actiondebug 1.0.0

data/.gitignore

@@ -0,0 +1,39 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# Ignore vim temp files
+*.swp
+*.swo
+*~

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in lorem.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Blake Hitchcock
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,107 @@
+# actiondebug
+A gem to show which *_filters affect your Rails controllers. Useful for security
+research (which controllers and actions skip an auth check?) and debugging
+development problems (why isn't a method running for a given request?)
+
+# Examples
+
+### Sample Application
+```ruby
+class ApplicationController < ActionController::Base
+  before_filter :require_login
+  before_filter :refresh_session
+
+  def index
+  end
+
+  private
+  def require_login
+  end
+
+  def refresh_session
+  end
+end
+
+class SessionsController < ApplicationController
+  skip_before_filter :require_login, :except => :active
+  before_filter :update_session, :only => :create
+  before_filter :destroy_session, :only => :new
+
+  def index
+  end
+
+  def new
+  end
+
+  def create
+  end
+
+  def active
+  end
+
+  private
+  def udpate_session
+  end
+
+  def destroy_session
+  end
+end
+```
+
+### Commands in Rails Console
+```ruby
+## Show all actions and filters for controllers which inherit from a controller (including itself)
+> ApplicationController.filters_for_self_and_descendants
+# => {
+#     :ApplicationController => {:index => [:require_login, :refresh_session]},
+#     :SessionsController => {
+#                              :index => [:refresh_sesion],
+#                              :new => [:refresh_session, :destroy_session],
+#                              :create => [:refresh_session, :update_session],
+#                              :active => [:require_login, :refresh_session]
+#                            }
+#    }
+
+## Show all filters used by a controller
+> SessionsController.filters
+# => {
+#      :index => [:refresh_session],
+#      :create => [:refresh_session, :destroy_session],
+#      :new => [:refresh_session, :udpate_session],
+#      :active => [:require_login, :refresh_session]
+#    }
+
+## Show all before filters for a given action
+> SessionsController.before_filters(:new)
+# => {
+#     :new => [:refresh_session, :update_session]
+#    }
+
+## Show all actions which skip a given filter, scoped to self and descendants
+> ApplicationController.actions_skipping_filter(:require_login)
+# => {
+#      :SessionsController => [:index, :new, :create]
+#    }
+```
+
+# Installation
+## Using Bundler
+```
+# From https://rubygems.org
+gem 'actiondebug', '~> 1.0.0'
+
+# From github
+gem 'actiondebug', '~> 1.0.0', git: "https://github.com/rbhitchcock/actiondebug"
+```
+
+## Standalone Gem
+```
+gem -v '1.0.0' actiondebug
+```
+
+## From source
+```
+> git clone https://github.com/rbhitchcock/actiondebug.git
+> cd actiondebug
+> rake install
+```

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/actiondebug.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'actiondebug/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "actiondebug"
+  spec.version       = ActionDebug::VERSION
+  spec.authors       = ["Blake Hitchcock"]
+  spec.email         = ["rbhitchcock@gmail.com"]
+  spec.summary       = "A gem to show which *_filters affect your Rails controllers"
+  spec.description   = <<-EOF
+    actiondebug is a utility that can give you more insight
+    into the structure of your Rails application. It can show all filters that
+    a controller is using, grouped by action. It can also report which actions
+    skip a given filter. Its extendability is essentially endless. Great tool
+    for security researchers and developers alike.
+  EOF
+  spec.homepage      = "https://github.com/rbhitchcock/actiondebug"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rake"
+end

data/lib/actiondebug.rb

@@ -0,0 +1,4 @@
+if defined? Rails
+  require 'actiondebug/controller'
+  require 'actiondebug/railtie'
+end

