Module: LibInjection
- Defined in:
- lib/libinjection.rb,
lib/libinjection.rb,
lib/libinjection/version.rb,
ext/libinjection/libinjection_ext.c
Defined Under Namespace
Classes: Error, ParserError, Result
Constant Summary collapse
- VERSION =
"0.1.1"- LIBINJECTION_VERSION =
"4.0.0"- SQLI_CONTEXTS =
li_named_int_hash(SQLI_CONTEXTS, LI_ARRAY_LEN(SQLI_CONTEXTS))
- SQLI_QUOTES =
li_named_int_hash(SQLI_QUOTES, LI_ARRAY_LEN(SQLI_QUOTES))
- SQLI_DIALECTS =
li_named_int_hash(SQLI_DIALECTS, LI_ARRAY_LEN(SQLI_DIALECTS))
- SQLI_TOKEN_TYPES =
li_named_char_hash(SQLI_TOKEN_TYPES, LI_ARRAY_LEN(SQLI_TOKEN_TYPES))
- HTML5_CONTEXTS =
li_named_int_hash(HTML5_CONTEXTS, LI_ARRAY_LEN(HTML5_CONTEXTS))
- XSS_CONTEXTS =
li_named_int_hash(HTML5_CONTEXTS, LI_ARRAY_LEN(HTML5_CONTEXTS))
- HTML5_TOKEN_TYPES =
li_named_int_hash(HTML5_TOKEN_TYPES, LI_ARRAY_LEN(HTML5_TOKEN_TYPES))
Class Method Summary collapse
- .detect(input) ⇒ Object
- .detect_raw(input) ⇒ Object
- .detect_url_encoded_raw(input, depth_value, plus_as_space_value, threat_mask_value) ⇒ Object
- .html5_tokens(*args) ⇒ Object
- .lib_version ⇒ Object
- .sqli?(input) ⇒ Boolean
- .sqli_contexts(input) ⇒ Object
- .sqli_fingerprint(input) ⇒ Object
- .sqli_fingerprint_for(*args) ⇒ Object
- .sqli_flags(*args) ⇒ Object
- .sqli_result(*args) ⇒ Object
- .sqli_tokens(*args) ⇒ Object
- .xss?(input) ⇒ Boolean
- .xss_contexts(input) ⇒ Object
- .xss_flags(*args) ⇒ Object
- .xss_result(*args) ⇒ Object
Class Method Details
.detect(input) ⇒ Object
25 26 27 28 29 30 |
# File 'lib/libinjection.rb', line 25 def detect(input) raw = detect_raw(input) return Result.new(type: nil, detected: false, fingerprint: nil) if raw.nil? Result.new(type: raw[0], detected: true, fingerprint: raw[1]) end |
.detect_raw(input) ⇒ Object
705 706 707 708 709 710 711 712 713 714 715 716 717 718 |
# File 'ext/libinjection/libinjection_ext.c', line 705
static VALUE rb_li_detect_raw(VALUE self, VALUE input) {
li_raw_scan_args_t args;
(void)self;
memset(&args, 0, sizeof(args));
args.input = input;
li_scan_out_reset(&args.out);
rb_ensure(li_raw_scan_body, (VALUE)&args, li_raw_scan_ensure, (VALUE)&args);
raise_on_error(args.out.sqli_result);
raise_on_error(args.out.xss_result);
return li_scan_out_to_value(&args.out);
}
|
.detect_url_encoded_raw(input, depth_value, plus_as_space_value, threat_mask_value) ⇒ Object
819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 |
# File 'ext/libinjection/libinjection_ext.c', line 819
static VALUE rb_li_detect_url_encoded_raw(VALUE self, VALUE input, VALUE depth_value,
VALUE plus_as_space_value, VALUE threat_mask_value) {
li_url_scan_args_t args;
(void)self;
memset(&args, 0, sizeof(args));
args.input = input;
args.depth = NUM2INT(depth_value);
args.plus_as_space = RTEST(plus_as_space_value);
args.threat_mask = NUM2INT(threat_mask_value);
args.sqli_error = LIBINJECTION_RESULT_FALSE;
args.xss_error = LIBINJECTION_RESULT_FALSE;
li_scan_out_reset(&args.out);
if (args.depth < 0) {
rb_raise(eArgumentError, "depth must be >= 0");
}
if (args.depth > LI_MAX_URL_DECODE_DEPTH) {
rb_raise(eArgumentError, "depth must be <= %d", LI_MAX_URL_DECODE_DEPTH);
}
if ((args.threat_mask & ~LI_THREAT_BOTH) != 0 || args.threat_mask == 0) {
rb_raise(eArgumentError, "threat mask must include SQLi and/or XSS");
}
rb_ensure(li_detect_url_encoded_raw_body, (VALUE)&args, li_detect_url_encoded_raw_ensure,
(VALUE)&args);
raise_on_error(args.sqli_error);
raise_on_error(args.xss_error);
return li_scan_out_to_value(&args.out);
}
|
.html5_tokens(*args) ⇒ Object
1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 |
# File 'ext/libinjection/libinjection_ext.c', line 1049
static VALUE rb_li_html5_tokens(int argc, VALUE *argv, VALUE self) {
VALUE input;
VALUE opts;
VALUE str;
VALUE out;
int flags;
h5_state_t state;
injection_result_t result;
(void)self;
rb_scan_args(argc, argv, "11", &input, &opts);
