008filter.t 7.64 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
# License Version 1.1 (the "License"); you may not use this file
# except in compliance with the License. You may obtain a copy of
# the License at http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS
# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
# implied. See the License for the specific language governing
# rights and limitations under the License.
#
# The Original Code are the Bugzilla tests.
#
# The Initial Developer of the Original Code is Jacob Steenhagen.
# Portions created by Jacob Steenhagen are
# Copyright (C) 2001 Jacob Steenhagen. All
# Rights Reserved.
#
# Contributor(s): Gervase Markham <gerv@gerv.net>

#################
#Bugzilla Test 8#
#####filter######

# This test scans all our templates for every directive. Having eliminated
# those which cannot possibly cause XSS problems, it then checks the rest
# against the safe list stored in the filterexceptions.pl file. 

# Sample exploit code: '>"><script>alert('Oh dear...')</script>

use strict;
33
use lib qw(. lib t);
34 35 36

use vars qw(%safe);

37
use Bugzilla::Constants;
38
use Support::Templates;
39
use File::Spec;
40 41 42 43 44 45
use Test::More tests => $Support::Templates::num_actual_files;
use Cwd;

# Undefine the record separator so we can read in whole files at once
my $oldrecsep = $/;
my $topdir = cwd;
$/ = undef;

# Walk every template include path. For each path that contains template
# files we load its filterexceptions.pl safe list into %safe and then emit
# one test result per template file: pass if every directive is either
# provably harmless or explicitly listed, fail otherwise.
foreach my $path (@Support::Templates::include_paths) {
    $path =~ s|\\|/|g if ON_WINDOWS;  # convert \ to / in path if on windows

    # Only read the captures when the match actually succeeded; after a
    # failed match $1/$2 still hold whatever an earlier match left behind.
    my ($lang, $flavor) = ('?', '?');
    if ($path =~ m|template/([^/]+)/([^/]+)|) {
        ($lang, $flavor) = ($1, $2);
    }

    chdir $topdir; # absolute path
    my @testitems = Support::Templates::find_actual_files($path);
    chdir $topdir; # absolute path

    next unless @testitems;

    # Some people require this, others don't. No-one knows why.
    chdir $path; # relative path

    # We load a %safe list of acceptable exceptions.
    if (!-r "filterexceptions.pl") {
        ok(0, "$path has templates but no filterexceptions.pl file. --ERROR");
        next;
    }
    else {
        do "filterexceptions.pl";
        if (ON_WINDOWS) {
          # filterexceptions.pl uses / separated paths, while
          # find_actual_files returns \ separated ones on Windows.
          # Here, we convert the filter exception hash to use \.
          foreach my $file (keys %safe) {
            my $orig_file = $file;
            $file =~ s|/|\\|g;
            if ($file ne $orig_file) {
              $safe{$file} = $safe{$orig_file};
              delete $safe{$orig_file};
            }
          }
        }
    }

    # We preprocess the %safe hash of lists into a hash of hashes. This allows
    # us to flag which members were not found, and report that as a warning,
    # thereby keeping the lists clean.
    foreach my $file (keys %safe) {
        my $list = $safe{$file};
        $safe{$file} = {};
        foreach my $directive (@$list) {
            $safe{$file}{$directive} = 0;
        }
    }

    foreach my $file (@testitems) {
        # There are some files we don't check, because there is no need to
        # filter their contents due to their content-type.
        if ($file =~ /\.(pm|txt|png)\.tmpl$/) {
            ok(1, "($lang/$flavor) $file is filter-safe");
            next;
        }

        # Read the entire file into a string ($/ is undef, so one read gets
        # everything). Three-argument open with a lexical handle keeps odd
        # characters in the file name from being interpreted as an open mode.
        open(my $fh, '<', $file) or die "Can't open $file: $!\n";
        my $slurp = <$fh>;
        close($fh);

        my @unfiltered;

        # /g means we execute this loop for every match
        # /s means we ignore linefeeds in the regexp matches
        while ($slurp =~ /\[%(?:-|\+|~|=)?(.*?)(?:-|\+|~|=)?%\]/gs) {
            my $directive = $1;

