bot-away 1.1.0 → 1.2.0

data/lib/bot-away.rb

@@ -1,29 +1,44 @@
 $:.unshift(File.dirname(__FILE__)) unless
   $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
 
-require 'rubygems' unless defined?(Gem)
 require 'action_controller'
 require 'action_view'
 require 'sc-core-ext'
 
 require 'bot-away/param_parser'
-require 'bot-away/action_controller/request'
+require 'bot-away/action_dispatch/request'
 require 'bot-away/action_view/helpers/instance_tag'
 require 'bot-away/spinner'
 
 module BotAway
-  VERSION = '1.1.0'
+  VERSION = File.read(File.join(File.dirname(__FILE__), "../VERSION")) unless defined?(VERSION)
   
   class << self
     attr_accessor :show_honeypots, :dump_params
     
-    def unfiltered_params(*args)
-      ActionController::Request.unfiltered_params(*args)
+    def unfiltered_params(*keys)
+      unfiltered_params = instance_variable_get("@unfiltered_params") || instance_variable_set("@unfiltered_params", [])
+      unfiltered_params.concat keys.flatten.collect { |k| k.to_s }
+      unfiltered_params
     end
+
+    alias_method :accepts_unfiltered_params, :unfiltered_params
     
-    alias accepts_unfiltered_params unfiltered_params
+    # options include:
+    #   :controller
+    #   :action
+    #   :object_name
+    #   :method_name
+    #
+    # excluded? will also check the current Rails run mode against disabled_for[:mode]
+    def excluded?(options)
+      options = options.stringify_keys
+      nonparams = options.stringify_keys.without('object_name', 'method_name')
+      (options['object_name'] && options['method_name'] &&
+              unfiltered_params_include?(options['object_name'], options['method_name'])) || disabled_for?(nonparams)
+    end
     
-    def excluded?(object_name, method_name)
+    def unfiltered_params_include?(object_name, method_name)
       unfiltered_params.collect! { |u| u.to_s }
       if (object_name &&
               (unfiltered_params.include?(object_name.to_s) ||
@@ -34,7 +49,52 @@ module BotAway
         false
       end
     end
+    
+    # Returns true if the given options match the options set via #disabled_for, or if the Rails run mode
+    # matches any run modes set via #disabled_for.
+    def disabled_for?(options)
+      return false if @disabled_for.nil? || options.empty?
+      options = options.stringify_keys
+#      p options
+#      p "===="
+      @disabled_for.each do |set|
+        if set.key?('mode')
+          next unless ENV['RAILS_ENV'] == set['mode'].to_s
+          return true if set.keys.length == 1
+          # if there are more keys, then it looks something like:
+          #   disabled_for :mode => 'development', :controller => 'tests'
+          # and that means we need to check the next few conditions.
+        end
+        
+#        p set
+        if set.key?('controller') && set.key?('action')
+          return true if set['controller'] == options['controller'] && set['action'] == options['action']
+        elsif set.key?('controller') && !set.key?('action')
+          return true if set['controller'] == options['controller']
+        elsif set.key?('action')
+          return true if set['action'] == options['action']
+        end
+      end
+      false
+    end
+    
+    def disabled_for(options = {})
+      @disabled_for ||= []
+      if !options.empty?
+        @disabled_for << options.stringify_keys
+      end
+      @disabled_for
+    end
+    
+    def reset!
+      self.show_honeypots = false
+      self.dump_params = false
+      self.unfiltered_params.clear
+      self.disabled_for.clear
+    end
   end
+
+  delegate :accepts_unfiltered_params, :unfiltered_params, :to => :"self.class"
 end
 
 # WHY do I have to do this???

data/lib/bot-away/action_dispatch/request.rb

@@ -0,0 +1,20 @@
+request = (defined?(Rails::VERSION) && Rails::VERSION::STRING >= "3.0") ? 
+          ActionDispatch::Request : # Rails 3.0
+          ActionController::Request # Rails 2.3
+
+request.module_eval do
+  def parameters_with_deobfuscation
+    # NFC what is happening behind the scenes but Rails 2.3 croaks when we memoize; Rails 3 croaks when we don't.
+    if defined?(Rails::VERSION) && Rails::VERSION::STRING >= "3.0"
+      @deobfuscated_parameters ||= begin
+        BotAway::ParamParser.new(ip, parameters_without_deobfuscation.dup).params
+      end
+    else
+      Rails.logger.info parameters_without_deobfuscation.inspect
+      BotAway::ParamParser.new(ip, parameters_without_deobfuscation.dup).params
+    end
+  end
+
+  alias_method_chain :parameters, :deobfuscation
+  alias_method :params, :parameters
+end

