├── .gitattributes
├── .gitignore
├── .gitmodules
├── .travis.yml
├── LICENSE
├── README.md
├── appveyor.yml
├── scripts
├── build-libprotection.injections.cmd
└── build-libprotection.playground.cmd
├── sources
├── LibProtection.Injections
│ ├── LibProtection.Injections.Tests
│ │ ├── FunctionalTests.cs
│ │ ├── LibProtection.Injections.Tests.csproj
│ │ ├── SafeStringBuilderTests.cs
│ │ ├── SafeStringTests.cs
│ │ ├── TestCase.cs
│ │ ├── TestCases
│ │ │ └── formatCases
│ │ │ │ └── example.json
│ │ ├── TokenConverter.cs
│ │ └── TokenizationTests.cs
│ ├── LibProtection.Injections
│ │ ├── Caching
│ │ │ ├── CacheFormatItem.cs
│ │ │ └── RandomizedLRUCache.cs
│ │ ├── Exceptions.cs
│ │ ├── Extensions
│ │ │ ├── ArrayExtensions.cs
│ │ │ └── StringExtensions.cs
│ │ ├── Formatting
│ │ │ ├── ComplementaryFormatter.cs
│ │ │ ├── FormatResult.cs
│ │ │ ├── Formatter.cs
│ │ │ └── Fragment.cs
│ │ ├── LanguageService.cs
│ │ ├── Languages
│ │ │ ├── AntlrLanguageProvider.cs
│ │ │ ├── FilePath
│ │ │ │ ├── FilePath.cs
│ │ │ │ └── FilePathTokenType.cs
│ │ │ ├── Html
│ │ │ │ ├── Html.cs
│ │ │ │ └── HtmlTokenType.cs
│ │ │ ├── IslandDto.cs
│ │ │ ├── JavaScript
│ │ │ │ ├── JavaScript.cs
│ │ │ │ └── JavaScriptTokenType.cs
│ │ │ ├── LanguageProvider.cs
│ │ │ ├── RegexLanguageProvider.cs
│ │ │ ├── RegexRule.cs
│ │ │ ├── Sql
│ │ │ │ ├── Sql.cs
│ │ │ │ └── SqlTokenType.cs
│ │ │ ├── Token.cs
│ │ │ ├── TokenScope.cs
│ │ │ └── Url
│ │ │ │ ├── Url.cs
│ │ │ │ └── UrlTokenType.cs
│ │ ├── LibProtection.Injections.csproj
│ │ ├── LibProtection.Injections.csproj.DotSettings
│ │ ├── Option.cs
│ │ ├── Range.cs
│ │ ├── RawString.cs
│ │ ├── SafeString.Formattable.cs
│ │ ├── SafeString.cs
│ │ ├── SafeStringBuilder
│ │ │ ├── Replacer.cs
│ │ │ ├── SafeStringBuilder.cs
│ │ │ └── SortedRangesList.cs
│ │ └── Single.cs
│ └── LibProtection.sln
└── LibProtection.snk
└── tools
└── nuget
└── nuget.exe
/.gitattributes:
--------------------------------------------------------------------------------
1 | * text=auto
2 | /sources/LibProtection.TestSite/**/* linguist-vendored
3 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | bld/
23 | [Bb]in/
24 | [Oo]bj/
25 | [Ll]og/
26 |
27 | # Visual Studio 2015 cache/options directory
28 | .vs/
29 | # Uncomment if you have tasks that create the project's static files in wwwroot
30 | #wwwroot/
31 |
32 | # MSTest test Results
33 | [Tt]est[Rr]esult*/
34 | [Bb]uild[Ll]og.*
35 |
36 | # NUNIT
37 | *.VisualState.xml
38 | TestResult.xml
39 |
40 | # Build Results of an ATL Project
41 | [Dd]ebugPS/
42 | [Rr]eleasePS/
43 | dlldata.c
44 |
45 | # .NET Core
46 | project.lock.json
47 | project.fragment.lock.json
48 | artifacts/
49 | **/Properties/launchSettings.json
50 |
51 | *_i.c
52 | *_p.c
53 | *_i.h
54 | *.ilk
55 | *.meta
56 | *.obj
57 | *.pch
58 | *.pdb
59 | *.pgc
60 | *.pgd
61 | *.rsp
62 | *.sbr
63 | *.tlb
64 | *.tli
65 | *.tlh
66 | *.tmp
67 | *.tmp_proj
68 | *.log
69 | *.vspscc
70 | *.vssscc
71 | .builds
72 | *.pidb
73 | *.svclog
74 | *.scc
75 |
76 | # Chutzpah Test files
77 | _Chutzpah*
78 |
79 | # Visual C++ cache files
80 | ipch/
81 | *.aps
82 | *.ncb
83 | *.opendb
84 | *.opensdf
85 | *.sdf
86 | *.cachefile
87 | *.VC.db
88 | *.VC.VC.opendb
89 |
90 | # Visual Studio profiler
91 | *.psess
92 | *.vsp
93 | *.vspx
94 | *.sap
95 |
96 | # TFS 2012 Local Workspace
97 | $tf/
98 |
99 | # Guidance Automation Toolkit
100 | *.gpState
101 |
102 | # ReSharper is a .NET coding add-in
103 | _ReSharper*/
