bot-away 2.0.0 → 2.0.1

data/.travis.yml

@@ -3,12 +3,16 @@ rvm:
   - 1.9.2
   - 1.9.3
   - ree
-  - jruby
+  # rails 3.2 doesn't build on these right now
+  # TODO enable again when rails 3.2 works
+  # - jruby
+  # - rbx-2.0
   - ruby-head
-  - rbx-2.0
 
 gemfile:
   # No longer developing against Rails 2.3
   # - gemfiles/Gemfile.rails-2.3.x
   - gemfiles/Gemfile.rails-3.0.x
   - gemfiles/Gemfile.rails-3.1.x
+  - gemfiles/Gemfile.rails-3.1.1
+  - gemfiles/Gemfile.rails-3.2.x

data/History.txt

@@ -1,3 +1,9 @@
+=== 2.0.1 2012-01-20
+* Bugfix
+  * Params always emty (#2). In certain situations, BotAway would prefill the request.parameters hash and this
+    was conflicting with Rails because once the parameters hash exists, Rails won't add path parameters (such
+    as :id) to it. Now, BotAway checks request.POST directly so that Rails can fill request.parameters as usual.
+
 === 2.0.0 2012-01-13
 * Bumped major version number to signify that the version for Rails v2.x is no longer under active development.
   Use v1.2.x under Rails 2. BotAway now officially supports only Rails 3.0.x and up.

data/gemfiles/Gemfile.rails-3.1.1

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in bot-away.gemspec
+gemspec :path => ".."
+
+gem 'rails', '= 3.1.1'
+gem 'rspec', '~> 2.6.0'
+gem 'rspec-rails', '~> 2.6.1'

data/gemfiles/Gemfile.rails-3.1.1.lock

@@ -0,0 +1,131 @@
+PATH
+  remote: /Users/colin/projects/gems/bot-away
+  specs:
+    bot-away (2.0.0)
+      actionpack (>= 2.3.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.1.1)
+      actionpack (= 3.1.1)
+      mail (~> 2.3.0)
+    actionpack (3.1.1)
+      activemodel (= 3.1.1)
+      activesupport (= 3.1.1)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.2)
+      rack-cache (~> 1.1)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.2)
+    activemodel (3.1.1)
+      activesupport (= 3.1.1)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.1)
+      activemodel (= 3.1.1)
+      activesupport (= 3.1.1)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.1)
+      activemodel (= 3.1.1)
+      activesupport (= 3.1.1)
+    activesupport (3.1.1)
+      multi_json (~> 1.0)
+    arel (2.2.1)
+    builder (3.0.0)
+    capybara (1.1.2)
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      selenium-webdriver (~> 2.0)
+      xpath (~> 0.1.4)
+    childprocess (0.3.0)
+      ffi (~> 1.0.6)
+    diff-lcs (1.1.3)
+    erubis (2.7.0)
+    ffi (1.0.11)
+    hike (1.2.1)
+    i18n (0.6.0)
+    json (1.6.5)
+    mail (2.3.0)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.17.2)
+    multi_json (1.0.4)
+    nokogiri (1.5.0)
+    polyglot (0.3.3)
+    rack (1.3.6)
+    rack-cache (1.1)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
+      rack (>= 1.0.0)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.1.1)
+      actionmailer (= 3.1.1)
+      actionpack (= 3.1.1)
+      activerecord (= 3.1.1)
+      activeresource (= 3.1.1)
+      activesupport (= 3.1.1)
+      bundler (~> 1.0)
+      railties (= 3.1.1)
+    railties (3.1.1)
+      actionpack (= 3.1.1)
+      activesupport (= 3.1.1)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    rspec-rails (2.6.1)
+      actionpack (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
+      rspec (~> 2.6.0)
+    rubyzip (0.9.5)
+    selenium-webdriver (2.17.0)
+      childprocess (>= 0.2.5)
+      ffi (~> 1.0.9)
+      multi_json (~> 1.0.4)
+      rubyzip
+    sprockets (2.0.3)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    thor (0.14.6)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.31)
+    xpath (0.1.4)
+      nokogiri (~> 1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bot-away!
+  capybara (~> 1.1.2)
+  rails (= 3.1.1)
+  rake (~> 0.9.2)
+  rspec (~> 2.6.0)
+  rspec-rails (~> 2.6.1)

data/gemfiles/Gemfile.rails-3.2.x

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in bot-away.gemspec
+gemspec :path => ".."
+
+gem 'rails', '~> 3.2.0.rc2'
+gem 'rspec', '~> 2.6.0'
+gem 'rspec-rails', '~> 2.6.1'

data/gemfiles/Gemfile.rails-3.2.x.lock

@@ -0,0 +1,129 @@
+PATH
+  remote: /Users/colin/projects/gems/bot-away
+  specs:
+    bot-away (2.0.0)
+      actionpack (>= 2.3.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.2.0.rc2)
+      actionpack (= 3.2.0.rc2)
+      mail (~> 2.3.0)
+    actionpack (3.2.0.rc2)
+      activemodel (= 3.2.0.rc2)
+      activesupport (= 3.2.0.rc2)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.0.rc1)
+      rack (~> 1.4.0)
+      rack-cache (~> 1.1)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.1.2)
+    activemodel (3.2.0.rc2)
+      activesupport (= 3.2.0.rc2)
+      builder (~> 3.0.0)
+    activerecord (3.2.0.rc2)
+      activemodel (= 3.2.0.rc2)
+      activesupport (= 3.2.0.rc2)
+      arel (~> 3.0.0.rc1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.2.0.rc2)
+      activemodel (= 3.2.0.rc2)
+      activesupport (= 3.2.0.rc2)
+    activesupport (3.2.0.rc2)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.0)
+    builder (3.0.0)
+    capybara (1.1.2)
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      selenium-webdriver (~> 2.0)
+      xpath (~> 0.1.4)
+    childprocess (0.3.0)
+      ffi (~> 1.0.6)
+    diff-lcs (1.1.3)
+    erubis (2.7.0)
+    ffi (1.0.11)
+    hike (1.2.1)
+    i18n (0.6.0)
+    journey (1.0.0)
+    json (1.6.5)
+    mail (2.3.0)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.17.2)
+    multi_json (1.0.4)
+    nokogiri (1.5.0)
+    polyglot (0.3.3)
+    rack (1.4.0)
+    rack-cache (1.1)
+      rack (>= 0.4)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.2.0.rc2)
+      actionmailer (= 3.2.0.rc2)
+      actionpack (= 3.2.0.rc2)
+      activerecord (= 3.2.0.rc2)
+      activeresource (= 3.2.0.rc2)
+      activesupport (= 3.2.0.rc2)
+      bundler (~> 1.0)
+      railties (= 3.2.0.rc2)
+    railties (3.2.0.rc2)
+      actionpack (= 3.2.0.rc2)
+      activesupport (= 3.2.0.rc2)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    rspec-rails (2.6.1)
+      actionpack (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
+      rspec (~> 2.6.0)
+    rubyzip (0.9.5)
+    selenium-webdriver (2.17.0)
+      childprocess (>= 0.2.5)
+      ffi (~> 1.0.9)
+      multi_json (~> 1.0.4)
+      rubyzip
+    sprockets (2.1.2)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    thor (0.14.6)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.31)
+    xpath (0.1.4)
+      nokogiri (~> 1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bot-away!
+  capybara (~> 1.1.2)
+  rails (~> 3.2.0.rc2)
+  rake (~> 0.9.2)
+  rspec (~> 2.6.0)
+  rspec-rails (~> 2.6.1)

data/lib/bot-away.rb

@@ -2,7 +2,7 @@ require 'action_controller'
 require 'action_view'
 
 require 'bot-away/param_parser'
-require 'bot-away/action_dispatch/params_parser'
+require 'bot-away/middleware'
 require 'bot-away/action_view/helpers/instance_tag'
 require 'bot-away/spinner'
 require 'bot-away/version'

data/lib/bot-away/middleware.rb

@@ -0,0 +1,18 @@
+module BotAway
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+    
+    def call(env)
+      request = ActionDispatch::Request.new(env)
+
+      # ignore GET params
+      unless (post = request.POST).empty?
+        post.merge! BotAway::ParamParser.new(request.ip, post).params
+      end
+      
+      @app.call env
+    end
+  end
+end

data/lib/bot-away/railtie.rb

@@ -7,4 +7,8 @@ class BotAway::Railtie < Rails::Engine
   else
     paths["config/locales"] = File.expand_path("../locale/honeypots.yml", File.dirname(__FILE__))
   end
+  
+  initializer "bot_away.use_middleware" do |app|
+    app.middleware.use BotAway::Middleware
+  end
 end

data/lib/bot-away/version.rb

@@ -2,7 +2,7 @@ module BotAway
   module Version
     MAJOR = 2
     MINOR = 0
-    PATCH = 0
+    PATCH = 1
     BUILD = nil
     
     STRING = BUILD ? [MAJOR, MINOR, PATCH, BUILD].join('.') : [MAJOR, MINOR, PATCH].join('.')

data/spec/integration/get_with_params_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe "GET params" do
+  before do
+    visit '/tests/proc_form/1?one=1'
+  end
+  
+  it "should show the params" do
+    page.body.should match(/id: ['"]1["']/)
+    page.body.should match(/one: ['"]1["']/)
+    page.should_not have_content("suspected_bot")
+  end
+end

data/spec/integration/put_with_params_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe "PUT params" do
+  before do
+    visit '/tests/model_form/1'
+  end
+  
+  describe "filling in a honeypot" do
+    before do
+      fill_in 'post[subject]', :with => "this is a subject"
+      click_button 'submit'
+    end
+    
+    it "should be considered a bot" do
+      page.should have_content('suspected_bot')
+    end
+    
+    it "should not include legit params" do
+      page.should_not have_content("subject:")
+    end
+    
+    it "should drop data from the honeypots" do
+      page.should_not have_content("this is a subject")
+    end
+
+    it "should drop the hidden value" do
+      page.should_not have_content('hidden_value')
+    end
+  end
+
+  describe "filling in a legit field" do
+    before do
+      fill_in '00a1168ac1379bdbe9b59e678fe486b1', :with => "this is a subject"
+      click_button 'submit'
+    end
+    
+    it "should include the hidden value" do
+      page.should have_content('hidden_value')
+    end
+    
+    it "should have kept legit data" do
+      page.should have_content('this is a subject')
+    end
+    
+    it "should not be considered a bot" do
+      page.should_not have_content('suspected_bot')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -5,12 +5,15 @@ Bundler.setup
 ENV['RAILS_ENV'] = 'development'
 
 require 'rails'
-require 'active_support/secure_random'
+require 'active_support'
 require 'action_controller/railtie'
 require 'action_mailer/railtie'
 require 'active_resource/railtie'
 require 'bot-away'
 
+# only for Rails 3.0.x
+begin; require 'active_support/secure_random'; rescue LoadError; end
+
 class BotAway::TestRailsApp < Rails::Application
   base = File.expand_path("test_rails_app", File.dirname(__FILE__))
   config.secret_token = "some secret phrase of at least 30 characters" * 30
@@ -22,10 +25,11 @@ class BotAway::TestRailsApp < Rails::Application
     config.paths.app.views        = File.join(base, 'app/views')
     config.paths.config.locales   = File.join(base, 'config/locales/bot-away-overrides.yml')
   end
+  config.action_dispatch.show_exceptions = false
 end
 
 BotAway::TestRailsApp.initialize!
-Rails.application.routes.draw { match '/:controller/:action' }
+Rails.application.routes.draw { match '/:controller/:action(/:id)' }
 Rails.application.routes.finalize!
 Dir[File.expand_path('test_rails_app/**/*.rb', File.dirname(__FILE__))].each { |f| require f }
 

data/spec/test_rails_app/app/controllers/tests_controller.rb

@@ -2,7 +2,7 @@ class TestsController < ActionController::Base
   protect_from_forgery
   
   def model_form
-    @post = Post.new
+    @post = Post.new(:persisted => !!params[:id])
   end
 
   def proc_form

data/spec/test_rails_app/app/models/post.rb

@@ -10,4 +10,12 @@ class Post
   def to_key
     [1]
   end
+  
+  def persisted?
+    @persisted
+  end
+  
+  def initialize(options = {})
+    @persisted = options.delete(:persisted)
+  end
 end