str = li_str(input);
flags = li_html5_flags_from_opts(opts, DATA_STATE);
libinjection_h5_init(&state, RSTRING_PTR(str), (size_t)RSTRING_LEN(str), flags);
out = rb_ary_new();
while ((result = libinjection_h5_next(&state)) == LIBINJECTION_RESULT_TRUE) {
rb_ary_push(out, li_html5_token_hash(&state));
}
raise_on_error(result);
return out;
}
|
.lib_version ⇒ Object
1089 1090 1091 1092 |
# File 'ext/libinjection/libinjection_ext.c', line 1089
static VALUE rb_li_lib_version(VALUE self) {
(void)self;
return rb_str_new_cstr(libinjection_version());
}
|
.sqli?(input) ⇒ Boolean
645 646 647 648 649 650 651 652 653 654 655 656 657 |
# File 'ext/libinjection/libinjection_ext.c', line 645
static VALUE rb_li_sqli_p(VALUE self, VALUE input) {
li_work_scan_args_t args;
(void)self;
memset(&args, 0, sizeof(args));
args.input = input;
args.work.want_sqli = 1;
rb_ensure(li_work_scan_body, (VALUE)&args, li_work_scan_ensure, (VALUE)&args);
raise_on_error(args.work.sqli_result);
return args.work.sqli_detected ? Qtrue : Qfalse;
}
|
.sqli_contexts(input) ⇒ Object
898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 |
# File 'ext/libinjection/libinjection_ext.c', line 898
static VALUE rb_li_sqli_contexts(VALUE self, VALUE input) {
VALUE str;
VALUE out;
size_t i;
(void)self;
str = li_str(input);
out = rb_ary_new_capa((long)LI_ARRAY_LEN(SQLI_CONTEXTS));
for (i = 0; i < LI_ARRAY_LEN(SQLI_CONTEXTS); i++) {
struct libinjection_sqli_state state;
injection_result_t result = li_run_sqli_context(str, SQLI_CONTEXTS[i].value, &state);
raise_on_error(result);
rb_ary_push(out, li_sqli_result_hash(&state, result, SQLI_CONTEXTS[i].value,
li_id_sym(SQLI_CONTEXTS[i].name)));
}
return out;
}
|
.sqli_fingerprint(input) ⇒ Object
659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 |
# File 'ext/libinjection/libinjection_ext.c', line 659
static VALUE rb_li_sqli_fingerprint(VALUE self, VALUE input) {
li_work_scan_args_t args;
char fingerprint[LI_SQLI_FINGERPRINT_SIZE];
(void)self;
memset(&args, 0, sizeof(args));
args.input = input;
args.work.want_sqli = 1;
memset(fingerprint, 0, sizeof(fingerprint));
rb_ensure(li_work_scan_body, (VALUE)&args, li_work_scan_ensure, (VALUE)&args);
memcpy(fingerprint, args.work.sqli_fingerprint, sizeof(fingerprint));
raise_on_error(args.work.sqli_result);
return args.work.sqli_detected ? li_sqli_fingerprint_value(fingerprint) : Qnil;
}
|
.sqli_fingerprint_for(*args) ⇒ Object
880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 |
# File 'ext/libinjection/libinjection_ext.c', line 880
static VALUE rb_li_sqli_fingerprint_for(int argc, VALUE *argv, VALUE self) {
VALUE input;
VALUE opts;
VALUE str;
int flags;
struct libinjection_sqli_state state;
injection_result_t result;
(void)self;
rb_scan_args(argc, argv, "11", &input, &opts);
str = li_str(input);
flags = li_sqli_flags_from_opts(opts, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
result = li_run_sqli_context(str, flags, &state);
raise_on_error(result);
return li_sqli_fingerprint_value(state.fingerprint);
}
|
.sqli_flags(*args) ⇒ Object
958 959 960 961 962 963 |
# File 'ext/libinjection/libinjection_ext.c', line 958
static VALUE rb_li_sqli_flags(int argc, VALUE *argv, VALUE self) {
VALUE opts;
(void)self;
rb_scan_args(argc, argv, "01", &opts);
return INT2NUM(li_sqli_flags_from_opts(opts, FLAG_QUOTE_NONE | FLAG_SQL_ANSI));
}
|
.sqli_result(*args) ⇒ Object
851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 |
# File 'ext/libinjection/libinjection_ext.c', line 851
static VALUE rb_li_sqli_result(int argc, VALUE *argv, VALUE self) {
VALUE input;
VALUE opts;
VALUE str;
VALUE context_name = Qnil;
int flags;
struct libinjection_sqli_state state;
injection_result_t result;
(void)self;
rb_scan_args(argc, argv, "11", &input, &opts);
str = li_str(input);
if (NIL_P(opts)) {
libinjection_sqli_init(&state, RSTRING_PTR(str), (size_t)RSTRING_LEN(str), 0);
