dm-sanitizer 0.1.1

data/History.txt

@@ -0,0 +1,18 @@
+== 0.1.1 2009-06-01
+
+* 2 enhancements
+  * Change mode options syntax
+  * Raise errors on undefined sanitization mode assigning
+
+* 1 bug fix
+  * Don't sanitize clean values in old records
+
+== 0.0.2 2009-05-30
+
+* 1 bug fix:
+  * Don't sanitize nil and empty properties
+
+== 0.0.1 2009-05-29
+
+* 1 major enhancement:
+  * Initial release

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Sergei Zimakov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Manifest.txt

@@ -0,0 +1,12 @@
+History.txt
+LICENSE
+Manifest.txt
+Rakefile
+README.txt
+TODO
+lib/dm-sanitizer.rb
+lib/dm-sanitizer/version.rb
+spec/dm-sanitizer_spec.rb
+spec/spec.opts
+spec/spec_helper.rb
+tasks/hoe.rb

data/README.txt

@@ -0,0 +1,98 @@
+= dm-sanitizer
+
+* http://github.com/pat/dm-sanitizer
+
+== Description:
+
+This package lets DataMapper properties be easily sanitized using Sanitize.
+
+== Features and problems:
+
+=== Features
+
+* Sanitize String based properties by default
+* Lets choose sanitization mode on per property basis
+* Allows user defined sanitization modes
+
+=== problems
+
+* None known. Contact me if you find them.
+
+== Synopsis:
+
+  require 'rubygems'
+  require 'dm-core'
+  require 'dm-sanitizer'
+
+  DataMapper.setup(:default, 'sqlite3::memory:')
+
+  class SomeModel
+    include DataMapper::Resource
+
+    property :id,     Serial
+    property :title,  String
+    property :story,  Text
+  end
+  SomeModel.auto_migrate!
+
+  obj = SomeModel.new
+  obj.title = '<h1>Hi there</h1>'
+  obj.story = '<em>Some sanitization <strong>needed</strong></em>'
+  obj.save
+  puts obj.title == 'Hi there'
+  puts obj.story == 'Some sanitization needed'
+
+  class SomeOtherModel
+    include DataMapper::Resource
+    sanitize :default_mode => :basic, :modes => {:restricted => :title}, :exclude => [:junk]
+
+    property :id,     Serial
+    property :title,  String
+    property :story,  Text
+    property :junk,   Text
+  end
+  SomeOtherModel.auto_migrate!
+
+  obj = SomeOtherModel.new
+  obj.title = '<h1><strong>Hi</strong> <a href="#">there</a></h1>'
+  obj.story = '<h3><a href="#">Scince</a> knows many gitiks</h3>'
+  obj.junk  = '<script>alert("xss")</script>'
+  obj.save
+
+  puts obj.title == '<strong>Hi</strong> there'
+  puts obj.story == '<a href="#" rel="nofollow">Scince</a> knows many gitiks'
+  puts obj.junk  == '<script>alert("xss")</script>'
+
+== Requirements:
+
+* DataMapper (dm-core)
+* Sanitize (sanitize)
+
+== Installation:
+
+sudo gem install dm-sanitizer
+
+== License
+
+(The MIT License)
+
+Copyright (c) 2009 Sergei Zimakov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,81 @@
+require 'pathname'
+require 'rubygems'
+require 'rake'
+require "rake/clean"
