bot-away 1.2.0 → 2.0.0

data/spec/integration/params_post_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe "post data with params" do
+  before do
+    visit '/tests/model_form'
+    # puts page.body
+  end
+  
+  describe "filling in a honeypot" do
+    before do
+      fill_in 'post[subject]', :with => "this is a subject"
+      click_button 'submit'
+    end
+    
+    it "should be considered a bot" do
+      page.should have_content('suspected_bot')
+    end
+    
+    it "should not include legit params" do
+      page.should_not have_content("subject:")
+    end
+    
+    it "should drop data from the honeypots" do
+      page.should_not have_content("this is a subject")
+    end
+  end
+
+  describe "filling in a legit field" do
+    before do
+      fill_in '00a1168ac1379bdbe9b59e678fe486b1', :with => "this is a subject"
+      click_button 'submit'
+    end
+    
+    it "should have kept legit data" do
+      page.should have_content('this is a subject')
+    end
+    
+    it "should not be considered a bot" do
+      page.should_not have_content('suspected_bot')
+    end
+  end
+end

data/spec/lib/action_view/helpers/instance_tag_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe ActionView::Helpers::InstanceTag do
+  include BotAway::TestCase::InstanceTagTestCase
+
+  subject { default_instance_tag }
+  
+  context "honeypot" do
+    subject { default_instance_tag.honeypot_tag(:input, :type => :text, :name => 'name') }
+    it { should be_html_safe }
+  end
+  
+  it "should have bdo in the instance tag" do
+    subject.tag(:input, :type => :text).to_s.should =~ /<bdo/
+  end
+
+  context "honeypot warning text" do
+    before { default_instance_tag.honeypot_index = 1 } # always produce the same honeypot
+    subject { default_instance_tag.honeypot_warning_tag }
+    
+    it "should obfuscate honeypot warning text" do
+      # 'Leave this empty: ' reversed and then converted to HTML escaped unicode:
+      subject.should =~ /#{Regexp::escape '&#x20;&#x3a;&#x79;&#x74;&#x70;&#x6d;&#x65;&#x20;&#x73;&#x69;&#x68;&#x74;&#x20;&#x65;&#x76;&#x61;&#x65;&#x4c;'}/
+    end
+    
+    context "with honeypot warning obfuscation disabled" do
+      before { BotAway.obfuscate_honeypot_warning_messages = false }
+      
+      it "should not obfuscate honeypot warning text" do
+        subject.should =~ /Leave this empty: /
+      end
+    end
+  
+    it "should use bdo to display honeypot warning text accurately" do
+      subject.should match(/<bdo dir=['"]rtl["']>.*?<\/bdo>/)
+    end
+    
+    context "I18n" do
+      it "should allow overridden honeypot warning" do
+        default_instance_tag.honeypot_index = 2
+        CGI.unescapeHTML(default_instance_tag.honeypot_warning_message).reverse.should == "Overridden honeypot warning"
+      end
+      
+      it "shold allow additional honeypot warnings" do
+        I18n.t('bot_away.number_of_honeypot_warning_messages').to_i.should == 4
+        
+        default_instance_tag.honeypot_index = 4
+        CGI.unescapeHTML(default_instance_tag.honeypot_warning_message).reverse.should == "Additional honeypot warning"
+      end
+    end
+  end
+  
+  context "with a valid text area tag" do
+    subject do
+      dump { default_instance_tag.to_text_area_tag }
+    end
+
+    it "should produce blank honeypot value" do
+      subject.should_not =~ /name="object_name\[method_name\]"[^>]+>method_value<\/textarea>/
+    end
+  end
+
+  context "with a valid input type=text tag" do
+    before(:each) { @tag_options = ["input", {:type => 'text', 'name' => 'object_name[method_name]', 'id' => 'object_name_method_name', 'value' => 'method_value'}] }
+    
+    it "should turn off autocomplete for honeypots" do
+      subject.honeypot_tag(*@tag_options).should =~ /autocomplete="off"/
+    end
+
+    it "should obfuscate tag name" do
+      subject.obfuscated_tag(*@tag_options).should =~ /name="#{obfuscated_name}"/
+    end
+
+    it "should obfuscate tag id" do
+      subject.obfuscated_tag(*@tag_options).should =~ /id="#{obfuscated_id}"/
+    end
+
+    it "should include unobfuscated tag value" do
+      subject.obfuscated_tag(*@tag_options).should =~ /value="method_value"/
+    end
+
+    it "should create honeypot name" do
+      subject.honeypot_tag(*@tag_options).should =~ /name="object_name\[method_name\]"/
+    end
+
+    it "should create honeypot id" do
+      subject.honeypot_tag(*@tag_options).should =~ /id="object_name_method_name"/
+    end
+
+    it "should create empty honeypot tag value" do
+      subject.honeypot_tag(*@tag_options).should =~ /value=""/
+    end
+  end
+end

data/spec/{views/lib → lib/action_view}/param_parser_spec.rb

@@ -8,23 +8,23 @@ describe BotAway::ParamParser do
            }.merge(honeypots).with_indifferent_access
   end
 