data/spec/test_rails_app/app/views/tests/model_form.html.erb

@@ -1,4 +1,6 @@
-<%= form_for @post, :url => url_for('proc_form') do |f| %>
+<%= form_for @post, :url => url_for(:action => 'proc_form') do |f| %>
+  <input type="hidden" name="hidden_name" value="hidden_value" />
+  
   <p>
     <%= f.label :subject %><br/>
     <%= f.text_field :subject %>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bot-away
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-01-14 00:00:00.000000000Z
+date: 2012-01-20 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
-  requirement: &2156004240 !ruby/object:Gem::Requirement
+  requirement: &2153647860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 2.3.5
   type: :runtime
   prerelease: false
-  version_requirements: *2156004240
+  version_requirements: *2153647860
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &2156001080 !ruby/object:Gem::Requirement
+  requirement: &2153647140 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :development
   prerelease: false
-  version_requirements: *2156001080
+  version_requirements: *2153647140
 - !ruby/object:Gem::Dependency
   name: capybara
-  requirement: &2155998940 !ruby/object:Gem::Requirement
+  requirement: &2153646660 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,7 +43,7 @@ dependencies:
         version: 1.1.2
   type: :development
   prerelease: false
-  version_requirements: *2155998940
+  version_requirements: *2153646660
 description: Unobtrusively detects form submissions made by spambots, and silently
   drops those submissions.
 email:
@@ -64,11 +64,15 @@ files:
 - bot-away.gemspec
 - gemfiles/Gemfile.rails-3.0.x
 - gemfiles/Gemfile.rails-3.0.x.lock
+- gemfiles/Gemfile.rails-3.1.1
+- gemfiles/Gemfile.rails-3.1.1.lock
 - gemfiles/Gemfile.rails-3.1.x
 - gemfiles/Gemfile.rails-3.1.x.lock
+- gemfiles/Gemfile.rails-3.2.x
+- gemfiles/Gemfile.rails-3.2.x.lock
 - lib/bot-away.rb
-- lib/bot-away/action_dispatch/params_parser.rb
 - lib/bot-away/action_view/helpers/instance_tag.rb
+- lib/bot-away/middleware.rb
 - lib/bot-away/param_parser.rb
 - lib/bot-away/railtie.rb
 - lib/bot-away/spinner.rb
@@ -86,7 +90,9 @@ files:
 - script/generate
 - spec/controllers/basic_form_view_spec.rb
 - spec/controllers/tests_controller_spec.rb
+- spec/integration/get_with_params_spec.rb
 - spec/integration/params_post_spec.rb
+- spec/integration/put_with_params_spec.rb
 - spec/lib/action_view/helpers/instance_tag_spec.rb
 - spec/lib/action_view/param_parser_spec.rb
 - spec/spec_helper.rb
@@ -124,7 +130,9 @@ summary: Unobtrusively detects form submissions made by spambots, and silently d
 test_files:
 - spec/controllers/basic_form_view_spec.rb
 - spec/controllers/tests_controller_spec.rb
+- spec/integration/get_with_params_spec.rb
 - spec/integration/params_post_spec.rb
+- spec/integration/put_with_params_spec.rb
 - spec/lib/action_view/helpers/instance_tag_spec.rb
 - spec/lib/action_view/param_parser_spec.rb
 - spec/spec_helper.rb

data/lib/bot-away/action_dispatch/params_parser.rb

@@ -1,22 +0,0 @@
-require 'action_dispatch/middleware/params_parser'
-
-# We're overriding ActionDispatch::ParamsParser
-# instead of just attaching a custom param parser so that others' custom param parsers can do
-# their jobs without conflict. Also, overriding the parser allows us to deobfuscate all params,
-# not just the ones I'm smart enough to predict will be used.
-class ActionDispatch::ParamsParser
-  def parse_formatted_parameters_with_deobfuscation(env)
-    request = ActionDispatch::Request.new(env)
-    params = parse_formatted_parameters_without_deobfuscation(env)
-    if params
-      BotAway::ParamParser.new(request.ip, params).params
-    else
-      request_parameters = request.parameters.dup
-      request.parameters.clear
-      request.parameters.merge! BotAway::ParamParser.new(request.ip, request_parameters).params
-      params
-    end
-  end
-
-  alias_method_chain :parse_formatted_parameters, :deobfuscation
-end