1037256ea6
This protection could be implemented with a regular expression,
or using another solution (as manual parsing).
Also, when a protection detects an issue, instead of returning empty string,
it returns Void. If the value is a multiple string value, if an item is detected for an issue,
the returned multiple string value is now Void.
This abstraction will allow to return either Void, or a "corrected" value,
for instance the string value, without the detected "<script..>..</script>" text.
TODO: improve the WSF_PROTECTION_REGEXP to allow replacement strategy.
101 lines
3.1 KiB
Plaintext
101 lines
3.1 KiB
Plaintext
note
|
|
description: "[
|
|
{WSF_PROTECTIONS}
|
|
Provide application security parterns to assist in Cross Site Scripting
|
|
]"
|
|
date: "$Date$"
|
|
revision: "$Revision$"
|
|
EIS: "name=OWASP XSS", "src=https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet", "protocol=uri"
|
|
EIS: "name=Regular expression protection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
|
|
|
|
expanded class
|
|
WSF_PROTECTIONS
|
|
|
|
feature -- XSS patterns
|
|
|
|
XSS: WSF_PROTECTION_REGEXP
|
|
note
|
|
EIS: "name= XSS", "src=https://community.apigee.com/questions/27198/xss-threat-protection-patterns.html#answer-27465", "protocol=uri"
|
|
once
|
|
create Result.make_caseless ("((\%%3C)|<)[^\n]+((\%%3E)|>)")
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
XSS_javascript: WSF_PROTECTION_REGEXP
|
|
note
|
|
EIS: "name=JavaScript Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
|
|
once
|
|
Result := compiled_regexp ("<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>", True)
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
feature -- XPath injections Patterns
|
|
|
|
XPath_abbreviated: WSF_PROTECTION_REGEXP
|
|
note
|
|
EIS: "name=XPath Abbreviated Syntax Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
|
|
once
|
|
Result := compiled_regexp ("(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+", True)
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
XPath_expanded: WSF_PROTECTION_REGEXP
|
|
note
|
|
EIS: "name=XPath Expanded Syntax Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
|
|
once
|
|
Result := compiled_regexp ("/?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))", True)
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
feature -- Server side injection
|
|
|
|
Server_side: WSF_PROTECTION_REGEXP
|
|
note
|
|
EIS: "name=Server-Side Include Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
|
|
once
|
|
|
|
Result := compiled_regexp ("<!--#(include|exec|echo|config|printenv)\s+.*", True)
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
feature -- SQL injection Patterns
|
|
|
|
SQL_injection: WSF_PROTECTION_REGEXP
|
|
note
|
|
EIS: "name= SQL Injection", "src=https://docs.apigee.com/api-services/reference/regular-expression-protection", "protocol=uri"
|
|
once
|
|
Result := compiled_regexp ("[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))", True)
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
feature {NONE} -- Implementation
|
|
|
|
compiled_regexp (p: STRING; caseless: BOOLEAN): REGULAR_EXPRESSION
|
|
require
|
|
p /= Void
|
|
do
|
|
create Result
|
|
Result.set_caseless (caseless)
|
|
Result.compile (p)
|
|
ensure
|
|
is_compiled: Result.is_compiled
|
|
end
|
|
|
|
note
|
|
copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Olivier Ligot, Colin Adams, Eiffel Software and others"
|
|
license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
|
|
source: "[
|
|
Eiffel Software
|
|
5949 Hollister Ave., Goleta, CA 93117 USA
|
|
Telephone 805-685-1006, Fax 805-685-6869
|
|
Website http://www.eiffel.com
|
|
Customer support http://support.eiffel.com
|
|
]"
|
|
end
|