bot-away 1.0.0 → 1.0.1

data/History.txt

@@ -1,3 +1,11 @@
+=== 1.0.1 2010-04-02
+* 2 minor enhancements:
+  * ActionController::Request.accepts_unfiltered_params creates an array of params that will not be checked
+  * Took all honeypots out of the keyboard tab order using randomized negative indexes.
+
+* Bugfixes:
+  * Empty select tags no longer raise errors
+
 === 0.0.1 2010-03-24
 
 * 1 major enhancement:

data/README.rdoc

@@ -5,13 +5,15 @@
 == DESCRIPTION:
 
 Unobtrusively detects form submissions made by spambots, and silently drops those submissions. The key word here is
-"unobtrusive" -- this is NOT a CAPTCHA. This is transparent, modular implementation of the bot-catching techniques
-discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html
+"unobtrusive" -- this is NOT a CAPTCHA. This is a transparent, modular implementation of the bot-catching techniques
+discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html.
 
-If a submission is detected, the params hash is cleared, so the data can't be used. Since this includes the authenticity
-token, Rails should barf due to an invalid or missing authenticity token. Congrats, spam blocked.
+== WHAT'S GOING ON:
 
-The specifics of the techniques employed for filtering spambots are discussed Ned's site at the above location; however,
+If a bot submission is detected, the params hash is cleared, so the data can't be used. Since this includes the
+authenticity token, Rails should complain about an invalid or missing authenticity token. Congrats, spam blocked.
+
+The specifics of the techniques employed for filtering spambots are discussed Ned's site in the description; however,
 here's a brief run-down of what's going on:
 
 * Your code stays the same. After the bot-away gem has been activated, all Rails-generated forms on your site
@@ -46,6 +48,19 @@ here's a brief run-down of what's going on:
   in order to avoid confusing lots of humans (such as hiding the honeypots), it is always theoretically possible for
   a spambot to get around it. It's just very, very difficult.
 
+* I feel this library has been fairly well-tested (99.5% test coverage as of this writing), but if you discover a bug
+  and can't be bothered to let me know about it (or you just don't have time to wait for a fix or fix it yourself),
+  then you can simply add the name of the offending form element to the ActionController::Request.unfiltered_params
+  array like so:
+    ActionController::Request.accepts_unfiltered_params 'role_ids'
+    ActionController::Request.accepts_unfiltered_params 'user' # this can be called multiple times
+  You should also take note that this is an array, not a hash. So if you have a user[role_ids] as well as a
+  group[role_ids], the +role_ids+ will not be matched on EITHER of these models.
+
+* Currently, there's no direct support for per-request configuration of unfiltered params. This is mostly due to
+  Bot-Away's low-level approach to filtering bots: the params have already been filtered by the time your controller
+  is created. I'd like to revisit per-request filtering sometime in the future, once I figure out the best way to do it.
+
 == REQUIREMENTS:
 
 * Rails 2.3.5 or better.
@@ -85,4 +100,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -21,7 +21,7 @@ Rake::RDocTask.new(:docs) do |rdoc|
            'lib/**/*.rb', 'doc/**/*.rdoc']#, 'spec/*.rb']
   rdoc.rdoc_files.add(files)
   rdoc.main = 'README.rdoc'
-  rdoc.title = 'EVE Documentation'
+  rdoc.title = 'Bot-Away Documentation'
   #rdoc.template = '/path/to/gems/allison-2.0/lib/allison'
   rdoc.rdoc_dir = 'doc'
   rdoc.options << '--line-numbers' << '--inline-source'

data/lib/bot-away.rb

@@ -12,7 +12,7 @@ require 'bot-away/action_view/helpers/instance_tag'
 require 'bot-away/spinner'
 
 module BotAway
-  VERSION = '1.0.0'
+  VERSION = '1.0.1'
 end
 
 # WHY do I have to do this???

data/lib/bot-away/action_controller/request.rb

@@ -3,6 +3,17 @@ class ActionController::Request < Rack::Request
     @parameters ||= BotAway::ParamParser.new(ip, parameters_without_deobfuscation).params
   end
 
+  class << self
+    def unfiltered_params(*keys)
+      unfiltered_params = instance_variable_get("@unfiltered_params") || instance_variable_set("@unfiltered_params", [])
+      unfiltered_params.concat keys.flatten.collect { |k| k.to_s }
+      unfiltered_params
+    end
+
+    alias_method :accepts_unfiltered_params, :unfiltered_params
+  end
+
+  delegate :accepts_unfiltered_params, :unfiltered_params, :to => :"self.class"
   alias_method_chain :parameters, :deobfuscation
   alias_method :params, :parameters
 end

data/lib/bot-away/action_view/helpers/instance_tag.rb

@@ -21,6 +21,7 @@ class ActionView::Helpers::InstanceTag
     assuming(spinner && options) do
       options['value'] &&= ''
       options['autocomplete'] = 'off'
+      options['tabindex'] = -rand(10)
     end
   end
 
