diff --git a/app/models/chat/message.rb b/app/models/chat/message.rb index 5076f0951..a86b0bba1 100644 --- a/app/models/chat/message.rb +++ b/app/models/chat/message.rb @@ -1,2 +1,5 @@ class Chat::Message < ApplicationModel + include HtmlSanitized + + sanitized_html :content end diff --git a/app/models/concerns/html_sanitized.rb b/app/models/concerns/html_sanitized.rb new file mode 100644 index 000000000..116967e7e --- /dev/null +++ b/app/models/concerns/html_sanitized.rb @@ -0,0 +1,46 @@ +# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/ +module HtmlSanitized + extend ActiveSupport::Concern + + included do + before_create :sanitized_html_attributes + before_update :sanitized_html_attributes + end + + def sanitized_html_attributes + html_attributes = self.class.instance_variable_get(:@sanitized_html) || [] + return if html_attributes.empty? + + html_attributes.each do |attribute| + value = send(attribute) + + next if value.blank? + next if !sanitizeable?(attribute, value) + + send("#{attribute}=".to_sym, HtmlSanitizer.strict(value)) + end + end + + def sanitizeable?(_attribute, _value) + true + end + + # methods defined here are going to extend the class, not the instance of it + class_methods do + +=begin + +serve methode to mark HTML attrbibutes that need to get sanitized + +class Model < ApplicationModel + include Sanitized + sanitized_html :body +end + +=end + + def sanitized_html(*attributes) + @sanitized_html = attributes + end + end +end diff --git a/app/models/ticket/article.rb b/app/models/ticket/article.rb index 979914b66..b9c75acc6 100644 --- a/app/models/ticket/article.rb +++ b/app/models/ticket/article.rb @@ -3,6 +3,7 @@ class Ticket::Article < ApplicationModel include LogsActivityStream include NotifiesClients include Historisable + include HtmlSanitized load 'ticket/article/assets.rb' include Ticket::Article::Assets @@ -16,6 +17,8 @@ class Ticket::Article < ApplicationModel before_create :check_subject, :check_message_id_md5 before_update :check_subject, :check_message_id_md5 + sanitized_html :body + activity_stream_permission 'ticket.agent' activity_stream_attributes_ignored :type_id, @@ -203,6 +206,12 @@ returns: ) end + def sanitizeable?(attribute, _value) + return true if attribute != :body + return false if content_type.blank? + content_type =~ /html/i + end + private # strip not wanted chars diff --git a/lib/html_sanitizer.rb b/lib/html_sanitizer.rb new file mode 100644 index 000000000..91e4f1be0 --- /dev/null +++ b/lib/html_sanitizer.rb @@ -0,0 +1,48 @@ +class HtmlSanitizer + + def self.strict(string) + remove = %w(style body head) + strip = ['script'] + + scrubber = Loofah::Scrubber.new do |node| + + # strip tags + if strip.include?(node.name) + node.before node.children + node.remove + end + + # remove tags + if remove.include?(node.name) + node.remove + end + + # prepare src attribute + if node['src'] + if node['src'].downcase.start_with?('http', 'ftp') + node.before node.children + node.remove + end + end + + # prepare links + if node['href'] + if node['href'].downcase.start_with?('http', 'ftp') + node.set_attribute('rel', 'nofollow') + node.set_attribute('target', '_blank') + end + if node['href'] =~ /javascript/i + node.delete('href') + end + end + + # remove on* attributes + node.each { |attribute, _value| + next if !attribute.downcase.start_with?('on') + node.delete(attribute) + } + end + Loofah.fragment(string).scrub!(scrubber).to_s + end + +end diff --git a/test/unit/email_process_test.rb b/test/unit/email_process_test.rb index 42a1780de..fefc4220b 100644 --- a/test/unit/email_process_test.rb +++ b/test/unit/email_process_test.rb @@ -148,7 +148,7 @@ Some Text", }, 1 => { content_type: 'text/html', - body: "_________________________________________________________________________________Please beth saw his head

9õhH3ÿoIÚõ´GÿiH±6u-û◊NQ4ùäU¹awAq¹JLZμÒIicgT1ζ2Y7⊆t 63‘Mñ36EßÝ→DAå†I048CvJ9A↑3iTc4ÉIΥvXO50ñNÁFJSð­r 154F1HPOÀ£CRxZp tLîT9öXH1b3Es±W mNàBg3õEbPŒSúfτTóY4 sUÖPÒζΔRFkcIÕ1™CÓZ3EΛRq!Cass is good to ask what that
86ËÏuÕC L I C K   H E R E28M (http://piufup.medicatingsafemart.ru)Luke had been thinking about that.
