filterrific 5.0.1 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cdf8a79ceb47199242045fe675a29bae23a2c05a
-  data.tar.gz: 5f06c14fbc9c712bcf280cd51aaa2b6a45a5377d
+  metadata.gz: 805e2e150dc2f940f7a1553b69d1840fa8c63a19
+  data.tar.gz: 90e9b1385a67e35473b733e6617558d827b3b403
 SHA512:
-  metadata.gz: ef082a1dea5d3c989cd65b032bef0931e5fb75a6d0758f1ee4729b04d019e6e887a4633e9691991da387e9b92bae0c839a868c997d3fcf7947203719ced90bb6
-  data.tar.gz: 8ec955b62c7a8054f9e91ab070a0cdc3154dc37f82fa2583f0df2f561bf31376a52dd74b1fb249021b89f13c571a5e09481f4ba7f636fd316f9ef90927d09227
+  metadata.gz: 735745de77b4388f221f94eb2f801a6a0ff14d94881807a4320aaeb0a353ea3fc0e5c35d47283f93a60fb298658be0ec5f90bee82f0085c518cc4a06c1815f93
+  data.tar.gz: a15233320c33c518f9bddeacf8ff9e839f56916f77ce67e07fcb62f4778e3cafd2103464b401ba6382d4360b922c9d008b86d06f534b5f9d252c67b63b03e965

data/CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Filterrific major versions match the Ruby on Rails major versions they work with.
 
+## [5.1.0] - Aug. 3, 2018
+
+* Breaking change: all Filterrific params are sanitized by default to prevent XSS attacks. You can disable sanitization (you really shouldn't!) by setting the :sanitize_params option to false when calling #initialize_filterrific in the controller.
+
 ## [5.0.1] - Jan. 2, 2018
 
 * Changed all instances of #deep_stringify_keys back to #stringify_keys. This was changed in 5.0.0, but it shouldn't have been changed.

data/doc/scratchpad.md

@@ -2,7 +2,12 @@
 
 ## TODO
 
-* add check that no filter_name conflicts with existing methods on included ActiveRecord class (See https://github.com/jhund/filterrific/issues/17)
+* [x] Go to deep_stringify_keys (in ActionControllerExtension#initialize_filterrific)
+* [x] Lock Gemfile to correct version of Rails
+* [x] Add Rails major version check to filterrific.rb
+* [ ] In ParamSet#condition_filterrific_params: Why are we type casting integers?
+* [ ] add check that no filter_name conflicts with existing methods on included ActiveRecord class (See https://github.com/jhund/filterrific/issues/17)
+* [x] I think this is done: fix reset url, make controller method, helper method
 
 ## Travis
 
@@ -25,6 +30,7 @@ Ruby 1.8.7
 Ruby 1.9.3
 Ruby 2.0
 Ruby 2.1
+Ruby 2.2    No         No         No         No
 
 Each combination is also tested for postgres and mysql
 

data/lib/filterrific/action_controller_extension.rb

@@ -26,6 +26,9 @@ module Filterrific
     # @option opts [Hash, optional] :select_options
     #   these are available in the view to populate select lists and other
     #   dynamic values.
+    # @option opts [Boolean, optional] :sanitize_params
+    #   if true, sanitizes all filterrific params to prevent reflected (or stored) XSS attacks.
+    #   Defaults to true.
     # @return [Filterrific::ParamSet]
     def initialize_filterrific(model_class, filterrific_params, opts = {})
       f_params = (filterrific_params || {}).stringify_keys
@@ -60,8 +63,12 @@ module Filterrific
     # @param model_class [ActiveRecord::Base]
     # @param filterrific_params [ActionController::Params, Hash]
     # @param opts [Hash]
+    # @option opts [Boolean, optional] "sanitize_params"
+    #   if true, sanitizes all filterrific params to prevent reflected (or stored) XSS attacks.
+    #   Defaults to true.
     # @param persistence_id [String, nil]
     def compute_filterrific_params(model_class, filterrific_params, opts, persistence_id)
+      opts = { "sanitize_params" => true }.merge(opts.stringify_keys)
       r = (
         filterrific_params.presence || # start with passed in params
         (persistence_id && session[persistence_id].presence) || # then try session persisted params if persistence_id is present
@@ -69,8 +76,35 @@ module Filterrific
         model_class.filterrific_default_filter_params # finally use model_class defaults
       ).stringify_keys
       r.slice!(*opts['available_filters'].map(&:to_s))  if opts['available_filters']
+      # Sanitize params to prevent reflected XSS attack
+      if opts["sanitize_params"]
+        r.each { |k,v| r[k] = sanitize_filterrific_param(r[k]) }
+      end
       r
     end
 
