bot-away 1.2.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. data/.travis.yml +14 -0
  2. data/History.txt +20 -0
  3. data/README.md +198 -0
  4. data/Rakefile +14 -94
  5. data/bot-away.gemspec +20 -87
  6. data/gemfiles/Gemfile.rails-3.0.x +8 -0
  7. data/gemfiles/Gemfile.rails-3.0.x.lock +121 -0
  8. data/gemfiles/Gemfile.rails-3.1.x +8 -0
  9. data/gemfiles/Gemfile.rails-3.1.x.lock +133 -0
  10. data/lib/bot-away.rb +15 -13
  11. data/lib/bot-away/action_dispatch/params_parser.rb +22 -0
  12. data/lib/bot-away/action_view/helpers/instance_tag.rb +36 -12
  13. data/lib/bot-away/param_parser.rb +2 -2
  14. data/lib/bot-away/railtie.rb +10 -0
  15. data/lib/bot-away/test_case.rb +58 -0
  16. data/lib/bot-away/test_case/controller_test_case.rb +11 -0
  17. data/lib/bot-away/test_case/instance_tag_test_case.rb +15 -0
  18. data/lib/bot-away/test_case/matchers.rb +20 -0
  19. data/lib/bot-away/test_case/matchers/honeypot_matcher.rb +30 -0
  20. data/lib/bot-away/test_case/matchers/obfuscation_matcher.rb +30 -0
  21. data/lib/bot-away/test_case/mock_object.rb +16 -0
  22. data/lib/bot-away/version.rb +12 -0
  23. data/lib/locale/honeypots.yml +6 -0
  24. data/spec/controllers/basic_form_view_spec.rb +112 -0
  25. data/spec/controllers/{test_controller_spec.rb → tests_controller_spec.rb} +29 -80
  26. data/spec/integration/params_post_spec.rb +42 -0
  27. data/spec/lib/action_view/helpers/instance_tag_spec.rb +94 -0
  28. data/spec/{views/lib → lib/action_view}/param_parser_spec.rb +10 -10
  29. data/spec/spec_helper.rb +37 -105
  30. data/spec/test_rails_app/app/controllers/tests_controller.rb +11 -0
  31. data/spec/test_rails_app/app/models/post.rb +13 -0
  32. data/spec/test_rails_app/app/views/tests/basic_form.html.erb +5 -0
  33. data/spec/test_rails_app/app/views/tests/model_form.html.erb +12 -0
  34. data/spec/test_rails_app/config/locales/bot-away-overrides.yml +6 -0
  35. data/spec/views/form_builder_spec.rb +118 -0
  36. metadata +94 -137
  37. data/Manifest.txt +0 -23
  38. data/README.rdoc +0 -179
  39. data/VERSION +0 -1
  40. data/lib/bot-away/action_dispatch/request.rb +0 -20
  41. data/spec/rspec_version.rb +0 -19
  42. data/spec/support/honeypot_matcher.rb +0 -30
  43. data/spec/support/obfuscation_helper.rb +0 -123
  44. data/spec/support/obfuscation_matcher.rb +0 -28
  45. data/spec/support/rails/mock_logger.rb +0 -21
  46. data/spec/support/test_controller.rb +0 -28
  47. data/spec/support/views/test/index.html.erb +0 -4
  48. data/spec/support/views/test/model_form.html.erb +0 -6
  49. data/spec/views/lib/action_view/helpers/instance_tag_spec.rb +0 -75
  50. data/spec/views/lib/disabled_for_spec.rb +0 -101
  51. data/spec/views/lib/form_builder_spec.rb +0 -56
metadata CHANGED
@@ -1,179 +1,136 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: bot-away
3
- version: !ruby/object:Gem::Version
4
- prerelease: false
5
- segments:
6
- - 1
7
- - 2
8
- - 0
9
- version: 1.2.0
3
+ version: !ruby/object:Gem::Version
