mongoid-rails 3.0.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 938a8a7267f6eafce011f4b5c8287cd01d635f0c
4
- data.tar.gz: 111bff05388d968211405b09c78543140b77bf71
3
+ metadata.gz: 4aea5ee9cb7fac68f175dfecf0501e5d33e5e43e
4
+ data.tar.gz: 808273d3448c20c3d40958412e79ed4f30516c85
5
5
  SHA512:
6
- metadata.gz: 8b793092250e4d6208ffacf660239f6ec43905c32fd12590a0d13ebb153f92c4dc58d05bb5509a4ec8025786786c8483ffcae539ad9b28477464ce6dba98d1f8
7
- data.tar.gz: e1ccb692a26fe2e6b610ceac7998c7faf64b97dca97427fa60aa004e783ad4f0ef60e2ffbd935db31f85018a84e3fc0262c0ba32c6d63f959d8cd533444e34a9
6
+ metadata.gz: 5b536055b801ce792f26d15329e399ca1e3f46fa40f1b9b0ba902e874a78c5f598ffabc489d8e56af01b72708889858c6e7be98b5e1378e8f41b82c235e9c6ce
7
+ data.tar.gz: 48938aa44dc4aa138f0223ddef933f4f45919f2bea1763e133422aa2f9661205caaf7394b21bad86eba3b6b74b0a6d1592ac46abbeca03e6fab493b91d5f33bf
data/README.md CHANGED
@@ -1,5 +1,4 @@
1
- mongoid-rails is the safest way to use MongoDB with Rails.
2
-
1
+ mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.
3
2
 
4
3
  Installation
5
4
  ------------
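Review bot: the new first line advertises Rails 3 or 4, but the gemspec hunk further down in this same diff replaces `mongoid ~> 3.1` plus `strong_parameters` with `mongoid ~> 4.0` alone; confirm that combination still loads under Rails 3 before claiming it, or narrow the sentence to the Rails series the 4.0.0 dependencies actually target.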
@@ -12,23 +11,23 @@ gem 'mongoid-rails'
12
11
 
13
12
  Then run `bundle install`.
14
13
 
14
+ What does it do?
15
+ ----------------
15
16
 
16
- Usage
17
- -----
18
-
19
- You don't need to use `mongoid-rails` explicitly, instead it adds protection against a few known hash injection attacks automatically.
17
+ Mongoid rails provides protection against [hash-injection
18
+ attacks](http://cirw.in/blog/hash-injection) in mongoid.
20
19
 
21
20
  ### Forbidden attributes protection
22
21
 
23
- This causes things like `User.create(params[:user])` to raise an exception. If
22
+ This causes things like `User.create(setings: params[:settings])` to raise an exception. If
24
23
  you want to create a user from parameters, you need to explicitly permit the
25
24
  fields that you want to allow.
26
25
 
27
26
  ```ruby
28
- User.create(params[:user].permit(:name, :email))
27
+ User.create(settings: params[:settings].permit(:favorite_color))
29
28
  ```
30
29
 
31
- This prevents an attacker from sneakily setting `params[:user][:admin] = true` or similar.
30
+ This prevents an attacker from sneakily setting `params[:settings][:admin] = true` or similar.
32
31
 
33
32
  ### Forbidden query protection
34
33
 
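Review bot: typo in the new prose example, `User.create(setings: params[:settings])` should read `settings:` so that it matches the code block below it (`User.create(settings: params[:settings].permit(:favorite_color))`). `Mongoid rails` in the new "What does it do?" paragraph should be written `mongoid-rails`, as everywhere else in the README. The nested example is a good choice and deserves one more sentence: the unpermitted hash sits one level down, which is exactly the case a `permitted?` check on the top-level hash alone would not catch, and that is why `MongoidRails.should_permit?` in this diff recurses.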
@@ -38,14 +37,11 @@ This protects you against query injection attacks. It makes the following code s
38
37
  User.where(api_token: params[:api_token])
39
38
  ```
40
39
 
41
- Without `mongoid-rails` an attacker can send `?api_token[$regex]=.*` to guess
42
- api tokens from your app. With `mongoid-rails` that will cause an exception to
43
- be raised.
40
+ Without `mongoid-rails` an attacker can send `?api_token[$gt]=` to guess api
41
+ tokens from your app. With `mongoid-rails` that will cause an exception to be
42
+ raised.
44
43
 
45
44
  Meta
46
45
  ----
47
46
 
48
47
  `mongoid-rails` is released under the MIT license. See `LICENCE.MIT` for details.
49
-
50
- It currently only supports rails3 with the strong parameters gem installed. I'd
51
- love a patch to make it work with the mongoid4 beta releases.
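Review bot: the removed closing paragraph was the only place that told users which Rails and strong-parameters setup the gem needs, and nothing replaces it; add a line under Meta or Installation stating that 4.0.0 targets mongoid 4 with Rails' built-in strong parameters, and that mongoid 3 users should stay on the 3.x series of this gem. Swapping the `$regex` example for `$gt` is fine, but the sentence should say why it matters: `api_token[$gt]=` turns the equality lookup into a range query that matches every non-empty token, so `where` returns a user without the caller knowing any token, and the exception is what stops that.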
@@ -1,9 +1,10 @@
1
1
  require 'mongoid'
2
- require 'strong_parameters'
2
+ require 'mongoid-rails/should_permit'
3
+ require 'mongoid-rails/forbidden_attributes_protection'
3
4
  require 'mongoid-rails/forbidden_query_protection'
4
5
 
5
6
  # From https://github.com/rails/strong_parameters/issues/32
6
- Mongoid::Document.send(:include, ActiveModel::ForbiddenAttributesProtection)
7
+ Mongoid::Document.send(:include, MongoidRails::ForbiddenAttributesProtection)
7
8
 
8
9
  # From https://github.com/mongoid/mongoid/commit/f02144f3af7f798187ec2133dfb615c973334ffe
9
10
  Mongoid::Criteria.send(:include, MongoidRails::ForbiddenQueryProtection)
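Review bot: with `require 'strong_parameters'` gone, nothing in this file requires the library that defines `ActiveModel::ForbiddenAttributesError`, which both `forbidden_attributes_protection.rb` and `forbidden_query_protection.rb` raise; add `require 'active_model'` here rather than relying on mongoid to have loaded it first. The comment `# From https://github.com/rails/strong_parameters/issues/32` now sits above an include of `MongoidRails::ForbiddenAttributesProtection` instead of the ActiveModel module it originally pointed at; reword it to say the module is a stricter, recursive replacement for ActiveModel's, otherwise the link misleads.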
@@ -0,0 +1,13 @@
1
+ module MongoidRails
2
+ module ForbiddenAttributesProtection
3
+
4
+ def sanitize_for_mass_assignment(attributes)
5
+ if MongoidRails.should_permit?(attributes)
6
+ attributes
7
+ else
8
+ raise ActiveModel::ForbiddenAttributesError
9
+ end
10
+ end
11
+ alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
12
+ end
13
+ end
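Review bot: `sanitize_for_mass_assignment` is deliberately stricter than ActiveModel's version, which only checks `permitted?` on the top-level hash, because `MongoidRails.should_permit?` walks nested hashes and arrays; state that in a comment on the method, since anyone comparing it with ActiveModel will otherwise assume the two are equivalent. The raise carries no message; `raise ActiveModel::ForbiddenAttributesError, "unpermitted parameters in mass assignment"` makes the failure easier to recognise in logs without echoing the offending values. The file also calls `MongoidRails.should_permit?` without requiring `mongoid-rails/should_permit` itself, so it only works when loaded through `mongoid-rails.rb`; either add the require or note the load-order dependency.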
@@ -3,32 +3,9 @@ module MongoidRails
3
3
  # Redefine all query methods to be safe against hash injection attacks.
4
4
  Origin::Selectable.instance_methods(false).each do |method|
5
5
  define_method method do |*criteria|
6
- raise ActiveModel::ForbiddenAttributes.new(klass, method, criteria) unless should_permit?(criteria)
6
+ raise ActiveModel::ForbiddenAttributesError unless MongoidRails.should_permit?(criteria)
7
7
  super(*criteria)
8
8
  end
9
9
  end
10
-
11
- private
12
-
13
- # Ensure that the criteria are permitted.
14
- #
15
- # @example Ignoring ActionController::Parameters
16
- # should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
17
- #
18
- # @api private
19
- #
20
- # @param [ Object ] criteria
21
- # @return [ Boolean ] if should permit
22
- def should_permit?(criteria)
23
- if criteria.respond_to?(:permitted?)
24
- return criteria.permitted?
25
- elsif Hash === criteria || Array === criteria
26
- criteria.each do |criterion|
27
- return false unless should_permit?(criterion)
28
- end
29
- end
30
-
31
- true
32
- end
33
10
  end
34
11
  end
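Review bot: the old raise referenced `ActiveModel::ForbiddenAttributes`, which does not exist (the class is `ForbiddenAttributesError`), so in 3.0.1 a rejected query would have died with a `NameError` rather than the intended exception; the new line fixes that and the fix deserves a mention in the commit message or a changelog. The new raise also drops `klass`, `method` and `criteria` entirely; keep at least the class and method name in the message, e.g. `raise ActiveModel::ForbiddenAttributesError, "unpermitted parameters passed to #{klass}.#{method}"`, so an operator reading the exception knows which query was blocked. Moving `should_permit?` out to a module function is the right call now that the attributes module shares it.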
@@ -0,0 +1,23 @@
1
+
2
+ module MongoidRails
3
+ # Ensure that the criteria are permitted.
4
+ #
5
+ # @example Ignoring ActionController::Parameters
6
+ # should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
7
+ #
8
+ # @api private
9
+ #
10
+ # @param [ Object ] criteria
11
+ # @return [ Boolean ] if should permit
12
+ def self.should_permit?(criteria)
13
+ if criteria.respond_to?(:permitted?)
14
+ return criteria.permitted?
15
+ elsif Hash === criteria || Array === criteria
16
+ criteria.each do |criterion|
17
+ return false unless should_permit?(criterion)
18
+ end
19
+ end
20
+
21
+ true
22
+ end
23
+ end
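Review bot: the `@example` is titled "Ignoring ActionController::Parameters", but the call shown, `should_permit?({_id: ActionController::Parameters.new("$size" => 1)})`, returns false because the nested Parameters object is not permitted, so it demonstrates rejection, not ignoring; retitle it (for instance "Rejecting unpermitted ActionController::Parameters") and state the expected return value. `@api private` no longer fits a method that two other files call by name; drop the tag or document it as the shared entry point. Remove the leading blank line at the top of the file. One behaviour worth a spec: because `respond_to?(:permitted?)` is tested before `Hash === criteria`, a permitted top-level Parameters object short-circuits and its nested values are never inspected, which is correct only as long as `permit` marks nested hashes permitted too.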
@@ -1,14 +1,13 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = "mongoid-rails"
3
- s.version = "3.0.1"
3
+ s.version = "4.0.0"
4
4
  s.author = "Conrad Irwin"
5
5
  s.email = "conrad.irwin@gmail.com"
6
6
  s.homepage = "https://github.com/ConradIrwin/mongoid-rails"
7
7
  s.summary = "Strong parameter integration between rails and mongoid"
8
8
  s.license = "MIT"
9
9
 
10
- s.add_dependency("mongoid", ["~> 3.1"])
11
- s.add_dependency("strong_parameters", ["~> 0.2"])
10
+ s.add_dependency("mongoid", ["~> 4.0"])
12
11
 
13
12
  s.files = `git ls-files`.split("\n")
14
13
  s.require_path = 'lib'
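Review bot: dropping `strong_parameters` removes the only dependency that guaranteed `ActiveModel::ForbiddenAttributesError` exists, and `mongoid ~> 4.0` supplies it only transitively; add an explicit `s.add_dependency("activemodel", ">= 4.0")` so the gemspec states the requirement the code actually has. The jump to 4.0.0 is appropriate given the dependency change, and tracking mongoid's major version makes the compatibility story obvious from the version number alone.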
metadata CHANGED
@@ -1,54 +1,42 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mongoid-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.1
4
+ version: 4.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Conrad Irwin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-01-17 00:00:00.000000000 Z
11
+ date: 2014-08-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: mongoid
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - ~>
17
+ - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '3.1'
19
+ version: '4.0'
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - ~>
24
+ - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '3.1'
27
- - !ruby/object:Gem::Dependency
28
- name: strong_parameters
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - ~>
32
- - !ruby/object:Gem::Version
33
- version: '0.2'
34
- type: :runtime
35
- prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
38
- - - ~>
39
- - !ruby/object:Gem::Version
40
- version: '0.2'
26
+ version: '4.0'
41
27
  description:
42
28
  email: conrad.irwin@gmail.com
43
29
  executables: []
44
30
  extensions: []
45
31
  extra_rdoc_files: []
46
32
  files:
47
- - .gitignore
33
+ - ".gitignore"
48
34
  - LICENCE.MIT
49
35
  - README.md
50
36
  - lib/mongoid-rails.rb
37
+ - lib/mongoid-rails/forbidden_attributes_protection.rb
51
38
  - lib/mongoid-rails/forbidden_query_protection.rb
39
+ - lib/mongoid-rails/should_permit.rb
52
40
  - mongoid-rails.gemspec
53
41
  homepage: https://github.com/ConradIrwin/mongoid-rails
54
42
  licenses:
@@ -60,17 +48,17 @@ require_paths:
60
48
  - lib
61
49
  required_ruby_version: !ruby/object:Gem::Requirement
62
50
  requirements:
63
- - - '>='
51
+ - - ">="
64
52
  - !ruby/object:Gem::Version
65
53
  version: '0'
66
54
  required_rubygems_version: !ruby/object:Gem::Requirement
67
55
  requirements:
68
- - - '>='
56
+ - - ">="
69
57
  - !ruby/object:Gem::Version
70
58
  version: '0'
71
59
  requirements: []
72
60
  rubyforge_project:
73
- rubygems_version: 2.0.3
61
+ rubygems_version: 2.2.2
74
62
  signing_key:
75
63
  specification_version: 4
76
64
  summary: Strong parameter integration between rails and mongoid