104 | *.[Rr]e[Ss]harper
105 | *.DotSettings.user
106 |
107 | # JustCode is a .NET coding add-in
108 | .JustCode
109 |
110 | # TeamCity is a build add-in
111 | _TeamCity*
112 |
113 | # DotCover is a Code Coverage Tool
114 | *.dotCover
115 |
116 | # Visual Studio code coverage results
117 | *.coverage
118 | *.coveragexml
119 |
120 | # NCrunch
121 | _NCrunch_*
122 | .*crunch*.local.xml
123 | nCrunchTemp_*
124 |
125 | # MightyMoose
126 | *.mm.*
127 | AutoTest.Net/
128 |
129 | # Web workbench (sass)
130 | .sass-cache/
131 |
132 | # Installshield output folder
133 | [Ee]xpress/
134 |
135 | # DocProject is a documentation generator add-in
136 | DocProject/buildhelp/
137 | DocProject/Help/*.HxT
138 | DocProject/Help/*.HxC
139 | DocProject/Help/*.hhc
140 | DocProject/Help/*.hhk
141 | DocProject/Help/*.hhp
142 | DocProject/Help/Html2
143 | DocProject/Help/html
144 |
145 | # Click-Once directory
146 | publish/
147 |
148 | # Publish Web Output
149 | *.[Pp]ublish.xml
150 | *.azurePubxml
151 | # TODO: Comment the next line if you want to checkin your web deploy settings
152 | # but database connection strings (with potential passwords) will be unencrypted
153 | *.pubxml
154 | *.publishproj
155 |
156 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
157 | # checkin your Azure Web App publish settings, but sensitive information contained
158 | # in these scripts will be unencrypted
159 | PublishScripts/
160 |
161 | # NuGet Packages
162 | *.nupkg
163 | # The packages folder can be ignored because of Package Restore
164 | **/packages/*
165 | # except build/, which is used as an MSBuild target.
166 | !**/packages/build/
167 | # Uncomment if necessary however generally it will be regenerated when needed
168 | #!**/packages/repositories.config
169 | # NuGet v3's project.json files produces more ignorable files
170 | *.nuget.props
171 | *.nuget.targets
172 |
173 | # Microsoft Azure Build Output
174 | csx/
175 | *.build.csdef
176 |
177 | # Microsoft Azure Emulator
178 | ecf/
179 | rcf/
180 |
181 | # Windows Store app package directories and files
182 | AppPackages/
183 | BundleArtifacts/
184 | Package.StoreAssociation.xml
185 | _pkginfo.txt
186 |
187 | # Visual Studio cache files
188 | # files ending in .cache can be ignored
189 | *.[Cc]ache
190 | # but keep track of directories ending in .cache
191 | !*.[Cc]ache/
192 |
193 | # Others
194 | ClientBin/
195 | ~$*
196 | *~
197 | *.dbmdl
198 | *.dbproj.schemaview
199 | *.jfm
200 | *.pfx
201 | *.publishsettings
202 | orleans.codegen.cs
203 |
204 | # Since there are multiple workflows, uncomment next line to ignore bower_components
205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
206 | #bower_components/
207 |
208 | # RIA/Silverlight projects
209 | Generated_Code/
210 |
211 | # Backup & report files from converting an old project file
212 | # to a newer Visual Studio version. Backup files are not needed,
213 | # because we have git ;-)
214 | _UpgradeReport_Files/
215 | Backup*/
216 | UpgradeLog*.XML
217 | UpgradeLog*.htm
218 |
219 | # SQL Server files
220 | *.mdf
221 | *.ldf
222 | *.ndf
223 |
224 | # Business Intelligence projects
225 | *.rdl.data
226 | *.bim.layout
227 | *.bim_*.settings
228 |
229 | # Microsoft Fakes
230 | FakesAssemblies/
231 |
232 | # GhostDoc plugin setting file
233 | *.GhostDoc.xml
234 |
235 | # Node.js Tools for Visual Studio
236 | .ntvs_analysis.dat
237 | node_modules/
238 |
239 | # Typescript v1 declaration files