4
+ version: 2.0.0
5
+ prerelease:
10
6
  platform: ruby
11
- authors:
7
+ authors:
12
8
  - Colin MacKenzie IV
13
9
  autorequire:
14
10
  bindir: bin
15
11
  cert_chain: []
16
-
17
- date: 2010-10-14 00:00:00 -04:00
18
- default_executable:
19
- dependencies:
20
- - !ruby/object:Gem::Dependency
12
+ date: 2012-01-14 00:00:00.000000000Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
21
15
  name: actionpack
22
- prerelease: false
23
- requirement: &id001 !ruby/object:Gem::Requirement
16
+ requirement: &2156004240 !ruby/object:Gem::Requirement
24
17
  none: false
25
- requirements:
26
- - - ">="
27
- - !ruby/object:Gem::Version
28
- segments:
29
- - 2
30
- - 3
31
- - 5
18
+ requirements:
19
+ - - ! '>='
20
+ - !ruby/object:Gem::Version
32
21
  version: 2.3.5
33
22
  type: :runtime
34
- version_requirements: *id001
35
- - !ruby/object:Gem::Dependency
36
- name: sc-core-ext
37
- prerelease: false
38
- requirement: &id002 !ruby/object:Gem::Requirement
39
- none: false
40
- requirements:
41
- - - ">="
42
- - !ruby/object:Gem::Version
43
- segments:
44
- - 1
45
- - 1
46
- - 1
47
- version: 1.1.1
48
- type: :runtime
49
- version_requirements: *id002
50
- - !ruby/object:Gem::Dependency
51
- name: jeweler
52
23
  prerelease: false
53
- requirement: &id003 !ruby/object:Gem::Requirement
24
+ version_requirements: *2156004240
25
+ - !ruby/object:Gem::Dependency
26
+ name: rake
27
+ requirement: &2156001080 !ruby/object:Gem::Requirement
54
28
  none: false
55
- requirements:
56
- - - ">="
57
- - !ruby/object:Gem::Version
58
- segments:
59
- - 1
60
- - 4
61
- - 0
62
- version: 1.4.0
29
+ requirements:
30
+ - - ~>
31
+ - !ruby/object:Gem::Version
32
+ version: 0.9.2
63
33
  type: :development
64
- version_requirements: *id003
65
- - !ruby/object:Gem::Dependency
66
- name: rspec
67
34
  prerelease: false
68
- requirement: &id004 !ruby/object:Gem::Requirement
35
+ version_requirements: *2156001080
36
+ - !ruby/object:Gem::Dependency
37
+ name: capybara
38
+ requirement: &2155998940 !ruby/object:Gem::Requirement
69
39
  none: false
70
- requirements:
71
- - - ">="
72
- - !ruby/object:Gem::Version
73
- segments:
74
- - 1
75
- - 3
76
- - 0
77
- version: 1.3.0
40
+ requirements:
41
+ - - ~>
42
+ - !ruby/object:Gem::Version
43
+ version: 1.1.2
78
44
  type: :development
79
- version_requirements: *id004
80
- - !ruby/object:Gem::Dependency
81
- name: rspec-rails
82
45
  prerelease: false
83
- requirement: &id005 !ruby/object:Gem::Requirement
84
- none: false
85
- requirements:
86
- - - ">="
87
- - !ruby/object:Gem::Version
88
- segments:
89
- - 1
90
- - 3
91
- - 2
92
- version: 1.3.2
93
- type: :development
94
- version_requirements: *id005
95
- description: Unobtrusively detects form submissions made by spambots, and silently drops those submissions.
96
- email: sinisterchipmunk@gmail.com
46
+ version_requirements: *2155998940
47
+ description: Unobtrusively detects form submissions made by spambots, and silently
48
+ drops those submissions.
