bot-away 1.2.0 → 2.0.0

data/.travis.yml

@@ -0,0 +1,14 @@
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - ree
+  - jruby
+  - ruby-head
+  - rbx-2.0
+
+gemfile:
+  # No longer developing against Rails 2.3
+  # - gemfiles/Gemfile.rails-2.3.x
+  - gemfiles/Gemfile.rails-3.0.x
+  - gemfiles/Gemfile.rails-3.1.x

data/History.txt

@@ -1,3 +1,23 @@
+=== 2.0.0 2012-01-13
+* Bumped major version number to signify that the version for Rails v2.x is no longer under active development.
+  Use v1.2.x under Rails 2. BotAway now officially supports only Rails 3.0.x and up.
+* Enhancements:
+  * Removed sc-core-ext as a dependency, reducing bloat.
+  * Added BotAway::TestCase and friends, in case you need to do some spec'ing of your own. Just include the modules
+    and away you go!
+  * Added I18n support! BotAway supports English language for 3 honeypot warnings out of the box. See README for
+    customization instructions.
+  * Honeypot warning messages are constructed as reversed, unicode-escaped strings displayed within right-to-left
+    directional tags (which are standard in HTML 4 and should be recognized by all browsers), so that in the unlikely
+    event a bot can figure out what your I18n locale's "don't fill this in" text means, it'll also have to figure out
+    how to read the text in reverse after unescaping the unicode characters. Obviously, human users won't have this
+    problem.
+  * To disable obfuscation of the honeypot warning messages (that is, serve them as plain left-to-right text), add
+    the line `BotAway.obfuscate_honeypot_warning_messages = false` to `config/initializers/bot-away.rb`.
+* Bugfix
+  * Select tag options untainted (#1). Select tags now produce html-safe options tags, so they don't culminate
+    in mass confusion.
+
 === 1.2.0 2010-10-14
 * Enhancements:
   * Rails 3 / RSpec 2 support! Yay!

data/README.md

@@ -0,0 +1,198 @@
+# bot-away [![Build Status](https://secure.travis-ci.org/sinisterchipmunk/bot-away.png)](http://travis-ci.org/sinisterchipmunk/bot-away)
+
+* http://github.com/sinisterchipmunk/bot-away
+
+Unobtrusively detects form submissions made by spambots, and silently drops those submissions. The key word here is
+"unobtrusive" -- this is NOT a CAPTCHA. This is a transparent, modular implementation of the bot-catching techniques
+discussed by Ned Batchelder at http://nedbatchelder.com/text/stopbots.html.
+
+## How It Works
+
+If a bot submission is detected, the params hash is cleared, so the data can't be used. Since this includes the
+authenticity token, Rails should complain about an invalid or missing authenticity token. Congrats, spam blocked.
+
+The specifics of the techniques employed for filtering spambots are discussed Ned's site in the description; however,
+here's a brief run-down of what's going on:
+
+* Your code stays the same. After the Bot-Away gem has been activated, all Rails-generated forms on your site
+  will automatically be transformed into bot-resistent forms.
+* All of the form elements that you create (for instance, a "comment" model with a "body" field) are turned into
+  dummy elements, or honeypots, and are made invisible to the end user. This is done using div elements and inline 
+  CSS stylesheets (I decided against a JavaScript option because it's the most likely to be disabled on a legitimate
+  client). There are several ways an element can be hidden, and these approaches are chosen at random to help
+  minimize predictability.
+  * In the rare event that a real user actually can see the element, it has a label next to it
+    along the lines of "Leave this blank" -- though the exact message is randomized to help prevent detection by
+    bots.
+* All of the form elements are mirrored by hashes. The hashes are generated using the session's authenticity token,
+  so they can't be predicted.
+* When data is submitted, Bot-Away steps in and
+  1. validates that no honeypots have been filled in; and
+  2. converts the hashed elements back into the field names that you are expecting (replacing the honeypot fields).
+     Your code is never aware of the difference; it's just business as usual as long as the user is legitimate.
+* If a honeypot has been filled in, or a hashed element is missing where it was expected, then the request is
+  considered to be either spam, or tampered with; and the entire params hash is emptied. Since this happens at the
+  lowest level, the most likely result is that Rails will complain that the user's authenticity token is invalid. If
+  that does not happen, then your code will be passed a params hash containing only a "suspected_bot" key, and an
+  error will result. Either way, the spambot has been foiled!
+
+## Installation:
+
+* gem install bot-away
+
+## Usage:
+
+Whether you're on Rails 2 or Rails 3, adding Bot-Away to your project is as easy as telling Rails where to find it.
+
+### Rails 2.x
+
+The Rails 2.x version will still receive bug fixes, but is no longer under active development. To use bot-away with Rails 2, pull in bot-away v1.x:
+
+    # in config/environment.rb:
+    config.gem 'bot-away', '~> 1.2'
+
+### Rails 3
+
+    # in Gemfile
+    gem 'bot-away', '~> 2.0'
+
+That's it.
+
+## Whitelists
+
+Sometimes you don't care about whether or not a bot is filling out a particular form. Even more, sometimes it's
+preferable to make a form bot-friendly. I'm talking specifically about login forms, where all sorts of people
+use bots (their Web browsers, usually) in order to prefill the form with their login information. This is perfectly
+harmless, and even a malicious bot is not going to be able to cause any trouble on a form like this because it'll only be denied access to the site.
+
+In cases like these, you'll want to go ahead and disable Bot-Away. Since Bot-Away is only disabled on a per-controller or per-action basis, it stays active throughout the remainder of your site, which prevents bots from (for example) creating new users.
+
+To disable Bot-Away for an entire controller, add this line to a file called `config/initializers/bot-away.rb`:
+
+    BotAway.disabled_for :controller => 'sessions'
+  
+And here's how to do the same for a specific action, leaving Bot-Away active for all other actions:
+
+    BotAway.disabled_for :controller => 'sessions', :action => 'login'
+  
+You can also disable Bot-Away for a given action in every controller, but I'm not sure how useful that is. In any case, here's how to do it:
+
+    BotAway.disabled_for :action => 'index' # all we did was omit :controller
+  
+This line can be specified multiple times, for each of the controllers and/or actions that you need it disabled for.
+  
+## Disabling Bot-Away in Development
+
+If, while developing your app, you find yourself viewing the HTML source code, it'll probably be more helpful
+to have Bot-Away disabled entirely so that you're not confused by MD5 tags and legions of honeypots. This is easy enough to do:
+
+    BotAway.disabled_for :mode => 'development'
+    
+## Accepting Unfiltered Params
+
+Sometimes you need to tell Bot-Away to explicitly _not_ filter a parameter. This is most notable with fields you've
+dynamically added via JavaScript, since those can confuse Bot-Away's catching techniques. (It tends to think Javascript-
+generated fields are honeypots, and raises an error based on that.) Here's how to tell Bot-Away that such fields are
+not to be checked:
+
+    BotAway.accepts_unfiltered_params "name_of_param", "name_of_another_param"
+
+Note that these parameters can be either model keys, field keys or exact matches. For example, imagine the following
+scenario: you have two models, `User` and `Group`, and each `has_many :roles`. That means you'll likely have an administration screen somewhere with check boxes representing user roles and group roles. Here are the different ways you can control how Bot-Away interacts with these fields:
+
+    BotAway.accepts_unfiltered_params "user"
+      # disables BotAway filtering for ALL fields belonging to 'user', but NO fields belonging to 'group'
+
+    BotAway.accepts_unfiltered_params 'user[role_ids]', 'group[role_ids]'
+      # disables BotAway filtering for ONLY the 'role_ids' field belonging to BOTH 'user' and 'group', while leaving
+      # filtering enabled for ALL OTHER fields.
+
+    BotAway.accepts_unfiltered_params 'role_ids'
+      # disables BotAway filtering for ONLY the 'role_ids' fields belonging to ALL MODELS, while leaving all
+      # other fields enabled.
+
+You can specify this option as many times as you need to do.
+
+## I18n
+
+BotAway is mostly code, and produces mostly code, so there's not that much to translate. However, as mentioned above, the honeypots could theoretically be seen by humans in some rare cases (if they have an exceedingly simplistic browser or have disabled such fundamental Web controls as CSS). In these rare cases, BotAway prefixes the honeypot fields with a message akin to "Leave This Field Empty".
+
+To further confound smart bots, these messages are chosen at random and by default there are 3 such messages BotAway can choose from. However, BotAway only supports the English language by default, so if you are targeting other languages you'll want to add translations. Also, to give your Web app a bit of personalization (highly recommended, if you want to keep the bot-builders guessing!) then you'll want to override and/or add to the English messages as well!
+
+To do this, create a file in `config/locales/bot-away.yml` and add content such as this:
+
+    en:
+      bot_away:
+        number_of_honeypot_warning_messages: 3
+        honeypot_warning_1: "Leave this empty: "
+        honeypot_warning_2: "Don't fill this in: "
+        honeypot_warning_3: "Keep this blank: "
+
+Shown above is exactly what resides in the default BotAway locale. Change the contents of warning strings 1 through 3 within your own app to override them; change the `number_of_honeypot_warning_messages` field to cause BotAway to choose randomly from more or fewer messages. Also, as the above example implies, you can set a different number of randomized warnings per language.
+
+* If you'd like to add some warning messages to BotAway in currently-unsupported languages (or if you just want
+  BotAway to have more messages to choose from) then your additions are welcome! Please fork this project,
+  update the
+  [lib/locale/honeypots.yml](https://github.com/sinisterchipmunk/bot-away/blob/master/lib/locale/honeypots.yml)
+  file with your changes, and then send me a pull request!
+
+* Honeypot warning messages are obfuscated: they are sent as reversed, unicode-escaped strings displayed within
+  right-to-left directional tags (which are standard in HTML 4 and should be recognized by all browsers), so that in
+  the unlikely event a bot can figure out what your I18n locale's "don't fill this in" text means, it'll also have to
+  figure out how to read the text in reverse after unescaping the unicode characters. Obviously, human users won't
+  have this problem.
+  * To disable obfuscation of the honeypot warning messages (that is, serve them as plain left-to-right text), add 
+    the line `BotAway.obfuscate_honeypot_warning_messages = false` to `config/initializers/bot-away.rb`.
+
+
+## Further Configuration (Mostly for Debugging):
+
+In general, Bot-Away doesn't have that much to configure. Most options only exist for your debugging pleasure, in
+case something isn't quite working as you'd expected. As shown above, these settings should be specified in a file
+called `config/initializers/bot-away.rb`. Configuration options available to you are as follows:
+
+### Showing the Honeypots
+
+Generally, you want to keep honeypots hidden, because they will clutter your interface and confuse your users. However, there was an issue awhile back (near the 1.0 release of Bot-Away) where Safari was a bit smarter than its competitors, successfully prefilling honeypots with data where Chrome, FF and IE all failed to do so. Eventually, I added the ability to show honeypots on the screen, proving my suspicion that Safari was being "too smart". After resolving the issue, I decided to leave this option available to Bot-Away as a debugging tool for handling future issues. To enable:
+    
+    BotAway.show_honeypots = true
+
+### Dumping Params
+
+Like showing honeypots, above, this option is only useful if you're debugging issues in development
+mode. You can enable this if you need to see exactly what Rails sees _before_ Bot-Away steps in to intervene. Enabling this is a major security risk in production mode because it'll include sensitive data such as passwords; but it's very useful for debugging false positives (that is, Bot-Away thinks you're a bot, but you're not).
+
+    BotAway.dump_params = true
+  
+## Features / Problems:
+
+* Wherever protection from forgery is not enabled in your Rails app, the Rails forms will be generated as if this gem
+  did not exist. That means hashed elements won't be generated, honeypots won't be generated, and posted forms will
+  not be intercepted.
+
+* By default, protection from forgery is enabled for all Rails controllers, so by default the above-mentioned checks
+  will also be triggered. For more details on forgery protection, see:
+  http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
+  
+* The techniques implemented by this library will be very difficult for a spambot to circumvent. However, keep in
+  mind that since the pages have to be machine-readable by definition, and since this gem has to follow certain
+  protocols in order to avoid confusing lots of humans (such as hiding the honeypots), it is always theoretically
+  possible for a spambot to get around it. It's just very, very difficult.
+
+* I feel this library has been fairly well-tested (99.21% test coverage as of this writing), but if you discover a
+  bug and can't be bothered to let me know about it (or you just don't have time to wait for a fix or fix it 
+  yourself), then you can simply add the name of the offending form element to the BotAway.unfiltered_params
+  array like so:
+      BotAway.accepts_unfiltered_params 'role_ids'
+      BotAway.accepts_unfiltered_params 'user' # this can be called multiple times
+  You should also take note that this is an array, not a hash. So if you have a `user[role_ids]` as well as a
+  `group[role_ids]`, the `role_ids` will not be filtered on EITHER of these models.
+
+* Currently, there's no direct support for per-request configuration of unfiltered params. This is mostly due to
+  Bot-Away's low-level approach to filtering bots: the params have already been filtered by the time your controller
+  is created. I'd like to revisit per-request filtering sometime in the future, once I figure out the best way to do
+  it.
+
+## Requirements:
+
+* Rails 3.0 or better.