240 | typings/
241 |
242 | # Visual Studio 6 build log
243 | *.plg
244 |
245 | # Visual Studio 6 workspace options file
246 | *.opt
247 |
248 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
249 | *.vbw
250 |
251 | # Visual Studio LightSwitch build output
252 | **/*.HTMLClient/GeneratedArtifacts
253 | **/*.DesktopClient/GeneratedArtifacts
254 | **/*.DesktopClient/ModelManifest.xml
255 | **/*.Server/GeneratedArtifacts
256 | **/*.Server/ModelManifest.xml
257 | _Pvt_Extensions
258 |
259 | # Paket dependency manager
260 | .paket/paket.exe
261 | paket-files/
262 |
263 | # FAKE - F# Make
264 | .fake/
265 |
266 | # JetBrains Rider
267 | .idea/
268 | *.sln.iml
269 |
270 | # CodeRush
271 | .cr/
272 |
273 | # Python Tools for Visual Studio (PTVS)
274 | __pycache__/
275 | *.pyc
276 |
277 | # Cake - Uncomment if you are using it
278 | # tools/**
279 | # !tools/packages.config
280 |
281 | # Telerik's JustMock configuration file
282 | *.jmconfig
283 |
284 | # BizTalk build output
285 | *.btp.cs
286 | *.btm.cs
287 | *.odx.cs
288 | *.xsd.cs
289 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "submodules/libprotection-common"]
2 | path = submodules/libprotection-common
3 | url = https://github.com/LibProtection/libprotection-common.git
4 | branch = dev
5 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: csharp
2 | solution: ./sources/LibProtection.Injections/LibProtection.sln
3 | dist: trusty
4 | mono: none
5 | dotnet: 2.1.301
6 |
7 | git:
8 | submodules: false
9 |
10 | before_script:
11 | - git submodule update --init --recursive
12 |
13 | script:
14 | - cd ./sources/LibProtection.Injections
15 | - dotnet build -c Release -f netcoreapp2.0
16 | - cd ./LibProtection.Injections.Tests
17 | - dotnet test -f netcoreapp2.0
18 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 Positive Technologies
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # LibProtection.NET
2 |
3 | ## Disclaimer
4 |
5 | This project is in the state of early beta. It is stable enough for the public testing, but could be used in a production environment only at your own risk.
6 |
7 | **Libprotection.NET** is a .NET version of LibProtection library — an alternative implementation of the standard functionality of the formatted and interpolated strings. It provides a realtime automatic protection from any class of the injection attacks, which belong to the most attacked languages (HTML, URL, JavaScript, SQL and the file paths are currently supported).
8 |
9 | | Windows Build Status | Linux Build Status |
10 | |---|---|
11 | |[](https://ci.appveyor.com/project/libprotection/libprotection-dotnet/branch/dev) | [](https://travis-ci.org/LibProtection/libprotection-dotnet)|
12 |
13 | ## How it works
14 |
15 | The library considers each placeholder in a processed interpolated or format string as a potentially injection point. It performs the following actions in each of these points:
16 |
17 | 1. It decides a grammatical context of the possible injection (taking into account the island grammars, if necessary).
18 | 2. If sanitization rules are defined for the given context, then it sanitizes data, which belongs to the placeholder. Otherwise, data inserts as is.
19 | 3. It performs tokenization of the input data and counting an amount of tokens. If it exceeds 1, then an attack is reported (by throwing an exception or returning a false value, depending on a used library method).
