optin_parsing 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0dba66eb4acade9c0e1b6178f68c9ed4acf64b51
+  data.tar.gz: 7291ad94416495756a203944f098e61c6e067be8
+SHA512:
+  metadata.gz: ae20475ce706fe259e27049b5db4f640fb250e4b9ab1f55ee882e9b23322f4ba11fb504b35dc8c5f51b6e590518337046bce9ce986fea432891e6d5a183e3c1c
+  data.tar.gz: 85af8e502ce6308214b24b9b2b947cf82dd286bd65ef6b2d761f4ab59bb6aeb7ae6f9a9dabe9baa2254220bfb0eb8d9024eec80ecef664dbc1b7f037deab47e2

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/CHANGELOG

@@ -0,0 +1,4 @@
+0.2.0
+=====
+
+Honour ActionController's parameter filtering

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in optin_parsing.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Frederick Cheung
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,69 @@
+# OptinParsing
+
+Automatic parsing of json and xml request bodies requires care. Beyond vulnerabilities in the parameter parsing code itself the ability for a requester to be able to control the type of parameters combines badly with some of mysql's typecasting logic, for example
+
+    User.find_by_secret_token(0)
+
+returns a user with a secret token that does not look to mysql like a valid integer instead of returning nil. Rails 3.2.12 contains some mitigations for this (the above example does not work on rails 3.2.12 and above) but can't catch all cases. You can avoid this by calling `to_s` on parameters that should be strings. For more details see the [security advisory](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/64e747e461f98c25). It is easy to forget to do this and it goes against the philosophy of "secure by default".
+
+An easy mitigation is to simply disable this parsing by removing mime types from `ActionDispatch::ParamsParser::DEFAULT_PARSERS` this is a change that affects all controllers. 
+
+This gem allows the automatic parameter parsing to be turned on  per controller and per action, so that (for example) api endpoints that need to accept json and/or xml can continue to work (and be audited for their parameter usage) but reducing the surface of attack by not allowing json bodies for all those requests that do not need it.
+
+The default is for such parsing to be disabled for all controllers.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'optin_parsing'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install optin_parsing
+
+## Usage
+
+Allow a controller to parse xml bodies automatically
+
+    class MyController < ApplicationController
+      parses :xml
+    end
+
+Allow a controller to parse json bodies automatically, only for a certain action
+
+    class MyController < ApplicationController
+      parses :json, :only => :some_action
+    end
+
+Allow a controller to parse json bodies automatically, except for certain actions
+
+    class MyController < ApplicationController
+      parses :json, :except => [:some_exempt_action, :another_exempt_action]
+    end
+
+Allow a controller to parse a specific mime type, with a custom strategy
+
+    class MyController < ApplicationController
+      parses Mime::YAML do |raw_post|
+        #parse raw_post and return a hash of data
+      end
+    end
+
+Subclasses inherit their parent classes' settings
+
+## Caveats
+
+Ordinarily parameters are parsed by a Rack middleware. This gem defers parsing until the request is processed by the controller: the parsed parameters will not be available to middleware code that runs before this.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/optin_parsing.rb

@@ -0,0 +1,5 @@
+require "optin_parsing/version"
+require "optin_parsing/railtie"
+require "optin_parsing/controller_additions"
+module OptinParsing
+end