+require "rake/gempackagetask"
+
+ROOT    = Pathname(__FILE__).dirname.expand_path
+JRUBY   = RUBY_PLATFORM =~ /java/
+WINDOWS = Gem.win_platform?
+SUDO    = (WINDOWS || JRUBY) ? '' : ('sudo' unless ENV['SUDOLESS'])
+
+require ROOT + 'lib/dm-sanitizer/version'
+
+AUTHOR = 'Sergei Zimakov'
+EMAIL  = 'zimakov@gmail.com'
+GEM_NAME = 'dm-sanitizer'
+GEM_VERSION = DataMapper::Sanitizer::VERSION
+GEM_DEPENDENCIES = [['dm-core', '>= 0.9.4'], ['sanitize', '>= 1.0.0']]
+GEM_CLEAN = %w[ log pkg coverage ]
+GEM_EXTRAS = { :has_rdoc => true, :extra_rdoc_files => %w[ README.txt LICENSE History.txt ] }
+
+PROJECT_NAME = 'dm-sanitizer'
+PROJECT_URL  = "http://github.com/pat/#{GEM_NAME}/tree/master/"
+PROJECT_DESCRIPTION = PROJECT_SUMMARY = 'DataMapper plugin for automated/configurable user input sanitization.'
+
+[ ROOT ].each do |dir|
+  Pathname.glob(dir.join('tasks/**/*.rb').to_s).each { |f| require f }
+end
+# 
+# spec = Gem::Specification.new do |s|
+#   s.name         = GEM_NAME
+#   s.version      = GEM_VERSION
+#   s.platform     = Gem::Platform::RUBY
+#   s.author       = AUTHOR
+#   s.email        = EMAIL
+#   s.homepage     = PROJECT_URL
+#   s.summary      = PROJECT_SUMMARY
+#   s.description  = PROJECT_DESCRIPTION
+#   s.require_path = 'lib'
+#   s.files        = %w[ LICENSE README.txt Rakefile History.txt TODO ] + Dir['lib/**/*'] + Dir['spec/**/*']
+#   s.rubyforge_project = GEM_NAME
+#  
+#   # rdoc
+#   s.has_rdoc         = false
+#   s.extra_rdoc_files = %w[ LICENSE README.txt History.txt ]
+#  
+#   # Dependencies
+#   GEM_DEPENDENCIES.each {|dep| s.add_dependency( dep[0], dep[1] )}
+# end
+#  
+# Rake::GemPackageTask.new(spec) do |package|
+#   package.gem_spec = spec
+# end
+# 
+# Specs
+
+begin
+  gem 'rspec', '~>1.2'
+  require 'spec'
+  require 'spec/rake/spectask'
+
+  task :default => [ :spec ]
+
+  desc 'Run specifications'
+  Spec::Rake::SpecTask.new(:spec) do |t|
+    t.spec_opts << '--options' << 'spec/spec.opts' if File.exists?('spec/spec.opts')
+    t.spec_files = Pathname.glob((ROOT + 'spec/**/*_spec.rb').to_s).map { |f| f.to_s }
+
+    begin
+      gem 'rcov', '~>0.8'
+      t.rcov = JRUBY ? false : (ENV.has_key?('NO_RCOV') ? ENV['NO_RCOV'] != 'true' : true)
+      t.rcov_opts << '--exclude' << 'spec'
+      t.rcov_opts << '--text-summary'
+      t.rcov_opts << '--sort' << 'coverage' << '--sort-reverse'
+    rescue LoadError
+      # rcov not installed
+    end
+  end
+rescue LoadError
+  # rspec not installed
+end

data/TODO

@@ -0,0 +1,8 @@
+TODO list
+=========
+
+* add options for before :valid? hooking
+* add options for redefining properties filtering method
+* add spec heplers for testing property sanitization options
+* add possibility for sanitizing dirty properties
+* validate options