data/Rakefile

@@ -1,102 +1,22 @@
-require 'rubygems'
-require 'rake'
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path("gemfiles/Gemfile.rails-3.1.x", File.dirname(__FILE__))
+require 'bundler/gem_tasks'
 
-begin
-  require 'jeweler'
-  Jeweler::Tasks.new do |gem|
-    gem.name = 'bot-away'
-    gem.summary = %Q{Unobtrusively detects form submissions made by spambots, and silently drops those submissions.}
-    gem.description = %Q{Unobtrusively detects form submissions made by spambots, and silently drops those submissions.}
-    gem.email = "sinisterchipmunk@gmail.com"
-    gem.homepage = "http://www.thoughtsincomputation.com"
-    gem.authors = ["Colin MacKenzie IV"]
-    gem.add_dependency "actionpack", ">= 2.3.5"
-    gem.add_dependency "sc-core-ext", ">= 1.1.1"
-    gem.add_development_dependency "jeweler", ">= 1.4.0"
-    gem.add_development_dependency "rspec", ">= 1.3.0"
-    gem.add_development_dependency "rspec-rails", ">= 1.3.2"
-  end
-  Jeweler::GemcutterTasks.new
-rescue LoadError
-  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
 end
 
-require File.join(File.dirname(__FILE__), "spec/rspec_version")
-
-if RSPEC_VERSION >= "2.0.0"
-  RSpec::Core::RakeTask.new(:spec) do |spec|
-    spec.pattern = 'spec/**/*_spec.rb'
-  end
-else # Rake task for 1.3.x
-  Spec::Rake::SpecTask.new(:spec) do |spec|
-    spec.libs << 'lib' << 'spec'
-    spec.spec_files = FileList['spec/**/*_spec.rb']
+desc  "Run all specs with rcov"
+begin
+  require 'rcov'
+  RSpec::Core::RakeTask.new(:rcov) do |t|
+    t.rcov = true
+    t.rcov_opts = %w{--exclude osx\/objc,gems\/,spec\/,features\/,lib\/bot-away\/test_case\/}
   end
-  
-  Spec::Rake::SpecTask.new(:rcov) do |spec|
-    spec.libs << 'lib' << 'spec'
-    spec.pattern = 'spec/**/*_spec.rb'
-    spec.rcov = true
+rescue LoadError
+  task :rcov do
+    raise "Install rcov first: gem install rcov"
   end
 end
 
-task :spec => :check_dependencies
 task :default => :spec
-
-require 'rake/rdoctask'
-Rake::RDocTask.new do |rdoc|
-  version = File.exist?("VERSION") ? File.read("VERSION") : ""
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title = "bot-away #{version}"
-  rdoc.rdoc_files.include("README*")
-  rdoc.rdoc_files.include("*")
-  rdoc.rdoc_files.include("lib/**/*.rb")
-end
-
-=begin
-require 'rubygems'
-gem 'hoe', '>= 2.1.0'
-require 'hoe'
-require 'fileutils'
-require './lib/bot-away'
-
-Hoe.plugin :newgem
-# Hoe.plugin :website
-# Hoe.plugin :cucumberfeatures
-
-# Generate all the Rake tasks
-# Run 'rake -T' to see list of generated tasks (from gem root directory)
-$hoe = Hoe.spec 'bot-away' do
-  self.developer 'Colin MacKenzie IV', 'sinisterchipmunk@gmail.com'
-  self.extra_deps         = [['actionpack','>= 2.3.5'],['sc-core-ext','>= 1.1.1']]
-  self.readme_file = "README.rdoc"
-end
-
-Rake::RDocTask.new(:docs) do |rdoc|
-  files = ['README.rdoc', # 'LICENSE', 'CHANGELOG',
-           'lib/**/*.rb', 'doc/**/*.rdoc']#, 'spec/*.rb']
-  rdoc.rdoc_files.add(files)
-  rdoc.main = 'README.rdoc'
-  rdoc.title = 'Bot-Away Documentation'
-  #rdoc.template = '/path/to/gems/allison-2.0/lib/allison'
-  rdoc.rdoc_dir = 'doc'
-  rdoc.options << '--line-numbers' << '--inline-source'
-end
-
-
-require 'newgem/tasks'
-Dir['tasks/**/*.rake'].each { |t| load t }
-
-require 'spec/rake/spectask'
-
-desc "Run all examples with RCov"
-Spec::Rake::SpecTask.new('rcov') do |t|
-  t.spec_files = FileList['spec/**/*_spec.rb']
-  t.rcov = true
-  t.rcov_opts = ['--exclude', 'spec,/home/*']
-end
-
-# TODO - want other tests/tasks run by default? Add them to the list
-# remove_task :default
-# task :default => [:spec, :features]
-=end

data/bot-away.gemspec

@@ -1,96 +1,29 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
 # -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "bot-away/version"
 