Shannon said nothing in fact they. Matt placed the sofa with amy smiled. Since the past him with more. Maybe he checked the phone. Neither did her name only. Ryan then went inside matt.
Maybe we can have anything you sure.
á•XMYÍÅEE£ÓN°kP'dÄÅS4⌉d √p¨HΣ>jE4y4ACüûLì“vT∧4tHXÆX:
x5VV"¹tiçÂaaΦ3fg¦zèr«°haeJw n§Va879sÆ3j f¶ïlÞ9lo5F¾wν¶1 κψ›a9f4sLsL ùVo$v3x1¸nz.uȦ1H4s35Ô7 yoQCÄFMiMzda¯ZεlÝHNi¬cÚsù–ϖ DYhaã7Ns4Ö· n3dl1XÆo¯µ¶wpN↑ YQ7aé39s1qÓ QyL$fcÕ1ΝS5.5Wy62­d5ĶH
³7<V401i4æÂaθÀTg÷ÄGr9EûaΡBw →ÌÖSRSLu72lpL6Veº9Ær¾HL FEpAÕø9cP¬ltÒcDibäXvTtFel3®+bVM ø5ôaXWas4ºä μÕKl∏7mo√þ3wSg1 ι£Ca´´Xso18 ÅL2$…4¾2Jo↑.0Λa53iè55WÕ î3IV4◊9iFÊVaßÕóg8³9r℘buaf®2 fc7Pg3⊆rzç8oÜ−⋅fÿ≥ZeaPÑs5⇐TsiΨ∋i9ÌuoU8RnΨ⌉•aw1flfùë TQNaU›ésvDu BÇIl6Θlo∠HfwNX8 36Xa∼α»sT½d ŠHG$Îõ¬3QWÀ.‰›Y5Ôg80¦ao
LKNV0ÄwiM4xafsJgFJär27”a⇐MÔ ∠O5SQØMuté«p÷ÅÃe¨ûHrZ4Ä 1UΛF¨TsoûwXrú4Ickyçe½qY 074aÙl⌊sÐH1 4Ùplø4Xob0aw4FÔ 28∴a70lsA30 ßWF$Z¸v4AEG.Î6¨2t9p5¶¼Q M9¯Cε92i0qPa¹AölW5Pi5Vusi8ë ðO0SE2Euù∈èpòY3eTs6r6ý2 lªÌAyîjcQpet½3õiiqXvPVOe8­V+«“G ¤ó6a®Π7sJÕg ¡JÈl♥Š¾oÐolwBVà →AmaηÒ¯saÑÚ Häð$2Ef2∈n5.Œ8H95¨19⊃ƒõ
Up dylan in love and found herself. Sorry for beth smiled at some time Whatever you on one who looked. Except for another man and ready.
ÚúeACíøN˵UT3L♠ICë9-BŒfAoÓCL5ΒÉLHοNE5∂7RScdGX­ªIpΣuCCw∨/D¤6A´vâS0d⊂TÇ'BHfóΔMåß7A63B:
2UýV5¦Ueý¿×nRm2tæÓOoγ1øly¼Wi6pxnÀZ« câSa8ï¤sGï⊂ ΜJll1£„onbéw⌉ö1 vY8aΘmgs0Ú4 å¥G$·592KkU1®b0.½Âℜ54Èh0º´h Zf­A0j¸dc1ξv™Xpagl×ib8YrSf0 ¨WiaÀ4»sÁ×7 TAwll¨dom1Gw2¿z ΒÿÀaˆyÎsN8η 3oo$D012Λp³4cìz.PA∅9ϒ7354ú9
RãíNn¨2aYRøs≅←ÍoPÀynCΧ»efõoxÕ∪h E18aNÿÜsiÿ5 f47lÃ47oFÂjwGÎÉ ·08aºedsjÛS ¿e®$KèR1LDÍ7üoè.4·O99Ý£9íϖn ¶ú↵Sι3”pÝó‾iEuerΓy0iY30vΤA6a2"Y 465a1m6sgÁs C∀ilΑÒΠor6yw7¿ð 1KΩaÐ32s∇Δ¤ 9Χ9$MWN2P0É8óËβ.Ö∩S93íñ0RQ’
Have anything but matty is taking care. Voice sounded in name only the others Mouth shut and while he returned with. Herself with one who is your life
ÿ²íGu8NEZ3FNFsôEÆRnRÇC9AK4xLÀ5Ç Ì5bH97CE«Ì0AÎq¢Lµk→TªJkHe3š:Taking care about matt li? ed ryan. Knowing he should be there.
Ks£TäbIr74EaãDZmœH¡a³7odÅ∪voÒozlP3S 23‹azy∝sÚ°Q 4â¹ll21ovh7w2D2 ©Qwa⇑cΒs¨wH Iµe$⇐J517Tñ.t5f36ÅB06ãΨ 5z℘Z4nGiý89t←f4hvnàrbŸTo1s9m¥Ëqand·xxO6 Iÿ∪ak½0sÙ£M ûΗ¡løȾorztw170 —♣≅ar6qsvDv 76T$3×D0erÍ.d¼07WoI5ÀKú
ϒa9P'¶¯rP74o2ψÈzχfþaÃàñc3qY →®7aaRgsN©k ¯‰ΣlÍpÃo7R⊂wÆðe 3Iha♣d˜s3g7 È3M$≡⋅ª0AY4.Uq√3Û±k5SUΜ Zr2A8Ö6cZŸdoΡeumpq¼pAoUlèI2ieYÒaK>∂ 3n6ax1Qs20b °Häl9¶ÑoÏ6aw≡dä ΗÅ2a¢Óvs⊃Á7 C⊆Ä$2Bz2sló.∫Pb5ØMx0oQd
ZΙμPCqmrµp0eAΦ♥dô‾Ωn∠2si4y2s÷8«o6∀ClDeÌoPbqnd¡Jelè× ÿˆ5aWl〈sbPÔ ï²çl8¢OoH¸ew’90 Υ66aÕÆdsh6K r6Ç$7Ey0WcÎ.£—012C857Aþ i·σS€53yxµèn80ntΡΠmhç≡hrB²doµS¥ih÷rdOKK 7½öa←ãIs2⌉V Cssl±´RoT1QwyÉΔ •∏∞aïYGsÂ8E 1πx$04ò0gMF.bTQ3Íx658ùς
Maybe even though she followed. Does this mean you talking about. Whatever else to sit on them back
←4BC3éhAGAWNrÛjAGυ»D¬f4Iðm√AHM9N〉1è ‚¬HDÁ9ÜRâ3∨U90IG¾99S¶∪”T¥ì3OË°cR0E⇑E2°1 4ÖaA″XΝDµ4ℑVAK8Aµd9NrÅDT¦12A5khGA3mE98ÔS9KC!5TU
AMm>EjL w∗LWυIaoKd¹rΘ22l2IΚdê5PwO4Hiây6dÖH⌊eÃìg j14Dr­5e700lH·ÐiJ±ùvY…öe¦mhr¸«4yrÆÔ!∑η2 ÷¬υOΔfδrKZwd4KVeB¶órℜ0Ç PΖ×341o+A7Y ¬æ6GM17oGOºos7∑d×7ûs¤8P ο♦QaRn–n5b2d0ìw ËrϒGIÑℑem0∀t³bæ 20rF4O7Rä2°EÇò⊆ESΥ4 KF0AÒÂßi5ïcrt⊆€mRJ7aNΛÿinÕ6l5bQ ¸ϒtSZbwh3¶3ig♠9p2″Ìp×¢êiK»´nsWsgdXW!tBO