result =
libinjection_is_sqli(&state) ? LIBINJECTION_RESULT_TRUE : LIBINJECTION_RESULT_FALSE;
raise_on_error(result);
return li_sqli_result_hash(&state, result, 0, Qnil);
}
flags = li_sqli_flags_from_opts(opts, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
context_name = li_symbol_for_int(SQLI_CONTEXTS, LI_ARRAY_LEN(SQLI_CONTEXTS), flags);
result = li_run_sqli_context(str, flags, &state);
raise_on_error(result);
return li_sqli_result_hash(&state, result, flags, context_name);
}
|
.sqli_tokens(*args) ⇒ Object
918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 |
# File 'ext/libinjection/libinjection_ext.c', line 918
static VALUE rb_li_sqli_tokens(int argc, VALUE *argv, VALUE self) {
VALUE input;
VALUE opts;
VALUE str;
VALUE out;
VALUE fold_value;
int flags;
int folded;
struct libinjection_sqli_state state;
(void)self;
rb_scan_args(argc, argv, "11", &input, &opts);
str = li_str(input);
opts = li_hash_opts(opts);
flags = li_sqli_flags_from_opts(opts, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
fold_value = li_hash_aref(opts, "fold");
folded = fold_value == Qtrue;
libinjection_sqli_init(&state, RSTRING_PTR(str), (size_t)RSTRING_LEN(str), flags);
out = rb_ary_new();
if (folded) {
int tlen;
int i;
libinjection_sqli_fingerprint(&state, flags);
tlen = (int)li_bounded_strlen(state.fingerprint, LI_SQLI_FINGERPRINT_SIZE);
for (i = 0; i < tlen; i++) {
rb_ary_push(out, li_sqli_token_hash(&state.tokenvec[i]));
}
return out;
}
state.current = &(state.tokenvec[0]);
while (libinjection_sqli_tokenize(&state)) {
rb_ary_push(out, li_sqli_token_hash(state.current));
}
return out;
}
|
.xss?(input) ⇒ Boolean
965 966 967 968 969 970 971 972 973 974 975 976 977 |
# File 'ext/libinjection/libinjection_ext.c', line 965
static VALUE rb_li_xss_p(VALUE self, VALUE input) {
li_work_scan_args_t args;
(void)self;
memset(&args, 0, sizeof(args));
args.input = input;
args.work.want_xss = 1;
rb_ensure(li_work_scan_body, (VALUE)&args, li_work_scan_ensure, (VALUE)&args);
raise_on_error(args.work.xss_result);
return args.work.xss_detected ? Qtrue : Qfalse;
}
|
.xss_contexts(input) ⇒ Object
1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 |
# File 'ext/libinjection/libinjection_ext.c', line 1015
static VALUE rb_li_xss_contexts(VALUE self, VALUE input) {
VALUE str;
VALUE out;
size_t i;
(void)self;
str = li_str(input);
out = rb_ary_new_capa((long)LI_ARRAY_LEN(HTML5_CONTEXTS));
for (i = 0; i < LI_ARRAY_LEN(HTML5_CONTEXTS); i++) {
injection_result_t result = libinjection_is_xss(RSTRING_PTR(str), (size_t)RSTRING_LEN(str),
HTML5_CONTEXTS[i].value);
raise_on_error(result);
rb_ary_push(out, li_xss_result_hash(result, HTML5_CONTEXTS[i].value,
li_id_sym(HTML5_CONTEXTS[i].name)));
}
return out;
}
|
.xss_flags(*args) ⇒ Object
1074 1075 1076 1077 1078 1079 |
# File 'ext/libinjection/libinjection_ext.c', line 1074
static VALUE rb_li_xss_flags(int argc, VALUE *argv, VALUE self) {
VALUE opts;
(void)self;
rb_scan_args(argc, argv, "01", &opts);
return INT2NUM(li_html5_flags_from_opts(opts, DATA_STATE));
}
|
.xss_result(*args) ⇒ Object
990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 |
# File 'ext/libinjection/libinjection_ext.c', line 990
static VALUE rb_li_xss_result(int argc, VALUE *argv, VALUE self) {
VALUE input;
VALUE opts;
VALUE str;
int flags;
injection_result_t result;
(void)self;
rb_scan_args(argc, argv, "11", &input, &opts);
str = li_str(input);
if (NIL_P(opts)) {
result = libinjection_xss(RSTRING_PTR(str), (size_t)RSTRING_LEN(str));
raise_on_error(result);
return li_xss_result_hash(result, -1, Qnil);
}
flags = li_html5_flags_from_opts(opts, DATA_STATE);
result = libinjection_is_xss(RSTRING_PTR(str), (size_t)RSTRING_LEN(str), flags);
raise_on_error(result);
return li_xss_result_hash(
result, flags, li_symbol_for_int(HTML5_CONTEXTS, LI_ARRAY_LEN(HTML5_CONTEXTS), flags));
}
|