data/lib/bot-away/action_view/helpers/instance_tag.rb

@@ -3,8 +3,11 @@ class ActionView::Helpers::InstanceTag
 
   def initialize_with_spinner(object_name, method_name, template_object, object = nil)
     initialize_without_spinner(object_name, method_name, template_object, object)
-    if template_object.controller.send(:protect_against_forgery?) && !BotAway.excluded?(object_name, method_name)
-      puts "#{object_name.inspect} => #{method_name.inspect}"
+    
+    if template_object.controller.send(:protect_against_forgery?) &&
+               !BotAway.excluded?(:object_name => object_name, :method_name => method_name) &&
+               !BotAway.excluded?(:controller => template_object.controller.controller_name,
+                                  :action => template_object.controller.action_name)
       @spinner = BotAway::Spinner.new(template_object.request.ip, object_name, template_object.form_authenticity_token)
     end
   end
@@ -48,12 +51,18 @@ class ActionView::Helpers::InstanceTag
   end
 
   # Special case
-  def to_label_tag_with_obfuscation(text = nil, options = {})
+  def to_label_tag_with_obfuscation(text = nil, options = {}, &block)
     # TODO: Can this be simplified? It's pretty similar to to_label_tag_without_obfuscation...
     options = options.stringify_keys
     tag_value = options.delete("value")
     name_and_id = options.dup
-    name_and_id["id"] = name_and_id["for"]
+
+    if name_and_id["for"]
+      name_and_id["id"] = name_and_id["for"]
+    else
+      name_and_id.delete("id")
+    end
+
     add_default_name_and_id_for_value(tag_value, name_and_id)
     options["for"] ||= name_and_id["id"]
     options["for"] = spinner.encode(options["for"]) if spinner && options["for"]

data/lib/bot-away/param_parser.rb

@@ -2,34 +2,47 @@ module BotAway
   class ParamParser
     attr_reader :params, :ip, :authenticity_token
 
-    def initialize(ip, params, authenticity_token = params[:authenticity_token])
+    def initialize(ip, params, authenticity_token = nil)
+      params = params.with_indifferent_access if !params.kind_of?(HashWithIndifferentAccess)
+      authenticity_token ||= params[:authenticity_token]
       @ip, @params, @authenticity_token = ip, params, authenticity_token
-      Rails.logger.debug(params.inspect) if BotAway.dump_params
+      
+      if BotAway.dump_params
+        Rails.logger.debug("[BotAway] IP: #{@ip}")
+        Rails.logger.debug("[BotAway] Authenticity token: #{@authenticity_token}")
+        Rails.logger.debug("[BotAway] Parameters: #{params.inspect}")
+      end
+      
       if authenticity_token
         if catch(:bastard) { deobfuscate! } == :took_the_bait
-          params.clear
+          #params.clear
+          # don't clear the controller or action keys, as Rails 3 needs them
+          params.keys.each { |key| params.delete(key) unless %w(controller action).include?(key) }
           params[:suspected_bot] = true
         end
       end
     end
 
     def deobfuscate!(current = params, object_name = nil)
+      return current if BotAway.excluded?(:controller => params[:controller], :action => params[:action])
+      
       if object_name
         spinner = BotAway::Spinner.new(ip, object_name, authenticity_token)
       end
       
       current.each do |key, value|
-        if object_name && !value.kind_of?(Hash) && !BotAway.excluded?(object_name, key)
-          if value.blank? && params.keys.include?(spun_key = spinner.encode("#{object_name}[#{key}]"))
-            current[key] = params.delete(spun_key)
-          else
-            #puts "throwing on #{object_name}[#{key}] because its not blank" if !value.blank?
-            #puts "throwing on #{object_name}[#{key}] because its not found" if defined?(spun_key) && !spun_key.nil?
-            throw :bastard, :took_the_bait
-          end
-        end
         if value.kind_of?(Hash)
           deobfuscate!(value, object_name ? "#{object_name}[#{key}]" : key)
+        else
+          if object_name && !BotAway.excluded?(:object_name => object_name, :method_name => key)
+            if value.blank? && params.keys.include?(spun_key = spinner.encode("#{object_name}[#{key}]"))
+              current[key] = params.delete(spun_key)
+            else
+              #puts "throwing on #{object_name}[#{key}] because its not blank" if !value.blank?
+              #puts "throwing on #{object_name}[#{key}] because its not found" if defined?(spun_key) && !spun_key.nil?
+              throw :bastard, :took_the_bait
+            end
+          end
         end
       end
     end

data/lib/bot-away/spinner.rb

@@ -7,9 +7,7 @@ class BotAway::Spinner
                                                key.to_s,
                                                secret)
 
-    #puts secret
     @spinner = Digest::MD5.hexdigest(secret)
-    #puts @spinner
   end
 
   def spinner

data/spec/controllers/test_controller_spec.rb

@@ -1,41 +1,69 @@
 require 'spec_helper'
 
 describe TestController do
-  include ActionController::TestProcess
+  if RAILS_VERSION < "3.0"
+    # rails 2
+
+    def setup_default_controller
+      @request = ActionController::TestRequest.new
+      # can the authenticity token so that we can predict the generated element names
+      @request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
+      @request.remote_addr = '208.77.188.166' # example.com
+      @response = ActionController::TestResponse.new
+      @controller = TestController.new
+    
+      @controller.request = @request
+      @controller.params = {}
+      @controller.send(:initialize_current_url)
+      @controller
+    end
+  
+    include ActionController::TestProcess
+
+    def controller
+      @controller
+    end
+  else
+    # rails 3
+    def setup_default_controller
+      @controller.request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
+      @controller.request.remote_addr = '208.77.188.166'
+      
+      @controller
+    end
+    
+    #extend ActiveSupport::Concern
+    #include ActionController::TestCase::Behavior
+    delegate :session, :to => :controller
+  end
 
   def prepare!(action = 'index', method = 'get')
-    @controller.request = @request
-    @controller.params = {}
-    @controller.send(:initialize_current_url)
+    controller
     send(method, action)
-    if @response.template.instance_variable_get("@exception")
-      raise @response.template.instance_variable_get("@exception")
+    if RAILS_VERSION < "3.0"
+      if @response.template.instance_variable_get("@exception")
+        raise @response.template.instance_variable_get("@exception")
+      end
     end
   end
-  
-  before :each do
-    @request = ActionController::TestRequest.new
-    # can the authenticity token so that we can predict the generated element names
-    @request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
-    @request.remote_addr = '208.77.188.166' # example.com
-    @response = ActionController::TestResponse.new
-    @controller = TestController.new
-  end
 
+  before(:each) { setup_default_controller }
+  
   after :each do
     # effectively disables forgery protection.
     TestController.request_forgery_protection_token = nil
   end
+
   
   context "with a model" do
     context "with forgery protection" do
       before :each do
-        (class << @controller; self; end).send(:protect_from_forgery)
+        (class << controller; self; end).send(:protect_from_forgery)
         prepare!('model_form')
       end
 
       it "should work?" do
-        puts @response.body
+        #puts @response.body
       end
     end
 
@@ -45,15 +73,15 @@ describe TestController do
       end
 
       it "should work?" do
-        puts @response.body
+        #puts @response.body
       end
     end
   end
 
   context "with forgery protection" do
     before :each do
-      (class << @controller; self; end).send(:protect_from_forgery)
-      prepare!
+      (class << controller; self; end).send(:protect_from_forgery)
+      prepare! if RAILS_VERSION < "3.0"
     end
     #"object_name_method_name" name="object_name[method_name]" size="30" type="text" value="" /></div>
     #<input id="e21372563297c728093bf74c3cb6b96c" name="a0844d45bf150668ff1d86a6eb491969" size="30" type="text" value="method_value" />
@@ -64,30 +92,48 @@ describe TestController do
                '842d8d1c80014ce9f3d974614338605c' => 'some_value'
              }
       post 'proc_form', form
-      puts @response.body
-      @response.template.controller.params[:object_name].should == { 'method_name' => 'some_value' }
+      #puts @response.body
+      controller.params[:object_name].should == { 'method_name' => 'some_value' }
+    end
+    
+    context "after processing valid obfuscated post" do
+      before(:each) do
+        post 'proc_form', { 'authenticity_token' => '1234',
+                 'object_name' => { 'method_name' => '' },
+                 '842d8d1c80014ce9f3d974614338605c' => 'some_value'
+        }
+      end
+      it "should allow params to be changed" do
+        # Whether it's best practice or not, the Rails params hash can normally be modified from the controller.
+        # So, it makes sense to verify that BotAway doesn't change this.
+        controller.params[:object_name][:method_name] = "a different value"
+        controller.params[:object_name][:method_name].should == "a different value"
+        
+        controller.params.clear
+        controller.params.should == {}
+      end
     end
 
