.name, " ")))
else
create {WSF_MULTIPLE_STRING} Result.make_with_string (ic.item.name, " ")
not_first := True
end
end
end
across
a_protections as ic
until
Result = Void
loop
prot := ic.item
check is_valid: prot.is_valid end
Result := prot.value (Result)
end
end
end
filter_string_value (a_value: detachable READABLE_STRING_8; a_regex: ARRAY [REGULAR_EXPRESSION] ): detachable READABLE_STRING_8
-- Filter value `a_value` with an array of protections policy `a_regex`.
filter_string_value (a_value: detachable READABLE_STRING_8; a_protections: ITERABLE [WSF_PROTECTION] ): detachable READABLE_STRING_8
-- Filter value `a_value` with an array of protections policy `a_protections`.
require
all_protections_valid: across a_protections as ic all ic.item.is_valid end
local
v: WSF_STRING
prot: WSF_PROTECTION
do
if a_value /= Void then
Result := a_value
if Result /= Void then
if
attached a_value as l_value and then
a_regex.for_all (agent is_compiled)
then
a_regex.do_all (agent match (?, l_value))
if a_regex.there_exists (agent has_matched) then
create {STRING_8} Result.make_empty
across
a_protections as ic
until
Result = Void
loop
prot := ic.item
check is_valid: prot.is_valid end
Result := prot.string_8 (Result)
end
end
end
end
is_compiled (a_regex: REGULAR_EXPRESSION): BOOLEAN
-- Is the regular expression 'a_regex' compiled?
do
Result := a_regex.is_compiled
end
match (a_regex: REGULAR_EXPRESSION; a_value: READABLE_STRING_32)
do
a_regex.match (a_value)
end
has_matched (a_regex: REGULAR_EXPRESSION): BOOLEAN
do
Result := a_regex.has_matched
end
note
copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"

112
library/server/wsf/security/support/wsf_protection_regexp.e Normal file
View File

@@ -0,0 +1,112 @@
note
description: "Summary description for {WSF_PROTECTION_REGEXP}."
author: ""
date: "$Date$"
revision: "$Revision$"
class
WSF_PROTECTION_REGEXP
inherit
WSF_PROTECTION
create
make,
make_caseless,
make_with_regexp
convert
make_with_regexp ({REGULAR_EXPRESSION})
feature {NONE} -- Initialization
make (a_regexp_pattern: READABLE_STRING_8; a_caseless: BOOLEAN)
local
r: REGULAR_EXPRESSION
do
create r
r.set_caseless (a_caseless)
r.compile (a_regexp_pattern)
make_with_regexp (r)
end
make_caseless (a_regexp_pattern: READABLE_STRING_8)
do
make (a_regexp_pattern, True)
end
make_with_regexp (a_regexp: REGULAR_EXPRESSION)
do
regexp := a_regexp
end
feature -- Access
regexp: REGULAR_EXPRESSION
feature -- String Protection
string_8 (s: READABLE_STRING_8): detachable READABLE_STRING_8
local
reg: like regexp
do
reg := regexp
reg.match (s)
if reg.has_matched then
Result := Void
else
Result := s
end
end
string_value (v: WSF_STRING): detachable WSF_STRING
local
vs: READABLE_STRING_8
do
vs := v.url_encoded_value
if attached string_8 (vs) as s then
if vs = s then
Result := v
else
create Result.make (v.name, s)
end
end
end
feature -- Status report
is_valid: BOOLEAN
do
Result := is_compiled
end
is_compiled: BOOLEAN
do
Result := regexp.is_compiled
end
feature {NONE} -- Implementation
compiled_regexp (p: STRING; caseless: BOOLEAN): REGULAR_EXPRESSION
require
p /= Void
do
create Result
Result.set_caseless (caseless)
Result.compile (p)
ensure
is_compiled: Result.is_compiled
end
note
copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
source: "[
Eiffel Software
5949 Hollister Ave., Goleta, CA 93117 USA
Telephone 805-685-1006, Fax 805-685-6869
Website http://www.eiffel.com
Customer support http://support.eiffel.com
]"
end

64
library/server/wsf/security/support/wsf_protection_patterns.e → library/server/wsf/security/support/wsf_protections.e
View File