-  before(:each) do
+  before do
     # Root level is encoded with 208.77.188.166/test/1234
     #    which resolves to a spinner digest of 86ba3fd99e851587a849ad9ed9817f9b
     @ip = '208.77.188.166'
-    @params = params('test' => { 'name' => '', 'posts' => [] })
+    params('test' => { 'name' => '', 'posts' => [] })
   end
 
-  subject { dump { BotAway::ParamParser.new(@ip, @params) } }
+  subject { BotAway::ParamParser.new(@ip, @params) }
   
   it "should default BotAway.dump_params => false" do
     (!!BotAway.dump_params).should == false
   end
   
   context "with dump_params == true" do
-    before(:each) { BotAway.dump_params = true }
-    after(:each) { BotAway.dump_params = false }
-    
+    before { BotAway.dump_params = true  }
+    after  { BotAway.dump_params = false }
+
     it "should dump params as debug to Rails logger" do
       @params = { 'test' => "hello", :posts => [1] }
       Rails.logger.should_receive(:debug).exactly(3).times #with(@params.inspect)
@@ -53,8 +53,8 @@ describe BotAway::ParamParser do
   end
 
   context "with a filled honeypot" do
-    before(:each) { @params = params({'test' => {'name' => 'colin', 'posts' => []}}) }
-    subject { dump { BotAway::ParamParser.new(@ip, @params) } }
+    before { params({'test' => {'name' => 'colin', 'posts' => []}}) }
+    subject { BotAway::ParamParser.new(@ip, @params) }
 
     it "drops all parameters" do
       subject.params.should == { "suspected_bot" => true }
@@ -62,8 +62,8 @@ describe BotAway::ParamParser do
   end
 
   context "with a filled sub-honeypot" do
-    before(:each) { @params = params({'test' => {'name' => '', 'posts' => [1, 2]}}) }
-    subject {  dump { BotAway::ParamParser.new(@ip, @params) } }
+    before { params({'test' => {'name' => '', 'posts' => [1, 2]}}) }
+    subject { BotAway::ParamParser.new(@ip, @params) }
 
     it "drops all parameters" do
       subject.params.should == { "suspected_bot" => true }

data/spec/spec_helper.rb

@@ -1,113 +1,45 @@
-ENV['RAILS_ENV'] ||= 'test'
-
-require 'rubygems'
-require 'action_controller'
-require 'action_view'
-
-begin
-  # rails 2.x
-  ActionController::Routing::Routes.load!
-  ActionController::Base.session = { :key => "_myapp_session", :secret => "12345"*6 }
-  ActionController::Base.view_paths << File.expand_path(File.join(File.dirname(__FILE__), "support/views"))
-  RAILS_VERSION = "2.3"
-rescue
-  # rails 3
-  #require 'active_record/railtie'
-  require 'action_controller/railtie'
-  require 'action_mailer/railtie'
-  require 'active_resource/railtie'
-  require 'rails/test_unit/railtie'
-
-  # stub out the csrf token so that it always produces a predictable (testable) result
-  module ActionView
-    # = Action View CSRF Helper
-    module Helpers
-      module CsrfHelper
-        # Returns a meta tag with the cross-site request forgery protection token
-        # for forms to use. Place this in your head.
-        def csrf_meta_tag
-          if protect_against_forgery?
-            %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="1234"/>).html_safe
-          end
-        end
-      end
-    end
-  end
-
-  class BotAwayApp < Rails::Application
-    config.session_store :cookie_store, :key => "_myapp_session", :secret => "12345"*6
-    paths.app.views = File.expand_path(File.join(File.dirname(__FILE__), "support/views"))
-    config.active_support.deprecation = :stderr
-  end
-  BotAwayApp.initialize!
-  BotAwayApp.routes.draw do
-    match '/:controller/:action'
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path("../gemfiles/Gemfile.rails-3.1.x", File.dirname(__FILE__))
+require 'bundler'
+Bundler.setup
+
+ENV['RAILS_ENV'] = 'development'
+
+require 'rails'
+require 'active_support/secure_random'
+require 'action_controller/railtie'
+require 'action_mailer/railtie'
+require 'active_resource/railtie'
+require 'bot-away'
+
+class BotAway::TestRailsApp < Rails::Application
+  base = File.expand_path("test_rails_app", File.dirname(__FILE__))
+  config.secret_token = "some secret phrase of at least 30 characters" * 30
+  config.active_support.deprecation = :log
+  config.paths['app/controllers'] = File.join(base, 'app/controllers')
+  config.paths['app/views']       = File.join(base, 'app/views')
+  config.paths['config/locales']  = File.join(base, 'config/locales/bot-away-overrides.yml')
+  if Rails::VERSION::MINOR == 0 # rails 3.0.x
+    config.paths.app.views        = File.join(base, 'app/views')
+    config.paths.config.locales   = File.join(base, 'config/locales/bot-away-overrides.yml')
   end
-  
-  RAILS_VERSION = "3.0"
 end
 