49
+ email:
50
+ - sinisterchipmunk@gmail.com
97
51
  executables: []
98
-
99
52
  extensions: []
100
-
101
- extra_rdoc_files:
53
+ extra_rdoc_files:
102
54
  - LICENSE
103
- - README.rdoc
104
- files:
55
+ - README.md
56
+ - History.txt
57
+ files:
105
58
  - .gitignore
59
+ - .travis.yml
106
60
  - History.txt
107
61
  - LICENSE
108
- - Manifest.txt
109
- - README.rdoc
62
+ - README.md
110
63
  - Rakefile
111
- - VERSION
112
64
  - bot-away.gemspec
65
+ - gemfiles/Gemfile.rails-3.0.x
66
+ - gemfiles/Gemfile.rails-3.0.x.lock
67
+ - gemfiles/Gemfile.rails-3.1.x
68
+ - gemfiles/Gemfile.rails-3.1.x.lock
113
69
  - lib/bot-away.rb
114
- - lib/bot-away/action_dispatch/request.rb
70
+ - lib/bot-away/action_dispatch/params_parser.rb
115
71
  - lib/bot-away/action_view/helpers/instance_tag.rb
116
72
  - lib/bot-away/param_parser.rb
73
+ - lib/bot-away/railtie.rb
117
74
  - lib/bot-away/spinner.rb
75
+ - lib/bot-away/test_case.rb
76
+ - lib/bot-away/test_case/controller_test_case.rb
77
+ - lib/bot-away/test_case/instance_tag_test_case.rb
78
+ - lib/bot-away/test_case/matchers.rb
79
+ - lib/bot-away/test_case/matchers/honeypot_matcher.rb
80
+ - lib/bot-away/test_case/matchers/obfuscation_matcher.rb
81
+ - lib/bot-away/test_case/mock_object.rb
82
+ - lib/bot-away/version.rb
83
+ - lib/locale/honeypots.yml
118
84
  - script/console
119
85
  - script/destroy
120
86
  - script/generate
121
- - spec/controllers/test_controller_spec.rb
122
- - spec/rspec_version.rb
87
+ - spec/controllers/basic_form_view_spec.rb
88
+ - spec/controllers/tests_controller_spec.rb
89
+ - spec/integration/params_post_spec.rb
90
+ - spec/lib/action_view/helpers/instance_tag_spec.rb
91
+ - spec/lib/action_view/param_parser_spec.rb
123
92
  - spec/spec_helper.rb
124
- - spec/support/honeypot_matcher.rb
125
- - spec/support/obfuscation_helper.rb
126
- - spec/support/obfuscation_matcher.rb
127
- - spec/support/rails/mock_logger.rb
128
- - spec/support/test_controller.rb
129
- - spec/support/views/test/index.html.erb
130
- - spec/support/views/test/model_form.html.erb
131
- - spec/views/lib/action_view/helpers/instance_tag_spec.rb
132
- - spec/views/lib/disabled_for_spec.rb
133
- - spec/views/lib/form_builder_spec.rb
134
- - spec/views/lib/param_parser_spec.rb
135
- has_rdoc: true
136
- homepage: http://www.thoughtsincomputation.com
93
+ - spec/test_rails_app/app/controllers/tests_controller.rb
94
+ - spec/test_rails_app/app/models/post.rb
95
+ - spec/test_rails_app/app/views/tests/basic_form.html.erb
96
+ - spec/test_rails_app/app/views/tests/model_form.html.erb
97
+ - spec/test_rails_app/config/locales/bot-away-overrides.yml
98
+ - spec/views/form_builder_spec.rb
99
+ homepage: http://github.com/sinisterchipmunk/bot-away
137
100
  licenses: []
138
-
139
101
  post_install_message:
140
- rdoc_options:
141
- - --charset=UTF-8
142
- require_paths:
102
+ rdoc_options: []
103
+ require_paths:
143
104
  - lib
144
- required_ruby_version: !ruby/object:Gem::Requirement
105
+ required_ruby_version: !ruby/object:Gem::Requirement
145
106
  none: false
146
- requirements:
147
- - - ">="
148
- - !ruby/object:Gem::Version
149
- segments:
150
- - 0
151
- version: "0"
152
- required_rubygems_version: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ! '>='
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ required_rubygems_version: !ruby/object:Gem::Requirement
153
112
  none: false
154
- requirements:
155
- - - ">="
156
- - !ruby/object:Gem::Version
157
- segments:
158
- - 0
159
- version: "0"
113
+ requirements:
114
+ - - ! '>='
115
+ - !ruby/object:Gem::Version
116
+ version: '0'
160
117
  requirements: []
161
-
162
- rubyforge_project:
163
- rubygems_version: 1.3.7
118
+ rubyforge_project: bot-away
119
+ rubygems_version: 1.8.10
164
120
  signing_key:
165
121
  specification_version: 3
166
- summary: Unobtrusively detects form submissions made by spambots, and silently drops those submissions.