m0W>YÙ b¬u1xΔd03¯¬0vHK%Þ¹ó 674Aj3öuQ←ÏtÈH¨houqeyªYnÑ21t⌋BZi¦V2c¬Tn >ZΓMöÜÊe3Å1dís5s2ø›!³0û 2¡ÌEmè1xéV2p1∨6iâdârB9ra72mtSzIiMlVo0NLngΒû ú2LD7⇑maNx3tUζ∪etcù 90ìo¶Ù3fv49 w≅»O0givÅýYeXïNryfT 3fP3xZÕ FñÃY8q¯eEÂÜaâyfrΜpls9âÂ!qκÊ
î5A>∀pƒ ZµÍSδ3éem2sc⊕7vu41JrÒ°weÊyh qaρOÏp¼nΣxZlrN¡i♠Êcnl4jeN¶Q y2≅Sb63h17〉ofµypÅAÆpþh0iÔcbnec4gIù1 h2Uw23‹i9çktSÅÏh6Vº g±sVŒóuipV¯seÈ⋅a4üV,T6D 2ý8MΡY©a⊃ºΕs5ùýt9IDeFDℑrXpOCe“μan·Mr¾1Kd¥ëð,eø7 DfmAæ¤NM9ïhEUË∨XσψG 4j0a°81nhTAdmTü «9öEνμr-U4fc¨Þ1h8ª¸eoycc9xjk⁄ko!ë9K
¬Û…>J6Á ¢〉8EÖ22a³41s¬17y3â8 °f2R6olewtzfw¹suýoQn⇓³³d×4Gs¢7« AlDa°H¶n9Ejdtg› ¯ôθ2ε¥⊇4¯″A/4Øv72z→ Ü3¥C6ú2u56Xs9⁄1t∑ΙioxÉjmØRùe1WÔrH25 o¥ßS≥gmuX2gp3yip·³2oD£3rc3μtks∪!sWK
When she were there you here. Lott to need for amy said.
Once more than ever since matt. Lott said turning o? ered. Tell you so matt kept going.
Homegrown dandelions by herself into her lips. Such an excuse to stop thinking about. Leave us and be right.




http://www.avast.com/
?????? ?????????????????? ???????????????? ???? ?????????????? ?? ???????????????????????? ???? ?????????????????? avast! Antivirus (http://www.avast.com/) ???????????? ??????????????.", + body: "_________________________________________________________________________________Please beth saw his head

9õhH3ÿoIÚõ´GÿiH±6u-û◊NQ4ùäU¹awAq¹JLZμÒIicgT1ζ2Y7⊆t 63‘Mñ36EßÝ→DAå†I048CvJ9A↑3iTc4ÉIΥvXO50ñNÁFJSð­r 154F1HPOÀ£CRxZp tLîT9öXH1b3Es±W mNàBg3õEbPŒSúfτTóY4 sUÖPÒζΔRFkcIÕ1™CÓZ3EΛRq!Cass is good to ask what that
86ËÏuÕC L I C K   H E R E28M (http://piufup.medicatingsafemart.ru)Luke had been thinking about that.
Shannon said nothing in fact they. Matt placed the sofa with amy smiled. Since the past him with more. Maybe he checked the phone. Neither did her name only. Ryan then went inside matt.
Maybe we can have anything you sure.
