Exemplo n.º 1
0
        public void Init(HttpApplication httpApplication)
        {
            httpApplication.BeginRequest += (o, e) =>
                {
                    _filter = new ResponseFilter(httpApplication.Response.Filter, httpApplication.Response.ContentEncoding);
                    httpApplication.Response.Filter = _filter;
                };

            httpApplication.EndRequest += (o, e) =>
                {
                    // Only 'text/html' content type of response supported as yet
                    if (!httpApplication.Context.Response.ContentType.StartsWith("text/html")) return;
                    // TODO: Add support of 'application/json' and 'text/xml' MIME types

                    var responseText = _filter.Response;

                    var xssResponseValidator = new HtmlResponseValidator();
                    RequestValidationParam dangerousParam;

                    if (httpApplication.Context.Items.Contains("Irv.Engine.TaintfulParams") &&
                        !xssResponseValidator.IsValidHtmlResponseString(
                            (List<RequestValidationParam>) httpApplication.Context.Items["Irv.Engine.TaintfulParams"],
                            responseText,
                            out dangerousParam))
                    {
                        throw new HttpRequestValidationException(
                            string.Format(
                                _requestValidationErrorMessage, dangerousParam.Source,
                                string.Format("{0}=\"{1}\"...", dangerousParam.CollectionKey, dangerousParam.Value.Length > 15 ? dangerousParam.Value.Substring(0, 15) : dangerousParam.Value)));
                    }

                };
        }
Exemplo n.º 2
0
        private void TestScriptRunner(string testName)
        {
            var scriptLines = File.ReadAllLines(string.Format("{0}.testscript", testName));
            var templateBuilder = new StringBuilder();
            var currentScriptLine = 0;

            do
            {
                if (scriptLines[currentScriptLine] != string.Empty)
                {
                    templateBuilder.AppendLine(scriptLines[currentScriptLine]);
                }
            } while (scriptLines[++currentScriptLine] != "<!--End-of-template-->");

            currentScriptLine++;

            var responseTemplate = templateBuilder.ToString();

            var paramList = new List<string>();

            while (currentScriptLine < scriptLines.Length)
            {
                if (scriptLines[currentScriptLine].Length == 0)
                {
                    if (paramList.Count > 0)
                    {
            // ReSharper disable CoVariantArrayConversion
                        var responseText = string.Format(responseTemplate, paramList.ToArray());
            // ReSharper restore CoVariantArrayConversion

                        var validator = new HtmlResponseValidator();
                        var taintfulParams =
                            paramList.Select(param => new RequestValidationParam("Irv.Tests", "None", param)).ToList();
                        RequestValidationParam dangerousParam;
                        var validationResult = validator.IsValidHtmlResponseString(taintfulParams, responseText,
                                                                                   out dangerousParam);
                        if (validationResult)
                        {
                            TestContext.WriteLine("Test {0} failed on param(s): {{ {1} }}", testName,
                                                  string.Join("} {", paramList));
                        }

                        Assert.IsFalse(validationResult);
                        paramList.Clear();
                    }
                }
                else
                {
                    paramList.Add(HttpUtility.UrlDecode(scriptLines[currentScriptLine]));
                }
                currentScriptLine++;
            }
        }