167
- test_files:
168
- - spec/controllers/test_controller_spec.rb
169
- - spec/rspec_version.rb
122
+ summary: Unobtrusively detects form submissions made by spambots, and silently drops
123
+ those submissions.
124
+ test_files:
125
+ - spec/controllers/basic_form_view_spec.rb
126
+ - spec/controllers/tests_controller_spec.rb
127
+ - spec/integration/params_post_spec.rb
128
+ - spec/lib/action_view/helpers/instance_tag_spec.rb
129
+ - spec/lib/action_view/param_parser_spec.rb
170
130
  - spec/spec_helper.rb
171
- - spec/support/honeypot_matcher.rb
172
- - spec/support/obfuscation_helper.rb
173
- - spec/support/obfuscation_matcher.rb
174
- - spec/support/rails/mock_logger.rb
175
- - spec/support/test_controller.rb
176
- - spec/views/lib/action_view/helpers/instance_tag_spec.rb
177
- - spec/views/lib/disabled_for_spec.rb
178
- - spec/views/lib/form_builder_spec.rb
179
- - spec/views/lib/param_parser_spec.rb
131
+ - spec/test_rails_app/app/controllers/tests_controller.rb
132
+ - spec/test_rails_app/app/models/post.rb
133
+ - spec/test_rails_app/app/views/tests/basic_form.html.erb
134
+ - spec/test_rails_app/app/views/tests/model_form.html.erb
135
+ - spec/test_rails_app/config/locales/bot-away-overrides.yml
136
+ - spec/views/form_builder_spec.rb
@@ -1,23 +0,0 @@
1
- History.txt
2
- Manifest.txt
3
- README.rdoc
4
- Rakefile
5
- lib/bot-away.rb
6
- lib/bot-away/action_controller/request.rb
7
- lib/bot-away/action_view/helpers/instance_tag.rb
8
- lib/bot-away/param_parser.rb
9
- lib/bot-away/spinner.rb
10
- script/console
11
- script/destroy
12
- script/generate
13
- spec/controllers/test_controller_spec.rb
14
- spec/lib/action_view/helpers/instance_tag_spec.rb
15
- spec/lib/builder_spec.rb
16
- spec/lib/param_parser_spec.rb
17
- spec/spec_helper.rb
18
- spec/support/controllers/test_controller.rb
19
- spec/support/honeypot_matcher.rb
20
- spec/support/obfuscation_helper.rb
21
- spec/support/obfuscation_matcher.rb
22
- spec/support/views/test/index.html.erb
23
- spec/support/views/test/model_form.html.erb
@@ -1,179 +0,0 @@
1
- = bot-away
2
-
3
- * http://github.com/sinisterchipmunk/bot-away
4
-
5
- Unobtrusively detects form submissions made by spambots, and silently drops those submissions. The key word here is
6
- "unobtrusive" -- this is NOT a CAPTCHA. This is a transparent, modular implementation of the bot-catching techniques
7
- discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html.
8
-
9
- == How It Works
10
-
11
- If a bot submission is detected, the params hash is cleared, so the data can't be used. Since this includes the
12
- authenticity token, Rails should complain about an invalid or missing authenticity token. Congrats, spam blocked.
13
-
14
- The specifics of the techniques employed for filtering spambots are discussed Ned's site in the description; however,
15
- here's a brief run-down of what's going on:
16
-
17
- * Your code stays the same. After the Bot-Away gem has been activated, all Rails-generated forms on your site
18
- will automatically be transformed into bot-resistent forms.
19
- * All of the form elements that you create (for instance, a "comment" model with a "body" field) are turned into
20
- dummy elements, or honeypots, and are made invisible to the end user. This is done using div elements and inline CSS
21
- stylesheets (I decided against a JavaScript option because it's the most likely to be disabled on a legitimate
22
- client). There are several ways an element can be hidden, and these approaches are chosen at random to help
23
- minimize predictability.
