File Coverage

blib/lib/FWS/V2/Safety.pm

Criterion	Covered	Total	%
statement	12	49	24.4
branch	0	4	0.0
condition			n/a
subroutine	4	12	33.3
pod	8	8	100.0
total	24	73	32.8

line	stmt	bran	sub	pod	time	code
1						package FWS::V2::Safety;
2
3	1		1		7097	use 5.006;
	1				5
	1				55
4	1		1		5	use strict;
	1				2
	1				35
5	1		1		5	use warnings;
	1				2
	1				31
6	1		1		4	no warnings 'uninitialized';
	1				2
	1				615
7
8						=head1 NAME
9
10						FWS::V2::Safety - Framework Sites version 2 safe data wrappers
11
12						=head1 VERSION
13
14						Version 1.13091122
15
16						=cut
17
18						our $VERSION = '1.13091122';
19
20
21						=head1 SYNOPSIS
22
23						use FWS::V2;
24
25						my $fws = FWS::V2->new();
26
27						#
28						# each one of these statements will clean the string up to make it "safe"
29						# depending on its context
30						#
31
32						print $fws->safeDir( "../../this/could/be/dangrous" );
33
34						print $fws->safeFile( "../../i-am-trying-to-change-dir.ext" );
35
36						print $fws->safeSQL( "this ' or 1=1 or ' is super bad" );
37
38
39						=head1 DESCRIPTION
40
41						FWS version 2 safety methods are used for security when using unknown parameters that could be malicious. Whenever data is passed to another method it should be wrapped in its appropriate safety wrapper under the guidance of each method.
42
43
44						=head1 METHODS
45
46						=head2 safeDir
47
48						All directories or directry with file combination should be wrapped in this method before being used. It will remove any context that could change its scope to higher than its given location. When using directories ALWAYS prepend them with $fws->{fileDir} or $fws->{secureFileDir} to ensure they root path is always in a known location to further prevent any tampering. NEVER use a directory that is not prepended with a known depth!
49
50						In addition this also will convert any directory backslashes to forward slashes in case a dos style windows path was tossed into the directory.
51
52						#
53						# will return //this/could/be/dangerous
54						#
55						print $fws->safeDir( "../../this/could/be/dangrous" );
56
57						#
58						# will return this/is/fine
59						#
60						print $fws->safeDir( "this/is/fine" );
61
62						#
63						# using this with files is fine also
64						#
65						print $fws->safeDir( "c:/this/is/fine/also.zip" );
66
67						=cut
68
69						sub safeDir {
70	0		0	1		my ( $self, $incomingText ) = @_;
71
72						#
73						# not dots, no pipes, no semi colons
74						#
75	0					$incomingText =~ s/(\.\.\|\\|\|;)//sg;
76
77						#
78						# no matter what there should be no back slashes
79						# switch them to forwards if some funky windows paths
80						# made it into the dir
81						#
82	0					$incomingText =~ s/\\/\//sg;
83
84	0					return $incomingText;
85						}
86
87
88						=head2 safeFile
89
90						All files should be wrapped in this method before being applied. It will remove any context that could change its scope to a different directory.
91
92						#
93						# will return ....i-am-trying-to-change-dir.ext
94						#
95						print $fws->safeFile( "../../i-am-trying-to-change-dir.ext" );
96
97						=cut
98
99
100						sub safeFile {
101	0		0	1		my ( $self, $incomingText ) = @_;
102	0					$incomingText =~ s/(\/\|\\\|;\|\\|)//sg;
103	0					return $incomingText;
104						}
105
106
107						=head2 safeNumber
108
109						Make sure a number is a valid number and strip anything that would make it not. The first character in the string has to be a '-' for the number to maintain its negative status.
110
111						#
112						# will return -34663.43
113						#
114						print $fws->safeNumber( '- $34,663.43' );
115
116						=cut
117
118						sub safeNumber {
119	0		0	1		my ( $self, $number ) = @_;
120	0					my $negative = 0;
121	0	0				if ( $number =~ /^-/ ) { $negative = 1 }
	0
122	0					$number =~ s/[^\d.]+//g;
123	0	0				if ( $negative ) { return '-' . ( $number + 0 ) }
	0
124	0					return $number + 0;
125						}
126
127
128						=head2 safeSQL
129
130						All fields and dynamic content in SQL statements should be wrapped in this method before being applied. It will add double tics and escape any escapes so you can not break out of a statement and inject anything not intended.
131
132						#