+    # Sanitizes value to prevent xss attack.
+    # Uses Rails ActionView::Helpers::SanitizeHelper.
+    # @param val [Object] the value to sanitize. Can be any kind of object. Collections
+    #   will have their members sanitized recursively.
+    def sanitize_filterrific_param(val)
+      case val
+      when Array
+        # Return Array
+        val.map { |e| sanitize_filterrific_param(e) }
+      when Hash
+        # Return Hash
+        val.inject({}) { |m, (k,v)| m[k] = sanitize_filterrific_param(v); m }
+      when NilClass
+        # Nothing to do, use val as is
+        val
+      when String
+        helpers.sanitize(val)
+      else
+        # Nothing to do, use val as is
+        val
+      end
+    end
+
   end
 end

data/lib/filterrific/engine_api.rb

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+
+require 'filterrific/param_set'
+
+require 'filterrific/action_controller_extension'
+require 'filterrific/active_record_extension'
+
+module Filterrific
+  class EngineApi < ::Rails::Engine
+
+TODO: Since this is API only, I don't think we need an engine!
+    # It's an engine so that we can add javascript and image assets
+    # to the asset pipeline.
+
+    isolate_namespace Filterrific
+
+    ActiveSupport.on_load :action_controller do
+      include Filterrific::ActionControllerExtension
+    end
+
+    ActiveSupport.on_load :active_record do
+      extend Filterrific::ActiveRecordExtension
+    end
+
+  end
+end

data/lib/filterrific/version.rb

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
 
 module Filterrific
-  VERSION = "5.0.1"
+  VERSION = "5.1.0"
 end

data/lib/filterrific_api.rb

@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+
+require 'filterrific/version'
+require 'filterrific/engine_api'
+
+module Filterrific
+end

data/spec/filterrific/action_controller_extension_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'filterrific/action_controller_extension'
+require 'action_view/helpers/sanitize_helper'
 
 module Filterrific
 
@@ -9,6 +10,12 @@ module Filterrific
       include ActionControllerExtension
       def action_name; 'index'; end
       def controller_name; 'test_controller'; end
+      # In a production app the #helpers method makes Rails helpers available in
+      # a controller instance. For testing our module outside of rails, we just
+      # include the required helpers in the TestController class
+      # and then delegate #helpers to self.
+      include ActionView::Helpers::SanitizeHelper
+      def helpers; self; end
       def session
         {
           'test_controller#index' => {
@@ -100,6 +107,46 @@ module Filterrific
         ).must_equal({ 'filter1' => 1 })
       end
 
+      it "sanitizes filterrific params by default" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => "1' <script>alert('xss attack!');</script>" },
+          { },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => "1' alert('xss attack!');" })
+      end
+
+      it "sanitizes filterrific Array params" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => ["1' <script>alert('xss attack!');</script>", 3] },
+          { },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => ["1' alert('xss attack!');", 3] })
+      end
+
+      it "sanitizes filterrific Hash params" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => { 1 => "1' <script>alert('xss attack!');</script>", 2 =>  3} },
+          { },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => { 1 => "1' alert('xss attack!');", 2 => 3 } })
+      end
+
+      it "skips param sanitization if told so via options" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => "1' <script>alert('xss attack!');</script>" },
+          { :sanitize_params => false },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => "1' <script>alert('xss attack!');</script>" })
+      end
+
     end
 
     describe '#reset_filterrific_url' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: filterrific
 version: !ruby/object:Gem::Version
-  version: 5.0.1
+  version: 5.1.0
 platform: ruby
 authors:
 - Jo Hund
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-03 00:00:00.000000000 Z
+date: 2018-08-03 00:00:00.000000000 Z
 dependencies: []
 description: Filterrific is a Rails Engine plugin that makes it easy to filter, search,
   and sort your ActiveRecord lists.
@@ -37,9 +37,11 @@ files:
 - lib/filterrific/action_view_extension.rb
 - lib/filterrific/active_record_extension.rb
 - lib/filterrific/engine.rb
+- lib/filterrific/engine_api.rb
 - lib/filterrific/has_reset_filterrific_url_mixin.rb
 - lib/filterrific/param_set.rb
 - lib/filterrific/version.rb
+- lib/filterrific_api.rb
 - spec/filterrific/action_controller_extension_spec.rb
 - spec/filterrific/action_view_extension_spec.rb
 - spec/filterrific/active_record_extension_spec.rb