24
-
25
- In the rare event that a real user actually can see the element, it has a label next to it
26
- along the lines of "Leave this blank" -- though the exact message is randomized to help prevent detection.
27
- * All of the form elements are mirrored by hashes. The hashes are generated using the session's authenticity token,
28
- so they can't be predicted.
29
- * When data is submitted, Bot-Away steps in and
30
- 1. validates that no honeypots have been filled in; and
31
- 2. converts the hashed elements back into the field names that you are expecting (replacing the honeypot fields). Your
32
- code is never aware of the difference; it's just business as usual as long as the user is legitimate.
33
- * If a honeypot has been filled in, or a hashed element is missing where it was expected, then the request is
34
- considered to be either spam, or tampered with; and the entire params hash is emptied. Since this happens at the
35
- lowest level, the most likely result is that Rails will complain that the user's authenticity token is invalid. If
36
- that does not happen, then your code will be passed a params hash containing only a "suspected_bot" key, and an error
37
- will result. Either way, the spambot has been foiled!
38
-
39
- == Installation:
40
-
41
- * gem install bot-away
42
-
43
- == Usage:
44
-
45
- Whether you're on Rails 2 or Rails 3, adding Bot-Away to your project is as easy as telling Rails where to find it.
46
-
47
- === Rails 2.x
48
-
49
- In your Rails config/environment.rb:
50
-
51
- config.gem 'bot-away'
52
-
53
- === Rails 3
54
-
55
- In your Gemfile:
56
-
57
- gem 'bot-away'
58
-
59
- That's it.
60
-
61
- == Whitelists
62
-
63
- Sometimes you don't care about whether or not a bot is filling out a particular form. Even more, sometimes it's
64
- preferable to make a form bot-friendly. I'm talking specifically about login forms, where all sorts of people
65
- use bots (their Web browsers, usually) in order to prefill the form with their login information. This is perfectly
66
- harmless, and even a malicious bot is not going to be able to cause any trouble on a form like this because it'll only
67
- be denied access to the site.
68
-
69
- In cases like this, you'll want to go ahead and disable Bot-Away. Since Bot-Away is only disabled on a per-controller
70
- or per-action basis, it stays active throughout the remainder of your site, which prevents bots from (for example)
71
- creating new users.
72
-
73
- To disable Bot-Away for an entire controller, add this line to a file called <em>config/initializers/bot-away.rb</em>:
74
-
75
- BotAway.disabled_for :controller => 'sessions'
76
-
77
- And here's how to do the same for a specific action, leaving Bot-Away active for all other actions:
78
-
79
- BotAway.disabled_for :controller => 'sessions', :action => 'login'
80
-
81
- You can also disable Bot-Away for a given action in every controller, but I'm not sure how useful that is. In any case,
82
- here's how to do it:
83
-
84
- BotAway.disabled_for :action => 'index' # all we did was omit :controller
85
-
86
- This line can be specified multiple times, for each of the controllers and/or actions that you need it disabled for.
87
-
88
- == Disabling Bot-Away in Development
89
-
90
- If, while developing your app, you find yourself viewing the HTML source code, it'll probably be more helpful
91
- to have Bot-Away disabled entirely so that you're not confused by MD5 tags and legions of honeypots. This is easy enough
92
- to do:
93
-
94
- BotAway.disabled_for :mode => :development
95
-
96
-
97
- == Further Configuration (Mostly for Debugging):
98
-
99
- In general, Bot-Away doesn't have that much to configure. Most options only exist for your debugging pleasure, in
100
- case something isn't quite working as you'd expected. As shown above, these settings should be specified in a file
101
- called <em>config/initializers/bot-away.rb</em>. Configuration options available to you are as follows:
102
-
103
- === Accepting Unfiltered Params
104
-
105
- Sometimes you need to tell Bot-Away to explicitly _not_ filter a parameter. This is most notable with fields you've
106
- dynamically added via JavaScript, since those can confuse Bot-Away's catching techniques. (It tends to think Javascript-
107
- generated fields are honeypots, and raises an error based on that.) Here's how to tell Bot-Away that such fields are
108
- not to be checked:
109
-
110
- BotAway.accepts_unfiltered_params "name_of_param", "name_of_another_param"
111
-
112
- Note that these parameters can be either model keys, field keys or exact matches. For example, imagine the following
113
- scenario: you have two models, User and Group, and each has_many :roles. That means you'll likely have an administration
114
- screen somewhere with check boxes representing user roles and group roles. Here are the different ways you can control
115
- how Bot-Away interacts with these fields:
116
-
117
- BotAway.accepts_unfiltered_params "user"
118
- # disables BotAway filtering for ALL fields belonging to 'user', but NO fields belonging to 'group'
119
-
120
- BotAway.accepts_unfiltered_params 'user[role_ids]', 'group[role_ids]'
121
- # disables BotAway filtering for ONLY the 'role_ids' field belonging to BOTH 'user' and 'group', while leaving
122
- # filtering enabled for ALL OTHER fields.
