bot-away 1.2.0 → 2.0.0

data/gemfiles/Gemfile.rails-3.0.x

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in bot-away.gemspec
+gemspec :path => ".."
+
+gem 'rails', '~> 3.0.10'
+gem 'rspec', '~> 2.6.0'
+gem 'rspec-rails', '~> 2.6.1'

data/gemfiles/Gemfile.rails-3.0.x.lock

@@ -0,0 +1,121 @@
+PATH
+  remote: /Users/colin/projects/gems/bot-away
+  specs:
+    bot-away (2.0.0)
+      actionpack (>= 2.3.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    actionmailer (3.0.11)
+      actionpack (= 3.0.11)
+      mail (~> 2.2.19)
+    actionpack (3.0.11)
+      activemodel (= 3.0.11)
+      activesupport (= 3.0.11)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.5.0)
+      rack (~> 1.2.1)
+      rack-mount (~> 0.6.14)
+      rack-test (~> 0.5.7)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.11)
+      activesupport (= 3.0.11)
+      builder (~> 2.1.2)
+      i18n (~> 0.5.0)
+    activerecord (3.0.11)
+      activemodel (= 3.0.11)
+      activesupport (= 3.0.11)
+      arel (~> 2.0.10)
+      tzinfo (~> 0.3.23)
+    activeresource (3.0.11)
+      activemodel (= 3.0.11)
+      activesupport (= 3.0.11)
+    activesupport (3.0.11)
+    arel (2.0.10)
+    builder (2.1.2)
+    capybara (1.1.2)
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      selenium-webdriver (~> 2.0)
+      xpath (~> 0.1.4)
+    childprocess (0.2.9)
+      ffi (~> 1.0.6)
+    diff-lcs (1.1.3)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    ffi (1.0.11)
+    i18n (0.5.0)
+    json (1.6.4)
+    mail (2.2.19)
+      activesupport (>= 2.3.6)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.17.2)
+    multi_json (1.0.4)
+    nokogiri (1.5.0)
+    polyglot (0.3.3)
+    rack (1.2.5)
+    rack-mount (0.6.14)
+      rack (>= 1.0.0)
+    rack-test (0.5.7)
+      rack (>= 1.0)
+    rails (3.0.11)
+      actionmailer (= 3.0.11)
+      actionpack (= 3.0.11)
+      activerecord (= 3.0.11)
+      activeresource (= 3.0.11)
+      activesupport (= 3.0.11)
+      bundler (~> 1.0)
+      railties (= 3.0.11)
+    railties (3.0.11)
+      actionpack (= 3.0.11)
+      activesupport (= 3.0.11)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.4)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    rspec-rails (2.6.1)
+      actionpack (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
+      rspec (~> 2.6.0)
+    rubyzip (0.9.5)
+    selenium-webdriver (2.16.0)
+      childprocess (>= 0.2.5)
+      ffi (~> 1.0.9)
+      multi_json (~> 1.0.4)
+      rubyzip
+    thor (0.14.6)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.31)
+    xpath (0.1.4)
+      nokogiri (~> 1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bot-away!
+  capybara (~> 1.1.2)
+  rails (~> 3.0.10)
+  rake (~> 0.9.2)
+  rspec (~> 2.6.0)
+  rspec-rails (~> 2.6.1)

data/gemfiles/Gemfile.rails-3.1.x

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in bot-away.gemspec
+gemspec :path => ".."
+
+gem 'rails', '~> 3.1.0'
+gem 'rspec', '~> 2.6.0'
+gem 'rspec-rails', '~> 2.6.1'

