bot-away 1.0.0

data/History.txt

@@ -0,0 +1,4 @@
+=== 0.0.1 2010-03-24
+
+* 1 major enhancement:
+  * Initial release

data/Manifest.txt

@@ -0,0 +1,23 @@
+History.txt
+Manifest.txt
+README.rdoc
+Rakefile
+lib/bot-away.rb
+lib/bot-away/action_controller/request.rb
+lib/bot-away/action_view/helpers/instance_tag.rb
+lib/bot-away/param_parser.rb
+lib/bot-away/spinner.rb
+script/console
+script/destroy
+script/generate
+spec/controllers/test_controller_spec.rb
+spec/lib/action_view/helpers/instance_tag_spec.rb
+spec/lib/builder_spec.rb
+spec/lib/param_parser_spec.rb
+spec/spec_helper.rb
+spec/support/controllers/test_controller.rb
+spec/support/honeypot_matcher.rb
+spec/support/obfuscation_helper.rb
+spec/support/obfuscation_matcher.rb
+spec/support/views/test/index.html.erb
+spec/support/views/test/model_form.html.erb

data/README.rdoc

@@ -0,0 +1,88 @@
+= bot-away
+
+* http://github.com/sinisterchipmunk/bot-away
+
+== DESCRIPTION:
+
+Unobtrusively detects form submissions made by spambots, and silently drops those submissions. The key word here is
+"unobtrusive" -- this is NOT a CAPTCHA. This is transparent, modular implementation of the bot-catching techniques
+discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html
+
+If a submission is detected, the params hash is cleared, so the data can't be used. Since this includes the authenticity
+token, Rails should barf due to an invalid or missing authenticity token. Congrats, spam blocked.
+
+The specifics of the techniques employed for filtering spambots are discussed Ned's site at the above location; however,
+here's a brief run-down of what's going on:
+
+* Your code stays the same. After the bot-away gem has been activated, all Rails-generated forms on your site
+  will automatically be transformed into bot-resistent forms.
+* All of the form elements that you create (for instance, a "comment" model with a "body" field) are turned into
+  dummy elements, or honeypots, and are made invisible to the end user. This is done using div elements and inline CSS
+  stylesheets. There are several ways an element can be hidden, and these approaches are chosen at random to help
+  minimize predictability. In the rare event that a real user actually can see the element, it has a label next to it
+  along the lines of "Leave this blank" -- though the exact message is randomized to help prevent detection.
+* All of the form elements are mirrored by hashes. The hashes are generated using the session's authenticity token,
+  so they can't be predicted.
+* When data is submitted, bot-away steps in and 1.) validates that no honeypots have been filled in; and 2)
+  converts the hashed elements back into the field names that you are expecting (replacing the honeypot fields).
+* If a honeypot has been filled in, or a hashed element is missing where it was expected, then the request is
+  considered to be either spam, or tampered with; and the entire params hash is emptied. Since this happens at the
+  lowest level, the most likely result is that Rails will complain that the user's authenticity token is invalid. If
+  that does not happen, then your code will be passed a params hash containing only a "suspected_bot" key, and an error
+  will result. Either way, the spambot has been foiled!
+
+== FEATURES/PROBLEMS:
+
+* Wherever protection from forgery is not enabled in your Rails app, the Rails forms will be generated as if this gem
+  did not exist. That means hashed elements won't be generated, honeypots won't be generated, and posted forms will not
+  be intercepted.
+
+* By default, protection from forgery is enabled for all Rails controllers, so by default the above-mentioned checks
+  will also be triggered. For more details on forgery protection, see:
+  http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
+  
+* The techniques implemented by this library will be very difficult for a spambot to circumvent. However, keep in mind
+  that since the pages have to be machine-readable by definition, and since this gem has to follow certain protocols
+  in order to avoid confusing lots of humans (such as hiding the honeypots), it is always theoretically possible for
+  a spambot to get around it. It's just very, very difficult.
+
+== REQUIREMENTS:
+
+* Rails 2.3.5 or better.
+
+== INSTALL:
+
+* sudo gem install bot-away
+
+== USAGE:
+
+In your Rails config/environment.rb:
+
+* config.gem 'bot-away'
+
+That's it.
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2010 Colin MacKenzie IV
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,45 @@
+require 'rubygems'
+gem 'hoe', '>= 2.1.0'
+require 'hoe'
+require 'fileutils'
+require './lib/bot-away'
+
+Hoe.plugin :newgem
+# Hoe.plugin :website
+# Hoe.plugin :cucumberfeatures
+
+# Generate all the Rake tasks
+# Run 'rake -T' to see list of generated tasks (from gem root directory)
+$hoe = Hoe.spec 'bot-away' do
+  self.developer 'Colin MacKenzie IV', 'sinisterchipmunk@gmail.com'
+  self.extra_deps         = [['actionpack','>= 2.3.5'],['sc-core-ext','>= 1.1.1']]
+  self.readme_file = "README.rdoc"
+end
+
+Rake::RDocTask.new(:docs) do |rdoc|
+  files = ['README.rdoc', # 'LICENSE', 'CHANGELOG',
+           'lib/**/*.rb', 'doc/**/*.rdoc']#, 'spec/*.rb']
+  rdoc.rdoc_files.add(files)
+  rdoc.main = 'README.rdoc'
+  rdoc.title = 'EVE Documentation'
+  #rdoc.template = '/path/to/gems/allison-2.0/lib/allison'
+  rdoc.rdoc_dir = 'doc'
+  rdoc.options << '--line-numbers' << '--inline-source'
+end
+
+
+require 'newgem/tasks'
+Dir['tasks/**/*.rake'].each { |t| load t }
+
+require 'spec/rake/spectask'
+
+desc "Run all examples with RCov"
+Spec::Rake::SpecTask.new('rcov') do |t|
+  t.spec_files = FileList['spec/**/*_spec.rb']
+  t.rcov = true
+  t.rcov_opts = ['--exclude', 'spec,/home/*']
+end
+
+# TODO - want other tests/tasks run by default? Add them to the list
+# remove_task :default
+# task :default => [:spec, :features]

