lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb in contrast-agent-6.1.0 vs lib/contrast/agent/protect/rule/xxe/entity_wrapper.rb in contrast-agent-6.1.1
- old
+ new
@@ -9,10 +9,24 @@
# A holder for the external entity which was determined to be an
# attack.
class EntityWrapper
attr_reader :system_id, :public_id
+ DTD_MARKER = '.dtd'
+ FILE_START = 'file:'
+ FTP_START = 'ftp:'
+ GOPHER_START = 'gopher:'
+ JAR_START = 'jar:'
+ UP_DIR_LINUX = '../'
+ UP_DIR_WIN = '..\\'
+ # <!ENTITY name SYSTEM "URI">
+ SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
+ # <!ENTITY name PUBLIC "public_ID" "URI">
+ PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
+ # we only use this against lowercase strings, removed A-Z for speed
+ FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
+
def initialize entity
@system_id = parse_system_id(entity)
# an entity cannot be system and public
@public_id = parse_public_id(entity) unless @system_id
end
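Review bot: The hoisted `SYSTEM_ID_REGEXP` and `PUBLIC_ID_REGEXP` on lines 17 and 19 only accept double-quoted literals, so a declaration such as `<!ENTITY xxe SYSTEM 'file:///etc/passwd'>` — valid XML, since SystemLiteral and PubidLiteral allow either quote — produces no `id`, `@system_id`/`@public_id` stay nil, and the entity is never examined by `external_id?`, which is a bypass of the protect rule. The name class `[a-zA-Z0-f]` also looks like a typo for `0-9` (as written the range `0-f` admits `:;<=>?@[\]^_` and a backtick), and neither pattern admits parameter entities (`<!ENTITY % name SYSTEM ...>`), the usual out-of-band XXE form — worth confirming whether the caller already strips the `%`. I would accept either quote and reuse it through a backreference, e.g. `SYSTEM_ID_REGEXP = /<!ENTITY\s+%?\s*(?<name>[a-zA-Z0-9_.:-]+)\s+SYSTEM\s+(?<q>["'])(?<id>.*?)\k<q>/.cs__freeze` and `PUBLIC_ID_REGEXP = /<!ENTITY\s+%?\s*(?<name>[a-zA-Z0-9_.:-]+)\s+PUBLIC\s+(?<pq>["']).*?\k<pq>\s+(?<q>["'])(?<id>.*?)\k<q>/.cs__freeze` (all groups must be named, since Ruby stops numbering plain parentheses once a named group is present). The regexes are moved rather than introduced by this commit, but the hoist is the natural moment to fix them; their `parse_*` callers are in the second hunk.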
@@ -28,32 +42,19 @@
end
end
@_external_entity
end
- # <!ENTITY name SYSTEM "URI">
- SYSTEM_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+SYSTEM\s+"(?<id>.*?)">/.cs__freeze
def parse_system_id entity
match = SYSTEM_ID_REGEXP.match(entity)
match[:id] if match
end
- # <!ENTITY name PUBLIC "public_ID" "URI">
- PUBLIC_ID_REGEXP = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+PUBLIC\s+".*?"\s+"(?<id>.*?)">/.cs__freeze
def parse_public_id entity
match = PUBLIC_ID_REGEXP.match(entity)
match[:id] if match
end
- DTD_MARKER = '.dtd'
- FILE_START = 'file:'
- FTP_START = 'ftp:'
- GOPHER_START = 'gopher:'
- JAR_START = 'jar:'
- UP_DIR_LINUX = '../'
- UP_DIR_WIN = '..\\'
- # we only use this against lowercase strings, removed A-Z for speed
- FILE_PATTERN_WINDOWS = /^\\*[a-z]{1,3}:.*/.cs__freeze
def external_id? entity_id
return false unless entity_id
# downcase this since we don't have an ignore case compare
tmp_id = entity_id.to_s.downcase