     it "drops invalid obfuscated form post" do
       form = { 'authenticity_token' => '1234',
-               'object_name' => { 'method_name' => 'test' },
+               'object_name' => { 'method_name' => 'a bot filled this in' },
                '842d8d1c80014ce9f3d974614338605c' => 'some_value'
              }
       post 'proc_form', form
-      puts @response.body
-      @response.template.controller.params.should == { 'suspected_bot' => true }
+      controller.params['suspected_bot'].should == true
+      controller.params.keys.should_not include('object_name')
     end
 
     it "processes no params" do
       post 'proc_form', { 'authenticity_token' => '1234' }
-      @response.template.controller.params.should_not == { 'suspected_bot' => true }
+      controller.params['suspected_bot'].should_not == true
     end
 
     it "should not fail on unfiltered params" do
-      ActionController::Request.accepts_unfiltered_params :role_ids
+      BotAway.accepts_unfiltered_params :role_ids
       @request.remote_addr = '127.0.0.1'
       post 'proc_form', {'authenticity_token' => '1234', 'user' => { 'role_ids' => [1, 2] }}
-      @response.template.controller.params.should_not == { 'suspected_bot' => true }
+      controller.params['suspected_bot'].should_not == true
     end
 
     it "does not drop valid authentication request" do
@@ -103,10 +149,10 @@ describe TestController do
                '4b9bab79bc1b1cd5229041c357750e0c' => 'pwpwpw',
                '256307a36284445cc84014dae651f2ed' => '1'
              }
-      @request.remote_addr = '127.0.0.1'
+      controller.request.remote_addr = '127.0.0.1'
       post 'proc_form', form
-      puts @response.template.controller.params.inspect
-      @response.template.controller.params.should == { 'action' => 'proc_form', 'controller' => 'test',
+      # puts controller.params.inspect
+      controller.params.should == { 'action' => 'proc_form', 'controller' => 'test',
                                                        'authenticity_token' => 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw=',
                                                        'user_session' => {
                                                           'login' => 'admin',
@@ -120,7 +166,7 @@ describe TestController do
 
   context "without forgery protection" do
     before :each do
-      prepare!
+      prepare! if RAILS_VERSION < "3.0"
     end
 
     it "processes non-obfuscated form post" do
@@ -128,12 +174,13 @@ describe TestController do
                'object_name' => { 'method_name' => 'test' }
              }
       post 'proc_form', form
-      puts @response.body
-      @response.template.controller.params.should_not == { 'suspected_bot' => true }
-      @response.template.controller.params[:object_name].should == { 'method_name' => 'test' }
+      # puts @response.body
+      controller.params.should_not == { 'suspected_bot' => true }
+      controller.params[:object_name].should == { 'method_name' => 'test' }
     end
 
     it "produces non-obfuscated form elements" do
+      prepare! if RAILS_VERSION >= "3.0"
       @response.body.should_not match(/<\/div><input/)
     end
   end

data/spec/rspec_version.rb

@@ -0,0 +1,19 @@
+unless defined?(RSPEC_VERSION)
+  begin
+    # RSpec 1.3.0
+    require 'spec/rake/spectask'
+    require 'spec/version'
+    
+    RSPEC_VERSION = Spec::VERSION::STRING
+  rescue LoadError
+    # RSpec 2.0
+    begin
+      require 'rspec/core/rake_task'
+      require 'rspec/core/version'
+      
+      RSPEC_VERSION = RSpec::Core::Version::STRING
+    rescue LoadError
+      raise "RSpec does not seem to be installed. You must install rspec to test this gem."
+    end
+  end
+end