data/lib/actiondebug/controller.rb

@@ -0,0 +1,148 @@
+module ActionDebug
+  module Controller
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # With current knowledge of Rails internals, we are going to have to call
+      # this method several times when building up a map of the entire
+      # application.
+      def filters(p = {})
+        if p[:action].nil?
+          action_methods(false).reduce({}) do |h, action|
+            h[action.to_sym] = filters_for_action(action, p)
+            h
+          end
+        else
+          {p[:action].to_sym => filters_for_action(p[:action], p)}
+        end
+      end
+
+      def before_filters(action = nil)
+        filters kind: :before, action: action
+      end
+
+      def around_filters(action = nil)
+        filters kind: :around, action: action
+      end
+
+      def after_filters(action = nil)
+        filters kind: :after, action: action
+      end
+
+      def filters_for_self_and_descendants(p = {})
+        [self.name.to_sym, symbolized_descendants].flatten.reduce({}) do |h, d|
+          h[d] = safe_instantiate(d).send(:filters, p)
+          h
+        end
+      end
+
+      def before_filters_for_self_and_descendants
+        filters_for_self_and_descendants({kind: :before})
+      end
+
+      def around_filters_for_self_and_descendants(p = {})
+        filters_for_self_and_descendants({kind: :around})
+      end
+
+      def after_filters_for_self_and_descendants
+        filters_for_self_and_descendants({kind: :after})
+      end
+
+      # FIXME: what about filters with the same name in different controllers?
+      def actions_skipping_filter(filter)
+        filters_for_self_and_descendants.reduce({}) do |h, tuple|
+          # We want to handle the false positive of someone supplying a filter
+          # that simply does not exist either at all, or for the current
+          # controller being analyzed.
+          if !safe_instantiate(tuple.first).defined_filters.include?(filter)
+            puts "Filter #{filter} is not defined for #{tuple.first.to_s}. Skipping."
+            h[tuple.first] = []
+          else
+            h[tuple.first] = tuple.last.keys.select do |action|
+              !tuple.last[action].include?(filter.to_sym)
+            end
+          end
+          h
+        end.keep_if { |key, val| !val.empty? }
+      end
+
+      # FIXME: what about filters with the same name in different controllers?
+      def actions_using_filter(filter)
+        filters_for_self_and_descendants.reduce({}) do |h, tuple|
+          h[tuple.first] = tuple.last.keys.select do |action|
+            tuple.last[action].include?(filter.to_sym)
+          end
+          h
+        end.keep_if { |key, val| !val.empty? }
+      end
+
+      # This is just like action_methods found in the AbstractController class,
+      # but we provide the option to not include inherited methods
+      def action_methods(include_ans = true)
+        methods = super()
+        methods & public_instance_methods(false).map(&:to_s) unless include_ans
+      end
+
+      def defined_filters
+        @defined_filters ||= filters_for_self.map(&:filter)
+      end
+
+      private
+
+      def filters_for_self
+        @filters_for_self ||= _process_action_callbacks
+      end
+
+      def symbolized_descendants
+        @symbolized_descendants ||= symbolize_descendants
+      end
+
+      def filter_for_kind?(filter, kind)
+        return true if kind.nil?
+        filter.kind == kind
+      end
+
+      def filter_runs_for_action?(filter, action)
+        return true if action.nil? or filter.per_key.empty?
+        # XXX The @per_key attribute used below builds up its conditionals using
+        # action_name as the attribute to compare against. I don't like depending
+        # on this, but I don't see any way around it. Just keep this in mind if
+        # things ever start breaking.
+        action_name = action.to_s
+        conditions = ["true"]
+        unless filter.per_key[:if].empty?
+          conditions << Array.wrap("(#{filter.per_key[:if].first})")
+        end
+        unless filter.per_key[:unless].empty?
+          conditions << Array.wrap("!(#{filter.per_key[:unless].first})")
+        end
+        # XXX I feel safe using eval because we are only accessing Rails internal
+        # stuff, but try to come up with a better way to do this in the future if
+        # possible.
+        eval conditions.flatten.join(" && ")
+      end
+
+      def filters_for_action(action, p)
+        filters_for_self.select do |c|
+          filter_for_kind?(c, p[:kind]) and filter_runs_for_action?(c, action)
+        end.map(&:filter)
+      end
+
+      def safe_instantiate(klass)
+        return self unless is_a_descendant?(klass)
+        klass.to_s.constantize
+      end
+
+      def symbolize_descendants
+        Rails.application.eager_load! if Rails.env != "production"
+        descendants.map do |d|
+          d.name.to_sym
+        end
+      end
+
+      def is_a_descendant?(klass)
+        symbolized_descendants.include?(klass)
+      end
+    end
+  end
+end

data/lib/actiondebug/railtie.rb

@@ -0,0 +1,10 @@
+module ActionDebug
+  class Railtie < Rails::Railtie
+    initializer "actiondebug.action_controller" do
+      ActiveSupport.on_load(:action_controller) do
+        puts "Extending #{self} with ActionDebug"
+        include ActionDebug::Controller
+      end
+    end
+  end
+end

data/lib/actiondebug/version.rb

@@ -0,0 +1,3 @@
+module ActionDebug
+  VERSION = "1.0.0"
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: actiondebug
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Blake Hitchcock
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ! "    actiondebug is a utility that can give you more insight\n    into
+  the structure of your Rails application. It can show all filters that\n    a controller
+  is using, grouped by action. It can also report which actions\n    skip a given
+  filter. Its extendability is essentially endless. Great tool\n    for security researchers
+  and developers alike.\n"
+email:
+- rbhitchcock@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- actiondebug.gemspec
+- lib/actiondebug.rb
+- lib/actiondebug/controller.rb
+- lib/actiondebug/railtie.rb
+- lib/actiondebug/version.rb
+homepage: https://github.com/rbhitchcock/actiondebug
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3255717403200248515
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3255717403200248515
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: A gem to show which *_filters affect your Rails controllers
+test_files: []