á•XMYÍÅEE£ÓN°kP'dÄÅS4⌉d √p¨HΣ>jE4y4ACüûLì“vT∧4tHXÆX:
x5VV\"¹tiçÂaaΦ3fg¦zèr«°haeJw n§Va879sÆ3j f¶ïlÞ9lo5F¾wν¶1 κψ›a9f4sLsL ùVo$v3x1¸nz.uȦ1H4s35Ô7 yoQCÄFMiMzda¯ZεlÝHNi¬cÚsù–ϖ DYhaã7Ns4Ö· n3dl1XÆo¯µ¶wpN↑ YQ7aé39s1qÓ QyL$fcÕ1ΝS5.5Wy62­d5ĶH
³7<V401i4æÂaθÀTg÷ÄGr9EûaΡBw →ÌÖSRSLu72lpL6Veº9Ær¾HL FEpAÕø9cP¬ltÒcDibäXvTtFel3®+bVM ø5ôaXWas4ºä μÕKl∏7mo√þ3wSg1 ι£Ca´´Xso18 ÅL2$…4¾2Jo↑.0Λa53iè55WÕ î3IV4◊9iFÊVaßÕóg8³9r℘buaf®2 fc7Pg3⊆rzç8oÜ−⋅fÿ≥ZeaPÑs5⇐TsiΨ∋i9ÌuoU8RnΨ⌉•aw1flfùë TQNaU›ésvDu BÇIl6Θlo∠HfwNX8 36Xa∼α»sT½d ŠHG$Îõ¬3QWÀ.‰›Y5Ôg80¦ao
LKNV0ÄwiM4xafsJgFJär27”a⇐MÔ ∠O5SQØMuté«p÷ÅÃe¨ûHrZ4Ä 1UΛF¨TsoûwXrú4Ickyçe½qY 074aÙl⌊sÐH1 4Ùplø4Xob0aw4FÔ 28∴a70lsA30 ßWF$Z¸v4AEG.Î6¨2t9p5¶¼Q M9¯Cε92i0qPa¹AölW5Pi5Vusi8ë ðO0SE2Euù∈èpòY3eTs6r6ý2 lªÌAyîjcQpet½3õiiqXvPVOe8­V+«“G ¤ó6a®Π7sJÕg ¡JÈl♥Š¾oÐolwBVà →AmaηÒ¯saÑÚ Häð$2Ef2∈n5.Œ8H95¨19⊃ƒõ
Up dylan in love and found herself. Sorry for beth smiled at some time Whatever you on one who looked. Except for another man and ready.
ÚúeACíøN˵UT3L♠ICë9-BŒfAoÓCL5ΒÉLHοNE5∂7RScdGX­ªIpΣuCCw∨/D¤6A´vâS0d⊂TÇ'BHfóΔMåß7A63B:
2UýV5¦Ueý¿×nRm2tæÓOoγ1øly¼Wi6pxnÀZ« câSa8ï¤sGï⊂ ΜJll1£„onbéw⌉ö1 vY8aΘmgs0Ú4 å¥G$·592KkU1®b0.½Âℜ54Èh0º´h Zf­A0j¸dc1ξv™Xpagl×ib8YrSf0 ¨WiaÀ4»sÁ×7 TAwll¨dom1Gw2¿z ΒÿÀaˆyÎsN8η 3oo$D012Λp³4cìz.PA∅9ϒ7354ú9
RãíNn¨2aYRøs≅←ÍoPÀynCΧ»efõoxÕ∪h E18aNÿÜsiÿ5 f47lÃ47oFÂjwGÎÉ ·08aºedsjÛS ¿e®$KèR1LDÍ7üoè.4·O99Ý£9íϖn ¶ú↵Sι3”pÝó‾iEuerΓy0iY30vΤA6a2\"Y 465a1m6sgÁs C∀ilΑÒΠor6yw7¿ð 1KΩaÐ32s∇Δ¤ 9Χ9$MWN2P0É8óËβ.Ö∩S93íñ0RQ’
Have anything but matty is taking care. Voice sounded in name only the others Mouth shut and while he returned with. Herself with one who is your life
ÿ²íGu8NEZ3FNFsôEÆRnRÇC9AK4xLÀ5Ç Ì5bH97CE«Ì0AÎq¢Lµk→TªJkHe3š:Taking care about matt li? ed ryan. Knowing he should be there.