-require File.join(File.dirname(__FILE__), '../lib/bot-away')
-require File.join(File.dirname(__FILE__), "rspec_version")
-
-class MockObject
-  attr_accessor :method_name
-  
-  def id
-    1
-  end
-  
-  # for testing grouped_collection_select
-  def object_name
-    [self]
-  end
-
-  def initialize
-    @method_name = 'method_value'
-  end
-end
+BotAway::TestRailsApp.initialize!
+Rails.application.routes.draw { match '/:controller/:action' }
+Rails.application.routes.finalize!
+Dir[File.expand_path('test_rails_app/**/*.rb', File.dirname(__FILE__))].each { |f| require f }
 
+require 'rspec/rails'
+require 'capybara/rails'
 
-if RSPEC_VERSION < "2.0"
-  Spec::Runner.configure do |config|
-    config.before(:each) do
-      BotAway.reset!
-    end
+RSpec.configure do |config|
+  config.before do
+    # for the CSRF token, which BA uses as a seed
+    SecureRandom.stub!(:base64).and_return("1234")
+    # reset any config changes
+    BotAway.reset!
+    enable_forgery_protection
   end
-  
-  if defined?(ActionController::TestProcess)
-    # note that this only matters for TEST requests; real ones use the params parser.
-    module ActionController::TestProcess
-      def process_with_deobfuscation(action, parameters = nil, session = nil, flash = nil, http_method = 'GET')
-        process_without_deobfuscation(action, parameters, session, flash, http_method)
-        @request.parameters.replace(BotAway::ParamParser.new(@request.ip, @request.params).params)
-      end
-    
-      alias_method_chain :process, :deobfuscation
-    end
-  end
-else
-  require 'rspec/rails'
-  
-  # note that this only matters for TEST requests; real ones use the params parser.
-  module ActionController::TestCase::Behavior
-    def process_with_deobfuscation(action, parameters = nil, session = nil, flash = nil, http_method = 'GET')
-      process_without_deobfuscation(action, parameters, session, flash, http_method)
-      request.parameters.replace(BotAway::ParamParser.new(request.ip, request.params).params)
-    end
-    
-    alias_method_chain :process, :deobfuscation
-  end
-      
-  RSpec.configure do |config|
-    config.before(:each) do
-      BotAway.reset!
-      # BotAway doesn't work without forgery protection, and RSpec-Rails 2 disables it. Lost way too many hours on this.
-      ActionController::Base.allow_forgery_protection = true
-    end
-  end
-end
 
-Dir[File.join(File.dirname(__FILE__), 'support/**/*.rb')].each do |fi|
-  require fi
+  config.include BotAway::TestCase
 end

data/spec/test_rails_app/app/controllers/tests_controller.rb

@@ -0,0 +1,11 @@
+class TestsController < ActionController::Base
+  protect_from_forgery
+  
+  def model_form
+    @post = Post.new
+  end
+
+  def proc_form
+    render :text => params.to_yaml
+  end
+end

data/spec/test_rails_app/app/models/post.rb

@@ -0,0 +1,13 @@
+class Post
+  attr_reader :subject, :body, :subscribers
+  
+  def subscribers
+    []
+  end
+  
+  extend ActiveModel::Naming
+  
+  def to_key
+    [1]
+  end
+end

data/spec/test_rails_app/app/views/tests/basic_form.html.erb

@@ -0,0 +1,5 @@
+<%= form_for :user do |f| %>
+  <%= f.text_field :login %>
+  <%= f.password_field :password %>
+  <%= f.submit %>
+<% end %>

