Release the code!

Signed-off-by: David Black <[email protected]>

Author: dbaxa

LICENSE

@@ -0,0 +1,22 @@
+Copyright © 2012 - 2013 Atlassian Corporation Pty Ltd.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README

@@ -0,0 +1,8 @@
+This package contains a django template parser that can be used to find templates
+that contain variables that will not be escaped. This package currently has
+no knowledge of custom filters, custom tags, and python code (e.g. uses of
+mark safe). The code has only been tested against django 1.5.
+
+Use:
+This package can be used on the command line by running
+ python -m django_xss_detection.cli

django_xss_detection/__init__.py

@@ -0,0 +1 @@
+__version__="0.4.9"

django_xss_detection/cli.py

@@ -0,0 +1,50 @@
+import argparse
+import collections
+import json
+
+from . import util
+
+
+def setup_option():
+	opt = argparse.ArgumentParser(description = \
+		"Find potential xss bugs in a django app!")
+	opt.add_argument("-d", "--template-directory", dest="template_dirs",
+		action="append", help = "Specify a template directory. " +
+		"This argument can be specified multiple times.", required=True)
+	opt.add_argument("-j", "--json", dest="json_output",
+		action="store_true", help = "Print results out as JSON.")
+	return opt
+
+def main(template_dirs, json_output=False):
+	util.configure_django(template_dirs)
+	f_results = util.walk_templates(template_dirs)
+	if json_output:
+		_output_results_in_json(f_results)
+	else:
+		for template_name, results in f_results.iteritems():
+			print template_name
+			for result in results:
+				print '	', result
+
+def _output_results_in_json(f_results):
+	""" Prints out results in JSON in the following format:
+	    {'filename' : [{'result ...}, 'filename_two' : [...] }
+	"""
+	out = collections.defaultdict(list)
+	for filename, results in f_results.iteritems():
+		for result in results:
+			result_dict = {'line_number' : result.get_line_number(),
+				'finding_reason' : result._get_reason(),
+				'vulnerability_text' :
+					result.get_vulnerability_text(),
+			}
+			out[result.get_filename()].append(result_dict)
+	print json.dumps(out)
+
+def from_cli():
+	opt = setup_option()
+	args = opt.parse_args()
+	main(args.template_dirs, args.json_output)
+
+if __name__=="__main__":
+	from_cli()

django_xss_detection/loaders/__init__.py

@@ -0,0 +1,13 @@
+from django.template.loader import BaseLoader, get_template_from_string
+
+class Loader(BaseLoader):
+	""" This loader will always return an 'empty' template and *therefore*
+	    *should* be the last loader in settings.TEMPLATE_LOADERS.
+	"""
+	is_usable = True
+	def load_template(self, template_name, template_dirs=None):
+		template = get_template_from_string('', None, template_name)
+		return template, None
+
+	def load_template_source(self, template_name, template_dirs=None):
+		return '', None