bot-away 1.0.3 → 1.1.0

data/History.txt

@@ -1,3 +1,12 @@
+=== 1.1.0 2010-06-21
+* Minor enhancements:
+  * ActionController::Request.accepts_unfiltered_params is now accessible as BotAway.accepts_unfiltered_params
+  * BotAway.show_honeypots = true will show honeypots as visible elements within the form, for debugging.
+  * BotAway.dump_params = true will dump the params hash as it was before BotAway modified it, for debugging.
+  * BotAway will no longer generate hashes for, or disguise, elements whose names have been added to
+    BotAway.unfiltered_params. This should resolve issues where JavaScript is involved (case in point:
+    CalendarDateSelect).
+    
 === 1.0.3 2010-06-13
 * Bugfixes:
   * Resolved: On or before Rails 2.3.8, honeypots were generated as escaped HTML. This was because Rails started

data/README.rdoc

@@ -50,10 +50,10 @@ here's a brief run-down of what's going on:
 
 * I feel this library has been fairly well-tested (99.5% test coverage as of this writing), but if you discover a bug
   and can't be bothered to let me know about it (or you just don't have time to wait for a fix or fix it yourself),
-  then you can simply add the name of the offending form element to the ActionController::Request.unfiltered_params
+  then you can simply add the name of the offending form element to the BotAway.unfiltered_params
   array like so:
-    ActionController::Request.accepts_unfiltered_params 'role_ids'
-    ActionController::Request.accepts_unfiltered_params 'user' # this can be called multiple times
+    BotAway.accepts_unfiltered_params 'role_ids'
+    BotAway.accepts_unfiltered_params 'user' # this can be called multiple times
   You should also take note that this is an array, not a hash. So if you have a user[role_ids] as well as a
   group[role_ids], the +role_ids+ will not be matched on EITHER of these models.
 
@@ -77,6 +77,25 @@ In your Rails config/environment.rb:
 
 That's it.
 
+== OPTIONAL CONFIGURATION:
+
+In general, there's not much to the configuration of Bot-Away. Most options are here for your debugging pleasure, in
+case something isn't quite working as you'd expected and Bot-Away seems to be a potential cause. To set a configuration
+option, you should do so from a Rails initializer -- just create a file with any name (ending with ".rb", of course)
+in your config/initializers directory, and it'll get run during server start-up. Configuration options available to you
+for Bot-Away are as follows:
+
+  BotAway.accepts_unfiltered_params "name_of_param", "name_of_another_param"
+    # Causes the specified parameter to NOT be filtered. If, for instance, "role_ids" is given, then parameters such as
+    #   user[role_ids], group[role_ids], etc. will not be processed by Bot-Away.
+  BotAway.show_honeypots = true
+    # Causes Bot-Away to NOT disguise honeypots with CSS or any other technique. This will cause honeypot elements to
+    # be displayed on your page. Not ideal for production, but helpful for debugging browser auto-fill issues.
+  BotAway.dump_params = true
+    # Probably a major security risk in a production application, but again useful in development for gaining insight
+    # into what, exactly, is being passed by the browser into Rails before Bot-Away does its thing. If you're getting
+    # false positives, this may prove helpful in figuring out why.
+
 == LICENSE:
 
 (The MIT License)

data/lib/bot-away.rb

@@ -12,7 +12,29 @@ require 'bot-away/action_view/helpers/instance_tag'
 require 'bot-away/spinner'
 
 module BotAway
-  VERSION = '1.0.3'
+  VERSION = '1.1.0'
+  
+  class << self
+    attr_accessor :show_honeypots, :dump_params
+    
+    def unfiltered_params(*args)
+      ActionController::Request.unfiltered_params(*args)
+    end
+    
+    alias accepts_unfiltered_params unfiltered_params
+    
+    def excluded?(object_name, method_name)
+      unfiltered_params.collect! { |u| u.to_s }
+      if (object_name &&
+              (unfiltered_params.include?(object_name.to_s) ||
+                      unfiltered_params.include?("#{object_name}[#{method_name}]")) ||
+          unfiltered_params.include?(method_name.to_s))
+        true
+      else
+        false
+      end
+    end
+  end
 end
 
 # WHY do I have to do this???

data/lib/bot-away/action_view/helpers/instance_tag.rb

@@ -3,7 +3,8 @@ class ActionView::Helpers::InstanceTag
 
   def initialize_with_spinner(object_name, method_name, template_object, object = nil)
     initialize_without_spinner(object_name, method_name, template_object, object)
-    if template_object.controller.send(:protect_against_forgery?)
+    if template_object.controller.send(:protect_against_forgery?) && !BotAway.excluded?(object_name, method_name)
+      puts "#{object_name.inspect} => #{method_name.inspect}"
       @spinner = BotAway::Spinner.new(template_object.request.ip, object_name, template_object.form_authenticity_token)
     end
   end
@@ -29,7 +30,7 @@ class ActionView::Helpers::InstanceTag
     yield if object
     object
   end
-
+  
   def honeypot_tag(name, options = nil, *args)
     tag_without_honeypot(name, honeypot_options(options.dup? || {}), *args)
   end
@@ -84,6 +85,7 @@ class ActionView::Helpers::InstanceTag
   alias_method_chain :content_tag, :obfuscation
 
