
Merge branch 'master' into add-renovate
fzipi authored Jun 5, 2024
2 parents 05042f7 + c7505f1 commit 2926695
Showing 8 changed files with 191 additions and 83 deletions.
28 changes: 18 additions & 10 deletions sqli_test.go
Expand Up @@ -147,18 +147,26 @@ func TestSQLiDriver(t *testing.T) {
data := readTestData(p)
switch {
case strings.Contains(fi.Name(), "-sqli-"):
runSQLiTest(t, data, p, fingerprints, 0)
t.Run(fi.Name(), func(t *testing.T) {
runSQLiTest(t, data, p, fingerprints, 0)
})
case strings.Contains(fi.Name(), "-folding-"):
runSQLiTest(t, data, p, folding, sqliFlagQuoteNone|sqliFlagSQLAnsi)
t.Run(fi.Name(), func(t *testing.T) {
runSQLiTest(t, data, p, folding, sqliFlagQuoteNone|sqliFlagSQLAnsi)
})
case strings.Contains(fi.Name(), "-tokens_mysql-"):
runSQLiTest(t, data, p, tokens, sqliFlagQuoteNone|sqliFlagSQLMysql)
t.Run(fi.Name(), func(t *testing.T) {
runSQLiTest(t, data, p, tokens, sqliFlagQuoteNone|sqliFlagSQLMysql)
})
case strings.Contains(fi.Name(), "-tokens-"):
runSQLiTest(t, data, p, tokens, sqliFlagQuoteNone|sqliFlagSQLAnsi)
t.Run(fi.Name(), func(t *testing.T) {
runSQLiTest(t, data, p, tokens, sqliFlagQuoteNone|sqliFlagSQLAnsi)
})
}
}
}

type testCase struct {
type testCaseSQLI struct {
name string
data map[string]string
}
Expand All @@ -171,16 +179,16 @@ func BenchmarkSQLiDriver(b *testing.B) {
}

cases := struct {
sqli []testCase
folding []testCase
tokensMySQL []testCase
tokens []testCase
sqli []testCaseSQLI
folding []testCaseSQLI
tokensMySQL []testCaseSQLI
tokens []testCaseSQLI
}{}

for _, fi := range dir {
p := filepath.Join(baseDir, fi.Name())
data := readTestData(p)
tc := testCase{
tc := testCaseSQLI{
name: fi.Name(),
data: data,
}
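Review bot: The four cases in the first hunk each repeat the same `t.Run(fi.Name(), func(t *testing.T) { ... })` wrapper around `runSQLiTest`, differing only in the expected data set and the flag mask, so the subtest plumbing is written four times. Selecting those two values in the switch (with a `default` that skips the file, as unmatched names are skipped today) and issuing a single `t.Run(fi.Name(), func(t *testing.T) { runSQLiTest(t, data, p, expected, flags) })` after it would keep the wrapping in one place. `TestSQLiDriver` and its loop over the fixture directory begin above the hunk. The `testCase` to `testCaseSQLI` rename in the second hunk is applied consistently at every visible use.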
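--- /dev/null
+++ b/tests/test-html5-068.txt
@@ -0,0 +1,12 @@
+--TEST--
+tags
+--INPUT--
+quitesomerandomcharacters<TABLE BACKGROUND="javascript:javascript:alert(99111)">
+--EXPECTED--
+DATA_TEXT,25,quitesomerandomcharacters
+TAG_NAME_OPEN,5,TABLE
+ATTR_NAME,10,BACKGROUND
+ATTR_VALUE,34,javascript:javascript:alert(99111)
+TAG_NAME_CLOSE,1,>
+
+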
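--- /dev/null
+++ b/tests/test-html5-069.txt
@@ -0,0 +1,9 @@
+--TEST--
+cdata, degenerate. Longer text
+--INPUT--
+<![CDATA foofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoo
+--EXPECTED--
+TAG_COMMENT,253,[CDATA foofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoofoo
+
+
+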
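--- /dev/null
+++ b/tests/test-html5-070.txt
@@ -0,0 +1,10 @@
+--TEST--
+Extended bogus closing tags
+--INPUT--
+</ looooooonger foo="><script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script>
+--EXPECTED--
+TAG_COMMENT,19, looooooonger foo="
+TAG_NAME_OPEN,6,script
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,84,ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x
+TAG_CLOSE,6,script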
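--- /dev/null
+++ b/tests/test-html5-071.txt
@@ -0,0 +1,42 @@
+--TEST--
+Extended Body Test
+--INPUT--
+<BODY BACKGROUND="javascript:alert('XSS')"><h1>Welcome to my awesome Website!</h1><p>This is a paragraph of text on my website. It contains more characters to make the test longer.</p><div id="content"><p>Here's another paragraph of text. This one is inside a div with an id of "content".</p><ul><li>List item 1</li><li>List item 2</li><li>List item 3</li></ul></div></BODY>
+--EXPECTED--
+TAG_NAME_OPEN,4,BODY
+ATTR_NAME,10,BACKGROUND
+ATTR_VALUE,23,javascript:alert('XSS')
+TAG_NAME_CLOSE,1,>
+TAG_NAME_OPEN,2,h1
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,30,Welcome to my awesome Website!
+TAG_CLOSE,2,h1
+TAG_NAME_OPEN,1,p
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,95,This is a paragraph of text on my website. It contains more characters to make the test longer.
+TAG_CLOSE,1,p
+TAG_NAME_OPEN,3,div
+ATTR_NAME,2,id
+ATTR_VALUE,7,content
+TAG_NAME_CLOSE,1,>
+TAG_NAME_OPEN,1,p
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,83,Here's another paragraph of text. This one is inside a div with an id of "content".
+TAG_CLOSE,1,p
+TAG_NAME_OPEN,2,ul
+TAG_NAME_CLOSE,1,>
+TAG_NAME_OPEN,2,li
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,11,List item 1
+TAG_CLOSE,2,li
+TAG_NAME_OPEN,2,li
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,11,List item 2
+TAG_CLOSE,2,li
+TAG_NAME_OPEN,2,li
+TAG_NAME_CLOSE,1,>
+DATA_TEXT,11,List item 3
+TAG_CLOSE,2,li
+TAG_CLOSE,2,ul
+TAG_CLOSE,3,div
+TAG_CLOSE,4,BODY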
10 changes: 4 additions & 6 deletions xss.go
Expand Up @@ -69,13 +69,11 @@ func isXSS(input string, flags int) bool {
}

if h5.tokenLen > 5 {
// IE <?import pseudo-tag
if strings.ToUpper(strings.ReplaceAll(h5.tokenStart[:6], "\x00", "")) == "IMPORT" {
return true
}
upperTokenStart := strings.ToUpper(strings.ReplaceAll(h5.tokenStart[:6], "\x00", ""))

// XML Entity definition
if strings.ToUpper(strings.ReplaceAll(h5.tokenStart[:6], "\x00", "")) == "ENTITY" {
// IE <?import pseudo-tag or XML Entity definition
if upperTokenStart == "IMPORT" ||
upperTokenStart == "ENTITY" {
return true
}
}
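Review bot: `upperTokenStart` strips NULs from only the six-byte prefix `h5.tokenStart[:6]`, so a token carrying a NUL inside those bytes yields a string shorter than six characters that can never equal `IMPORT` or `ENTITY`; the `ReplaceAll` therefore never contributes a match and the NUL-tolerance the comment implies is not actually provided (this predates the hunk, but the consolidation is the natural place to fix it). If `h5.tokenLen` is the token's byte length, stripping NULs from the whole token first, e.g. `upperTokenStart := strings.ToUpper(strings.ReplaceAll(h5.tokenStart[:h5.tokenLen], "\x00", ""))`, and then comparing would make the check behave as documented; whether that comparison should stay equality or become a prefix test depends on how `tokenStart` is sliced, which is not visible here. The `tokenLen > 5` guard also does not on its own show that `tokenStart` has six bytes available, so that should be confirmed before keeping `[:6]`. `isXSS` begins and ends outside the hunk.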
100 changes: 44 additions & 56 deletions xss_helpers.go
Expand Up @@ -13,23 +13,20 @@ func isBlackTag(s string) bool {
return false
}

upperS := strings.ToUpper(strings.ReplaceAll(s, "\x00", ""))
for i := 0; i < len(blackTags); i++ {
if strings.ToUpper(strings.ReplaceAll(s, "\x00", "")) == blackTags[i] {
if upperS == blackTags[i] {
return true
}
}

// anything SVG related
if strings.ToUpper(s) == "SVG" {
return true
}

// anything XSL(t) related
if strings.ToUpper(s) == "XSL" {
switch upperS {
// anything SVG or XSL(t) related
case "SVT", "XSL":
return true
default:
return false
}

return false
}

func isBlackAttr(s string) int {
Expand All @@ -38,107 +35,99 @@ func isBlackAttr(s string) int {
return attributeTypeNone
}

upperS := strings.ToUpper(strings.ReplaceAll(s, "\x00", ""))
if length >= 5 {
// javascript on.*
if strings.ToUpper(s[:2]) == "ON" {
// got javascript on- attribute name
return attributeTypeBlack
}

if strings.ToUpper(strings.ReplaceAll(s, "\x00", "")) == "XMLNS" ||
strings.ToUpper(strings.ReplaceAll(s, "\x00", "")) == "XLINK" {
if upperS == "XMLNS" || upperS == "XLINK" {
// got xmlns or xlink tags
return attributeTypeBlack
}
}

for _, black := range blacks {
if strings.ToUpper(strings.ReplaceAll(s, "\x00", "")) == black.name {
if upperS == black.name {
// got banner attribute name
return black.attributeType
}
}
return attributeTypeNone
}

func htmlDecodeByteAt(s string, consumed *int) int {
func htmlDecodeByteAt(s string) (int, int) {
length := len(s)
val := 0

if length == 0 {
*consumed = 0
return byteEOF
return byteEOF, 0
}

*consumed = 1
if s[0] != '&' || length < 2 {
return int(s[0])
return int(s[0]), 1
}

if s[1] != '#' || len(s) < 3 {
// normally this would be for named entities
// but for this case we don't actually care
return '&'
return '&', 1
}

if s[2] == 'x' || s[2] == 'X' {
if len(s) < 4 {
return '&'
return '&', 1
}
ch := int(s[3])
ch = gsHexDecodeMap[ch]
if ch == 256 {
// degenerate case '&#[?]'
return '&'
return '&', 1
}
val = ch
i := 4

for i < length {
ch = int(s[i])
if ch == ';' {
*consumed = i + 1
return val
return val, i + 1
}
ch = gsHexDecodeMap[ch]
if ch == 256 {
*consumed = i
return val
return val, i
}
val = val*16 + ch
if val > 0x1000FF {
return '&'
return '&', 1
}
i++
}
*consumed = i
} else {
i := 2
ch := int(s[i])
return val, i
}
i := 2
ch := int(s[i])
if ch < '0' || ch > '9' {
return '&', 1
}
val = ch - '0'
i++
for i < length {
ch = int(s[i])
if ch == ';' {
return val, i + 1
}
if ch < '0' || ch > '9' {
return '&'
return val, i
}
val = ch - '0'
i++
for i < length {
ch = int(s[i])
if ch == ';' {
*consumed = i + 1
return val
}
if ch < '0' || ch > '9' {
*consumed = i
return val
}
val = val*10 + (ch - '0')
if val > 0x1000FF {
return '&'
}
i++
val = val*10 + (ch - '0')
if val > 0x1000FF {
return '&', 1
}
*consumed = i
i++
}
return val
return val, i
}

// Does an HTML encoded binary string (const char*, length) start with
Expand All @@ -147,15 +136,14 @@ func htmlDecodeByteAt(s string, consumed *int) int {
// also ignore any embedded nulls in the HTML string!
func htmlEncodeStartsWith(a, b string) bool {
var (
consumed = 0
first = true
bs []byte
pos = 0
length = len(b)
first = true
bs []byte
pos = 0
length = len(b)
)

for length > 0 {
cb := htmlDecodeByteAt(b[pos:], &consumed)
cb, consumed := htmlDecodeByteAt(b[pos:])
pos += consumed
length -= consumed

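Review bot: The new `switch upperS` in `isBlackTag` lists `case "SVT", "XSL":`, but the removed code and the comment directly above it match `SVG`; as written the tag check no longer flags `svg` at all, a detection regression introduced by the first hunk, and the fix is `case "SVG", "XSL":`. The same rewrite also moved these two comparisons onto the NUL-stripped `upperS` where the old code compared `strings.ToUpper(s)` directly, which looks intentional and consistent with the `blackTags` loop but widens what the check accepts and deserves a fixture. In the second hunk `htmlDecodeByteAt` now returns two unnamed ints with no doc comment; naming them `(val, consumed int)` or adding `// htmlDecodeByteAt returns the value of the leading character of s, expanding a numeric &#...; entity (decimal or hex) when present, or byteEOF for empty input, together with the number of bytes of s consumed.` would document the second result that `htmlEncodeStartsWith` now relies on in the last hunk, whose function continues past the hunk end.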