@@ -1,6 +1,6 @@
note
description: "[
{WSF_PROTECTION_PATTERNS}
{WSF_PROTECTIONS}
Provide application security parterns to assist in Cross Site Scripting
]"
date: "$Date$"
@@ -9,75 +9,69 @@ note
EIS: "name=Regular expression protection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
expanded class
WSF_PROTECTION_PATTERNS
WSF_PROTECTIONS
feature -- XSS patterns
feature -- xss PATTERNS
XSS_regular_expression: REGULAR_EXPRESSION
XSS: WSF_PROTECTION_REGEXP
note
EIS: "name= XSS", "src=https://community.apigee.com/questions/27198/xss-threat-protection-patterns.html#answer-27465", "protocol=uri"
local
p: STRING_32
once
p := "((\%%3C)|<)[^\n]+((\%%3E)|>)"
Result := compiled_regexp (p, True)
create Result.make_caseless ("((\%%3C)|<)[^\n]+((\%%3E)|>)")
ensure
is_compiled: Result.is_compiled
end
XSS_javascript_expression: REGULAR_EXPRESSION
XSS_javascript: WSF_PROTECTION_REGEXP
note
EIS: "name=JavaScript Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
local
p: STRING_32
once
p := "<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>"
Result := compiled_regexp (p, True)
Result := compiled_regexp ("<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>", True)
ensure
is_compiled: Result.is_compiled
end
feature -- XPath injections Patterns
XPath_abbreviated_expression: REGULAR_EXPRESSION
XPath_abbreviated: WSF_PROTECTION_REGEXP
note
EIS: "name=XPath Abbreviated Syntax Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
local
p: STRING_32
once
p := "(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+"
Result := compiled_regexp (p, True)
Result := compiled_regexp ("(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+", True)
ensure
is_compiled: Result.is_compiled
end
XPath_expanded_expression: REGULAR_EXPRESSION
XPath_expanded: WSF_PROTECTION_REGEXP
note
EIS: "name=XPath Expanded Syntax Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
local
p: STRING_32
once
p := "/?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))"
Result := compiled_regexp (p, True)
Result := compiled_regexp ("/?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))", True)
ensure
is_compiled: Result.is_compiled
end
feature -- Server side injection
Server_side_expression: REGULAR_EXPRESSION
Server_side: WSF_PROTECTION_REGEXP
note
EIS: "name=Server-Side Include Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
local
p: STRING_32
once
p := "<!--#(include|exec|echo|config|printenv)\s+.*"
Result := compiled_regexp (p, True)
Result := compiled_regexp ("<!--#(include|exec|echo|config|printenv)\s+.*", True)
ensure
is_compiled: Result.is_compiled
end
feature -- SQL injection Patterns
SQL_injection_regular_expression: REGULAR_EXPRESSION
SQL_injection: WSF_PROTECTION_REGEXP
note
EIS: "name= SQL Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
local
p: STRING_32
once
p := "[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"
Result := compiled_regexp (p, True)
Result := compiled_regexp ("[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))", True)
ensure
is_compiled: Result.is_compiled
end
feature {NONE} -- Implementation
@@ -90,7 +84,7 @@ feature {NONE} -- Implementation
Result.set_caseless (caseless)
Result.compile (p)
ensure
Result.is_compiled
is_compiled: Result.is_compiled
end
note

86
library/server/wsf/security/wsf_xss_request.e
View File

@@ -2,7 +2,7 @@ note
description: "[
XSS request, redefine query_parameter and form_parameters filtering the data (using XSS protection)
before return the value.
The XSS protection pattern used is defined here :{WSF_PROTECTION_PATTERNS}.XSS_regular_expression: REGULAR_EXPRESSION
The XSS protection pattern used is defined here :{WSF_PROTECTIONS}.XSS: WSF_PROTECTION
]"
date: "$Date$"
@@ -83,169 +83,169 @@ feature -- HTTP_*
http_accept: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_accept (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_accept (Current, <<l_protection.xss>>)
end
http_accept_charset: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_accept_charset (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_accept_charset (Current, <<l_protection.xss>>)
end
http_accept_encoding: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_accept_encoding (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_accept_encoding (Current, <<l_protection.xss>>)
end
http_accept_language: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_accept_language (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_accept_language (Current, <<l_protection.xss>>)
end
http_connection: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_connection (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_connection (Current, <<l_protection.xss>>)
end
http_expect: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_expect (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_expect (Current, <<l_protection.xss>>)
end
http_host: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_host (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_host (Current, <<l_protection.xss>>)
end
http_referer: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_referer (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_referer (Current, <<l_protection.xss>>)
end
http_user_agent: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_user_agent (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_user_agent (Current, <<l_protection.xss>>)
end
http_authorization: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_authorization (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_authorization (Current, <<l_protection.xss>>)
end
http_transfer_encoding: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_transfer_encoding (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_transfer_encoding (Current, <<l_protection.xss>>)
end
http_access_control_request_headers: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_access_control_request_headers (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_access_control_request_headers (Current, <<l_protection.xss>>)
end
http_if_match: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_if_match (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_if_match (Current, <<l_protection.xss>>)
end
http_if_modified_since: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_if_modified_since (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_if_modified_since (Current, <<l_protection.xss>>)
end
http_if_none_match: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_if_none_match (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_if_none_match (Current, <<l_protection.xss>>)
end
http_if_range: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_if_range (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_if_range (Current, <<l_protection.xss>>)
end
http_if_unmodified_since: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_if_unmodified_since (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_if_unmodified_since (Current, <<l_protection.xss>>)
end
http_last_modified: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_last_modified (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_last_modified (Current, <<l_protection.xss>>)
end
http_range: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_range (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_range (Current, <<l_protection.xss>>)
end
http_content_range: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_content_range (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_content_range (Current, <<l_protection.xss>>)
end
http_content_encoding: detachable READABLE_STRING_8
-- <Precursor>
local
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
Result := custom_http_content_encoding (Current, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>)
Result := custom_http_content_encoding (Current, <<l_protection.xss>>)
end
note
copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"