            # Line number of the directive = newlines before the start of the
            # match, plus one. $-[0] is the match start offset; using it
            # avoids $`, which slows down every regexp on older perls.
            my $lineno = 1 + (substr($slurp, 0, $-[0]) =~ tr/\n//);

            if (!directive_ok($file, $directive)) {
              # This intentionally makes no effort to eliminate duplicates; to do
              # so would merely make it more likely that the user would not
              # escape all instances when attempting to correct an error.
              push(@unfiltered, "$lineno:$directive");
            }
        }

        my $fullpath = File::Spec->catfile($path, $file);

        if (@unfiltered) {
            my $uflist = join("\n  ", @unfiltered);
            ok(0, "($lang/$flavor) $fullpath has unfiltered directives:\n  $uflist\n--ERROR");
        }
        else {
            # Find any members of the exclusion list which were not found.
            # directive_ok() strips a leading "./" before it indexes %safe, so
            # do the same here or the counters it updated are never seen.
            (my $safe_key = $file) =~ s#^\./##;
            my $exceptions = $safe{$safe_key} || {};
            my @notfound = grep { $exceptions->{$_} == 0 } keys %$exceptions;

            if (@notfound) {
                my $nflist = join("\n  ", @notfound);
                ok(0, "($lang/$flavor) $fullpath - filterexceptions.pl has extra members:\n  $nflist\n" .
                                                                  "--WARNING");
            }
            else {
                # Don't use the full path here - it's too long and unwieldy.
                ok(1, "($lang/$flavor) $file is filter-safe");
            }
        }
    }
}

154 155 156 157
# Decide whether one template directive may be left without an explicit
# FILTER.
#
# Params:
#   $file      - template file name, used as the key into the global %safe
#                hash; a leading "./" is ignored.
#   $directive - the text found between the [% and %] tags.
#
# Returns 1 if the directive is on the file's safe list or matches one of the
# harmless patterns below, 0 otherwise.
#
# Side effect: when the directive is on the safe list, its counter in
# $safe{$file}{$directive} is incremented so the caller can tell which
# exceptions were actually used.
sub directive_ok {
    my ($file, $directive) = @_;

    # Comments
    return 1 if $directive =~ /^#/;

    # Remove any leading/trailing whitespace.
    $directive =~ s/^\s+//;
    $directive =~ s/\s+$//;

    # Empty directives are ok; they are usually line break helpers
    return 1 if $directive eq '';

    # Make sure we're not looking for ./ in the $safe hash
    $file =~ s#^\./##;

    # Exclude those on the nofilter list. The exists() guard stops the lookup
    # from autovivifying an empty entry for every file we are asked about.
    if (exists $safe{$file} && defined($safe{$file}{$directive})) {
        $safe{$file}{$directive}++;
        return 1;
    }

    # Directives. The trailing \b matters: without it any variable whose name
    # merely starts with a keyword (SETTINGS.foo, USERNAME, ...) would be
    # waved through unfiltered.
    return 1 if $directive =~ /^(?:IF|END|UNLESS|FOREACH|PROCESS|INCLUDE|
                                   BLOCK|USE|ELSE|NEXT|LAST|DEFAULT|FLUSH|
                                   ELSIF|SET|SWITCH|CASE|WHILE|RETURN|STOP|
                                   TRY|CATCH|FINAL|THROW|CLEAR|MACRO|FILTER)\b/x;

    # ? :  (safe only if both possible results are themselves safe)
    if ($directive =~ /.+\?(.+):(.+)/) {
        return 1 if directive_ok($file, $1) && directive_ok($file, $2);
    }

    # + - * /
    return 1 if $directive =~ /[+\-*\/]/;

    # Numbers
    return 1 if $directive =~ /^[0-9]+$/;

    # Simple assignments
    return 1 if $directive =~ /^[\w\.\$\{\}]+\s+=\s+/;

    # Conditional literals with either sort of quotes
    # There must be no $ in the string for it to be a literal
    return 1 if $directive =~ /^(["'])[^\$]*[^\\]\1/;
    return 1 if $directive =~ /^(["'])\1/;

    # Special values always used for numbers
    return 1 if $directive =~ /^[ijkn]$/;
    return 1 if $directive =~ /^count$/;

    # Params
    return 1 if $directive =~ /^Param\(/;

    # Hooks (the dot is escaped so that only a real method call matches)
    return 1 if $directive =~ /^Hook\.process\(/;

    # Other functions guaranteed to return OK output
    return 1 if $directive =~ /^(?:time2str|url)\(/;

    # Safe Template Toolkit virtual methods
    return 1 if $directive =~ /\.(?:length$|size$|push\(|unshift\(|delete\()/;

    # Special Template Toolkit loop variable
    return 1 if $directive =~ /^loop\.(?:index|count)$/;

    # Branding terms
    return 1 if $directive =~ /^terms\./;

    # Things which are already filtered
    # Note: If a single directive prints two things, and only one is
    # filtered, we may not catch that case.
    return 1 if $directive =~ /FILTER\ (?:html|csv|js|base64|css_class_quote|ics|
                                          quoteUrls|time|uri|xml|lower|html_light|
                                          obsolete|inactive|closed|unitconvert|
                                          txt|html_linebreak|none)\b/x;

    return 0;
}

234 235 236
# Put the input record separator back to the value saved at startup, then
# finish with a success status.
$/ = $oldrecsep;

exit(0);