mongoid-rails 3.0.0

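--- /dev/null
+++ b/CHECKSUMS_FILE_PATH_NOT_ON_PAGE
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 02783fa03be4dd47c2bcf13e519ac1da42626d7b
+data.tar.gz: 8e33a29510e747be3e1a2ad7fe486eef5c20a7c5
+SHA512:
+metadata.gz: 3fa4ea333049ed5076d32f9bc85b6a837671837eff2421766e14e56442d24fbd62d8bd1ccd17eb953bd26da77b8a546926d239e73dfb75a5379bd3508a763057
+data.tar.gz: a1f096e8e27fbdeb32efac515943ac6e0b3bfaf9c30adeaa6cae26c864c2e07f5fe5520a711af1160133a7bdd13d5540583d408e99d487d80a2b5469e22bbc9d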
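--- /dev/null
+++ b/LICENCE.MIT
@@ -0,0 +1,19 @@
+Copyright (c) 2013 Conrad Irwin <conrad@bugsnag.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.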
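--- /dev/null
+++ b/README.md
@@ -0,0 +1,51 @@
+mongoid-rails is the safest way to use Mongoid with Rails.
+
+
+Installation
+------------
+
+Add mongoid-rails to your Gemfile.
+
+```ruby
+gem 'mongoid-rails
+```
+
+Then run `bundle install`.
+
+
+Usage
+-----
+
+You don't need to use `mongoid-rails` explicitly, instead it adds protection against a few known hash injection attacks automatically.
+
+### Forbidden attributes protection
+
+This causes things like `User.create(params[:user])` to raise an exception. If
+you want to create a user from parameters, you need to explicitly permit the
+fields that you want to allow.
+
+```ruby
+User.create(params[:user].permit(:name, :email))
+```
+
+This prevents an attacker from sneakily setting `params[:user][:admin] = true` or similar.
+
+### Forbidden query protection
+
+This protects you against query injection attacks. It makes the following code safe:
+
+```ruby
+User.where(api_token: params[:api_token])
+```
+
+Without `mongoid-rails` an attacker can send `?api_token[$regex]=.*` to guess
+api tokens from your app. With `mongoid-rails` that will cause an exception to
+be raised.
+
+Meta
+----
+
+`mongoid-rails` is released under the MIT license. See `LICENCE.MIT` for details.
+
+It currently only supports rails3 with the strong parameters gem installed. I'd
+love a patch to make it work with the mongoid4 beta releases.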
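--- /dev/null
+++ b/lib/mongoid-rails.rb
@@ -0,0 +1,9 @@
+require 'mongoid'
+require 'strong_parameters'
+require 'mongoid-rails/forbidden_query_protection'
+
+# From https://github.com/rails/strong_parameters/issues/32
+Mongoid::Document.send(:include, ActiveModel::ForbiddenAttributesProtection)
+
+# From https://github.com/mongoid/mongoid/commit/f02144f3af7f798187ec2133dfb615c973334ffe
+Mongoid::Criteria.send(:include, MongoidRails::ForbiddenQueryProtection)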
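Review bot: The `Mongoid::Document.send(:include, ActiveModel::ForbiddenAttributesProtection)` line depends on load order, because on Ruby releases before 3.0 including a module into another module does not update classes that already included it, so any model class loaded before this file is required gets no forbidden-attributes protection and fails silently rather than loudly. Nothing in the file states that requirement, and a model required early (an initializer, a gem that defines models) is the usual way this goes wrong. I would add a comment above that line such as `# Must be loaded before any model includes Mongoid::Document: on Ruby < 3.0 a later include does not reach classes that already included the module.` The `Mongoid::Criteria` include on the last line is unaffected, since Criteria is a class and its instances pick up the module immediately. The `send(:include, …)` form is only needed where `include` is still private (Ruby < 2.1); a short comment saying why `send` is used would stop a future cleanup from removing it blindly.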
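--- /dev/null
+++ b/lib/mongoid-rails/forbidden_query_protection.rb
@@ -0,0 +1,34 @@
+module MongoidRails
+module ForbiddenQueryProtection
+# Redefine all query methods to be safe against hash injection attacks.
+Origin::Selectable.instance_methods(false).each do |method|
+define_method method do |*criteria|
+raise ActiveModel::ForbiddenAttributes.new(klass, method, criteria) unless should_permit?(criteria)
+super(*criteria)
+end
+end
+
+private
+
+# Ensure that the criteria are permitted.
+#
+# @example Ignoring ActionController::Parameters
+# should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
+#
+# @api private
+#
+# @param [ Object ] criteria
+# @return [ Boolean ] if should permit
+def should_permit?(criteria)
+if criteria.respond_to?(:permitted?)
+return criteria.permitted?
+elsif criteria.respond_to?(:each)
+criteria.each do |criterion|
+return false unless should_permit?(criterion)
+end
+end
+
+true
+end
+end
+end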
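Review bot: `raise ActiveModel::ForbiddenAttributes.new(klass, method, criteria)` in the generated methods passes three constructor arguments, and unless `ActiveModel::ForbiddenAttributes` defines its own three-argument initializer (not shown here; in strong_parameters it is a plain `StandardError` subclass) `Exception#initialize` accepts at most one, so an unpermitted query would surface as `ArgumentError` rather than the documented exception — the request still fails, but any `rescue ActiveModel::ForbiddenAttributes` handler in the application will not see it. Passing a single message instead keeps the exception type stable, e.g. `raise ActiveModel::ForbiddenAttributes, "unpermitted parameters passed to #{klass}.#{method}"` (constructed wording). The module comment should also state the scope of the check that `should_permit?` actually implements: only objects responding to `permitted?` are inspected, and any other value (a plain `Hash`, including one produced by `to_hash` on params, or a structure parsed from a request body by other means) is accepted without inspection, so this is a guard against unpermitted `ActionController::Parameters` specifically, not a general operator filter; something like `# Only values responding to #permitted? are checked; plain Hashes and scalars pass through unchanged.` above the `instance_methods(false).each` loop would set expectations correctly. A smaller point: the `define_method` wrappers take `*criteria` but no `&block`, so any Selectable method that accepts a block would lose it when called through the wrapper; if none do in the targeted Origin version that is fine, but worth a comment.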
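--- /dev/null
+++ b/mongoid-rails.gemspec
@@ -0,0 +1,15 @@
+Gem::Specification.new do |s|
+s.name = "mongoid-rails"
+s.version = "3.0.0"
+s.author = "Conrad Irwin"
+s.email = "conrad.irwin@gmail.com"
+s.homepage = "https://github.com/ConradIrwin/mongoid-rails"
+s.summary = "Strong parameter integration between rails and mongoid"
+s.license = "MIT"
+
+s.add_dependency("mongoid", ["~> 3.1"])
+s.add_dependency("strong_parameters", ["~> 0.2"])
+
+s.files = `git ls-files`.split("\n")
+s.require_path = 'lib'
+end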
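--- /dev/null
+++ b/metadata
@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification
+name: mongoid-rails
+version: !ruby/object:Gem::Version
+version: 3.0.0
+platform: ruby
+authors:
+- Conrad Irwin
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-01-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: mongoid
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '3.1'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '3.1'
+- !ruby/object:Gem::Dependency
+name: strong_parameters
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '0.2'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '0.2'
+description:
+email: conrad.irwin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENCE.MIT
+- README.md
+- lib/mongoid-rails.rb
+- lib/mongoid-rails/forbidden_query_protection.rb
+- mongoid-rails.gemspec
+homepage: https://github.com/ConradIrwin/mongoid-rails
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.3
+signing_key:
+specification_version: 4
+summary: Strong parameter integration between rails and mongoid
+test_files: []
+has_rdoc: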