20 |
21 | ## Quick example
22 |
23 | The following code is vulnerable to injection attacks at three different points (provided that variables a, b and c contain values derived from the input data):
24 |
25 | ```csharp
26 | Response.Write($"{c}");
27 | ```
28 |
29 | Assume that the attacker passed the following values to the variables a, b and c:
30 |
31 | a = ``'onmouseover='alert(`XSS`)``
32 | b = ``");alert(`XSS`)``
33 | c = ````
34 |
35 | After interpolation, the resulting string will look like this:
36 |
37 | ````
38 |
39 | Thus, the attacker has the ability to implement the XSS attack by three different ways. However, after trivial wrapping the interpolated string in the LibProtection API call, this code becomes absolutely protected:
40 |
41 | ```csharp
42 | Response.Write(SafeString.Format($"{c}"));
43 | ```
44 |
45 | In this case, after interpolation, the resulting string will look like this:
46 |
47 | ``<script>alert(`XSS`)</script>``
48 |
49 | ## SafeStringBuilder
50 |
51 | :bangbang: This is an experimental feature and should not be used in a production environment.
52 |
53 | [SafeStringBuilder](https://github.com/LibProtection/libprotection-dotnet/blob/dev/sources/LibProtection.Injections/LibProtection.Injections/SafeStringBuilder/SafeStringBuilder.cs) class supports mixing tainted and non-tainted substring within one instance. For example, if a substring is added via to an instance of `SafeStringBuilder` via `Append(string value)` method, it will be considered tainted. On the other hand, a substring via `UncheckedAppend(string value)` method, it will be considered safe from being tampered by a potential attacker.
54 | Other methods, like `Insert` or `Replace` also have an "unchecked" version (`UncheckedInsert` and `UncheckedReplace`).
55 |
56 | Unlike in `SafeString.Format()` method, attack detection is postponed until a string is built inside an instance of `SafeStringBuilder` and `ToString()` method is called. If an attack is detected, an `AttackDetectedException` will be thrown.
57 |
58 | ## Try it online
59 |
60 | A test site that imitates a vulnerable application protected by the library (only [SafeString.TryFormat](https://github.com/LibProtection/libprotection-dotnet/blob/dev/sources/LibProtection.Injections/LibProtection.Injections/SafeString.cs#L24) for now) is available [here](http://playground.libprotection.org/).
61 |
62 | ## Additional resources
63 |
64 | *"LibProtection: Defeating Injections"* — webinar talk (Russian): [slides](https://speakerdeck.com/kochetkov/libprotection-pobiezhdaia-iniektsii), [video](https://youtu.be/mvFcpnoUfmM).
65 |
66 | *"LibProtection: 6 months later"* — meetup talk (Russian): [slides](https://speakerdeck.com/kochetkov/libprotection-6-miesiatsiev-spustia), [video](https://youtu.be/IiHHvE3FdC8?list=PLaKsSq6rTf22r9te6azn43JtMCUlFNtqs).
67 |
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
1 | version: 0.12.{build}
2 | skip_tags: true
3 | image: Visual Studio 2019
4 | init:
5 | - cmd: git config --global core.autocrlf false
6 | dotnet_csproj:
7 | patch: true
8 | file: '**\*.csproj'
9 | version: '{version}'
10 | version_prefix: '{version}'
11 | package_version: '{version}-beta'
12 | assembly_version: '{version}'
13 | file_version: '{version}'
14 | informational_version: '{version}-beta'
15 | install:
16 | - cmd: git submodule update --init --recursive
17 | build_script:
18 | - cmd: >-
19 | dotnet --info
20 |
21 | dotnet restore sources\LibProtection.Injections
22 |
23 | dotnet build -c Release sources\LibProtection.Injections
24 | after_test:
25 | - cmd: 7z a -r sources\LibProtection.Injections\LibProtection.Injections\bin\Release\LibProtection-%APPVEYOR_BUILD_VERSION%.zip sources\LibProtection.Injections\LibProtection.Injections\bin\Release\*.dll sources\LibProtection.Injections\LibProtection.Injections\bin\Release\*.xml
