How can I sanitize all params coming into a Sinatra app?

Time: 2020-12-06 17:09:37

In a similar Rails app, I was able to make a recursive Hash-checking function which then runs the Sanitize gem's clean/fragment method to remove any HTML elements from incoming params hash. I used a before filter in the application_controller so everything gets scrubbed app-wide (it's a big app).

Backstory: XSS attacks were possible, particularly in IE browsers, but really we just don't want any of this stuff being saved into the database anyway. Though the ultimate goal was that JSON output didn't contain it.

I tried to do the same thing in a Sinatra app (which has some ActiveSupport and JRuby ActiveRecord bundled in), but the Sanitize gem won't bundle, because this particular app runs in JRuby for some database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter just won't build in this JRuby environment.

So I tried doing a before filter in app.rb using Rack::Utils' built-in html escape method, but that blows up the app.

Are there any alternative ways I can think about

1) Sanitizing all incoming params into a (JRuby) Sinatra app

And if not, a lesser option:

2) make it so all JSON that is parsed sanitizes values in said JSON attribute-value lists?

PS - Part of the issue here is that an included local gem, which handles a lot of the params and does JSON rendering, is proving impossible to debug. I'll include Pry in both the host app and the locally linked gem, and when I try to Pry into the gem, I can't view the params hash (it just shows as empty); there seems to be an issue of scope.

3 answers

#1

1

Sanitize gem won't bundle, because this particular app runs in JRuby for some database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter just won't build in this JRuby environment.

Seems wrong, as Nokogiri works in JRuby (it has a -java specific gem); try a bundle update nokogiri so that you get Sanitize to play nicely ...

So I tried doing a before filter in app.rb using Rack::Util's built in html escape method, but that blows up the app.

Again, too bad. Maybe post details on your gem versions and the failures you run into. Although the preferred option, I believe, would be to get something that worked under MRI working under JRuby; thus I would try again to use Nokogiri.

#2

0

Per Sinatra, there are 2 good ways of escaping. Both are mentioned on the website. http://www.sinatrarb.com/faq.html#escape_html

1) Using Rack. The OP mentioned that it was blowing up the app. Could you please explain more? Meanwhile, to use the Rack method, you can use the following code snippet. Once the param has been cleaned, you can use that.

cleanedParam = Rack::Utils.escape_html(params[:some_param_name])

2) Using the Erubis gem. The gem is written in pure Ruby. Set up the erubis gem as follows:

require 'erubis'
set :erb, :escape_html => true

Once that is done, you can use erubis when outputting a template:

erb :index

#3

0

You can iterate through each of the parameters in the params hash and use Rack's escape_html method to escape HTML elements contained in each parameter.

params.each do |p, v|
  # escape_html calls to_s on its argument, so skip nested hashes/arrays rather than flattening them
  params[p] = Rack::Utils.escape_html(v) if v.is_a?(String)
end

The documentation for escape_html can be found here.

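As an added example (not code from the question or from any of the answers), here is the recursive walk the question describes, built over the Rack::Utils.escape_html call that answers #2 and #3 use; when Rack is not installed it falls back to the stdlib CGI.escapeHTML so the file runs stand-alone. The same walker is applied to a parsed JSON body, which is the question's option 2. The sample params hash, the helper names and the before-filter wiring shown in the comment are assumptions. The last function shows why escaping on the way in sits badly with answer #2's :escape_html => true setting: text stored already escaped gets escaped a second time at render and shows up literally.

```ruby
# Added example, not from the question or answers. Recursive param escaping for a
# Sinatra-style before filter; helper names and sample data are assumptions.
require 'json'
begin
  require 'rack'                      # Rack::Utils.escape_html, as used in answers #2 and #3
  HTML_ESCAPE = Rack::Utils.method(:escape_html)
rescue LoadError
  require 'cgi'                       # stdlib fallback so the file runs without Rack installed
  HTML_ESCAPE = CGI.method(:escapeHTML)
end

# Walk a params hash (or a parsed JSON body) and HTML-escape every String leaf.
# Hashes and Arrays are recursed into rather than handed to escape_html, which
# would call to_s on them and flatten the structure; other scalars (Integer,
# true/false, nil) pass through. Returns a new object; the input is not mutated.
def escape_params(value)
  case value
  when Hash   then value.each_with_object({}) { |(k, v), h| h[k] = escape_params(v) }
  when Array  then value.map { |v| escape_params(v) }
  when String then HTML_ESCAPE.call(value)
  else value
  end
end

# The same walk over a raw JSON request body (the question's option 2).
def escape_json_body(raw)
  escape_params(JSON.parse(raw))
end

# What a template with :escape_html => true (answer #2) does to a value that was
# already escaped on input: the stored "&lt;" is escaped again and renders literally.
def double_escaped(stored)
  HTML_ESCAPE.call(stored)
end

# Constructed sample, shaped like a Sinatra params hash with nested values.
SAMPLE_PARAMS = {
  'name'    => '<img src=x onerror=alert(1)>',
  'age'     => 42,
  'profile' => { 'bio' => 'a & b', 'tags' => ['<b>bold', 'plain'] }
}.freeze

# In app.rb the filter would be (assumed wiring; params is Sinatra's params hash):
#   before { params.merge!(escape_params(params)) }
if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(escape_params(SAMPLE_PARAMS))
  puts double_escaped(escape_params(SAMPLE_PARAMS)['name'])
end
```

Escaping at input stores HTML entities in the database, which is what the question says it wants; if the same values are later rendered through a template that also escapes, they come out as visible "&amp;lt;". Pick one layer: escape at output (answer #2) for HTML views, or run a real HTML sanitizer such as the Sanitize gem on input when the goal is to strip markup before it is stored.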