   def disguise(element)
+    return element.replace("Honeypot(#{element})") if BotAway.show_honeypots
     case rand(3)
       when 0 # Hidden
         element.replace "<div style='display:none;'>Leave this empty: #{element}</div>"

data/lib/bot-away/param_parser.rb

@@ -4,6 +4,7 @@ module BotAway
 
     def initialize(ip, params, authenticity_token = params[:authenticity_token])
       @ip, @params, @authenticity_token = ip, params, authenticity_token
+      Rails.logger.debug(params.inspect) if BotAway.dump_params
       if authenticity_token
         if catch(:bastard) { deobfuscate! } == :took_the_bait
           params.clear
@@ -18,7 +19,7 @@ module BotAway
       end
       
       current.each do |key, value|
-        if object_name && !value.kind_of?(Hash) && !ActionController::Request.unfiltered_params.include?(key)
+        if object_name && !value.kind_of?(Hash) && !BotAway.excluded?(object_name, key)
           if value.blank? && params.keys.include?(spun_key = spinner.encode("#{object_name}[#{key}]"))
             current[key] = params.delete(spun_key)
           else

data/spec/lib/action_view/helpers/instance_tag_spec.rb

@@ -33,7 +33,7 @@ describe ActionView::Helpers::InstanceTag do
   context "with a valid input type=text tag" do
     before(:each) { @tag_options = ["input", {:type => 'text', 'name' => 'object_name[method_name]', 'id' => 'object_name_method_name', 'value' => 'method_value'}] }
     #subject { dump { default_instance_tag.tag(*@tag_options) } }
-
+    
     it "should turn off autocomplete for honeypots" do
       subject.honeypot_tag(*@tag_options).should =~ /autocomplete="off"/
     end

data/spec/lib/builder_spec.rb

@@ -14,7 +14,22 @@ describe ActionView::Helpers::FormBuilder do
   it "should not create honeypots with default values" do
     builder.text_field(:method_name).should match(/name="object_name\[method_name\]"[^>]*?value=""/)
   end
-
+  
+  context "with BotAway.show_honeypots == true" do
+    before(:each) { BotAway.show_honeypots = true }
+    after(:each) { BotAway.show_honeypots = false }
+    
+    it "should not disguise honeypots" do
+      builder.text_area(method_name).should_not match(/<\/div>/)
+    end
+  end
+  
+  it "should not obfuscate names that have been explicitly ignored" do
+    BotAway.accepts_unfiltered_params 'method_name'
+    builder.text_field('method_name').should_not match(/name="a0844d45bf150668ff1d86a6eb491969/)
+    BotAway.unfiltered_params.delete 'method_name'
+  end
+  
   # select(method, choices, options = {}, html_options = {})
   obfuscates(:select) { builder.select(:method_name, {1 => :a, 2 => :b }) }
 

data/spec/lib/param_parser_spec.rb

@@ -14,6 +14,17 @@ describe BotAway::ParamParser do
   end
 
   subject { r = BotAway::ParamParser.new(@ip, @params); puts r.params.to_yaml; r }
+  
+  context "with dump_params == true" do
+    before(:each) { BotAway.dump_params = true }
+    after(:each) { BotAway.dump_params = false }
+    
+    it "should dump params as debug to Rails logger" do
+      @params = { 'test' => "hello", :posts => [1] }
+      Rails.logger.should_receive(:debug).with(@params.inspect)
+      subject
+    end
+  end
 
   context "with blank honeypots" do
     it "drops obfuscated params" do

data/spec/support/honeypot_matcher.rb

@@ -6,7 +6,11 @@ class HoneypotMatcher
   def matches?(target)
     target = target.call if target.kind_of?(Proc)
     @target = target
-    @rx = /name="#{Regexp::escape @object_name}\[#{Regexp::escape @method_name}/m
+    if @method_name.nil?
+      @rx = /name="#{Regexp::escape @object_name}/m
+    else
+      @rx = /name="#{Regexp::escape @object_name}\[#{Regexp::escape @method_name}/m
+    end
     @target[@rx]
   end
 

data/spec/support/obfuscation_helper.rb

@@ -24,12 +24,23 @@ module ObfuscationHelper
     @builder = ActionView::Helpers::FormBuilder.new(:object_name, MockObject.new, response.template, {}, proc {})
   end
 
-  def obfuscates(method, obfuscated_id = self.obfuscated_id, obfuscated_name = self.obfuscated_name)
+  def obfuscates(method, options = {}, unused = nil)
+    if !options.kind_of?(Hash)
+      options = { :obfuscated_id => options, :obfuscated_name => unused }
+    end
+    
+    obfuscated_id   = options[:obfuscated_id] || self.obfuscated_id
+    obfuscated_name = options[:obfuscatd_name] || self.obfuscated_name
+    
     value = yield
     context "##{method}" do
       subject { proc { dump { value } } }
 
-      includes_honeypot(object_name, method_name)
+      if options[:name]
+        includes_honeypot(options[:name], nil)
+      else
+        includes_honeypot(options[:object_name] || object_name, options[:method_name] || method_name)
+      end
       is_obfuscated_as(obfuscated_id, obfuscated_name)
     end
   end

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 1
+  - 1
   - 0
-  - 3
-  version: 1.0.3
+  version: 1.1.0
 platform: ruby
 authors: 
 - Colin MacKenzie IV
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-06-13 00:00:00 -04:00
+date: 2010-06-21 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency