mongoid-rails 3.0.1 → 4.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 938a8a7267f6eafce011f4b5c8287cd01d635f0c
4
- data.tar.gz: 111bff05388d968211405b09c78543140b77bf71
3
+ metadata.gz: 4aea5ee9cb7fac68f175dfecf0501e5d33e5e43e
4
+ data.tar.gz: 808273d3448c20c3d40958412e79ed4f30516c85
5
5
  SHA512:
6
- metadata.gz: 8b793092250e4d6208ffacf660239f6ec43905c32fd12590a0d13ebb153f92c4dc58d05bb5509a4ec8025786786c8483ffcae539ad9b28477464ce6dba98d1f8
7
- data.tar.gz: e1ccb692a26fe2e6b610ceac7998c7faf64b97dca97427fa60aa004e783ad4f0ef60e2ffbd935db31f85018a84e3fc0262c0ba32c6d63f959d8cd533444e34a9
6
+ metadata.gz: 5b536055b801ce792f26d15329e399ca1e3f46fa40f1b9b0ba902e874a78c5f598ffabc489d8e56af01b72708889858c6e7be98b5e1378e8f41b82c235e9c6ce
7
+ data.tar.gz: 48938aa44dc4aa138f0223ddef933f4f45919f2bea1763e133422aa2f9661205caaf7394b21bad86eba3b6b74b0a6d1592ac46abbeca03e6fab493b91d5f33bf
data/README.md CHANGED
@@ -1,5 +1,4 @@
1
- mongoid-rails is the safest way to use MongoDB with Rails.
2
-
1
+ mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.
3
2
 
4
3
  Installation
5
4
  ------------
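Review bot: "Rails 3 or 4" in the new first line overstates what this release supports: the gemspec hunk in this same diff drops the strong_parameters dependency and requires mongoid ~> 4.0, and should_permit.rb only rejects objects that respond to `permitted?`, so a Rails 3 app without the strong_parameters gem has plain hashes pass straight through. Suggest "Rails 4 (or Rails 3 with the strong_parameters gem installed)" and a sentence stating the mongoid 4 requirement, since the paragraph that used to say so is deleted later in this file.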
@@ -12,23 +11,23 @@ gem 'mongoid-rails'
12
11
 
13
12
  Then run `bundle install`.
14
13
 
14
+ What does it do?
15
+ ----------------
15
16
 
16
- Usage
17
- -----
18
-
19
- You don't need to use `mongoid-rails` explicitly, instead it adds protection against a few known hash injection attacks automatically.
17
+ Mongoid rails provides protection against [hash-injection
18
+ attacks](http://cirw.in/blog/hash-injection) in mongoid.
20
19
 
21
20
  ### Forbidden attributes protection
22
21
 
23
- This causes things like `User.create(params[:user])` to raise an exception. If
22
+ This causes things like `User.create(setings: params[:settings])` to raise an exception. If
24
23
  you want to create a user from parameters, you need to explicitly permit the
25
24
  fields that you want to allow.
26
25
 
27
26
  ```ruby
28
- User.create(params[:user].permit(:name, :email))
27
+ User.create(settings: params[:settings].permit(:favorite_color))
29
28
  ```
30
29
 
31
- This prevents an attacker from sneakily setting `params[:user][:admin] = true` or similar.
30
+ This prevents an attacker from sneakily setting `params[:settings][:admin] = true` or similar.
32
31
 
33
32
  ### Forbidden query protection
34
33
 
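Review bot: typo in the new example sentence, `setings:` should be `settings:` so it matches the permitted form `User.create(settings: params[:settings].permit(:favorite_color))` shown just below it. Also consider keeping the removed top-level example `User.create(params[:user])` alongside the nested one: the nested `settings:` case is the new behaviour worth highlighting, but the top-level case is the one most readers will recognise.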
@@ -38,14 +37,11 @@ This protects you against query injection attacks. It makes the following code s
38
37
  User.where(api_token: params[:api_token])
39
38
  ```
40
39
 
41
- Without `mongoid-rails` an attacker can send `?api_token[$regex]=.*` to guess
42
- api tokens from your app. With `mongoid-rails` that will cause an exception to
43
- be raised.
40
+ Without `mongoid-rails` an attacker can send `?api_token[$gt]=` to guess api
41
+ tokens from your app. With `mongoid-rails` that will cause an exception to be
42
+ raised.
44
43
 
45
44
  Meta
46
45
  ----
47
46
 
48
47
  `mongoid-rails` is released under the MIT license. See `LICENCE.MIT` for details.
49
-
50
- It currently only supports rails3 with the strong parameters gem installed. I'd
51
- love a patch to make it work with the mongoid4 beta releases.
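Review bot: "that will cause an exception to be raised" leaves the exception unnamed; say `ActiveModel::ForbiddenAttributesError`, which is what forbidden_query_protection.rb now raises, so users know what to rescue. The deleted paragraph about rails3 support is not replaced by the new requirement (mongoid ~> 4.0 per the gemspec); add one sentence to the Meta section stating it.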
@@ -1,9 +1,10 @@
1
1
  require 'mongoid'
2
- require 'strong_parameters'
2
+ require 'mongoid-rails/should_permit'
3
+ require 'mongoid-rails/forbidden_attributes_protection'
3
4
  require 'mongoid-rails/forbidden_query_protection'
4
5
 
5
6
  # From https://github.com/rails/strong_parameters/issues/32
6
- Mongoid::Document.send(:include, ActiveModel::ForbiddenAttributesProtection)
7
+ Mongoid::Document.send(:include, MongoidRails::ForbiddenAttributesProtection)
7
8
 
8
9
  # From https://github.com/mongoid/mongoid/commit/f02144f3af7f798187ec2133dfb615c973334ffe
9
10
  Mongoid::Criteria.send(:include, MongoidRails::ForbiddenQueryProtection)
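Review bot: dropping `require 'strong_parameters'` leaves `ActiveModel::ForbiddenAttributesError`, referenced in both new modules, without an explicit require. In ActiveModel 4 that class is defined in active_model/forbidden_attributes_protection.rb and only reached through the ForbiddenAttributesProtection autoload, so add `require 'active_model/forbidden_attributes_protection'` ahead of the `mongoid-rails/...` requires rather than relying on mongoid having triggered it. The comment `# From https://github.com/rails/strong_parameters/issues/32` now sits above a different include than the one it documented; update it to say that MongoidRails::ForbiddenAttributesProtection replaces the ActiveModel version to check nested values.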
@@ -0,0 +1,13 @@
1
+ module MongoidRails
2
+ module ForbiddenAttributesProtection
3
+
4
+ def sanitize_for_mass_assignment(attributes)
5
+ if MongoidRails.should_permit?(attributes)
6
+ attributes
7
+ else
8
+ raise ActiveModel::ForbiddenAttributesError
9
+ end
10
+ end
11
+ alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
12
+ end
13
+ end
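Review bot: the module has no doc comment saying why it replaces ActiveModel::ForbiddenAttributesProtection: the stock version only checks `permitted?` on the top-level attributes object, whereas this one recurses through nested hashes and arrays via `MongoidRails.should_permit?`, which is what the README's `settings: params[:settings]` example depends on. Add a short comment above `module ForbiddenAttributesProtection` stating that, and note that a plain Hash still passes (should_permit? returns true for anything not responding to `permitted?`), matching ActiveModel's behaviour but not the README's unconditional "raise an exception" wording.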
@@ -3,32 +3,9 @@ module MongoidRails
3
3
  # Redefine all query methods to be safe against hash injection attacks.
4
4
  Origin::Selectable.instance_methods(false).each do |method|
5
5
  define_method method do |*criteria|
6
- raise ActiveModel::ForbiddenAttributes.new(klass, method, criteria) unless should_permit?(criteria)
6
+ raise ActiveModel::ForbiddenAttributesError unless MongoidRails.should_permit?(criteria)
7
7
  super(*criteria)
8
8
  end
9
9
  end
10
-
11
- private
12
-
13
- # Ensure that the criteria are permitted.
14
- #
15
- # @example Ignoring ActionController::Parameters
16
- # should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
17
- #
18
- # @api private
19
- #
20
- # @param [ Object ] criteria
21
- # @return [ Boolean ] if should permit
22
- def should_permit?(criteria)
23
- if criteria.respond_to?(:permitted?)
24
- return criteria.permitted?
25
- elsif Hash === criteria || Array === criteria
26
- criteria.each do |criterion|
27
- return false unless should_permit?(criterion)
28
- end
29
- end
30
-
31
- true
32
- end
33
10
  end
34
11
  end
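Review bot: the removed line raised `ActiveModel::ForbiddenAttributes`, a constant that does not exist, so in 3.0.1 a blocked query would have surfaced as a NameError rather than the intended error; the switch to `ActiveModel::ForbiddenAttributesError` fixes that and deserves a changelog entry. The `klass` and `method` context the old call tried to pass is now dropped entirely; since ForbiddenAttributesError is a plain StandardError, consider `raise ActiveModel::ForbiddenAttributesError, "#{klass}.#{method}"` so logs show which query was rejected.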
@@ -0,0 +1,23 @@
1
+
2
+ module MongoidRails
3
+ # Ensure that the criteria are permitted.
4
+ #
5
+ # @example Ignoring ActionController::Parameters
6
+ # should_permit?({_id: ActionController::Parameters.new("$size" => 1)})
7
+ #
8
+ # @api private
9
+ #
10
+ # @param [ Object ] criteria
11
+ # @return [ Boolean ] if should permit
12
+ def self.should_permit?(criteria)
13
+ if criteria.respond_to?(:permitted?)
14
+ return criteria.permitted?
15
+ elsif Hash === criteria || Array === criteria
16
+ criteria.each do |criterion|
17
+ return false unless should_permit?(criterion)
18
+ end
19
+ end
20
+
21
+ true
22
+ end
23
+ end
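Review bot: the doc comment still says `@api private`, but the method is now `def self.should_permit?` and is called from two other modules, so drop the private tag. The new file opens with a stray blank line (the `+` on line 1). The heading `@example Ignoring ActionController::Parameters` is misleading: the example shows an unpermitted Parameters object nested under `_id`, which the method rejects rather than ignores; reword it to something like "Rejecting nested unpermitted parameters". A comment would also help at `elsif Hash === criteria || Array === criteria`: `Hash#each` yields [key, value] pairs here, so the recursion descends through the Array branch into both keys and values, and anything that does not respond to `permitted?` is treated as permitted.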
@@ -1,14 +1,13 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = "mongoid-rails"
3
- s.version = "3.0.1"
3
+ s.version = "4.0.0"
4
4
  s.author = "Conrad Irwin"
5
5
  s.email = "conrad.irwin@gmail.com"
6
6
  s.homepage = "https://github.com/ConradIrwin/mongoid-rails"
7
7
  s.summary = "Strong parameter integration between rails and mongoid"
8
8
  s.license = "MIT"
9
9
 
10
- s.add_dependency("mongoid", ["~> 3.1"])
11
- s.add_dependency("strong_parameters", ["~> 0.2"])
10
+ s.add_dependency("mongoid", ["~> 4.0"])
12
11
 
13
12
  s.files = `git ls-files`.split("\n")
14
13
  s.require_path = 'lib'
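Review bot: with strong_parameters removed, nothing declares the activemodel dependency that `ActiveModel::ForbiddenAttributesError` needs; mongoid ~> 4.0 brings it in transitively, but an explicit `s.add_dependency("activemodel", ["~> 4.0"])` makes the requirement visible. The bump to 4.0.0 is the right call, since dropping strong_parameters and moving to mongoid 4 breaks existing Rails 3 installs of 3.0.1.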
metadata CHANGED
@@ -1,54 +1,42 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mongoid-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.1
4
+ version: 4.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Conrad Irwin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-01-17 00:00:00.000000000 Z
11
+ date: 2014-08-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: mongoid
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - ~>
17
+ - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '3.1'
19
+ version: '4.0'
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - ~>
24
+ - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '3.1'
27
- - !ruby/object:Gem::Dependency
28
- name: strong_parameters
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - ~>
32
- - !ruby/object:Gem::Version
33
- version: '0.2'
34
- type: :runtime
35
- prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
38
- - - ~>
39
- - !ruby/object:Gem::Version
40
- version: '0.2'
26
+ version: '4.0'
41
27
  description:
42
28
  email: conrad.irwin@gmail.com
43
29
  executables: []
44
30
  extensions: []
45
31
  extra_rdoc_files: []
46
32
  files:
47
- - .gitignore
33
+ - ".gitignore"
48
34
  - LICENCE.MIT
49
35
  - README.md
50
36
  - lib/mongoid-rails.rb
37
+ - lib/mongoid-rails/forbidden_attributes_protection.rb
51
38
  - lib/mongoid-rails/forbidden_query_protection.rb
39
+ - lib/mongoid-rails/should_permit.rb
52
40
  - mongoid-rails.gemspec
53
41
  homepage: https://github.com/ConradIrwin/mongoid-rails
54
42
  licenses:
@@ -60,17 +48,17 @@ require_paths:
60
48
  - lib
61
49
  required_ruby_version: !ruby/object:Gem::Requirement
62
50
  requirements:
63
- - - '>='
51
+ - - ">="
64
52
  - !ruby/object:Gem::Version
65
53
  version: '0'
66
54
  required_rubygems_version: !ruby/object:Gem::Requirement
67
55
  requirements:
68
- - - '>='
56
+ - - ">="
69
57
  - !ruby/object:Gem::Version
70
58
  version: '0'
71
59
  requirements: []
72
60
  rubyforge_project:
73
- rubygems_version: 2.0.3
61
+ rubygems_version: 2.2.2
74
62
  signing_key:
75
63
  specification_version: 4
76
64
  summary: Strong parameter integration between rails and mongoid