From a7f39383913d5adce906253b6775d8398243d8ef Mon Sep 17 00:00:00 2001 From: Niels Lohmann Date: Mon, 16 Jan 2017 20:03:50 +0100 Subject: [PATCH] :white_check_mark: added Big List of Naughty Strings --- test/data/big-list-of-naughty-strings/LICENSE | 22 + .../big-list-of-naughty-strings/blns.json | 496 ++++++++++++++++++ test/src/unit-testsuites.cpp | 11 + 3 files changed, 529 insertions(+) create mode 100644 test/data/big-list-of-naughty-strings/LICENSE create mode 100644 test/data/big-list-of-naughty-strings/blns.json diff --git a/test/data/big-list-of-naughty-strings/LICENSE b/test/data/big-list-of-naughty-strings/LICENSE new file mode 100644 index 00000000..3a041642 --- /dev/null +++ b/test/data/big-list-of-naughty-strings/LICENSE @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2015 Max Woolf + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + diff --git a/test/data/big-list-of-naughty-strings/blns.json b/test/data/big-list-of-naughty-strings/blns.json new file mode 100644 index 00000000..ed832d4d --- /dev/null +++ b/test/data/big-list-of-naughty-strings/blns.json @@ -0,0 +1,496 @@ +[ + "", + "undefined", + "undef", + "null", + "NULL", + "(null)", + "nil", + "NIL", + "true", + "false", + "True", + "False", + "TRUE", + "FALSE", + "None", + "hasOwnProperty", + "\\", + "\\\\", + "0", + "1", + "1.00", + "$1.00", + "1/2", + "1E2", + "1E02", + "1E+02", + "-1", + "-1.00", + "-$1.00", + "-1/2", + "-1E2", + "-1E02", + "-1E+02", + "1/0", + "0/0", + "-2147483648/-1", + "-9223372036854775808/-1", + "0.00", + "0..0", + ".", + "0.0.0", + "0,00", + "0,,0", + ",", + "0,0,0", + "0.0/0", + "1.0/0.0", + "0.0/0.0", + "1,0/0,0", + "0,0/0,0", + "--1", + "-", + "-.", + "-,", + "999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999", + "NaN", + "Infinity", + "-Infinity", + "INF", + "1#INF", + "-1#IND", + "1#QNAN", + "1#SNAN", + "1#IND", + "0x0", + "0xffffffff", + "0xffffffffffffffff", + "0xabad1dea", + "123456789012345678901234567890123456789", + "1,000.00", + "1 000.00", + "1'000.00", + "1,000,000.00", + "1 000 000.00", + "1'000'000.00", + "1.000,00", + "1 000,00", + "1'000,00", + "1.000.000,00", + "1 000 000,00", + "1'000'000,00", + "01000", + "08", + "09", + "2.2250738585072011e-308", + ",./;'[]\\-=", + "<>?:\"{}|_+", + "!@#$%^&*()`~", + "Ω≈ç√∫˜µ≤≥÷", + "åß∂ƒ©˙∆˚¬…æ", + "œ∑´®†¥¨ˆøπ“‘", + "¡™£¢∞§¶•ªº–≠", + "¸˛Ç◊ı˜Â¯˘¿", + "ÅÍÎÏ˝ÓÔÒÚÆ☃", + "Œ„´‰ˇÁ¨ˆØ∏”’", + "`⁄€‹›fifl‡°·‚—±", + "⅛⅜⅝⅞", + "ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя", + "٠١٢٣٤٥٦٧٨٩", + "⁰⁴⁵", + "₀₁₂", + "⁰⁴⁵₀₁₂", + "ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็", + "'", + "\"", + "''", + "\"\"", + "'\"'", + "\"''''\"'\"", + "\"'\"'\"''''\"", + "", + "", + "", + "", + "田中さんにあげて下さい", + "パーティーへ行かないか", + "和製漢語", + "部落格", + "사회과학원 어학연구소", + "찦차를 타고 온 펲시맨과 쑛다리 똠방각하", + "社會科學院語學研究所", + "울란바토르", + "𠜎𠜱𠝹𠱓𠱸𠲖𠳏", + "ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ ", + "(。◕ ∀ ◕。)", + "`ィ(´∀`∩", + "__ロ(,_,*)", + "・( ̄∀ ̄)・:*:", + "゚・✿ヾ╲(。◕‿◕。)╱✿・゚", + ",。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’", + "(╯°□°)╯︵ ┻━┻) ", + "(ノಥ益ಥ)ノ ┻━┻", + "┬─┬ノ( º _ ºノ)", + "( ͡° ͜ʖ ͡°)", + "😍", + "👩🏽", + "👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 ", + "🐵 🙈 🙉 🙊", + "❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙", + "✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿", + "🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧", + "0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟", + "🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 ", + "🇺🇸🇷🇺🇸🇦🇫🇦🇲", + "🇺🇸🇷🇺🇸🇦", + "123", + "١٢٣", + "ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.", + "בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ", + "הָיְתָהtestالصفحات التّحول", + "﷽", + "ﷺ", + "مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، ", + "​", + " ", + "᠎", + " ", + "", + "␣", + "␢", + "␡", + "‪‪test‪", + "‫test‫", + "
test
", + "test⁠test‫", + "⁦test⁧", + "Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣", + "̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰", + "̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟", + "̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕", + "Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮", + "˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥", + "00˙Ɩ$-", + "The quick brown fox jumps over the lazy dog", + "𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠", + "𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌", + "𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈", + "𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰", + "𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘", + "𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐", + "⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢", + "", + "<script>alert('123');</script>", + "", + " ", + "\">", + "'>", + ">", + "", + "< / script >< script >alert(123)< / script >", + " onfocus=JaVaSCript:alert(123) autofocus ", + "\" onfocus=JaVaSCript:alert(123) autofocus ", + "' onfocus=JaVaSCript:alert(123) autofocus ", + "<script>alert(123)</script>", + "ript>alert(123)ript>", + "-->", + "\";alert(123);t=\"", + "';alert(123);t='", + "JavaSCript:alert(123)", + ";alert(123);", + "src=JaVaSCript:prompt(132)", + "\"><\\x3Cscript>javascript:alert(1) ", + "'`\"><\\x00script>javascript:alert(1)", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "ABC