26 | artifacts:
27 | - path: sources\LibProtection.Injections\LibProtection.Injections\bin\Release\*.zip
28 | name: binaries
29 | - path: sources\LibProtection.Injections\LibProtection.Injections\bin\Release\*.nupkg
30 | name: packages
31 | deploy: off
32 | notifications:
33 | - provider: Email
34 | to:
35 | - libprotection@outlook.com
36 | on_build_success: true
37 | on_build_failure: true
38 | on_build_status_changed: true
--------------------------------------------------------------------------------
/scripts/build-libprotection.injections.cmd:
--------------------------------------------------------------------------------
1 | dotnet --info
2 | dotnet restore ..\sources\LibProtection.Injections
3 | dotnet build -c Release ..\sources\LibProtection.Injections
4 |
--------------------------------------------------------------------------------
/scripts/build-libprotection.playground.cmd:
--------------------------------------------------------------------------------
1 | ..\tools\nuget\nuget.exe restore ..\sources\LibProtection.PlayGround\LibProtection.PlayGround.sln
2 |
3 | set vs2017dir=%programfiles(x86)%\Microsoft Visual Studio\2017
4 | set msbuild="%vs2017dir%\Community\MSBuild\15.0\Bin\MSBuild.exe"
5 | if not exist %msbuild% (
6 | set msbuild="%vs2017dir%\Enterprise\MSBuild\15.0\Bin\MSBuild.exe"
7 | )
8 | if not exist %msbuild% (
9 | set msbuild="%vs2017dir%\Professional\MSBuild\15.0\Bin\MSBuild.exe"
10 | )
11 |
12 | %msbuild% ..\sources\LibProtection.PlayGround\LibProtection.PlayGround.sln /t:Rebuild /p:Configuration=Release
13 |
--------------------------------------------------------------------------------
/sources/LibProtection.Injections/LibProtection.Injections.Tests/FunctionalTests.cs:
--------------------------------------------------------------------------------
1 | using NUnit.Framework;
2 | using System;
3 | using System.Collections;
4 | using System.Linq;
5 |
6 | namespace LibProtection.Injections.Tests
7 | {
8 | [TestFixture(Category = nameof(FunctionalTests))]
9 | public class FunctionalTests
10 | {
11 | public class DataPoint
12 | {
13 | public Type LanguageProviderType { get; private set; }
14 | public string Result { get; private set; }
15 | public string Format { get; private set; }
16 | public object[] Arguments { get; private set; }
17 |
18 | public bool IsAttack()
19 | {
20 | return Result == null;
21 | }
22 |
23 | public static DataPoint GetDataPoint(string result, string format, params object[] arguments) where T : LanguageProvider
24 | {
25 | DataPoint point = new DataPoint();
26 | point.LanguageProviderType = typeof(T);
27 | point.Result = result;
28 | point.Format = format;
29 | point.Arguments = arguments;
30 | return point;
31 | }
32 | }
33 |
34 | private static DataPoint[] testCases = new DataPoint[]{
35 | //Valid
36 | DataPoint.GetDataPoint("This site's home page", "{2}", "Default.aspx", "Hello from embedded JavaScript code!", "This site's home page"),
37 | DataPoint.GetDataPoint("operationResult.innerText = 'operationResult.innerText = \\u0027Hello from internal JavaScript code!\\u0027;';", "operationResult.innerText = '{0}';", "operationResult.innerText = 'Hello from internal JavaScript code!';"),
38 | DataPoint.GetDataPoint("SELECT * FROM myTable WHERE id = 1 AND myColumn = 'value1'", "SELECT * FROM myTable WHERE id = {0} AND myColumn = '{1}'", 1, "value1"),
39 | DataPoint.GetDataPoint("Assets/jsFile.js", "{0}/{1}", "Assets", "jsFile.js"),
40 | DataPoint.GetDataPoint("C:\\inetpub\\playground.libprotection.org\\Assets\\textFile.txt", "C:\\inetpub\\playground.libprotection.org\\Assets\\{0}", "textFile.txt"),
41 | //Attacks
42 | DataPoint.GetDataPoint(null, "", "
"),
43 | DataPoint.GetDataPoint(null, "operationResult.innerText = {0};", "'
"),