@@ -64,7 +65,12 @@ class ActionView::Helpers::InstanceTag
     else
       # this should cover all Rails selects.
       if spinner && options && (options.keys.include?('id') || options.keys.include?('name'))
-        disguise(content_tag_without_obfuscation(name, '', honeypot_options(options), *args)) +
+        if name == 'select' && !content_or_options_with_block.empty?
+          content = '<option selected value=""></option>'
+        else
+          content = ""
+        end
+        disguise(content_tag_without_obfuscation(name, content, honeypot_options(options), *args)) +
                 content_tag_without_obfuscation(name, content_or_options_with_block, obfuscate_options(options), *args)
       else
         content_tag_without_obfuscation(name, content_or_options_with_block, options, *args)

data/lib/bot-away/param_parser.rb

@@ -1,7 +1,5 @@
 module BotAway
   class ParamParser
-    class ObfuscationMissing < StandardError; end #:nodoc:
-
     attr_reader :params, :ip, :authenticity_token
 
     def initialize(ip, params, authenticity_token = params[:authenticity_token])
@@ -20,10 +18,12 @@ module BotAway
       end
       
       current.each do |key, value|
-        if object_name
+        if object_name && !value.kind_of?(Hash) && !ActionController::Request.unfiltered_params.include?(key)
           if value.blank? && params.keys.include?(spun_key = spinner.encode("#{object_name}[#{key}]"))
             current[key] = params.delete(spun_key)
           else
+            #puts "throwing on #{object_name}[#{key}] because its not blank" if !value.blank?
+            #puts "throwing on #{object_name}[#{key}] because its not found" if defined?(spun_key) && !spun_key.nil?
             throw :bastard, :took_the_bait
           end
         end

data/spec/controllers/test_controller_spec.rb

@@ -78,6 +78,18 @@ describe TestController do
       @response.template.controller.params.should == { 'suspected_bot' => true }
     end
 
+    it "processes no params" do
+      post 'proc_form', { 'authenticity_token' => '1234' }
+      @response.template.controller.params.should_not == { 'suspected_bot' => true }
+    end
+
+    it "should not fail on unfiltered params" do
+      ActionController::Request.accepts_unfiltered_params :role_ids
+      @request.remote_addr = '127.0.0.1'
+      post 'proc_form', {'authenticity_token' => '1234', 'user' => { 'role_ids' => [1, 2] }}
+      @response.template.controller.params.should_not == { 'suspected_bot' => true }
+    end
+
     it "does not drop valid authentication request" do
       #@request.session[:_csrf_token] = 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw='
       form = { 'authenticity_token' => 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw=',

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 1
   - 0
-  - 0
-  version: 1.0.0
+  - 1
+  version: 1.0.1
 platform: ruby
 authors: 
 - Colin MacKenzie IV
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-04-01 00:00:00 -04:00
+date: 2010-04-02 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -89,31 +89,8 @@ dependencies:
   version_requirements: *id005
 description: |-
   Unobtrusively detects form submissions made by spambots, and silently drops those submissions. The key word here is
-  "unobtrusive" -- this is NOT a CAPTCHA. This is transparent, modular implementation of the bot-catching techniques
-  discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html
-  
-  If a submission is detected, the params hash is cleared, so the data can't be used. Since this includes the authenticity
-  token, Rails should barf due to an invalid or missing authenticity token. Congrats, spam blocked.
-  
-  The specifics of the techniques employed for filtering spambots are discussed Ned's site at the above location; however,
-  here's a brief run-down of what's going on:
-  
-  * Your code stays the same. After the bot-away gem has been activated, all Rails-generated forms on your site
-    will automatically be transformed into bot-resistent forms.
-  * All of the form elements that you create (for instance, a "comment" model with a "body" field) are turned into
-    dummy elements, or honeypots, and are made invisible to the end user. This is done using div elements and inline CSS
-    stylesheets. There are several ways an element can be hidden, and these approaches are chosen at random to help
-    minimize predictability. In the rare event that a real user actually can see the element, it has a label next to it
-    along the lines of "Leave this blank" -- though the exact message is randomized to help prevent detection.
-  * All of the form elements are mirrored by hashes. The hashes are generated using the session's authenticity token,
-    so they can't be predicted.
-  * When data is submitted, bot-away steps in and 1.) validates that no honeypots have been filled in; and 2)
-    converts the hashed elements back into the field names that you are expecting (replacing the honeypot fields).
-  * If a honeypot has been filled in, or a hashed element is missing where it was expected, then the request is
-    considered to be either spam, or tampered with; and the entire params hash is emptied. Since this happens at the
-    lowest level, the most likely result is that Rails will complain that the user's authenticity token is invalid. If
-    that does not happen, then your code will be passed a params hash containing only a "suspected_bot" key, and an error
-    will result. Either way, the spambot has been foiled!
+  "unobtrusive" -- this is NOT a CAPTCHA. This is a transparent, modular implementation of the bot-catching techniques
+  discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html.
 email: 
 - sinisterchipmunk@gmail.com
 executables: []