DEF", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "test", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "`\"'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "\"`'>", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "XXX", + "javascript:alert(1)\"` `>", + "", + "", + "<a href=http://foo.bar/#x=`y></a><img alt=\"`><img src=x:x onerror=javascript:alert(1)></a>\">", + "<!--[if]><script>javascript:alert(1)</script -->", + "<!--[if<img src=x onerror=javascript:alert(1)//]> -->", + "<script src=\"/\\%(jscript)s\"></script>", + "<script src=\"\\\\%(jscript)s\"></script>", + "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">", + "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", + "<IMG SRC=# onmouseover=\"alert('xxs')\">", + "<IMG SRC= onmouseover=\"alert('xxs')\">", + "<IMG onmouseover=\"alert('xxs')\">", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG SRC=javascript:alert('XSS')>", + "<IMG SRC=\"jav ascript:alert('XSS');\">", + "<IMG SRC=\"jav ascript:alert('XSS');\">", + "<IMG SRC=\"jav ascript:alert('XSS');\">", + "<IMG SRC=\"jav ascript:alert('XSS');\">", + "perl -e 'print \"<IMG SRC=java\\0script:alert(\\\"XSS\\\")>\";' > out", + "<IMG SRC=\"  javascript:alert('XSS');\">", + "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", + "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", + "<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", + "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>", + "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", + "<SCRIPT SRC=//ha.ckers.org/.j>", + "<IMG SRC=\"javascript:alert('XSS')\"", + "<iframe src=http://ha.ckers.org/scriptlet.html <", + "\\\";alert('XSS');//", + "<u oncopy=alert()> Copy me</u>", + "<i onwheel=alert(1)> Scroll over me </i>", + "<plaintext>", + "http://a/%%30%30", + "</textarea><script>alert(123)</script>", + "1;DROP TABLE users", + "1'; DROP TABLE users-- 1", + "' OR 1=1 -- 1", + "' OR '1'='1", + " ", + "%", + "_", + "-", + "--", + "--version", + "--help", + "$USER", + "/dev/null; touch /tmp/blns.fail ; echo", + "`touch /tmp/blns.fail`", + "$(touch /tmp/blns.fail)", + "@{[system \"touch /tmp/blns.fail\"]}", + "eval(\"puts 'hello world'\")", + "System(\"ls -al /\")", + "`ls -al /`", + "Kernel.exec(\"ls -al /\")", + "Kernel.exit(1)", + "%x('ls -al /')", + "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>", + "$HOME", + "$ENV{'HOME'}", + "%d", + "%s", + "{0}", + "%*.*s", + "../../../../../../../../../../../etc/passwd%00", + "../../../../../../../../../../../etc/hosts", + "() { 0; }; touch /tmp/blns.shellshock1.fail;", + "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }", + "+++ATH0", + "<<< %s(un='%s') = %u", + "CON", + "PRN", + "AUX", + "CLOCK$", + "NUL", + "A:", + "ZZ:", + "COM1", + "LPT1", + "LPT2", + "LPT3", + "COM2", + "COM3", + "COM4", + "DCC SEND STARTKEYLOGGER 0 0 0", + "Scunthorpe General Hospital", + "Penistone Community Church", + "Lightwater Country Park", + "Jimmy Clitheroe", + "Horniman Museum", + "shitake mushrooms", + "RomansInSussex.co.uk", + "http://www.cum.qc.ca/", + "Craig Cockburn, Software Specialist", + "Linda Callahan", + "Dr. Herman I. Libshitz", + "magna cum laude", + "Super Bowl XXX", + "medieval erection of parapets", + "evaluate", + "mocha", + "expression", + "Arsenal canal", + "classic", + "Tyson Gay", + "Dick Van Dyke", + "basement", + "If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.", + "Roses are \u001b[0;31mred\u001b[0m, violets are \u001b[0;34mblue. Hope you enjoy terminal hue", + "But now...\u001b[20Cfor my greatest trick...\u001b[8m", + "The quic\b\b\b\b\b\bk brown fo\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007\u0007x... [Beeeep]", + "Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗" +] diff --git a/test/src/unit-testsuites.cpp b/test/src/unit-testsuites.cpp index a43e1997..b939bb62 100644 --- a/test/src/unit-testsuites.cpp +++ b/test/src/unit-testsuites.cpp @@ -815,3 +815,14 @@ TEST_CASE("nst's JSONTestSuite") } } } + +TEST_CASE("Big List of Naughty Strings") +{ + // test from https://github.com/minimaxir/big-list-of-naughty-strings + SECTION("blns.json") + { + std::ifstream f("test/data/big-list-of-naughty-strings/blns.json"); + json j; + CHECK_NOTHROW(j << f); + } +}