data/spec/test_rails_app/app/views/tests/model_form.html.erb

@@ -0,0 +1,12 @@
+<%= form_for @post, :url => url_for('proc_form') do |f| %>
+  <p>
+    <%= f.label :subject %><br/>
+    <%= f.text_field :subject %>
+  </p>
+  
+  <p>
+    <%= f.select :subscribers, [["one", '1'], ['two', '2']] %>
+  </p>
+  
+  <%= f.submit 'submit' %>
+<%end%>

data/spec/test_rails_app/config/locales/bot-away-overrides.yml

@@ -0,0 +1,6 @@
+en:
+  bot_away:
+    number_of_honeypot_warning_messages: 4
+    honeypot_warning_2: "Overridden honeypot warning"
+    honeypot_warning_4: "Additional honeypot warning"
+    

data/spec/views/form_builder_spec.rb

@@ -0,0 +1,118 @@
+require 'spec_helper'
+
+describe ActionView::Helpers::FormBuilder do
+  include BotAway::TestCase::Matchers
+  
+  it "should not create honeypots with default values" do
+    builder.text_field(method_name).should match(/name="object_name\[method_name\]"[^>]*?value=""/)
+  end
+  
+  context "with BotAway.show_honeypots == true" do
+    before { BotAway.show_honeypots = true }
+    after { BotAway.show_honeypots = false }
+    
+    it "should not disguise honeypots" do
+      builder.text_area(method_name).should_not match(/<\/div>/)
+    end
+  end
+
+  it "should not obfuscate names that have been explicitly ignored" do
+    BotAway.accepts_unfiltered_params 'method_name'
+    builder.text_field('method_name').should_not match(/name="#{obfuscated_name}/)
+    BotAway.unfiltered_params.delete 'method_name'
+  end
+  
+  shared_examples_for "an obfuscated tag" do
+    it { should be_obfuscated }
+    it { should include_honeypot }
+  end
+  
+  shared_examples_for "an obfuscated select tag" do
+    it_should_behave_like "an obfuscated tag"
+    
+    it "should fill honeypots with html-safe options" do
+      subject.to_s.should match(/<select[^>]*><option[^>]*><\/option>/)
+    end
+  end
+  
+  # select(method, options)
+  context '#select' do
+    context "with options" do
+      subject { builder.select(method_name, {1 => :a, 2 => :b}) }
+      it_should_behave_like "an obfuscated select tag"
+    end
+  end
+  
+  # collection_select(method, collection, value_method, text_method, options = {}, html_options = {})
+  context '#collection_select' do
+    subject { builder.collection_select method_name, [mock_object], :method_name, :method_name }
+    it_should_behave_like "an obfuscated select tag"
+  end
+  
+  # grouped_collection_select(method, collection, group_method, group_label_method, option_key_method,
+  #                           option_value_method, options = {}, html_options = {})
+  context '#grouped_collection_select' do
+    subject { builder.grouped_collection_select method_name, [mock_object], object_name, method_name, method_name, :to_s }
+    it_should_behave_like "an obfuscated select tag"
+  end
+  
+  # time_zone_select(method, priority_zones = nil, options = {}, html_options = {})
+  context '#time_zone_select' do
+    subject { builder.time_zone_select method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+
+  context '#hidden_field' do
+    subject { builder.hidden_field method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+
+  context '#text_field' do
+    subject { builder.text_field method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+
+  context '#text_area' do
+    subject { builder.text_area method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+
+  context '#file_filed' do
+    subject { builder.file_field method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+
+  context '#password_field' do
+    subject { builder.password_field method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+
+  context '#check_box' do
+    subject { builder.check_box method_name }
+    it_should_behave_like "an obfuscated tag"
+  end
+  
+  context '#radio_button' do
+    subject { builder.radio_button method_name, :value }
+    it { should be_obfuscated_as obfuscated_name, '767c870add970ab6d64803043c4ccfbb' }
+    it { should include_honeypot_called tag_name, tag_id+'_value' }
+  end
+
+  context '#label' do
+    subject { builder.label method_name, :for => tag_id }
+    
+    it "links labels to their obfuscated elements" do
+      subject.should match(/for=["']#{obfuscated_id}['"]/)
+    end
+    
+    # TODO ideas for future implementation, but they may break nested tags
+    # it "obfuscates label text using bdo dir" do
+    #   subject.should match(/<bdo dir=['"]rtl["']/)
+    # end
+    # 
+    # it "uses reversed unicode entities for label text" do
+    #   # method_name => reversed(eman_dohtem)
+    #   subject.should match("&#x65;&#x6d;&#x61;&#x6e;&#x5f;&#x64;&#x6f;&#x68;&#x74;&#x65;&#x6d;")
+    # end
+  end
+end