133						# will return this '' or 1=1 or '' is super bad
134						#
135						print $fws->safeSQL("this ' or 1=1 or ' is super bad");
136
137						=cut
138
139						sub safeSQL {
140	0		0	1		my ( $self, $incomingText ) = @_;
141	0					$incomingText =~ s/\'/\'\'/sg;
142	0					$incomingText =~ s/\\/\\\\/sg;
143	0					return $incomingText;
144						}
145
146
147						=head2 safeQuery
148
149						Remove anything from a query string that could advocate a cross site scripting attack
150
151						#
152						# Do something that could be used for evil
153						#
154						my $querySting = 'id=url&this=that';
155						$valueHash{html} .= 'Click Me';
156
157						=cut
158
159						sub safeQuery {
160	0		0	1		my ( $self, $incomingText ) = @_;
161	0					$incomingText =~ s/\%3C/\
162	0					$incomingText =~ s/\%3E/\>/sg;
163	0					return $self->removeHTML( $incomingText );
164						}
165
166
167						=head2 safeURL
168
169						Switch a string into a safe url by replacing all non 0-9 a-z A-Z with a dash but not start with a dash. For SEO reasons this will also switch any & with the word "and".
170
171						#
172						# change the product name into a safe url
173						#
174						my $productName = 'My super cool product & title';
175						my $frindlyURL = $fws->safeURL( $productName ) . '.html';
176
177						#
178						# change an name into a safe class name
179						#
180						my $productAttribute = 'Size: Large';
181						my $className = 'productAttribute_' . $fws->safeURL( $productAttribute );
182
183						=cut
184
185						sub safeURL {
186	0		0	1		my ( $self, $incomingText ) = @_;
187	0					$incomingText =~ s/\&/and/sg;
188	0					$incomingText =~ s/[^0-9a-zA-Z]/_/sg;
189	0					$incomingText =~ s/^\s+//;
190	0					return $incomingText;
191						}
192
193
194						=head2 safeJSON
195
196						Replace any thing harmful to an JSON node that could cause it to fail. It will escape stuff like quotes and such.
197
198						#
199						# make a node safe
200						#
201						my $sillyNode = 'This "Can not" be in json';
202						my $safeSillyNode = $fws->safeJSON( $sillyNode );
203						print 'Safe JSON: '.$sillyNode;
204
205						=cut
206
207
208						sub safeJSON {
209	0		0	1		my ( $self, $incomingText ) = @_;
210	0					$incomingText =~ s/\\/\\\\/sg;
211	0					$incomingText =~ s/"/\\"/sg;
212	0					$incomingText =~ s/\//\\\//sg;
213	0					return $incomingText;
214						}
215
216
217						=head2 safeXML
218
219						Replace any thing harmful to an XML node that could cause it to fail validation. & and < will be converted to & and <
220
221						#
222						# make a node safe
223						#
224						my $sillyNode = '55 is < 66 & 77';
225						my $safeSillyNode = $fws->safeXML( $sillyNode );
226						print '' . $safeSillyNode . '';
227
228						#
229						# all in one
230						#
231						print '' . $fws->safeXML( '55 is < 66 & 77' ) . '';
232
233
234						=cut
235
236						sub safeXML {
237	0		0	1		my ( $self, $incomingText ) = @_;
238	0					$incomingText =~ s/&/&/sg;
239	0					$incomingText =~ s/
240	0					return $incomingText;
241						}
242
243
244
245						=head1 AUTHOR
246
247						Nate Lewis, C<< >>
248
249						=head1 BUGS
250
251						Please report any bugs or feature requests to C, or through
252						the web interface at L. I will be notified, and then you'll
253						automatically be notified of progress on your bug as I make changes.
254
255
256
257
258						=head1 SUPPORT
259
260						You can find documentation for this module with the perldoc command.
261
262						perldoc FWS::V2::Safety
263
264
265						You can also look for information at:
266
267						=over 4
268
269						=item * RT: CPAN's request tracker (report bugs here)
270
271						L
272
273						=item * AnnoCPAN: Annotated CPAN documentation
274
275						L
276
277						=item * CPAN Ratings
278
279						L
280
281						=item * Search CPAN
282
283						L
284
285						=back
286
287
288						=head1 LICENSE AND COPYRIGHT
289
290						Copyright 2013 Nate Lewis.
291
292						This program is free software; you can redistribute it and/or modify it
293						under the terms of either: the GNU General Public License as published
294						by the Free Software Foundation; or the Artistic License.
295
296						See http://dev.perl.org/licenses/ for more information.
297
298
299						=cut
300
301						1; # End of FWS::V2::Safety