44 | DataPoint.GetDataPoint(null, "SELECT * FROM myTable WHERE id = {0}", "1 OR 1==1 --"),
45 | DataPoint.GetDataPoint(null, "{0}/{1}", "../Asserts", "jsFile.js"),
46 | DataPoint.GetDataPoint(null, "C:\\Assets\\{0}", "..\\jsFile.js"),
47 | //safe modifier
48 | DataPoint.GetDataPoint(":safe", ":safe"),
49 | DataPoint.GetDataPoint(":safe<br>", "{0}", ":safe
"),
50 | DataPoint.GetDataPoint("<br>xxx:safe", "{0}xxx:safe", "
"),
51 | DataPoint.GetDataPoint("
", "{0:safe}", "
"),
52 | DataPoint.GetDataPoint("
", "{0:SaFe}", "
"),
53 | DataPoint.GetDataPoint("
:safe", "{0:safe}:safe", "
"),
54 | DataPoint.GetDataPoint("
<br>", "{0:safe}{1}", "
", "
"),
55 | DataPoint.GetDataPoint("<br>
<br>", "{0}{1:safe}{2}", "
", "
", "
"),
56 | };
57 |
58 |
59 | public static IEnumerable TestCases
60 | {
61 | get
62 | {
63 | int i = 0;
64 | foreach(var testCase in testCases)
65 | {
66 | yield return new TestCaseData(testCase).SetName($"Functional test #{++i}");
67 | }
68 | }
69 | }
70 |
71 | private delegate bool TryFormatDelegate(string format, out string formatted, params object[] args);
72 | private delegate string FormatDelegate(RawString format, params object[] args);
73 |
74 | private static void GetFormatters(Type providerType, out TryFormatDelegate tryFormatDelegate, out FormatDelegate formatDelegate)
75 | {
76 | var methods = typeof(SafeString<>).MakeGenericType(providerType).GetMethods();
77 |
78 | var tryFormatMethod = methods.First(x => x.Name == "TryFormat" && x.GetParameters()[0].ParameterType == typeof(string));
79 | tryFormatDelegate = (TryFormatDelegate)Delegate.CreateDelegate(typeof(TryFormatDelegate), null, tryFormatMethod);
80 |
81 | var formatMethod = methods.First(x => x.Name == "Format" && x.GetParameters()[0].ParameterType == typeof(RawString));
82 | formatDelegate = (FormatDelegate)Delegate.CreateDelegate(typeof(FormatDelegate), null, formatMethod);
83 | }
84 |
85 |
86 | [Test, TestCaseSource(typeof(FunctionalTests), nameof(TestCases))]
87 | public void FunctionalTest(DataPoint dataPoint)
88 | {
89 | GetFormatters(dataPoint.LanguageProviderType, out var tryFormatDelegate, out var formatDelegate);
90 | var tryFormatResult = tryFormatDelegate(dataPoint.Format, out var tryFormatResultValue, dataPoint.Arguments);
91 |
92 | if (dataPoint.IsAttack())
93 | {
94 | Assert.False(tryFormatResult);
95 |
96 | bool failed = false;
97 | try
98 | {
99 | formatDelegate(dataPoint.Format, dataPoint.Arguments);
100 | }
101 | catch(AttackDetectedException)
102 | {
103 | failed = true;
104 | }
105 | Assert.IsTrue(failed);
106 | }
107 | else{
108 | Assert.IsTrue(tryFormatResult);
109 | Assert.AreEqual(tryFormatResultValue, dataPoint.Result);
110 |
111 | var formatResultValue = formatDelegate(dataPoint.Format, dataPoint.Arguments);
112 | Assert.AreEqual(formatResultValue, dataPoint.Result);
113 | }
114 | }
115 | }
116 | }
117 |
--------------------------------------------------------------------------------
/sources/LibProtection.Injections/LibProtection.Injections.Tests/LibProtection.Injections.Tests.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | netcoreapp2.0;net461
5 | true
6 | ..\..\LibProtection.snk
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 | TestCases\%(RecursiveDir)%(Filename)%(Extension)
18 | Always
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | PreserveNewest
29 |
30 |
31 | Always
32 |
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/sources/LibProtection.Injections/LibProtection.Injections.Tests/SafeStringBuilderTests.cs:
--------------------------------------------------------------------------------
1 | using NUnit.Framework;
2 |
3 | namespace LibProtection.Injections.Tests
4 | {
5 | [TestFixture]
6 | class SafeStringBuilderTests
7 | {
8 | [Test]
9 | public void TestAppend()
10 | {
11 | var sb = new SafeStringBuilder();
12 | sb.UncheckedAppend("