123
-
124
- BotAway.accepts_unfiltered_params 'role_ids'
125
- # disables BotAway filtering for ONLY the 'role_ids' fields belonging to ALL MODELS, while leaving all
126
- # other fields enabled.
127
-
128
- You can specify this option as many times as you need to do.
129
-
130
- === Showing the Honeypots
131
-
132
- Generally, you want to keep honeypots hidden, because they will clutter your interface and confuse your users. However,
133
- there was an issue awhile back (near the 1.0 release of Bot-Away) where Safari was a bit smarter than its competitors,
134
- successfully prefilling honeypots with data where Chrome, FF and IE all failed to do so. Eventually, I added the ability
135
- to show honeypots on the screen, proving my suspicion that Safari was being "too smart". After resolving the issue, I
136
- decided to leave this option available to Bot-Away as a debugging tool for handling future issues. To enable:
137
-
138
- BotAway.show_honeypots = true
139
-
140
- === Dumping Params
141
-
142
- Like showing honeypots, above, this option is only useful if you're debugging issues in development
143
- mode. You can enable this if you need to see exactly what Rails sees _before_ Bot-Away steps in to intervene. Enabling
144
- this is a major security risk in production mode because it'll include sensitive data such as passwords; but it's very
145
- useful for debugging false positives (that is, Bot-Away thinks you're a bot, but you're not).
146
-
147
- BotAway.dump_params = true
148
-
149
- == Features / Problems:
150
-
151
- * Wherever protection from forgery is not enabled in your Rails app, the Rails forms will be generated as if this gem
152
- did not exist. That means hashed elements won't be generated, honeypots won't be generated, and posted forms will not
153
- be intercepted.
154
-
155
- * By default, protection from forgery is enabled for all Rails controllers, so by default the above-mentioned checks
156
- will also be triggered. For more details on forgery protection, see:
157
- http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
158
-
159
- * The techniques implemented by this library will be very difficult for a spambot to circumvent. However, keep in mind
160
- that since the pages have to be machine-readable by definition, and since this gem has to follow certain protocols
161
- in order to avoid confusing lots of humans (such as hiding the honeypots), it is always theoretically possible for
162
- a spambot to get around it. It's just very, very difficult.
163
-
164
- * I feel this library has been fairly well-tested (99.5% test coverage as of this writing), but if you discover a bug
165
- and can't be bothered to let me know about it (or you just don't have time to wait for a fix or fix it yourself),
166
- then you can simply add the name of the offending form element to the BotAway.unfiltered_params
167
- array like so:
168
- BotAway.accepts_unfiltered_params 'role_ids'
169
- BotAway.accepts_unfiltered_params 'user' # this can be called multiple times
170
- You should also take note that this is an array, not a hash. So if you have a user[role_ids] as well as a
171
- group[role_ids], the +role_ids+ will not be filtered on EITHER of these models.
172
-
173
- * Currently, there's no direct support for per-request configuration of unfiltered params. This is mostly due to
174
- Bot-Away's low-level approach to filtering bots: the params have already been filtered by the time your controller
175
- is created. I'd like to revisit per-request filtering sometime in the future, once I figure out the best way to do it.
176
-
177
- == Requirements:
178
-
179
- * Rails 2.3.5 or better.