First pass at an XSS security test, along with the "p" helper which

can clean HTML output.

2 files changed, 171 insertions, 0 deletions

diff --git a/modules/gallery/helpers/p.php b/modules/gallery/helpers/p.php
new file mode 100644
index 00000000..69032840
--- /dev/null
+++ b/modules/gallery/helpers/p.php
@@ -0,0 +1,33 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class p_Core {
+  static function attr($dirty_html) {
+    // return $dirty_html;
+    return htmlentities($dirty_html, ENT_QUOTES);
+    // return str_replace('"', '&quot;', $dirty_html);
+    // return str_replace('"', '&quot;', Purify::instance()->purify($dirty_html));
+  }
+
+  function clean($dirty_html) {
+    // return $dirty_html;
+    return htmlentities($dirty_html, ENT_QUOTES);
+    // return Purify::instance()->purify($dirty_html);
+  }
+}
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
new file mode 100644
index 00000000..22c4a767
--- /dev/null
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -0,0 +1,138 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Xss_Security_Test extends Unit_Test_Case {
+
+  static function scan_php_file($file, &$cache) {
+    $code = file_get_contents($file);
+    $raw_tokens = token_get_all($code);
+    unset($code);
+
+    $tokens = array();
+    $func_token_list = array("t" => array(), "t2" => array());
+    $token_number = 0;
+    // Filter out HTML / whitespace, and build a lookup for global function calls.
+    foreach ($raw_tokens as $token) {
+      if ((!is_array($token)) || (($token[0] != T_WHITESPACE) && ($token[0] != T_INLINE_HTML))) {
+        if (is_array($token)) {
+          if ($token[0] == T_STRING && in_array($token[1], array("t", "t2"))) {
+            $func_token_list[$token[1]][] = $token_number;
+          }
+        }
+        $tokens[] = $token;
+        $token_number++;
+      }
+    }
+    unset($raw_tokens);
+
+    if (!empty($func_token_list["t"])) {
+      l10n_scanner::_parse_t_calls($tokens, $func_token_list["t"], $cache);
+    }
+    if (!empty($func_token_list["t2"])) {
+      l10n_scanner::_parse_plural_calls($tokens, $func_token_list["t2"], $cache);
+    }
+  }
+
+  public function find_unescaped_variables_in_views_test() {
+    // foreach (glob("*/*/views/*.php") as $view) {
+    foreach (array("modules/search/views/search.html.php") as $view) {
+      $expr = null;
+      $line = null;
+      $level = 0;
+      $php = 0;
+      $str = null;
+      $in_p_clean = 0;
+      foreach (token_get_all(file_get_contents($view)) as $token) {
+        if (false /* useful for debugging */) {
+          if (is_array($token)) {
+            printf("[$str] [$in_p_clean] %-15s %s\n", token_name($token[0]), $token[1]);
+          } else {
+            printf("[$str] [$in_p_clean] %-15s %s\n", "<char>", $token);
+          }
+        }
+
+        // If we find a "(" after a "p::clean" then start counting levels of parens and assume
+        // that we're inside a p::clean() call until we find the matching close paren.
+        if ($token[0] == "(" && $str == "p::clean") {
+          $in_p_clean = 1;
+        } else if ($token[0] == "(" && $in_p_clean) {
+          $in_p_clean++;
+        } else if ($token[0] == ")" && $in_p_clean) {
+          $in_p_clean--;
+        }
+
+        // Concatenate runs of strings for convenience, which we use above to figure out if we're
+        // inside a p::clean() call or not
+        if ($token[0] == T_STRING || $token[0] == T_DOUBLE_COLON) {
+          $str .= $token[1];
+        } else {
+          $str = null;
+        }
+
+        // Scan for any occurrences of < ? = $variable ? > and store it in $expr
+        if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
+          $php++;
+        } else if ($php && $token[0] == T_CLOSE_TAG) {
+          $php--;
+        } else if ($php && $token[0] == T_VARIABLE) {
+          if (!$expr) {
+            $entry = array($token[2], $in_p_clean);
+          }
+          $expr .= $token[1];
+        } else if ($expr) {
+          if ($token[0] == T_OBJECT_OPERATOR) {
+            $expr .= $token[1];
+          } else if ($token[0] == T_STRING) {
+            $expr .= $token[1];
+          } else if ($token == "(") {
+            $expr .= $token;
+            $level++;
+          } else if ($level > 0 && $token == ")") {
+            $expr .= $token;
+            $level--;
+          } else if ($level > 0) {
+            $expr .= is_array($token) ? $token[1] : $token;
+          } else {
+            $entry[] = $expr;
+            $found[$view][] = $entry;
+            $expr = null;
+            $entry = null;
+          }
+        }
+      }
+    }
+
+    $canonical = MODPATH . "gallery/tests/xss_data.txt";
+    $new = TMPPATH . "xss_data.txt";
+    $fd = fopen($new, "wb");
+    ksort($found);
+    foreach ($found as $view => $entries) {
+      foreach ($entries as $entry) {
+        fwrite($fd,
+               sprintf("%-60s %-3s %-9s %s\n",
+                       $view, $entry[0], $entry[1] ? "CLEAN" : "NOT_CLEAN", $entry[2]));
+      }
+    }
+    fclose($fd);
+
+    exec("diff $canonical $new", $output, $return_value);
+    $this->assert_false(
+      $return_value, "XSS golden file mismatch.  Output:\n" . implode("\n", $output) );
+  }
+}