data/lib/dm-sanitizer.rb

@@ -0,0 +1,111 @@
+require 'pathname'
+require 'rubygems'
+
+require Pathname(__FILE__).dirname.expand_path + 'dm-sanitizer/version'
+
+gem 'dm-core', '>= 0.9.4'
+require 'dm-core'
+
+gem 'sanitize', '>= 1.0.0'
+require 'sanitize'
+
+module DataMapper
+  module Sanitizer
+    def default_options
+      {
+        :mode_definitions  => {
+          :default      => Sanitize::Config::DEFAULT,
+          :restricted   => Sanitize::Config::RESTRICTED,
+          :basic        => Sanitize::Config::BASIC,
+          :relaxed      => Sanitize::Config::RELAXED
+        },
+        :default_mode   => :default
+      }
+    end
+    module_function :default_options
+    
+    module ClassMethods
+      def sanitize(options={})
+        self.class_eval <<-RUBY, __FILE__, __LINE__ + 1
+          def self.sanitization_options=(options)
+            @sanitization_options = options
+          end
+          
+          def self.sanitization_options
+            @sanitization_options
+          end
+          
+          def sanitization_options
+            self.class.sanitization_options
+          end
+        RUBY
+        
+        self.sanitization_options = DataMapper::Sanitizer.default_options.merge(options)
+        remap_sanitization_modes!
+        check_sanitization_modes
+        
+        before :save, :sanitize! unless hooks_with_scope(:instance)[:save][:before].include?({:name => :sanitize!, :from => self})
+      end
+      
+      def disable_sanitization
+        self.sanitization_options[:disabled] = true
+      end
+      
+      private
+      def remap_sanitization_modes!
+        return unless @sanitization_options[:modes]
+        result = {}
+        @sanitization_options[:modes].each do |mode, group|
+          if group.class == Array
+            group.each {|item| result[item] = mode}
+          else
+            result[group] = mode
+          end
+        end
+        @sanitization_options[:modes] = result
+      end
+      
+      def check_sanitization_modes
+        return unless @sanitization_options[:modes]
+        @sanitization_options[:modes].each do |property, mode|
+          raise Exception.new("Sanitization mode :#{mode} is not defined") unless @sanitization_options[:mode_definitions].has_key?(mode)
+        end
+      end
+    end
+    
+    module InstanceMethods
+      def sanitize!
+        options = self.class.sanitization_options
+        return false if options[:disabled]
+        
+        self.class.properties.each do |property|
+          property_name = property.name.to_sym
+          
+          next unless property.type == String || property.type == DataMapper::Types::Text
+          next if !new_record? && !attribute_dirty?(property.name.to_sym)
+          next if options[:exclude] && options[:exclude].include?(property_name)
+          
+          property_mode = options[:modes] ? options[:modes][property_name] || options[:default_mode] : options[:default_mode]
+          
+          sanitize_property!(property_name, property_mode)
+        end
+        return true
+      end
+      
+      def sanitize_property!(name, mode)
+        value = self.send( name )
+        return if value.nil? || value.empty?
+        sanitized_value = Sanitize.clean(value, self.class.sanitization_options[:mode_definitions][mode])
+        self.send( name.to_s+'=', sanitized_value)
+      end
+    end
+    
+    def self.included(receiver)
+      receiver.extend( ClassMethods )
+      receiver.send( :include, InstanceMethods )
+      receiver.send( :sanitize )
+    end
+  end
+end
+
+DataMapper::Resource.append_inclusions DataMapper::Sanitizer

data/lib/dm-sanitizer/version.rb

@@ -0,0 +1,5 @@
+module DataMapper
+  module Sanitizer
+    VERSION = '0.1.1'
+  end  
+end