 Gem::Specification.new do |s|
-  s.name = %q{bot-away}
-  s.version = "1.2.0"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Colin MacKenzie IV"]
-  s.date = %q{2010-10-14}
+  s.name        = "bot-away"
+  s.version     = BotAway::VERSION
+  s.authors     = ["Colin MacKenzie IV"]
+  s.email       = ["sinisterchipmunk@gmail.com"]
+  s.homepage    = "http://github.com/sinisterchipmunk/bot-away"
+  s.summary     = %q{Unobtrusively detects form submissions made by spambots, and silently drops those submissions.}
   s.description = %q{Unobtrusively detects form submissions made by spambots, and silently drops those submissions.}
-  s.email = %q{sinisterchipmunk@gmail.com}
+
+  s.rubyforge_project = "bot-away"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
   s.extra_rdoc_files = [
     "LICENSE",
-     "README.rdoc"
-  ]
-  s.files = [
-    ".gitignore",
-     "History.txt",
-     "LICENSE",
-     "Manifest.txt",
-     "README.rdoc",
-     "Rakefile",
-     "VERSION",
-     "bot-away.gemspec",
-     "lib/bot-away.rb",
-     "lib/bot-away/action_dispatch/request.rb",
-     "lib/bot-away/action_view/helpers/instance_tag.rb",
-     "lib/bot-away/param_parser.rb",
-     "lib/bot-away/spinner.rb",
-     "script/console",
-     "script/destroy",
-     "script/generate",
-     "spec/controllers/test_controller_spec.rb",
-     "spec/rspec_version.rb",
-     "spec/spec_helper.rb",
-     "spec/support/honeypot_matcher.rb",
-     "spec/support/obfuscation_helper.rb",
-     "spec/support/obfuscation_matcher.rb",
-     "spec/support/rails/mock_logger.rb",
-     "spec/support/test_controller.rb",
-     "spec/support/views/test/index.html.erb",
-     "spec/support/views/test/model_form.html.erb",
-     "spec/views/lib/action_view/helpers/instance_tag_spec.rb",
-     "spec/views/lib/disabled_for_spec.rb",
-     "spec/views/lib/form_builder_spec.rb",
-     "spec/views/lib/param_parser_spec.rb"
-  ]
-  s.homepage = %q{http://www.thoughtsincomputation.com}
-  s.rdoc_options = ["--charset=UTF-8"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.7}
-  s.summary = %q{Unobtrusively detects form submissions made by spambots, and silently drops those submissions.}
-  s.test_files = [
-    "spec/controllers/test_controller_spec.rb",
-     "spec/rspec_version.rb",
-     "spec/spec_helper.rb",
-     "spec/support/honeypot_matcher.rb",
-     "spec/support/obfuscation_helper.rb",
-     "spec/support/obfuscation_matcher.rb",
-     "spec/support/rails/mock_logger.rb",
-     "spec/support/test_controller.rb",
-     "spec/views/lib/action_view/helpers/instance_tag_spec.rb",
-     "spec/views/lib/disabled_for_spec.rb",
-     "spec/views/lib/form_builder_spec.rb",
-     "spec/views/lib/param_parser_spec.rb"
+    "README.md",
+    "History.txt"
   ]
 
-  if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
-    s.specification_version = 3
-
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<actionpack>, [">= 2.3.5"])
-      s.add_runtime_dependency(%q<sc-core-ext>, [">= 1.1.1"])
-      s.add_development_dependency(%q<jeweler>, [">= 1.4.0"])
-      s.add_development_dependency(%q<rspec>, [">= 1.3.0"])
-      s.add_development_dependency(%q<rspec-rails>, [">= 1.3.2"])
-    else
-      s.add_dependency(%q<actionpack>, [">= 2.3.5"])
-      s.add_dependency(%q<sc-core-ext>, [">= 1.1.1"])
-      s.add_dependency(%q<jeweler>, [">= 1.4.0"])
-      s.add_dependency(%q<rspec>, [">= 1.3.0"])
-      s.add_dependency(%q<rspec-rails>, [">= 1.3.2"])
-    end
-  else
-    s.add_dependency(%q<actionpack>, [">= 2.3.5"])
-    s.add_dependency(%q<sc-core-ext>, [">= 1.1.1"])
-    s.add_dependency(%q<jeweler>, [">= 1.4.0"])
-    s.add_dependency(%q<rspec>, [">= 1.3.0"])
-    s.add_dependency(%q<rspec-rails>, [">= 1.3.2"])
-  end
+  s.add_runtime_dependency('actionpack', ">= 2.3.5")
+  s.add_development_dependency 'rake', '~> 0.9.2'
+  s.add_development_dependency 'capybara', '~> 1.1.2'
 end
-