data/lib/bot-away.rb

@@ -0,0 +1,19 @@
+$:.unshift(File.dirname(__FILE__)) unless
+  $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
+
+require 'rubygems' unless defined?(Gem)
+require 'action_controller'
+require 'action_view'
+require 'sc-core-ext'
+
+require 'bot-away/param_parser'
+require 'bot-away/action_controller/request'
+require 'bot-away/action_view/helpers/instance_tag'
+require 'bot-away/spinner'
+
+module BotAway
+  VERSION = '1.0.0'
+end
+
+# WHY do I have to do this???
+ActionView::Base.send :include, ActionView::Helpers

data/lib/bot-away/action_controller/request.rb

@@ -0,0 +1,8 @@
+class ActionController::Request < Rack::Request
+  def parameters_with_deobfuscation
+    @parameters ||= BotAway::ParamParser.new(ip, parameters_without_deobfuscation).params
+  end
+
+  alias_method_chain :parameters, :deobfuscation
+  alias_method :params, :parameters
+end

data/lib/bot-away/action_view/helpers/instance_tag.rb

@@ -0,0 +1,92 @@
+class ActionView::Helpers::InstanceTag
+  attr_reader :spinner
+
+  def initialize_with_spinner(object_name, method_name, template_object, object = nil)
+    initialize_without_spinner(object_name, method_name, template_object, object)
+    if template_object.controller.send(:protect_against_forgery?)
+      @spinner = BotAway::Spinner.new(template_object.request.ip, object_name, template_object.form_authenticity_token)
+    end
+  end
+
+  def obfuscate_options(options)
+    add_default_name_and_id(options)
+    assuming(spinner && options) do
+      options['name'] &&= spinner.encode(options['name'])
+      options['id'] &&= spinner.encode(options['id'])
+    end
+  end
+
+  def honeypot_options(options)
+    add_default_name_and_id(options)
+    assuming(spinner && options) do
+      options['value'] &&= ''
+      options['autocomplete'] = 'off'
+    end
+  end
+
+  def assuming(object)
+    yield if object
+    object
+  end
+
+  def honeypot_tag(name, options = nil, *args)
+    tag_without_honeypot(name, honeypot_options(options.dup? || {}), *args)
+  end
+
+  def obfuscated_tag(name, options = nil, *args)
+    tag_without_honeypot(name, obfuscate_options(options.dup? || {}), *args)
+  end
+
+  def tag_with_honeypot(name, options = nil, *args)
+    if spinner
+      obfuscated_tag(name, options, *args) + disguise(honeypot_tag(name, options, *args))
+    else
+      tag_without_honeypot(name, options, *args)
+    end
+  end
+
+  # Special case
+  def to_label_tag_with_obfuscation(text = nil, options = {})
+    # TODO: Can this be simplified? It's pretty similar to to_label_tag_without_obfuscation...
+    options = options.stringify_keys
+    tag_value = options.delete("value")
+    name_and_id = options.dup
+    name_and_id["id"] = name_and_id["for"]
+    add_default_name_and_id_for_value(tag_value, name_and_id)
+    options["for"] ||= name_and_id["id"]
+    options["for"] = spinner.encode(options["for"]) if spinner && options["for"]
+    to_label_tag_without_obfuscation(text, options)
+  end
+
+  def content_tag_with_obfuscation(name, content_or_options_with_block = nil, options = nil, *args, &block)
+    if block_given?
+      content_tag_without_obfuscation(name, content_or_options_with_block, options, *args, &block)
+    else
+      # this should cover all Rails selects.
+      if spinner && options && (options.keys.include?('id') || options.keys.include?('name'))
+        disguise(content_tag_without_obfuscation(name, '', honeypot_options(options), *args)) +
+                content_tag_without_obfuscation(name, content_or_options_with_block, obfuscate_options(options), *args)
+      else
+        content_tag_without_obfuscation(name, content_or_options_with_block, options, *args)
+      end
+    end
+  end
+
+  alias_method_chain :initialize, :spinner
+  alias_method_chain :tag, :honeypot
+  alias_method_chain :to_label_tag, :obfuscation
+  alias_method_chain :content_tag, :obfuscation
+
+  def disguise(element)
+    case rand(3)
+      when 0 # Hidden
+        "<div style='display:none;'>Leave this empty: #{element}</div>"
+      when 1 # Off-screen
+        "<div style='position:absolute;left:-1000px;top:-1000px;'>Don't fill this in: #{element}</div>"
+      when 2 # Negligible size
+        "<div style='position:absolute;width:0px;height:1px;z-index:-1;color:transparent;overflow:hidden;'>Keep this blank: #{element}</div>"
+      else # this should never happen?
+        disguise(element)
+    end
+  end
+end

data/lib/bot-away/param_parser.rb

@@ -0,0 +1,36 @@
+module BotAway
+  class ParamParser
+    class ObfuscationMissing < StandardError; end #:nodoc:
+
+    attr_reader :params, :ip, :authenticity_token
+
+    def initialize(ip, params, authenticity_token = params[:authenticity_token])
+      @ip, @params, @authenticity_token = ip, params, authenticity_token
+      if authenticity_token
+        if catch(:bastard) { deobfuscate! } == :took_the_bait
+          params.clear
+          params[:suspected_bot] = true
+        end
+      end
+    end
+
+    def deobfuscate!(current = params, object_name = nil)
+      if object_name
+        spinner = BotAway::Spinner.new(ip, object_name, authenticity_token)
+      end
+      
+      current.each do |key, value|
+        if object_name
+          if value.blank? && params.keys.include?(spun_key = spinner.encode("#{object_name}[#{key}]"))
+            current[key] = params.delete(spun_key)
+          else
+            throw :bastard, :took_the_bait
+          end
+        end
+        if value.kind_of?(Hash)
+          deobfuscate!(value, object_name ? "#{object_name}[#{key}]" : key)
+        end
+      end
+    end
+  end
+end

data/lib/bot-away/spinner.rb

@@ -0,0 +1,22 @@
+class BotAway::Spinner
+  def initialize(ip, key, secret)
+    raise "Shouldn't have a nil ip" unless ip
+    raise "Shouldn't have a nil secret" unless secret
+    secret = File.join(#Time.now.to_i.to_s,
+                                               ip,
+                                               key.to_s,
+                                               secret)
+
+    #puts secret
+    @spinner = Digest::MD5.hexdigest(secret)
+    #puts @spinner
+  end
+
+  def spinner
+    @spinner
+  end
+
+  def encode(real_field_name)
+    Digest::MD5.hexdigest(File.join(real_field_name.to_s, spinner))
+  end
+end

data/script/console

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+# File: script/console
+irb = RUBY_PLATFORM =~ /(:?mswin|mingw)/ ? 'irb.bat' : 'irb'
+
+libs =  " -r irb/completion"
+# Perhaps use a console_lib to store any extra methods I may want available in the cosole
+# libs << " -r #{File.dirname(__FILE__) + '/../lib/console_lib/console_logger.rb'}"
+libs <<  " -r #{File.dirname(__FILE__) + '/../lib/bot-away.rb'}"
+puts "Loading bot-away gem"
+exec "#{irb} #{libs} --simple-prompt"

data/script/destroy

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+begin
+  require 'rubigen'
+rescue LoadError
+  require 'rubygems'
+  require 'rubigen'
+end
+require 'rubigen/scripts/destroy'
+
+ARGV.shift if ['--help', '-h'].include?(ARGV[0])
+RubiGen::Base.use_component_sources! [:rubygems, :newgem, :newgem_theme, :test_unit]
+RubiGen::Scripts::Destroy.new.run(ARGV)

data/script/generate

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+begin
+  require 'rubigen'
+rescue LoadError
+  require 'rubygems'
+  require 'rubigen'
+end
+require 'rubigen/scripts/generate'
+
+ARGV.shift if ['--help', '-h'].include?(ARGV[0])
+RubiGen::Base.use_component_sources! [:rubygems, :newgem, :newgem_theme, :test_unit]
+RubiGen::Scripts::Generate.new.run(ARGV)

data/spec/controllers/test_controller_spec.rb

@@ -0,0 +1,128 @@
+require 'spec_helper'
+
+describe TestController do
+  include ActionController::TestProcess
+
+  def prepare!(action = 'index', method = 'get')
+    @controller.request = @request
+    @controller.params = {}
+    @controller.send(:initialize_current_url)
+    send(method, action)
+    if @response.template.instance_variable_get("@exception")
+      raise @response.template.instance_variable_get("@exception")
+    end
+  end
+  
+  before :each do
+    @request = ActionController::TestRequest.new
+    # can the authenticity token so that we can predict the generated element names
+    @request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
+    @request.remote_addr = '208.77.188.166' # example.com
+    @response = ActionController::TestResponse.new
+    @controller = TestController.new
+  end
+
+  after :each do
+    # effectively disables forgery protection.
+    TestController.request_forgery_protection_token = nil
+  end
+  
+  context "with a model" do
+    context "with forgery protection" do
+      before :each do
+        (class << @controller; self; end).send(:protect_from_forgery)
+        prepare!('model_form')
+      end
+
+      it "should work?" do
+        puts @response.body
+      end
+    end
+
+    context "without forgery protection" do
+      before :each do
+        prepare!('model_form')
+      end
+
+      it "should work?" do
+        puts @response.body
+      end
+    end
+  end
+
+  context "with forgery protection" do
+    before :each do
+      (class << @controller; self; end).send(:protect_from_forgery)
+      prepare!
+    end
+    #"object_name_method_name" name="object_name[method_name]" size="30" type="text" value="" /></div>
+    #<input id="e21372563297c728093bf74c3cb6b96c" name="a0844d45bf150668ff1d86a6eb491969" size="30" type="text" value="method_value" />
+    
+    it "processes valid obfuscated form post" do
+      form = { 'authenticity_token' => '1234',
+               'object_name' => { 'method_name' => '' },
+               '842d8d1c80014ce9f3d974614338605c' => 'some_value'
+             }
+      post 'proc_form', form
+      puts @response.body
+      @response.template.controller.params[:object_name].should == { 'method_name' => 'some_value' }
+    end
+
+    it "drops invalid obfuscated form post" do
+      form = { 'authenticity_token' => '1234',
+               'object_name' => { 'method_name' => 'test' },
+               '842d8d1c80014ce9f3d974614338605c' => 'some_value'
+             }
+      post 'proc_form', form
+      puts @response.body
+      @response.template.controller.params.should == { 'suspected_bot' => true }
+    end
+
+    it "does not drop valid authentication request" do
+      #@request.session[:_csrf_token] = 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw='
+      form = { 'authenticity_token' => 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw=',
+               'user_session' => {
+                 'login' => '',
+                 'password' => '',
+                 'remember_me' => ''
+               },
+               'commit' => 'Log In',
+               '89dce8f562b119a2f88da6d29f535a0d' => 'admin',
+               '4b9bab79bc1b1cd5229041c357750e0c' => 'pwpwpw',
+               '256307a36284445cc84014dae651f2ed' => '1'
+             }
+      @request.remote_addr = '127.0.0.1'
+      post 'proc_form', form
+      puts @response.template.controller.params.inspect
+      @response.template.controller.params.should == { 'action' => 'proc_form', 'controller' => 'test',
+                                                       'authenticity_token' => 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw=',
+                                                       'user_session' => {
+                                                          'login' => 'admin',
+                                                          'password' => 'pwpwpw',
+                                                          'remember_me' => '1'
+                                                       },
+                                                       'commit' => 'Log In'
+      }
+    end
+  end
+
+  context "without forgery protection" do
+    before :each do
+      prepare!
+    end
+
+    it "processes non-obfuscated form post" do
+      form = { #'authenticity_token' => '1234',
+               'object_name' => { 'method_name' => 'test' }
+             }
+      post 'proc_form', form
+      puts @response.body
+      @response.template.controller.params.should_not == { 'suspected_bot' => true }
+      @response.template.controller.params[:object_name].should == { 'method_name' => 'test' }
+    end
+
+    it "produces non-obfuscated form elements" do
+      @response.body.should_not match(/<\/div><input/)
+    end
+  end
+end

