mongoid-rails 3.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 02783fa03be4dd47c2bcf13e519ac1da42626d7b
+  data.tar.gz: 8e33a29510e747be3e1a2ad7fe486eef5c20a7c5
+SHA512:
+  metadata.gz: 3fa4ea333049ed5076d32f9bc85b6a837671837eff2421766e14e56442d24fbd62d8bd1ccd17eb953bd26da77b8a546926d239e73dfb75a5379bd3508a763057
+  data.tar.gz: a1f096e8e27fbdeb32efac515943ac6e0b3bfaf9c30adeaa6cae26c864c2e07f5fe5520a711af1160133a7bdd13d5540583d408e99d487d80a2b5469e22bbc9d

data/LICENCE.MIT

@@ -0,0 +1,19 @@
+Copyright (c) 2013 Conrad Irwin <conrad@bugsnag.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,51 @@
+mongoid-rails is the safest way to use Mongoid with Rails.
+
+
+Installation
+------------
+
+Add mongoid-rails to your Gemfile.
+
+```ruby
+gem 'mongoid-rails
+```
+
+Then run `bundle install`.
+
+
+Usage
+-----
+
+You don't need to use `mongoid-rails` explicitly, instead it adds protection against a few known hash injection attacks automatically.
+
+### Forbidden attributes protection
+
+This causes things like `User.create(params[:user])` to raise an exception. If
+you want to create a user from parameters, you need to explicitly permit the
+fields that you want to allow.
+
+```ruby
+User.create(params[:user].permit(:name, :email))
+```
+
+This prevents an attacker from sneakily setting `params[:user][:admin] = true` or similar.
+
+### Forbidden query protection
+
+This protects you against query injection attacks. It makes the following code safe:
+
+```ruby
+User.where(api_token: params[:api_token])
+```
+
+Without `mongoid-rails` an attacker can send `?api_token[$regex]=.*` to guess
+api tokens from your app. With `mongoid-rails` that will cause an exception to
+be raised.
+
+Meta
+----
+
+`mongoid-rails` is released under the MIT license. See `LICENCE.MIT` for details.
+
+It currently only supports rails3 with the strong parameters gem installed. I'd
+love a patch to make it work with the mongoid4 beta releases.

data/lib/mongoid-rails.rb

@@ -0,0 +1,9 @@
+require 'mongoid'
+require 'strong_parameters'
+require 'mongoid-rails/forbidden_query_protection'
+
+# From https://github.com/rails/strong_parameters/issues/32
+Mongoid::Document.send(:include, ActiveModel::ForbiddenAttributesProtection)
+
+# From https://github.com/mongoid/mongoid/commit/f02144f3af7f798187ec2133dfb615c973334ffe
+Mongoid::Criteria.send(:include, MongoidRails::ForbiddenQueryProtection)

data/lib/mongoid-rails/forbidden_query_protection.rb

@@ -0,0 +1,34 @@
+module MongoidRails
+  module ForbiddenQueryProtection
+    # Redefine all query methods to be safe against hash injection attacks.
+    Origin::Selectable.instance_methods(false).each do |method|
+      define_method method do |*criteria|
+        raise ActiveModel::ForbiddenAttributes.new(klass, method, criteria) unless should_permit?(criteria)
+        super(*criteria)
+      end
+    end
+
+    private
+
+    # Ensure that the criteria are permitted.
+    #
+    # @example Ignoring ActionController::Parameters
+    #   should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
+    #
+    # @api private
+    #
+    # @param [ Object ] criteria
+    # @return [ Boolean ] if should permit
+    def should_permit?(criteria)
+      if criteria.respond_to?(:permitted?)
+        return criteria.permitted?
+      elsif criteria.respond_to?(:each)
+        criteria.each do |criterion|
+          return false unless should_permit?(criterion)
+        end
+      end
+
+      true
+    end
+  end
+end

data/mongoid-rails.gemspec

@@ -0,0 +1,15 @@
+Gem::Specification.new do |s|
+  s.name        = "mongoid-rails"
+  s.version     = "3.0.0"
+  s.author      = "Conrad Irwin"
+  s.email       = "conrad.irwin@gmail.com"
+  s.homepage    = "https://github.com/ConradIrwin/mongoid-rails"
+  s.summary     = "Strong parameter integration between rails and mongoid"
+  s.license     = "MIT"
+
+  s.add_dependency("mongoid", ["~> 3.1"])
+  s.add_dependency("strong_parameters", ["~> 0.2"])
+
+  s.files        = `git ls-files`.split("\n")
+  s.require_path = 'lib'
+end

metadata

@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification
+name: mongoid-rails
+version: !ruby/object:Gem::Version
+  version: 3.0.0
+platform: ruby
+authors:
+- Conrad Irwin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-01-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: mongoid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: strong_parameters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.2'
+description: 
+email: conrad.irwin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENCE.MIT
+- README.md
+- lib/mongoid-rails.rb
+- lib/mongoid-rails/forbidden_query_protection.rb
+- mongoid-rails.gemspec
+homepage: https://github.com/ConradIrwin/mongoid-rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: Strong parameter integration between rails and mongoid
+test_files: []
+has_rdoc: