bullet_train-scope_validator 1.0.1 → 1.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +2 -1
  3. data/LICENSE.txt +1 -1
  4. data/README.md +7 -13
  5. data/lib/bullet_train/scope_validator/version.rb +1 -1
  6. data/lib/bullet_train/scope_validator.rb +2 -0
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ea9dcbec389cebbb7a24a9d868f080a27a11c29a39276e0dae7416b00265af9f
4
- data.tar.gz: 379772ea2451665352e8a824c60e71d246fbdaeb3dd400d68f8025250243866d
3
+ metadata.gz: 6e6ff9937e99a2db86d2a11e59c2ccb68bad991f08fa9001c0065a402831b7ef
4
+ data.tar.gz: baefbc0f181bd28ec6ef0599f23644e306d7f8f0bea9d5b8400c0dd06ca53c7f
5
5
  SHA512:
6
- metadata.gz: f991bdb484df712fa4020f39690a6d62b900a5c8d62e629bc00b7d8bd124346fe2a3652e1be0a230dbf7aa21a1352791f3727474d1aebc9aaf22735b57ccf2c7
7
- data.tar.gz: 8f7a628c033553e81313e42912567d16237212e284ff0eb7a270a22fa1ccbd026fb24734c53c7e56a3405f252372fde56075d154cb52bafca4a76698b5dd3325
6
+ metadata.gz: 8280fcc5d0c7108eecf676fb46091f7beba8d69f5ca717f170b00e06069197def6026f3fec272375dd8f499400ac99ee235417f2fd8192b6c6fe3085dc382793
7
+ data.tar.gz: 8b24138c75c75e34c763ac6d184401462a85b282f8a2f7618b26ee8faa3fa5e8b3ffaaea04737ff60f3d36437a10a6526898f4cb2daa5332cb5bdd08bc7dbd76
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- bullet_train-scope_validator (1.0.1)
4
+ bullet_train-scope_validator (1.2.0)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
@@ -36,6 +36,7 @@ GEM
36
36
  unicode-display_width (2.1.0)
37
37
 
38
38
  PLATFORMS
39
+ arm64-darwin-20
39
40
  arm64-darwin-21
40
41
 
41
42
  DEPENDENCIES
data/LICENSE.txt CHANGED
@@ -1,6 +1,6 @@
1
1
  The MIT License (MIT)
2
2
 
3
- Copyright (c) 2022 Andrew Culver
3
+ Copyright (c) 2022 Bullet Train, Inc.
4
4
 
5
5
  Permission is hereby granted, free of charge, to any person obtaining a copy
6
6
  of this software and associated documentation files (the "Software"), to deal
data/README.md CHANGED
@@ -1,13 +1,10 @@
1
1
  # Bullet Train Scope Validator
2
2
 
3
- Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID
4
- stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver).
3
+ Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver) and extracted from [Bullet Train](https://bullettrain.co).
5
4
 
6
5
  ## Illustrating the Problem
7
6
 
8
- By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a
9
- `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed
10
- data from other tenants.
7
+ By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed data from other tenants.
11
8
 
12
9
  Consider the following example from a customer relationship management (CRM) system that two competitive companies use:
13
10
 
@@ -49,9 +46,7 @@ class DealsController < ApplicationController
49
46
  end
50
47
  ```
51
48
 
52
- ☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating
53
- the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate
54
- validation logic in our API controllers and other places. This is a responsibility of the model.
49
+ ☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate validation logic in our API controllers and other places. This is a responsibility of the model.
55
50
 
56
51
  ### Example Form
57
52
 
@@ -75,8 +70,7 @@ A malicious user can:
75
70
  - Inspect the DOM and replace the `<select>` element for `customer_id` with an `<input type="text">` element.
76
71
  - Set the value to any number, particularly numbers that are IDs they know don't belong to their account.
77
72
  - Submit the form to create the deal.
78
- - When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of
79
- another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
73
+ - When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
80
74
 
81
75
  ## Usage
82
76
 
@@ -92,7 +86,7 @@ gem "bullet_train-scope_validator"
92
86
 
93
87
  Then we add a `scope: true` validation and `def valid_customers` method in the model, like so:
94
88
 
95
- ```
89
+ ```ruby
96
90
  class Deal < ApplicationRecord
97
91
  belongs_to :team
98
92
  belongs_to :customer
@@ -105,13 +99,13 @@ class Deal < ApplicationRecord
105
99
  end
106
100
  ```
107
101
 
108
- Finally, we can also DRY up our form to use the same definition of valid options:
102
+ If you're wondering what the connection between `validates :customer, scope: true` and `def valid_customers` is, it's just a convention that the former will call the latter based on the name of the attibute being validated. We've favored a full-blown method definition for this instead of simply passing in a proc into the validator because having a method allows us to also DRY up our form view to use the same definition of valid options, like so:
109
103
 
110
104
  ```
111
105
  <%= form.collection_select(:customer_id, form.object.valid_customers, :id, :name) %>
112
106
  ```
113
107
 
114
- That's it. You're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
108
+ So with that, you're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
115
109
 
116
110
  ## Contributing
117
111
 
data/lib/bullet_train/scope_validator/version.rb CHANGED
@@ -2,6 +2,6 @@
2
2
 
3
3
  module BulletTrain
4
4
  module ScopeValidator
5
- VERSION = "1.0.1"
5
+ VERSION = "1.2.0"
6
6
  end
7
7
  end
data/lib/bullet_train/scope_validator.rb CHANGED
@@ -2,6 +2,8 @@
2
2
 
3
3
  require_relative "scope_validator/version"
4
4
 
5
+ require_relative "../validators/scope_validator"
6
+
5
7
  module BulletTrain
6
8
  module ScopeValidator
7
9
  class Error < StandardError; end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: bullet_train-scope_validator
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Culver
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-01-15 00:00:00.000000000 Z
11
+ date: 2022-12-15 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Protect `belongs_to` attributes from ID stuffing.
14
14
  email:
@@ -52,7 +52,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
52
52
  - !ruby/object:Gem::Version
53
53
  version: '0'
54
54
  requirements: []
55
- rubygems_version: 3.2.22
55
+ rubygems_version: 3.3.7
56
56
  signing_key:
57
57
  specification_version: 4
58
58
  summary: Protect `belongs_to` attributes from ID stuffing.