data/spec/dm-sanitizer_spec.rb

@@ -0,0 +1,137 @@
+require 'pathname'
+require Pathname(__FILE__).dirname.expand_path + 'spec_helper'
+
+if HAS_SQLITE3 || HAS_MYSQL || HAS_POSTGRES
+
+  class CleanCell
+    include DataMapper::Resource
+
+    property :id,     Serial
+    property :title,  String
+    property :story,  Text
+  end
+  CleanCell.auto_migrate!
+
+  class DirtyCell
+    include DataMapper::Resource
+    disable_sanitization
+
+    property :id,     Serial
+    property :title,  String
+    property :story,  Text
+  end
+  DirtyCell.auto_migrate!
+
+
+  describe DataMapper::Model do
+    it "should have options" do
+      CleanCell.new.sanitization_options.should be_an_instance_of(Hash)
+    end
+  end
+
+  describe DataMapper::Model, 'without sanitization' do
+    before(:each) do
+      @object = DirtyCell.new
+    end
+    
+    it "should have disabling option" do
+      @object.sanitization_options[:disabled].should be_true
+    end
+    
+    it "should not sanitize before save (sanitize! should return false)" do
+      @object.should_receive(:sanitize!).and_return(false)
+      @object.save
+    end
+  end
+
+  describe DataMapper::Model, "with sanitization" do
+    before(:each) do
+      @object = CleanCell.new
+    end
+    
+    it "should call sanitize! once before save" do
+      @object.should_receive(:sanitize!).with().once.and_return(true)
+      @object.save
+    end
+    
+    it "should sanitize String and Text properties by default" do
+      @object.should_receive(:sanitize_property!).with(:title,anything).once.ordered
+      @object.should_receive(:sanitize_property!).with(:story,anything).once.ordered
+      @object.save
+    end
+    
+    it "should not sanitize property if its exluded" do
+      @object.class.sanitize :exclude => [:title]
+      @object.should_not_receive(:sanitize_property!).with(:title,anything)
+      @object.should_receive(:sanitize_property!).with(:story,anything).once.ordered
+      @object.save
+    end
+    
+    it "should use changed default_mode" do
+      @object.class.sanitize :default_mode => :basic
+      @object.should_receive(:sanitize_property!).with(:title, :basic)
+      @object.should_receive(:sanitize_property!).with(:story, :basic)
+      @object.save
+    end
+    
+    it "should use changed mode" do
+      @object.class.sanitize :modes => {:restricted => :title, :relaxed => :story}
+      @object.should_receive(:sanitize_property!).with(:title, :restricted)
+      @object.should_receive(:sanitize_property!).with(:story, :relaxed)
+      @object.save
+    end
+    
+    it "should accept array style mode setting" do
+      @object.class.sanitize :modes => {:restricted => [:title, :story]}
+      @object.should_receive(:sanitize_property!).with(:title, :restricted)
+      @object.should_receive(:sanitize_property!).with(:story, :restricted)
+      @object.save
+    end
+    
+    it "should raise error on undefined sanitization mode" do
+      lambda {
+        @object.class.sanitize :modes => {:desanitizedtwice => :title}
+      }.should raise_error
+    end
+    
+    it "should not sanitize not dirty properties in not new records by default" do
+      @object.should_receive(:sanitize_property!).with(:title,anything).twice
+      @object.should_receive(:sanitize_property!).with(:story,anything).once
+      @object.save
+      @object.title = 'Really new <strong>value</strong>'
+      @object.save
+    end
+  end
+  
+  describe "DataMapper::Model sanitize_property! method" do
+    before(:each) do
+      @object = CleanCell.new
+      @object.title = '<em>hi</em>'
+    end
+    
+    it "should call Sanitize.clean with property and mode" do
+      Sanitize.should_receive(:clean).with(@object.title, @object.sanitization_options[:mode_definitions][:restricted])
+      @object.sanitize_property!(:title, :restricted)
+    end
+    
+    it "should set property to sanitized value" do
+      @object.sanitize_property!(:title, :default)
+      @object.title.should == Sanitize.clean(@object.title, @object.sanitization_options[:mode_definitions][:default])
+    end
+    
+    it "should not sanitize nil properties" do
+      @object.title = nil
+      Sanitize.should_not_receive(:clean)
+      @object.sanitize_property!(:title, :default)
+      @object.title.should == nil
+    end
+    
+    it "should not sanitize empty properties" do
+      @object.title = ''
+      Sanitize.should_not_receive(:clean)
+      @object.sanitize_property!(:title, :default)
+      @object.title.should == ''
+    end
+  end
+
+end

