mongoid-rails 3.0.1 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +11 -15
- data/lib/mongoid-rails.rb +3 -2
- data/lib/mongoid-rails/forbidden_attributes_protection.rb +13 -0
- data/lib/mongoid-rails/forbidden_query_protection.rb +1 -24
- data/lib/mongoid-rails/should_permit.rb +23 -0
- data/mongoid-rails.gemspec +2 -3
- metadata +12 -24
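--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4aea5ee9cb7fac68f175dfecf0501e5d33e5e43e
+data.tar.gz: 808273d3448c20c3d40958412e79ed4f30516c85
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5b536055b801ce792f26d15329e399ca1e3f46fa40f1b9b0ba902e874a78c5f598ffabc489d8e56af01b72708889858c6e7be98b5e1378e8f41b82c235e9c6ce
+data.tar.gz: 48938aa44dc4aa138f0223ddef933f4f45919f2bea1763e133422aa2f9661205caaf7394b21bad86eba3b6b74b0a6d1592ac46abbeca03e6fab493b91d5f33bf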
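--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,4 @@
-mongoid-rails is the safest way to use MongoDB with Rails.
-
+mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.
 
 Installation
 ------------
@@ -12,23 +11,23 @@ gem 'mongoid-rails'
 
 Then run `bundle install`.
 
+What does it do?
+----------------
 
-
-
-
-You don't need to use `mongoid-rails` explicitly, instead it adds protection against a few known hash injection attacks automatically.
+Mongoid rails provides protection against [hash-injection
+attacks](http://cirw.in/blog/hash-injection) in mongoid.
 
 ### Forbidden attributes protection
 
-This causes things like `User.create(params[:
+This causes things like `User.create(setings: params[:settings])` to raise an exception. If
 you want to create a user from parameters, you need to explicitly permit the
 fields that you want to allow.
 
 ```ruby
-User.create(params[:
+User.create(settings: params[:settings].permit(:favorite_color))
 ```
 
-This prevents an attacker from sneakily setting `params[:
+This prevents an attacker from sneakily setting `params[:settings][:admin] = true` or similar.
 
 ### Forbidden query protection
 
@@ -38,14 +37,11 @@ This protects you against query injection attacks. It makes the following code s
 User.where(api_token: params[:api_token])
 ```
 
-Without `mongoid-rails` an attacker can send `?api_token[$
-
-
+Without `mongoid-rails` an attacker can send `?api_token[$gt]=` to guess api
+tokens from your app. With `mongoid-rails` that will cause an exception to be
+raised.
 
 Meta
 ----
 
 `mongoid-rails` is released under the MIT license. See `LICENCE.MIT` for details.
-
-It currently only supports rails3 with the strong parameters gem installed. I'd
-love a patch to make it work with the mongoid4 beta releases.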
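--- a/data/lib/mongoid-rails.rb
+++ b/data/lib/mongoid-rails.rb
@@ -1,9 +1,10 @@
 require 'mongoid'
-require '
+require 'mongoid-rails/should_permit'
+require 'mongoid-rails/forbidden_attributes_protection'
 require 'mongoid-rails/forbidden_query_protection'
 
 # From https://github.com/rails/strong_parameters/issues/32
-Mongoid::Document.send(:include,
+Mongoid::Document.send(:include, MongoidRails::ForbiddenAttributesProtection)
 
 # From https://github.com/mongoid/mongoid/commit/f02144f3af7f798187ec2133dfb615c973334ffe
 Mongoid::Criteria.send(:include, MongoidRails::ForbiddenQueryProtection)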
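Review bot: Both protection modules wired up here raise `ActiveModel::ForbiddenAttributesError`, but the only framework require in this file is `require 'mongoid'`, and this release drops the strong_parameters dependency that previously supplied that constant. On Rails 4 the constant lives in ActiveModel's forbidden_attributes_protection file, which as far as I can tell is only loaded when something includes `ActiveModel::ForbiddenAttributesProtection`; if mongoid does not do that itself, an injection attempt would surface as a `NameError` instead of the intended error and any `rescue ActiveModel::ForbiddenAttributesError` in an app would miss it. An explicit `require 'active_model/forbidden_attributes_protection'` next to `require 'mongoid'` removes the dependence on load order. Worth confirming against the mongoid version pinned in the gemspec.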
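--- a/data/lib/mongoid-rails/forbidden_attributes_protection.rb
+++ b/data/lib/mongoid-rails/forbidden_attributes_protection.rb
@@ -0,0 +1,13 @@
+module MongoidRails
+module ForbiddenAttributesProtection
+
+def sanitize_for_mass_assignment(attributes)
+if MongoidRails.should_permit?(attributes)
+attributes
+else
+raise ActiveModel::ForbiddenAttributesError
+end
+end
+alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
+end
+end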
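Review bot: `sanitize_for_mass_assignment` and its alias are undocumented, and the error is raised with no message, so a rejected mass assignment and a rejected query (the forbidden_query_protection.rb hunk below raises the same bare class) are indistinguishable in logs and error trackers. A one-line message per site, e.g. `raise ActiveModel::ForbiddenAttributesError, "unpermitted parameters passed to mass assignment"`, lets an operator tell which protection fired without reading the backtrace; `ForbiddenAttributesError` is a plain StandardError subclass, so the message argument should be accepted, but check that nothing downstream matches on an empty message. I would also add a comment above the method: `# Returns attributes unchanged when MongoidRails.should_permit? accepts them; raises ActiveModel::ForbiddenAttributesError otherwise. Aliased as sanitize_forbidden_attributes for callers that use that name.`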
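--- a/data/lib/mongoid-rails/forbidden_query_protection.rb
+++ b/data/lib/mongoid-rails/forbidden_query_protection.rb
@@ -3,32 +3,9 @@ module MongoidRails
 # Redefine all query methods to be safe against hash injection attacks.
 Origin::Selectable.instance_methods(false).each do |method|
 define_method method do |*criteria|
-raise ActiveModel::
+raise ActiveModel::ForbiddenAttributesError unless MongoidRails.should_permit?(criteria)
 super(*criteria)
 end
 end
-
-private
-
-# Ensure that the criteria are permitted.
-#
-# @example Ignoring ActionController::Parameters
-# should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
-#
-# @api private
-#
-# @param [ Object ] criteria
-# @return [ Boolean ] if should permit
-def should_permit?(criteria)
-if criteria.respond_to?(:permitted?)
-return criteria.permitted?
-elsif Hash === criteria || Array === criteria
-criteria.each do |criterion|
-return false unless should_permit?(criterion)
-end
-end
-
-true
-end
 end
 end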
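Review bot: The new one-liner passes the whole splat array `criteria` to `MongoidRails.should_permit?`, which walks arrays and hashes recursively, so a single unpermitted `ActionController::Parameters` object anywhere in a query method's arguments raises; with the private helper and its YARD block removed from this file, nothing here explains that any more. A comment on the line would keep the intent local, e.g. `# criteria is the raw argument list; any unpermitted ActionController::Parameters nested in it raises`. The definition this loop sits in starts before the hunk, so I could not check what else the module wraps.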
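--- a/data/lib/mongoid-rails/should_permit.rb
+++ b/data/lib/mongoid-rails/should_permit.rb
@@ -0,0 +1,23 @@
+
+module MongoidRails
+# Ensure that the criteria are permitted.
+#
+# @example Ignoring ActionController::Parameters
+# should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
+#
+# @api private
+#
+# @param [ Object ] criteria
+# @return [ Boolean ] if should permit
+def self.should_permit?(criteria)
+if criteria.respond_to?(:permitted?)
+return criteria.permitted?
+elsif Hash === criteria || Array === criteria
+criteria.each do |criterion|
+return false unless should_permit?(criterion)
+end
+end
+
+true
+end
+end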
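Review bot: The YARD block was moved verbatim, so it still says `# @api private` even though `MongoidRails.should_permit?` is now the module-level entry point that both protection modules call, and the docs do not state what the method lets through. From the code, anything that is not a `Hash`, an `Array`, or an object responding to `permitted?` falls through to `true`, and a `Hash` is walked as `[key, value]` pairs so keys are inspected as well; that means the check rejects unpermitted parameter objects only and does not inspect plain hash keys such as `"$gt"` written by application code. I would replace the `@api private` line with a sentence to that effect, e.g. `# Shared check for the attribute and query protections: only unpermitted parameter objects are rejected; plain hashes, arrays and scalars are accepted as-is.`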
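--- a/data/mongoid-rails.gemspec
+++ b/data/mongoid-rails.gemspec
@@ -1,14 +1,13 @@
 Gem::Specification.new do |s|
 s.name = "mongoid-rails"
-s.version = "
+s.version = "4.0.0"
 s.author = "Conrad Irwin"
 s.email = "conrad.irwin@gmail.com"
 s.homepage = "https://github.com/ConradIrwin/mongoid-rails"
 s.summary = "Strong parameter integration between rails and mongoid"
 s.license = "MIT"
 
-s.add_dependency("mongoid", ["~>
-s.add_dependency("strong_parameters", ["~> 0.2"])
+s.add_dependency("mongoid", ["~> 4.0"])
 
 s.files = `git ls-files`.split("\n")
 s.require_path = 'lib'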
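Review bot: Dropping `strong_parameters` as a runtime dependency is at odds with the README in this same release, which now advertises Rails 3 as supported. On Rails 3 the `ActiveModel::ForbiddenAttributesError` both protection modules raise is, to my recollection, defined by the strong_parameters gem rather than by ActiveModel, so a Rails 3 app without that gem would get a `NameError` on the first injection attempt instead of the intended rejection. Either keep an optional-dependency note for Rails 3 users in the README or state in the gemspec that Rails 4 / mongoid 4 is the supported combination; whichever is chosen, the gemspec and README should agree.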
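--- a/metadata
+++ b/metadata
@@ -1,54 +1,42 @@
 --- !ruby/object:Gem::Specification
 name: mongoid-rails
 version: !ruby/object:Gem::Version
-version:
+version: 4.0.0
 platform: ruby
 authors:
 - Conrad Irwin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: mongoid
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - ~>
+- - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '4.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - ~>
+- - "~>"
 - !ruby/object:Gem::Version
-version: '
-- !ruby/object:Gem::Dependency
-name: strong_parameters
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ~>
-- !ruby/object:Gem::Version
-version: '0.2'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ~>
-- !ruby/object:Gem::Version
-version: '0.2'
+version: '4.0'
 description:
 email: conrad.irwin@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
 - LICENCE.MIT
 - README.md
 - lib/mongoid-rails.rb
+- lib/mongoid-rails/forbidden_attributes_protection.rb
 - lib/mongoid-rails/forbidden_query_protection.rb
+- lib/mongoid-rails/should_permit.rb
 - mongoid-rails.gemspec
 homepage: https://github.com/ConradIrwin/mongoid-rails
 licenses:
@@ -60,17 +48,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.2.2
 signing_key:
 specification_version: 4
 summary: Strong parameter integration between rails and mongoid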