data/spec/lib/action_view/helpers/instance_tag_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+def template
+  return @response if @response
+  @response = TestController.call(Rack::MockRequest.env_for('/').merge({'REQUEST_URI' => '/',
+                                                                     'REMOTE_ADDR' => '127.0.0.1'}))
+  @response.template.controller.request_forgery_protection_token = :authenticity_token
+  @response.template.controller.session[:_csrf_token] = '1234'
+  @response.template
+end
+
+def mock_object
+  @mock_object ||= MockObject.new
+end
+
+def default_instance_tag
+  ActionView::Helpers::InstanceTag.new("object_name", "method_name", template, mock_object)
+end
+
+describe ActionView::Helpers::InstanceTag do
+  subject { default_instance_tag }
+
+  context "with a valid text area tag" do
+    subject do
+      dump { default_instance_tag.to_text_area_tag }
+    end
+
+    it "should produce blank honeypot value" do
+      subject.should_not =~ /name="object_name\[method_name\]"[^>]+>method_value<\/textarea>/
+    end
+  end
+
+  context "with a valid input type=text tag" do
+    before(:each) { @tag_options = ["input", {:type => 'text', 'name' => 'object_name[method_name]', 'id' => 'object_name_method_name', 'value' => 'method_value'}] }
+    #subject { dump { default_instance_tag.tag(*@tag_options) } }
+
+    it "should turn off autocomplete for honeypots" do
+      subject.honeypot_tag(*@tag_options).should =~ /autocomplete="off"/
+    end
+
+    it "should obfuscate tag name" do
+      subject.obfuscated_tag(*@tag_options).should =~ /name="a0844d45bf150668ff1d86a6eb491969"/
+    end
+
+    it "should obfuscate tag id" do
+      subject.obfuscated_tag(*@tag_options).should =~ /id="e21372563297c728093bf74c3cb6b96c"/
+    end
+
+    it "should not obfuscate tag value" do
+      subject.obfuscated_tag(*@tag_options).should_not =~ /value="5a6a50d5fd0b5c8b1190d87eb0057e47"/
+    end
+
+    it "should include unobfuscated tag value" do
+      subject.obfuscated_tag(*@tag_options).should =~ /value="method_value"/
+    end
+
+    it "should create honeypot name" do
+      subject.honeypot_tag(*@tag_options).should =~ /name="object_name\[method_name\]"/
+    end
+
+    it "should create honeypot id" do
+      subject.honeypot_tag(*@tag_options).should =~ /id="object_name_method_name"/
+    end
+
+    it "should create empty honeypot tag value" do
+      subject.honeypot_tag(*@tag_options).should =~ /value=""/
+    end
+  end
+end

data/spec/lib/builder_spec.rb

@@ -0,0 +1,48 @@
+###
+# The original implementation of BotAway extended ActionView::Helpers::FormBuilder, and these tests were written
+# for it. This approach has since been abandoned in favor of a direct override of ActionView::Helpers::InstanceTag for
+# reasons of efficiency. The FormBuilder tests have been kept around simply for an extra layer of functional testing.
+###
+
+require 'spec_helper'
+
+class MockObject; attr_accessor :method_name; def initialize; @method_name = 'method_value'; end; end
+
+describe ActionView::Helpers::FormBuilder do
+  subject { builder }
+
+  it "should not create honeypots with default values" do
+    builder.text_field(:method_name).should match(/name="object_name\[method_name\]"[^>]*?value=""/)
+  end
+
+  # select(method, choices, options = {}, html_options = {})
+  obfuscates(:select) { builder.select(:method_name, {1 => :a, 2 => :b }) }
+
+  #collection_select(method, collection, value_method, text_method, options = {}, html_options = {})
+  obfuscates(:collection_select) { builder.collection_select method_name, [MockObject.new], :method_name, :method_name }
+  
+  #grouped_collection_select(method, collection, group_method, group_label_method, option_key_method,
+  #                          option_value_method, options = {}, html_options = {})
+  obfuscates(:grouped_collection_select) do
+    builder.grouped_collection_select method_name, [MockObject.new], :method_name, :method_name, :to_s, :to_s
+  end
+  
+  #time_zone_select(method, priority_zones = nil, options = {}, html_options = {})
+  obfuscates(:time_zone_select) do
+    builder.time_zone_select method_name
+  end
+
+  %w(hidden_field text_field text_area file_field password_field check_box).each do |field|
+    obfuscates(field) { builder.send(field, method_name) }
+  end
+
+  obfuscates(:radio_button, '53640013be550817d040597218884288') { builder.radio_button method_name, :value }
+
+  context "#label" do
+    subject { dump { builder.label(method_name) } }
+
+    it "links labels to their obfuscated elements" do
+      subject.should match(/for=\"e21372563297c728093bf74c3cb6b96c\"/)
+    end
+  end
+end

data/spec/lib/param_parser_spec.rb

@@ -0,0 +1,55 @@
+describe BotAway::ParamParser do
+  def params(honeypots)
+    @params = { 'authenticity_token' => '1234',
+                'bdf3e1964ac3a82c5f1c7385ed0100e4' => 'colin',
+                'ed8fc4fe67d66bc7aeaf0b4817bd1311' => [1, 2]
+           }.merge(honeypots).with_indifferent_access
+  end
+
+  before(:each) do
+    # Root level is encoded with 208.77.188.166/test/1234
+    #    which resolves to a spinner digest of 86ba3fd99e851587a849ad9ed9817f9b
+    @ip = '208.77.188.166'
+    @params = params('test' => { 'name' => '', 'posts' => [] })
+  end
+
+  subject { r = BotAway::ParamParser.new(@ip, @params); puts r.params.to_yaml; r }
+
+  context "with blank honeypots" do
+    it "drops obfuscated params" do
+      subject.params.keys.should_not include('bdf3e1964ac3a82c5f1c7385ed0100e4')
+    end
+
+    it "drops obfuscated subparams" do
+      subject.params.keys.should_not include('ed8fc4fe67d66bc7aeaf0b4817bd1311')
+    end
+
+    it "replaces honeypots" do
+      subject.params[:test].should_not be_blank
+    end
+
+    it "replaces subhoneypots" do
+      subject.params.keys.should include('test')
+      subject.params[:test][:name].should == 'colin'
+      subject.params[:test][:posts].should == [1,2]
+    end
+  end
+
+  context "with a filled honeypot" do
+    before(:each) { @params = params({'test' => {'name' => 'colin', 'posts' => []}}) }
+    subject { r = BotAway::ParamParser.new(@ip, @params); puts r.params.to_yaml; r }
+
+    it "drops all parameters" do
+      subject.params.should == { "suspected_bot" => true }
+    end
+  end
+
+  context "with a filled sub-honeypot" do
+    before(:each) { @params = params({'test' => {'name' => '', 'posts' => [1, 2]}}) }
+    subject { r = BotAway::ParamParser.new(@ip, @params); puts r.params.to_yaml; r }
+
+    it "drops all parameters" do
+      subject.params.should == { "suspected_bot" => true }
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'action_controller'
+require 'action_view'
+
+ActionController::Routing::Routes.load!
+ActionController::Base.session = { :key => "_myapp_session", :secret => "12345"*6 }
+
+require File.join(File.dirname(__FILE__), '../lib/bot-away')
+
+Dir[File.join(File.dirname(__FILE__), 'support/**/*.rb')].each do |fi|
+  require fi
+end

data/spec/support/controllers/test_controller.rb

@@ -0,0 +1,18 @@
+class Post
+  attr_reader :subject, :body, :subscribers
+end
+
+class TestController < ActionController::Base
+  view_paths << File.expand_path(File.join(File.dirname(__FILE__), "../views"))
+
+  def index
+  end
+
+  def model_form
+    @post = Post.new
+  end
+
+  def proc_form
+    render :text => params.to_yaml
+  end
+end

data/spec/support/honeypot_matcher.rb

@@ -0,0 +1,26 @@
+class HoneypotMatcher
+  def initialize(object_name, method_name)
+    @object_name, @method_name = object_name, method_name
+  end
+
+  def matches?(target)
+    target = target.call if target.kind_of?(Proc)
+    @target = target
+    @rx = /name="#{Regexp::escape @object_name}\[#{Regexp::escape @method_name}/m
+    @target[@rx]
+  end
+
+  def failure_message
+    "expected #{@target.inspect}\n  to match #{@rx.to_s}"
+  end
+
+  def negative_failure_message
+    "expected #{@target.inspect}\n  to not match #{@rx.to_s}"
+  end
+end
+
+def include_honeypot(object_name, method_name)
+  HoneypotMatcher.new(object_name, method_name)
+end
+
+alias contain_honeypot include_honeypot

data/spec/support/obfuscation_helper.rb

@@ -0,0 +1,57 @@
+module ObfuscationHelper
+  def includes_honeypot(object_name, method_name)
+    it "includes a honeypot called #{object_name}[#{method_name}]" do
+      subject.should include_honeypot(object_name, method_name)
+    end
+  end
+
+  def is_obfuscated_as(id, name)
+    it "is obfuscated as #{id}, #{name}" do
+      subject.should be_obfuscated_as(id, name)
+    end
+  end
+
+  def dump
+    returning(yield) { |x| puts x }
+  end
+
+  def builder
+    return @builder if @builder
+    response = TestController.call(Rack::MockRequest.env_for('/').merge({'REQUEST_URI' => '/',
+                                                                         'REMOTE_ADDR' => '127.0.0.1'}))
+    response.template.controller.request_forgery_protection_token = :authenticity_token
+    response.template.controller.session[:_csrf_token] = '1234'
+    @builder = ActionView::Helpers::FormBuilder.new(:object_name, MockObject.new, response.template, {}, proc {})
+  end
+
+  def obfuscates(method, obfuscated_id = self.obfuscated_id, obfuscated_name = self.obfuscated_name)
+    value = yield
+    context "##{method}" do
+      subject { proc { dump { value } } }
+
+      includes_honeypot(object_name, method_name)
+      is_obfuscated_as(obfuscated_id, obfuscated_name)
+    end
+  end
+
+  def obfuscated_id
+    "e21372563297c728093bf74c3cb6b96c"
+  end
+
+  def obfuscated_name
+    "a0844d45bf150668ff1d86a6eb491969"
+  end
+
+  def object_name
+    "object_name"
+  end
+
+  def method_name
+    "method_name"
+  end
+end
+
+Spec::Runner.configure do |config|
+  config.extend  ObfuscationHelper
+  config.include ObfuscationHelper
+end

data/spec/support/obfuscation_matcher.rb

@@ -0,0 +1,28 @@
+class ObfuscationMatcher
+  def initialize(id, name)
+    @id, @name = id, name
+  end
+
+  def matches?(target)
+    target = target.call if target.kind_of?(Proc)
+    @target = target
+    match(:id) && match(:name)
+  end
+
+  def match(which)
+    @rx = /#{which}=['"]#{Regexp::escape instance_variable_get("@#{which}")}/
+    @target[@rx]
+  end
+
+  def failure_message
+    "expected #{@target.inspect}\n  to match #{@rx.inspect}"
+  end
+
+  def negative_failure_message
+    "expected #{@target.inspect}\n  to not match #{@rx.inspect}"
+  end
+end
+
+def be_obfuscated_as(id, name)
+  ObfuscationMatcher.new(id, name)
+end

data/spec/support/views/test/index.html.erb

@@ -0,0 +1,4 @@
+<%form_for :test, :url => {:action => 'post_to'} do |f|%>
+  <%=f.text_field :name%>
+<%end%>
+

data/spec/support/views/test/model_form.html.erb

@@ -0,0 +1,6 @@
+<%form_for @post, :url => url_for('proc_form') do |f|%>
+  <p>
+    <%=f.label :subject%><br/>
+    <%=f.text_field :subject%>
+  </p>
+<%end%>

metadata

@@ -0,0 +1,182 @@
+--- !ruby/object:Gem::Specification 
+name: bot-away
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 1
+  - 0
+  - 0
+  version: 1.0.0
+platform: ruby
+authors: 
+- Colin MacKenzie IV
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-04-01 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: actionpack
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 3
+        - 5
+        version: 2.3.5
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: sc-core-ext
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 1
+        - 1
+        version: 1.1.1
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rubyforge
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 0
+        - 3
+        version: 2.0.3
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: gemcutter
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        - 5
+        - 0
+        version: 0.5.0
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 5
+        - 0
+        version: 2.5.0
+  type: :development
+  version_requirements: *id005
+description: |-
+  Unobtrusively detects form submissions made by spambots, and silently drops those submissions. The key word here is
+  "unobtrusive" -- this is NOT a CAPTCHA. This is transparent, modular implementation of the bot-catching techniques
+  discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html
+  
+  If a submission is detected, the params hash is cleared, so the data can't be used. Since this includes the authenticity
+  token, Rails should barf due to an invalid or missing authenticity token. Congrats, spam blocked.
+  
+  The specifics of the techniques employed for filtering spambots are discussed Ned's site at the above location; however,
+  here's a brief run-down of what's going on:
+  
+  * Your code stays the same. After the bot-away gem has been activated, all Rails-generated forms on your site
+    will automatically be transformed into bot-resistent forms.
+  * All of the form elements that you create (for instance, a "comment" model with a "body" field) are turned into
+    dummy elements, or honeypots, and are made invisible to the end user. This is done using div elements and inline CSS
+    stylesheets. There are several ways an element can be hidden, and these approaches are chosen at random to help
+    minimize predictability. In the rare event that a real user actually can see the element, it has a label next to it
+    along the lines of "Leave this blank" -- though the exact message is randomized to help prevent detection.
+  * All of the form elements are mirrored by hashes. The hashes are generated using the session's authenticity token,
+    so they can't be predicted.
+  * When data is submitted, bot-away steps in and 1.) validates that no honeypots have been filled in; and 2)
+    converts the hashed elements back into the field names that you are expecting (replacing the honeypot fields).
+  * If a honeypot has been filled in, or a hashed element is missing where it was expected, then the request is
+    considered to be either spam, or tampered with; and the entire params hash is emptied. Since this happens at the
+    lowest level, the most likely result is that Rails will complain that the user's authenticity token is invalid. If
+    that does not happen, then your code will be passed a params hash containing only a "suspected_bot" key, and an error
+    will result. Either way, the spambot has been foiled!
+email: 
+- sinisterchipmunk@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- History.txt
+- Manifest.txt
+files: 
+- History.txt
+- Manifest.txt
+- README.rdoc
+- Rakefile
+- lib/bot-away.rb
+- lib/bot-away/action_controller/request.rb
+- lib/bot-away/action_view/helpers/instance_tag.rb
+- lib/bot-away/param_parser.rb
+- lib/bot-away/spinner.rb
+- script/console
+- script/destroy
+- script/generate
+- spec/controllers/test_controller_spec.rb
+- spec/lib/action_view/helpers/instance_tag_spec.rb
+- spec/lib/builder_spec.rb
+- spec/lib/param_parser_spec.rb
+- spec/spec_helper.rb
+- spec/support/controllers/test_controller.rb
+- spec/support/honeypot_matcher.rb
+- spec/support/obfuscation_helper.rb
+- spec/support/obfuscation_matcher.rb
+- spec/support/views/test/index.html.erb
+- spec/support/views/test/model_form.html.erb
+has_rdoc: true
+homepage: http://github.com/sinisterchipmunk/bot-away
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --main
+- README.rdoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: bot-away
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Unobtrusively detects form submissions made by spambots, and silently drops those submissions
+test_files: []
+