filterrific 5.0.1 → 5.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: cdf8a79ceb47199242045fe675a29bae23a2c05a
4
- data.tar.gz: 5f06c14fbc9c712bcf280cd51aaa2b6a45a5377d
3
+ metadata.gz: 805e2e150dc2f940f7a1553b69d1840fa8c63a19
4
+ data.tar.gz: 90e9b1385a67e35473b733e6617558d827b3b403
5
5
  SHA512:
6
- metadata.gz: ef082a1dea5d3c989cd65b032bef0931e5fb75a6d0758f1ee4729b04d019e6e887a4633e9691991da387e9b92bae0c839a868c997d3fcf7947203719ced90bb6
7
- data.tar.gz: 8ec955b62c7a8054f9e91ab070a0cdc3154dc37f82fa2583f0df2f561bf31376a52dd74b1fb249021b89f13c571a5e09481f4ba7f636fd316f9ef90927d09227
6
+ metadata.gz: 735745de77b4388f221f94eb2f801a6a0ff14d94881807a4320aaeb0a353ea3fc0e5c35d47283f93a60fb298658be0ec5f90bee82f0085c518cc4a06c1815f93
7
+ data.tar.gz: a15233320c33c518f9bddeacf8ff9e839f56916f77ce67e07fcb62f4778e3cafd2103464b401ba6382d4360b922c9d008b86d06f534b5f9d252c67b63b03e965
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
7
7
 
8
8
  Filterrific major versions match the Ruby on Rails major versions they work with.
9
9
 
10
+ ## [5.1.0] - Aug. 3, 2018
11
+
12
+ * Breaking change: all Filterrific params are sanitized by default to prevent XSS attacks. You can disable sanitization (you really shouldn't!) by setting the :sanitize_params option to false when calling #initialize_filterrific in the controller.
13
+
10
14
  ## [5.0.1] - Jan. 2, 2018
11
15
 
12
16
  * Changed all instances of #deep_stringify_keys back to #stringify_keys. This was changed in 5.0.0, but it shouldn't have been changed.
@@ -2,7 +2,12 @@
2
2
 
3
3
  ## TODO
4
4
 
5
- * add check that no filter_name conflicts with existing methods on included ActiveRecord class (See https://github.com/jhund/filterrific/issues/17)
5
+ * [x] Go to deep_stringify_keys (in ActionControllerExtension#initialize_filterrific)
6
+ * [x] Lock Gemfile to correct version of Rails
7
+ * [x] Add Rails major version check to filterrific.rb
8
+ * [ ] In ParamSet#condition_filterrific_params: Why are we type casting integers?
9
+ * [ ] add check that no filter_name conflicts with existing methods on included ActiveRecord class (See https://github.com/jhund/filterrific/issues/17)
10
+ * [x] I think this is done: fix reset url, make controller method, helper method
6
11
 
7
12
  ## Travis
8
13
 
@@ -25,6 +30,7 @@ Ruby 1.8.7
25
30
  Ruby 1.9.3
26
31
  Ruby 2.0
27
32
  Ruby 2.1
33
+ Ruby 2.2 No No No No
28
34
 
29
35
  Each combination is also tested for postgres and mysql
30
36
 
@@ -26,6 +26,9 @@ module Filterrific
26
26
  # @option opts [Hash, optional] :select_options
27
27
  # these are available in the view to populate select lists and other
28
28
  # dynamic values.
29
+ # @option opts [Boolean, optional] :sanitize_params
30
+ # if true, sanitizes all filterrific params to prevent reflected (or stored) XSS attacks.
31
+ # Defaults to true.
29
32
  # @return [Filterrific::ParamSet]
30
33
  def initialize_filterrific(model_class, filterrific_params, opts = {})
31
34
  f_params = (filterrific_params || {}).stringify_keys
@@ -60,8 +63,12 @@ module Filterrific
60
63
  # @param model_class [ActiveRecord::Base]
61
64
  # @param filterrific_params [ActionController::Params, Hash]
62
65
  # @param opts [Hash]
66
+ # @option opts [Boolean, optional] "sanitize_params"
67
+ # if true, sanitizes all filterrific params to prevent reflected (or stored) XSS attacks.
68
+ # Defaults to true.
63
69
  # @param persistence_id [String, nil]
64
70
  def compute_filterrific_params(model_class, filterrific_params, opts, persistence_id)
71
+ opts = { "sanitize_params" => true }.merge(opts.stringify_keys)
65
72
  r = (
66
73
  filterrific_params.presence || # start with passed in params
67
74
  (persistence_id && session[persistence_id].presence) || # then try session persisted params if persistence_id is present
@@ -69,8 +76,35 @@ module Filterrific
69
76
  model_class.filterrific_default_filter_params # finally use model_class defaults
70
77
  ).stringify_keys
71
78
  r.slice!(*opts['available_filters'].map(&:to_s)) if opts['available_filters']
79
+ # Sanitize params to prevent reflected XSS attack
80
+ if opts["sanitize_params"]
81
+ r.each { |k,v| r[k] = sanitize_filterrific_param(r[k]) }
82
+ end
72
83
  r
73
84
  end
74
85
 
86
+ # Sanitizes value to prevent xss attack.
87
+ # Uses Rails ActionView::Helpers::SanitizeHelper.
88
+ # @param val [Object] the value to sanitize. Can be any kind of object. Collections
89
+ # will have their members sanitized recursively.
90
+ def sanitize_filterrific_param(val)
91
+ case val
92
+ when Array
93
+ # Return Array
94
+ val.map { |e| sanitize_filterrific_param(e) }
95
+ when Hash
96
+ # Return Hash
97
+ val.inject({}) { |m, (k,v)| m[k] = sanitize_filterrific_param(v); m }
98
+ when NilClass
99
+ # Nothing to do, use val as is
100
+ val
101
+ when String
102
+ helpers.sanitize(val)
103
+ else
104
+ # Nothing to do, use val as is
105
+ val
106
+ end
107
+ end
108
+
75
109
  end
76
110
  end
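Review bot: `helpers.sanitize(val)` in the `String` branch is Rails' HTML allow-list sanitizer, built for rendering output, and applying it to incoming filter values rewrites the data that reaches the query — a legitimate search term containing `<`, `>` or `&` may no longer match what is stored (with the Loofah-based sanitizer `&` typically comes back as `&amp;`), so this deserves a documented caveat next to the `:sanitize_params` option and a spec with benign input; escaping at the view remains the primary XSS control. The `Hash` branch sanitizes values only: `m[k] = sanitize_filterrific_param(v)` passes keys through untouched, so a hash-valued param keeps attacker-controlled keys if those are ever rendered; either sanitize keys too or state the limitation in the method comment. In the loop `r.each { |k,v| r[k] = sanitize_filterrific_param(r[k]) }` the block param `v` is unused and the hash is assigned while being iterated — `r.each_key { |k| r[k] = sanitize_filterrific_param(r[k]) }` says the same thing without the unused param. The `when NilClass` arm duplicates the `else` arm and can be dropped, and `val.inject({}) { |m, (k,v)| ...; m }` reads more plainly as `val.each_with_object({}) { |(k, v), m| m[k] = sanitize_filterrific_param(v) }`.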
@@ -0,0 +1,26 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ require 'filterrific/param_set'
4
+
5
+ require 'filterrific/action_controller_extension'
6
+ require 'filterrific/active_record_extension'
7
+
8
+ module Filterrific
9
+ class EngineApi < ::Rails::Engine
10
+
11
+ TODO: Since this is API only, I don't think we need an engine!
12
+ # It's an engine so that we can add javascript and image assets
13
+ # to the asset pipeline.
14
+
15
+ isolate_namespace Filterrific
16
+
17
+ ActiveSupport.on_load :action_controller do
18
+ include Filterrific::ActionControllerExtension
19
+ end
20
+
21
+ ActiveSupport.on_load :active_record do
22
+ extend Filterrific::ActiveRecordExtension
23
+ end
24
+
25
+ end
26
+ end
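Review bot: The line `TODO: Since this is API only, I don't think we need an engine!` inside `class EngineApi` is not a comment — it is a bare statement in the class body, so this file cannot be parsed and `require 'filterrific/engine_api'` (done by the new `lib/filterrific_api.rb` in the hunk below) fails at load time. Prefix it like the lines that follow it: `# TODO: Since this is API only, I don't think we need an engine!`. The metadata hunk lists both new files as shipped in the gem, so the broken file goes out with this release unless fixed.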
@@ -1,5 +1,5 @@
1
1
  # -*- coding: utf-8 -*-
2
2
 
3
3
  module Filterrific
4
- VERSION = "5.0.1"
4
+ VERSION = "5.1.0"
5
5
  end
@@ -0,0 +1,7 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ require 'filterrific/version'
4
+ require 'filterrific/engine_api'
5
+
6
+ module Filterrific
7
+ end
@@ -1,5 +1,6 @@
1
1
  require 'spec_helper'
2
2
  require 'filterrific/action_controller_extension'
3
+ require 'action_view/helpers/sanitize_helper'
3
4
 
4
5
  module Filterrific
5
6
 
@@ -9,6 +10,12 @@ module Filterrific
9
10
  include ActionControllerExtension
10
11
  def action_name; 'index'; end
11
12
  def controller_name; 'test_controller'; end
13
+ # In a production app the #helpers method makes Rails helpers available in
14
+ # a controller instance. For testing our module outside of rails, we just
15
+ # include the required helpers in the TestController class
16
+ # and then delegate #helpers to self.
17
+ include ActionView::Helpers::SanitizeHelper
18
+ def helpers; self; end
12
19
  def session
13
20
  {
14
21
  'test_controller#index' => {
@@ -100,6 +107,46 @@ module Filterrific
100
107
  ).must_equal({ 'filter1' => 1 })
101
108
  end
102
109
 
110
+ it "sanitizes filterrific params by default" do
111
+ TestController.new.send(
112
+ :compute_filterrific_params,
113
+ TestModelClass,
114
+ { 'filter1' => "1' <script>alert('xss attack!');</script>" },
115
+ { },
116
+ 'test_controller#index'
117
+ ).must_equal({ 'filter1' => "1' alert('xss attack!');" })
118
+ end
119
+
120
+ it "sanitizes filterrific Array params" do
121
+ TestController.new.send(
122
+ :compute_filterrific_params,
123
+ TestModelClass,
124
+ { 'filter1' => ["1' <script>alert('xss attack!');</script>", 3] },
125
+ { },
126
+ 'test_controller#index'
127
+ ).must_equal({ 'filter1' => ["1' alert('xss attack!');", 3] })
128
+ end
129
+
130
+ it "sanitizes filterrific Hash params" do
131
+ TestController.new.send(
132
+ :compute_filterrific_params,
133
+ TestModelClass,
134
+ { 'filter1' => { 1 => "1' <script>alert('xss attack!');</script>", 2 => 3} },
135
+ { },
136
+ 'test_controller#index'
137
+ ).must_equal({ 'filter1' => { 1 => "1' alert('xss attack!');", 2 => 3 } })
138
+ end
139
+
140
+ it "skips param sanitization if told so via options" do
141
+ TestController.new.send(
142
+ :compute_filterrific_params,
143
+ TestModelClass,
144
+ { 'filter1' => "1' <script>alert('xss attack!');</script>" },
145
+ { :sanitize_params => false },
146
+ 'test_controller#index'
147
+ ).must_equal({ 'filter1' => "1' <script>alert('xss attack!');</script>" })
148
+ end
149
+
103
150
  end
104
151
 
105
152
  describe '#reset_filterrific_url' do
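Review bot: The four new specs pin the exact post-sanitization string `"1' alert('xss attack!');"`, which couples them to the current Rails HTML sanitizer's output (the stripped `<script>` element's text is kept) rather than to the property this change cares about; an assertion along the lines of `result['filter1'].wont_include('<script')` next to the exact-value check would keep the spec meaningful if the sanitizer's whitespace or entity handling changes. None of the new cases cover a benign filter value with characters such as `&` or `<` that a search term may legitimately contain, so a regression in how the default sanitization alters ordinary input would go unnoticed; one case asserting what such a value becomes would document the trade-off. The `describe` block these cases live in starts outside the hunk.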
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: filterrific
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.1
4
+ version: 5.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jo Hund
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-01-03 00:00:00.000000000 Z
11
+ date: 2018-08-03 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Filterrific is a Rails Engine plugin that makes it easy to filter, search,
14
14
  and sort your ActiveRecord lists.
@@ -37,9 +37,11 @@ files:
37
37
  - lib/filterrific/action_view_extension.rb
38
38
  - lib/filterrific/active_record_extension.rb
39
39
  - lib/filterrific/engine.rb
40
+ - lib/filterrific/engine_api.rb
40
41
  - lib/filterrific/has_reset_filterrific_url_mixin.rb
41
42
  - lib/filterrific/param_set.rb
42
43
  - lib/filterrific/version.rb
44
+ - lib/filterrific_api.rb
43
45
  - spec/filterrific/action_controller_extension_spec.rb
44
46
  - spec/filterrific/action_view_extension_spec.rb
45
47
  - spec/filterrific/active_record_extension_spec.rb