16
library/server/wsf/tests/src/test_wsf_protection_policy.e
View File

@@ -37,7 +37,7 @@ feature -- Test
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
create sec
--| Case HTTP header expect attack, filtered using {xss_regular_expression}
@@ -48,7 +48,7 @@ feature -- Test
["HTTP_EXPECT", "<script>alert(XSS attack)</script>"]
>>
)
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", attached {READABLE_STRING_8} sec.custom_http_expect (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>) as v and then v.is_empty )
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", sec.custom_http_expect (req, <<l_protection.xss>>) = Void)
end
@@ -56,7 +56,7 @@ feature -- Test
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
do
create sec
--| Case HTTP header expect attack, filtered using {xss_javascript_expression}
@@ -67,14 +67,14 @@ feature -- Test
["HTTP_EXPECT", "<script>alert(XSS attack)</script>"]
>>
)
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", attached {READABLE_STRING_8} sec.custom_http_expect (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_javascript_expression>>) as v and then v.is_empty )
assert ("HTTP_EXPECT <script>alert(XSS attack)</script>", sec.custom_http_expect (req, <<l_protection.xss_javascript>>) = Void )
end
test_http_referer_attack_with_xss_js_protection_fails
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
l_str: STRING
do
l_str:= "[
@@ -89,7 +89,7 @@ feature -- Test
["HTTP_REFERER", l_str]
>>
)
assert ("HTTP_REFERER", attached {READABLE_STRING_8} sec.custom_http_referer (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_javascript_expression>>) as v and then not v.is_empty )
assert ("HTTP_REFERER", attached sec.custom_http_referer (req, <<l_protection.xss_javascript>>) as v and then not v.is_empty )
end
@@ -97,7 +97,7 @@ feature -- Test
local
req: WSF_REQUEST
sec: WSF_PROTECTION_POLICY
l_protection: WSF_PROTECTION_PATTERNS
l_protection: WSF_PROTECTIONS
l_str: STRING
do
l_str:= "[
@@ -112,7 +112,7 @@ feature -- Test
["HTTP_REFERER", l_str]
>>
)
assert ("HTTP_REFERER", attached {READABLE_STRING_8} sec.custom_http_referer (req, {ARRAY [REGULAR_EXPRESSION]}<<l_protection.xss_regular_expression>>) as v and then not v.is_empty )
assert ("HTTP_REFERER", attached {READABLE_STRING_8} sec.custom_http_referer (req, <<l_protection.xss>>) as v and then not v.is_empty )
end

35
library/server/wsf/tests/src/test_xss_patterns.e
View File

@@ -14,6 +14,7 @@ feature -- Tests
test_xss_locator
local
xss: WSF_XSS_REQUEST
r: REGULAR_EXPRESSION
s: STRING
do
@@ -22,7 +23,7 @@ feature -- Tests
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("XSS locator", r.has_matched)
end
@@ -35,7 +36,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
'';!--"<XSS>=&{()}
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("XSS locator short", r.has_matched)
end
@@ -48,7 +49,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("No filter evasion", r.has_matched)
end
@@ -65,7 +66,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
<img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id)>'">
<img src="http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor.jpg">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Filter bypass based polyglot", r.has_matched)
end
@@ -79,7 +80,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC="javascript:alert('XSS');">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Image XSS using the JavaScript directive", r.has_matched)
end
@@ -93,7 +94,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=javascript:alert('XSS')>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("No quotes and no semicolon", r.has_matched)
end
@@ -107,7 +108,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=JaVaScRiPt:alert('XSS')>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Case insensitive XSS attack vector", r.has_matched)
end
@@ -121,7 +122,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("HTML entities", r.has_matched)
end
@@ -134,7 +135,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Grave accent obfuscation", r.has_matched)
end
@@ -149,7 +150,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<a onmouseover="alert(document.cookie)">xxs link</a>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Malformed A tags", r.has_matched)
end
@@ -164,7 +165,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<a onmouseover=alert(document.cookie)>xxs link</a>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Malformed A tags", r.has_matched)
end
@@ -178,7 +179,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Malformed IMG tags", r.has_matched)
end
@@ -192,7 +193,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("fromCharCode", r.has_matched)
end
@@ -206,7 +207,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC=# onmouseover="alert('xxs')">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Default SRC tag to get past filters that check SRC domain", r.has_matched)
end
@@ -220,7 +221,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG SRC= onmouseover="alert('xxs')">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Default SRC tag by leaving it empty", r.has_matched)
end
@@ -233,7 +234,7 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
s:="[
<IMG onmouseover="alert('xxs')">
]"
r:= xss_pattern.XSS_regular_expression
r:= xss_pattern.XSS.regexp
r.match (s)
assert ("Default SRC tag by leaving it out entirely", r.has_matched)
end
@@ -246,6 +247,6 @@ alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
feature {NONE} -- Implementation
xss_pattern: WSF_PROTECTION_PATTERNS
xss_pattern: WSF_PROTECTIONS
end