data/spec/spec.opts

@@ -0,0 +1 @@
+--colour

data/spec/spec_helper.rb

@@ -0,0 +1,32 @@
+require 'pathname'
+require 'rubygems'
+ 
+gem 'rspec', '~>1.2'
+require 'spec'
+ 
+gem 'dm-core', '>= 0.9.4'
+require 'dm-core'
+
+gem 'sanitize', '>= 1.0.0'
+require 'sanitize'
+ 
+require Pathname(__FILE__).dirname.parent.expand_path + 'lib/dm-sanitizer'
+ 
+def load_driver(name, default_uri)
+  return false if ENV['ADAPTER'] != name.to_s
+ 
+  begin
+    DataMapper.setup(name, ENV["#{name.to_s.upcase}_SPEC_URI"] || default_uri)
+    DataMapper::Repository.adapters[:default] =  DataMapper::Repository.adapters[name]
+    true
+  rescue LoadError => e
+    warn "Could not load do_#{name}: #{e}"
+    false
+  end
+end
+ 
+ENV['ADAPTER'] ||= 'sqlite3'
+ 
+HAS_SQLITE3  = load_driver(:sqlite3,  'sqlite3::memory:')
+HAS_MYSQL    = load_driver(:mysql,    'mysql://localhost/dm_core_test')
+HAS_POSTGRES = load_driver(:postgres, 'postgres://postgres@localhost/dm_core_test')

data/tasks/hoe.rb

@@ -0,0 +1,46 @@
+require 'hoe'
+
+@config_file = "~/.rubyforge/user-config.yml"
+@config = nil
+RUBYFORGE_USERNAME = "unknown"
+def rubyforge_username
+  unless @config
+    begin
+      @config = YAML.load(File.read(File.expand_path(@config_file)))
+    rescue
+      puts <<-EOS
+ERROR: No rubyforge config file found: #{@config_file}
+Run 'rubyforge setup' to prepare your env for access to Rubyforge
+ - See http://newgem.rubyforge.org/rubyforge.html for more details
+      EOS
+      exit
+    end
+  end
+  RUBYFORGE_USERNAME.replace @config["username"]
+end
+
+# Remove hoe dependency
+class Hoe
+  def extra_dev_deps
+    @extra_dev_deps.reject! { |dep| dep[0] == "hoe" }
+    @extra_dev_deps
+  end
+end
+
+hoe = Hoe.new(GEM_NAME, GEM_VERSION) do |p|
+
+  p.developer(AUTHOR, EMAIL)
+
+  p.description = PROJECT_DESCRIPTION
+  p.summary = PROJECT_SUMMARY
+  p.url = PROJECT_URL
+
+  p.rubyforge_name = PROJECT_NAME if PROJECT_NAME
+  p.clean_globs |= GEM_CLEAN
+  p.spec_extras = GEM_EXTRAS if GEM_EXTRAS
+
+  GEM_DEPENDENCIES.each do |dep|
+    p.extra_deps << dep
+  end
+
+end

metadata

@@ -0,0 +1,87 @@
+--- !ruby/object:Gem::Specification 
+name: dm-sanitizer
+version: !ruby/object:Gem::Version 
+  version: 0.1.1
+platform: ruby
+authors: 
+- Sergei Zimakov
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-06-02 00:00:00 +04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: dm-core
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.9.4
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: sanitize
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.0.0
+    version: 
+description: DataMapper plugin for automated/configurable user input sanitization.
+email: 
+- zimakov@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.txt
+- LICENSE
+- History.txt
+files: 
+- History.txt
+- LICENSE
+- Manifest.txt
+- Rakefile
+- README.txt
+- TODO
+- lib/dm-sanitizer.rb
+- lib/dm-sanitizer/version.rb
+- spec/dm-sanitizer_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+- tasks/hoe.rb
+has_rdoc: true
+homepage: http://github.com/pat/dm-sanitizer/tree/master/
+post_install_message: 
+rdoc_options: 
+- --main
+- README.txt
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: dm-sanitizer
+rubygems_version: 1.3.1
+signing_key: 
+specification_version: 2
+summary: DataMapper plugin for automated/configurable user input sanitization.
+test_files: []
+