data/gemfiles/Gemfile.rails-3.1.x.lock

@@ -0,0 +1,133 @@
+PATH
+  remote: /Users/colin/projects/gems/bot-away
+  specs:
+    bot-away (2.0.0)
+      actionpack (>= 2.3.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.1.0)
+      actionpack (= 3.1.0)
+      mail (~> 2.3.0)
+    actionpack (3.1.0)
+      activemodel (= 3.1.0)
+      activesupport (= 3.1.0)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.2)
+      rack-cache (~> 1.0.3)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.0)
+    activemodel (3.1.0)
+      activesupport (= 3.1.0)
+      bcrypt-ruby (~> 3.0.0)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.0)
+      activemodel (= 3.1.0)
+      activesupport (= 3.1.0)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.0)
+      activemodel (= 3.1.0)
+      activesupport (= 3.1.0)
+    activesupport (3.1.0)
+      multi_json (~> 1.0)
+    arel (2.2.1)
+    bcrypt-ruby (3.0.0)
+    builder (3.0.0)
+    capybara (1.1.2)
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      selenium-webdriver (~> 2.0)
+      xpath (~> 0.1.4)
+    childprocess (0.2.9)
+      ffi (~> 1.0.6)
+    diff-lcs (1.1.3)
+    erubis (2.7.0)
+    ffi (1.0.11)
+    hike (1.2.1)
+    i18n (0.6.0)
+    json (1.6.4)
+    mail (2.3.0)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.17.2)
+    multi_json (1.0.4)
+    nokogiri (1.5.0)
+    polyglot (0.3.3)
+    rack (1.3.2)
+    rack-cache (1.0.3)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
+      rack (>= 1.0.0)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.1.0)
+      actionmailer (= 3.1.0)
+      actionpack (= 3.1.0)
+      activerecord (= 3.1.0)
+      activeresource (= 3.1.0)
+      activesupport (= 3.1.0)
+      bundler (~> 1.0)
+      railties (= 3.1.0)
+    railties (3.1.0)
+      actionpack (= 3.1.0)
+      activesupport (= 3.1.0)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    rspec-rails (2.6.1)
+      actionpack (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
+      rspec (~> 2.6.0)
+    rubyzip (0.9.5)
+    selenium-webdriver (2.16.0)
+      childprocess (>= 0.2.5)
+      ffi (~> 1.0.9)
+      multi_json (~> 1.0.4)
+      rubyzip
+    sprockets (2.0.0)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    thor (0.14.6)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.31)
+    xpath (0.1.4)
+      nokogiri (~> 1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bot-away!
+  capybara (~> 1.1.2)
+  rails (~> 3.1.0)
+  rake (~> 0.9.2)
+  rspec (~> 2.6.0)
+  rspec-rails (~> 2.6.1)

data/lib/bot-away.rb

@@ -1,20 +1,23 @@
-$:.unshift(File.dirname(__FILE__)) unless
-  $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
-
 require 'action_controller'
 require 'action_view'
-require 'sc-core-ext'
 
 require 'bot-away/param_parser'
-require 'bot-away/action_dispatch/request'
+require 'bot-away/action_dispatch/params_parser'
 require 'bot-away/action_view/helpers/instance_tag'
 require 'bot-away/spinner'
+require 'bot-away/version'
+require 'bot-away/railtie'
 
 module BotAway
-  VERSION = File.read(File.join(File.dirname(__FILE__), "../VERSION")) unless defined?(VERSION)
+  autoload :TestCase, 'bot-away/test_case'
   
   class << self
     attr_accessor :show_honeypots, :dump_params
+    attr_writer :obfuscate_honeypot_warning_messages
+    
+    def obfuscate_honeypot_warning_messages?
+      !!@obfuscate_honeypot_warning_messages
+    end
     
     def unfiltered_params(*keys)
       unfiltered_params = instance_variable_get("@unfiltered_params") || instance_variable_set("@unfiltered_params", [])
@@ -33,7 +36,9 @@ module BotAway
     # excluded? will also check the current Rails run mode against disabled_for[:mode]
     def excluded?(options)
       options = options.stringify_keys
-      nonparams = options.stringify_keys.without('object_name', 'method_name')
+      nonparams = options.stringify_keys
+      nonparams.delete 'object_name'
+      nonparams.delete 'method_name'
       (options['object_name'] && options['method_name'] &&
               unfiltered_params_include?(options['object_name'], options['method_name'])) || disabled_for?(nonparams)
     end
@@ -55,8 +60,6 @@ module BotAway
     def disabled_for?(options)
       return false if @disabled_for.nil? || options.empty?
       options = options.stringify_keys
-#      p options
-#      p "===="
       @disabled_for.each do |set|
         if set.key?('mode')
           next unless ENV['RAILS_ENV'] == set['mode'].to_s
@@ -66,7 +69,6 @@ module BotAway
           # and that means we need to check the next few conditions.
         end
         
-#        p set
         if set.key?('controller') && set.key?('action')
           return true if set['controller'] == options['controller'] && set['action'] == options['action']
         elsif set.key?('controller') && !set.key?('action')
@@ -89,13 +91,13 @@ module BotAway
     def reset!
       self.show_honeypots = false
       self.dump_params = false
+      self.obfuscate_honeypot_warning_messages = true
       self.unfiltered_params.clear
       self.disabled_for.clear
     end
   end
 
   delegate :accepts_unfiltered_params, :unfiltered_params, :to => :"self.class"
-end
 
-# WHY do I have to do this???
-ActionView::Base.send :include, ActionView::Helpers
+  reset! # set defaults
+end

data/lib/bot-away/action_dispatch/params_parser.rb

@@ -0,0 +1,22 @@
+require 'action_dispatch/middleware/params_parser'
+
+# We're overriding ActionDispatch::ParamsParser
+# instead of just attaching a custom param parser so that others' custom param parsers can do
+# their jobs without conflict. Also, overriding the parser allows us to deobfuscate all params,
+# not just the ones I'm smart enough to predict will be used.
+class ActionDispatch::ParamsParser
+  def parse_formatted_parameters_with_deobfuscation(env)
+    request = ActionDispatch::Request.new(env)
+    params = parse_formatted_parameters_without_deobfuscation(env)
+    if params
+      BotAway::ParamParser.new(request.ip, params).params
+    else
+      request_parameters = request.parameters.dup
+      request.parameters.clear
+      request.parameters.merge! BotAway::ParamParser.new(request.ip, request_parameters).params
+      params
+    end
+  end
+
+  alias_method_chain :parse_formatted_parameters, :deobfuscation
+end

data/lib/bot-away/action_view/helpers/instance_tag.rb

@@ -1,5 +1,6 @@
 class ActionView::Helpers::InstanceTag
   attr_reader :spinner
+  attr_writer :honeypot_index
 
   def initialize_with_spinner(object_name, method_name, template_object, object = nil)
     initialize_without_spinner(object_name, method_name, template_object, object)
@@ -35,16 +36,16 @@ class ActionView::Helpers::InstanceTag
   end
   
   def honeypot_tag(name, options = nil, *args)
-    tag_without_honeypot(name, honeypot_options(options.dup? || {}), *args)
+    disguise tag_without_honeypot(name, honeypot_options(options ? options.dup : {}), *args)
   end
 
   def obfuscated_tag(name, options = nil, *args)
-    tag_without_honeypot(name, obfuscate_options(options.dup? || {}), *args)
+    tag_without_honeypot(name, obfuscate_options(options ? options.dup : {}), *args)
   end
 
   def tag_with_honeypot(name, options = nil, *args)
     if spinner
-      obfuscated_tag(name, options, *args) + disguise(honeypot_tag(name, options, *args))
+      obfuscated_tag(name, options, *args) + honeypot_tag(name, options, *args)
     else
       tag_without_honeypot(name, options, *args)
     end
@@ -66,6 +67,9 @@ class ActionView::Helpers::InstanceTag
     add_default_name_and_id_for_value(tag_value, name_and_id)
     options["for"] ||= name_and_id["id"]
     options["for"] = spinner.encode(options["for"]) if spinner && options["for"]
+    # TODO ideas for future implementation, but they may break nested tags
+    # escaped_reversed_text = text.to_s.reverse.chars.collect { |b| "&#x#{b.ord.to_s(16)};" }.join
+    # text = '<bdo dir="rtl">'.html_safe + escaped_reversed_text + '</bdo>'.html_safe
     to_label_tag_without_obfuscation(text, options)
   end
 
@@ -76,7 +80,7 @@ class ActionView::Helpers::InstanceTag
       # this should cover all Rails selects.
       if spinner && options && (options.keys.include?('id') || options.keys.include?('name'))
         if name == 'select' && !content_or_options_with_block.empty?
-          content = '<option selected value=""></option>'
+          content = '<option selected value=""></option>'.html_safe
         else
           content = ""
         end
@@ -92,18 +96,38 @@ class ActionView::Helpers::InstanceTag
   alias_method_chain :tag, :honeypot
   alias_method_chain :to_label_tag, :obfuscation
   alias_method_chain :content_tag, :obfuscation
-
+  
   def disguise(element)
     return element.replace("Honeypot(#{element})") if BotAway.show_honeypots
-    case rand(3)
+    # TODO a way to customize the hidden tags too
+    case honeypot_index % 3
       when 0 # Hidden
-        element.replace "<div style='display:none;'>Leave this empty: #{element}</div>"
+        element.replace "<div style='display:none;'>#{honeypot_warning_tag}#{element}</div>"
       when 1 # Off-screen
-        element.replace "<div style='position:absolute;left:-1000px;top:-1000px;'>Don't fill this in: #{element}</div>"
-      when 2 # Negligible size
-        element.replace "<div style='position:absolute;width:0px;height:1px;z-index:-1;color:transparent;overflow:hidden;'>Keep this blank: #{element}</div>"
-      else # this should never happen?
-        disguise(element)
+        element.replace "<div style='position:absolute;left:-1000px;top:-1000px;'>#{honeypot_warning_tag}#{element}</div>"
+      else   # Negligible size
+        element.replace "<div style='position:absolute;width:0px;height:1px;z-index:-1;color:transparent;overflow:hidden;'>#{honeypot_warning_tag}#{element}</div>"
+    end
+  end
+  
+  def honeypot_index
+    @honeypot_index || rand(I18n.t("bot_away.number_of_honeypot_warning_messages").to_i) + 1
+  end
+
+  def honeypot_warning_message
+    warning = I18n.t "bot_away.honeypot_warning_#{honeypot_index}"
+    if BotAway.obfuscate_honeypot_warning_messages?
+      warning.reverse.chars.collect { |b| "&#x#{b.ord.to_s(16)};" }.join
+    else
+      warning.html_safe
+    end
+  end
+  
+  def honeypot_warning_tag
+    if BotAway.obfuscate_honeypot_warning_messages?
+      "<bdo dir=\"rtl\">#{honeypot_warning_message}</bdo>".html_safe
+    else
+      honeypot_warning_message
     end
   end
 end