bullet_train-scope_validator 1.0.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +6 -12
- data/lib/bullet_train/scope_validator/version.rb +1 -1
- data/lib/bullet_train/scope_validator.rb +2 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f7deee0cb7bca1d0e45c645f5845e598c6b7efa35da8d5bd21c9d2f3c0c0c0ee
|
4
|
+
data.tar.gz: 255b5f4fce08fa730d3280254b9d3b149775e849cf118410d73d59f901aa25cd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5f5b4778c1f8b4d48fa0ace2026f36fa7690f2b5692bbfec4fdb0a9cb8ebf8ebce7cb1b0df7c8a7a50f08f548c06d2448642798b644606df43abdaf1e777583e
|
7
|
+
data.tar.gz: 92c1011af64d3647dfc3ed183fafded26b962f0fce604f96b5928fdbe710b16e4addfd599b86f57a2343f0a7b9d79584dace0fadc9f5b6077ced4e86595080e2
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -1,13 +1,10 @@
|
|
1
1
|
# Bullet Train Scope Validator
|
2
2
|
|
3
|
-
Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID
|
4
|
-
stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver).
|
3
|
+
Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver) and extracted from [Bullet Train](https://bullettrain.co).
|
5
4
|
|
6
5
|
## Illustrating the Problem
|
7
6
|
|
8
|
-
By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a
|
9
|
-
`belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed
|
10
|
-
data from other tenants.
|
7
|
+
By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed data from other tenants.
|
11
8
|
|
12
9
|
Consider the following example from a customer relationship management (CRM) system that two competitive companies use:
|
13
10
|
|
@@ -49,9 +46,7 @@ class DealsController < ApplicationController
|
|
49
46
|
end
|
50
47
|
```
|
51
48
|
|
52
|
-
☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating
|
53
|
-
the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate
|
54
|
-
validation logic in our API controllers and other places. This is a responsibility of the model.
|
49
|
+
☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate validation logic in our API controllers and other places. This is a responsibility of the model.
|
55
50
|
|
56
51
|
### Example Form
|
57
52
|
|
@@ -75,8 +70,7 @@ A malicious user can:
|
|
75
70
|
- Inspect the DOM and replace the `<select>` element for `customer_id` with an `<input type="text">` element.
|
76
71
|
- Set the value to any number, particularly numbers that are IDs they know don't belong to their account.
|
77
72
|
- Submit the form to create the deal.
|
78
|
-
- When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of
|
79
|
-
another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
|
73
|
+
- When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
|
80
74
|
|
81
75
|
## Usage
|
82
76
|
|
@@ -105,13 +99,13 @@ class Deal < ApplicationRecord
|
|
105
99
|
end
|
106
100
|
```
|
107
101
|
|
108
|
-
|
102
|
+
If you're wondering what the connection between `validates :customer, scope: true` and `def valid_customers` is, it's just a convention that the former will call the latter based on the name of the attibute being validated. We've favored a full-blown method definition for this instead of simply passing in a proc into the validator because having a method allows us to also DRY up our form view to use the same definition of valid options, like so:
|
109
103
|
|
110
104
|
```
|
111
105
|
<%= form.collection_select(:customer_id, form.object.valid_customers, :id, :name) %>
|
112
106
|
```
|
113
107
|
|
114
|
-
|
108
|
+
So with that, you're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
|
115
109
|
|
116
110
|
## Contributing
|
117
111
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: bullet_train-scope_validator
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Culver
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-01-
|
11
|
+
date: 2022-01-16 00:00:00.000000000 Z
|
12
12
|
dependencies: []
|
13
13
|
description: Protect `belongs_to` attributes from ID stuffing.
|
14
14
|
email:
|