Ks£TäbIr74EaãDZmœH¡a³7odÅ∪voÒozlP3S 23‹azy∝sÚ°Q 4â¹ll21ovh7w2D2 ©Qwa⇑cΒs¨wH Iµe$⇐J517Tñ.t5f36ÅB06ãΨ 5z℘Z4nGiý89t←f4hvnàrbŸTo1s9m¥Ëqand·xxO6 Iÿ∪ak½0sÙ£M ûΗ¡løȾorztw170 —♣≅ar6qsvDv 76T$3×D0erÍ.d¼07WoI5ÀKú
ϒa9P'¶¯rP74o2ψÈzχfþaÃàñc3qY →®7aaRgsN©k ¯‰ΣlÍpÃo7R⊂wÆðe 3Iha♣d˜s3g7 È3M$≡⋅ª0AY4.Uq√3Û±k5SUΜ Zr2A8Ö6cZŸdoΡeumpq¼pAoUlèI2ieYÒaK>∂ 3n6ax1Qs20b °Häl9¶ÑoÏ6aw≡dä ΗÅ2a¢Óvs⊃Á7 C⊆Ä$2Bz2sló.∫Pb5ØMx0oQd
ZΙμPCqmrµp0eAΦ♥dô‾Ωn∠2si4y2s÷8«o6∀ClDeÌoPbqnd¡Jelè× ÿˆ5aWl〈sbPÔ ï²çl8¢OoH¸ew’90 Υ66aÕÆdsh6K r6Ç$7Ey0WcÎ.£—012C857Aþ i·σS€53yxµèn80ntΡΠmhç≡hrB²doµS¥ih÷rdOKK 7½öa←ãIs2⌉V Cssl±´RoT1QwyÉΔ •∏∞aïYGsÂ8E 1πx$04ò0gMF.bTQ3Íx658ùς
Maybe even though she followed. Does this mean you talking about. Whatever else to sit on them back
←4BC3éhAGAWNrÛjAGυ»D¬f4Iðm√AHM9N〉1è ‚¬HDÁ9ÜRâ3∨U90IG¾99S¶∪”T¥ì3OË°cR0E⇑E2°1 4ÖaA″XΝDµ4ℑVAK8Aµd9NrÅDT¦12A5khGA3mE98ÔS9KC!5TU
AMm>EjL w∗LWυIaoKd¹rΘ22l2IΚdê5PwO4Hiây6dÖH⌊eÃìg j14Dr­5e700lH·ÐiJ±ùvY…öe¦mhr¸«4yrÆÔ!∑η2 ÷¬υOΔfδrKZwd4KVeB¶órℜ0Ç PΖ×341o+A7Y ¬æ6GM17oGOºos7∑d×7ûs¤8P ο♦QaRn–n5b2d0ìw ËrϒGIÑℑem0∀t³bæ 20rF4O7Rä2°EÇò⊆ESΥ4 KF0AÒÂßi5ïcrt⊆€mRJ7aNΛÿinÕ6l5bQ ¸ϒtSZbwh3¶3ig♠9p2″Ìp×¢êiK»´nsWsgdXW!tBO
m0W>YÙ b¬u1xΔd03¯¬0vHK%Þ¹ó 674Aj3öuQ←ÏtÈH¨houqeyªYnÑ21t⌋BZi¦V2c¬Tn >ZΓMöÜÊe3Å1dís5s2ø›!³0û 2¡ÌEmè1xéV2p1∨6iâdârB9ra72mtSzIiMlVo0NLngΒû ú2LD7⇑maNx3tUζ∪etcù 90ìo¶Ù3fv49 w≅»O0givÅýYeXïNryfT 3fP3xZÕ FñÃY8q¯eEÂÜaâyfrΜpls9âÂ!qκÊ
î5A>∀pƒ ZµÍSδ3éem2sc⊕7vu41JrÒ°weÊyh qaρOÏp¼nΣxZlrN¡i♠Êcnl4jeN¶Q y2≅Sb63h17〉ofµypÅAÆpþh0iÔcbnec4gIù1 h2Uw23‹i9çktSÅÏh6Vº g±sVŒóuipV¯seÈ⋅a4üV,T6D 2ý8MΡY©a⊃ºΕs5ùýt9IDeFDℑrXpOCe“μan·Mr¾1Kd¥ëð,eø7 DfmAæ¤NM9ïhEUË∨XσψG 4j0a°81nhTAdmTü «9öEνμr-U4fc¨Þ1h8ª¸eoycc9xjk⁄ko!ë9K
¬Û…>J6Á ¢〉8EÖ22a³41s¬17y3â8 °f2R6olewtzfw¹suýoQn⇓³³d×4Gs¢7« AlDa°H¶n9Ejdtg› ¯ôθ2ε¥⊇4¯″A/4Øv72z→ Ü3¥C6ú2u56Xs9⁄1t∑ΙioxÉjmØRùe1WÔrH25 o¥ßS≥gmuX2gp3yip·³2oD£3rc3μtks∪!sWK
When she were there you here. Lott to need for amy said.
Once more than ever since matt. Lott said turning o? ered. Tell you so matt kept going.
Homegrown dandelions by herself into her lips. Such an excuse to stop thinking about. Leave us and be right.




http://www.avast.com/
?????? ?????????????????? ???????????????? ???? ?????????????? ?? ???????????????????????? ???? ?????????????????? avast! Antivirus (http://www.avast.com/) ???????????? ??????????????.", sender: 'Customer', type: 'email', internal: false, diff --git a/test/unit/ticket_xss_test.rb b/test/unit/ticket_xss_test.rb new file mode 100644 index 000000000..5f1e80b76 --- /dev/null +++ b/test/unit/ticket_xss_test.rb @@ -0,0 +1,186 @@ +# encoding: utf-8 +require 'test_helper' + +class TicketXssTest < ActiveSupport::TestCase + test 'xss via model' do + ticket = Ticket.create( + title: 'test 123 ', + group: Group.lookup(name: 'Users'), + customer_id: 2, + state: Ticket::State.lookup(name: 'new'), + priority: Ticket::Priority.lookup(name: '2 normal'), + updated_by_id: 1, + created_by_id: 1, + ) + assert(ticket, 'ticket created') + + assert_equal('test 123 ', ticket.title, 'ticket.title verify') + assert_equal('Users', ticket.group.name, 'ticket.group verify') + assert_equal('new', ticket.state.name, 'ticket.state verify') + + article1 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: '', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal('alert("XSS!");', article1.body, 'article1.body verify - inbound') + + article2 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: 'please tell me this doesn\'t work: ', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal('please tell me this doesn\'t work: alert("XSS!");', article2.body, 'article2.body verify - inbound') + + article3 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: 'please tell me this doesn\'t work: ada
LINKaaABC', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal("please tell me this doesn't work: ada +
+LINKaaABC +
", article3.body, 'article3.body verify - inbound') + + article4 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: 'please tell me this doesn\'t work: alal', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal("please tell me this doesn't work: alal", article4.body, 'article4.body verify - inbound') + + article5 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/plain', + body: 'please tell me this doesn\'t work: ada
LINKaaABC', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal('please tell me this doesn\'t work: ada
LINKaaABC', article5.body, 'article5.body verify - inbound') + + article6 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: 'some message article helper test1
asdasd
', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal('some message article helper test1
+asdasd
+
', article6.body, 'article6.body verify - inbound') + + article7 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: 'some message article helper test1
asdasd
', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal('some message article helper test1
+asdasd
+
', article7.body, 'article7.body verify - inbound') + + article8 = Ticket::Article.create( + ticket_id: ticket.id, + from: 'some_sender@example.com', + to: 'some_recipient@example.com', + subject: 'some subject ', + message_id: 'some@id', + content_type: 'text/html', + body: 'some message article helper test1 abc 123123', + internal: false, + sender: Ticket::Article::Sender.find_by(name: 'Customer'), + type: Ticket::Article::Type.find_by(name: 'email'), + updated_by_id: 1, + created_by_id: 1, + ) + assert_equal('some message article helper test1 abc 123123', article8.body, 'article8.body verify - inbound') + + end + + test 'xss via mail' do + data = 'From: ME Bob +To: customer@example.com +Subject: some subject +Content-Type: text/html +MIME-Version: 1.0 + +no HTML ' + + parser = Channel::EmailParser.new + ticket, article, user = parser.process({}, data) + assert_equal('text/html', ticket.articles.first.content_type) + assert_equal('no HTML alert(\'XSS\')', ticket.articles.first.body) + + data = 'From: ME Bob +To: customer@example.com +Subject: some subject +Content-Type: text/plain +MIME-Version: 1.0 + +no HTML ' + + parser = Channel::EmailParser.new + ticket, article, user = parser.process({}, data) + assert_equal('text/plain', ticket.articles.first.content_type) + assert_equal('no HTML ', ticket.articles.first.body) + + end +end