data/lib/optin_parsing/controller_additions.rb

@@ -0,0 +1,98 @@
+module OptinParsing
+  module ControllerAdditions
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :parse_strategies
+      self.parse_strategies = {}
+      hide_action :decode_formatted_parameters
+    end
+
+    module ClassMethods
+      # Declares that you want to parse a specific body type, for this controller and its subclasses
+      # You can either pass the symbols +:xml+ or +:json+ or an instance of Mime::Type. If you pass
+      # a Mime::Type you must also supply a block. The block will be passed the request raw post data
+      # and should return a hash of parsed parameter data
+      #
+      # You can also supply a hash of options containing the keys +:except+ or +:only+ to restrict which
+      # actions will be parsed
+      #
+      #
+      # @param [Symbol, Mime::Type] mime_type_or_short_cut
+      # @option options [Array,Symbol] :except A list of actions for which parsing should not be enabled
+      # @option options [Array,Symbol] :only A list of actions for which parsing should be enabled
+
+      def parses mime_type_or_short_cut, options={}, &block
+
+        case mime_type_or_short_cut
+        when Mime::Type
+          raise ArgumentError, "You must supply a block when specifying a mime type" unless block
+          self.parse_strategies = parse_strategies.merge(mime_type_or_short_cut => [block, normalize_optin_options(options)])
+        when :xml
+          self.parse_strategies = parse_strategies.merge(Mime::XML => [:xml, normalize_optin_options(options)])
+        when :json
+          self.parse_strategies = parse_strategies.merge(Mime::JSON => [:json, normalize_optin_options(options)])
+        end
+      end
+      private
+
+      def normalize_optin_options options
+        options.each_with_object({}) do |(key,value), options|
+          options[key] = Array(value).collect {|action_name| action_name.to_s}
+        end
+      end
+    end
+
+    def process_action(method_name, *args)
+      strategy, options = parse_strategies[request.content_mime_type]
+      if strategy
+        if should_decode_body(options)
+          if data = decode_formatted_parameters(strategy)
+            params.merge!(data)
+            log_parsed(apply_filter_parameters(data))
+          end
+        end
+      end
+      super
+    end
+
+    private
+
+    def should_decode_body options
+      if options[:only]
+        options[:only].include?(action_name)
+      elsif options[:except]
+        !options[:except].include?(action_name)
+      else
+        true
+      end
+    end
+
+    def decode_formatted_parameters(strategy)
+      case strategy
+      when Proc
+        strategy.call(request.raw_post)
+      when :xml
+        data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+        request.body.rewind if request.body.respond_to?(:rewind)
+        data.with_indifferent_access
+      when :json
+        data = request.deep_munge ActiveSupport::JSON.decode(request.body.read)
+        request.body.rewind if request.body.respond_to?(:rewind)
+        data = {:_json => data} unless data.is_a?(Hash)
+        data.with_indifferent_access
+      else
+        false
+      end
+    end
+
+    def log_parsed(data)
+      Rails.logger.info "Parsed #{request.content_mime_type}: #{data.inspect}"
+    end
+
+    def apply_filter_parameters(data)
+      parameter_filter = ActionDispatch::Http::ParameterFilter.new(Rails.configuration.filter_parameters)
+      parameter_filter.filter(data)
+    end
+  end
+end

data/lib/optin_parsing/railtie.rb

@@ -0,0 +1,18 @@
+require "optin_parsing"
+require "rails"
+
+module OptinParsing
+  # = OptinParsing Railtie
+  class Railtie < Rails::Railtie
+
+    initializer "optinparsing.inject_modules" do |app|
+      ActiveSupport.on_load(:action_controller) do
+        ActionController::Base.send :include, OptinParsing::ControllerAdditions
+      end
+    end
+
+    initializer "optinparsing.remove_default_parsers" do |app|
+      config.app_middleware.delete '::ActionDispatch::ParamsParser'
+    end
+  end
+end

data/lib/optin_parsing/version.rb

@@ -0,0 +1,3 @@
+module OptinParsing
+  VERSION = "0.2.0"
+end

data/optin_parsing.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'optin_parsing/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "optin_parsing"
+  gem.version       = OptinParsing::VERSION
+  gem.authors       = ["Frederick Cheung"]
+  gem.email         = ["frederick.cheung@gmail.com"]
+  gem.description   = %q{Mitigate the dangers of automatic json/xml parsing by only enabling them for the controllers & actions that require it}
+  gem.summary       = %q{Mitigate the dangers of automatic json/xml parsing by only enabling them for the controllers & actions that require it}
+  gem.homepage      = "https://github.com/fcheung/optin_parsing"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_development_dependency "rspec", "~>2.10"
+  gem.add_development_dependency "rspec-rails", "~>2.10"
+  gem.add_development_dependency "rspec-instafail"
+
+end

data/spec/optin_parsing_spec.rb

@@ -0,0 +1,144 @@
+require 'spec_helper'
+
+describe 'optin_parsing controller with controller additions included', :type => :controller do
+  include Rails.application.routes.url_helpers
+  module Actions
+    def index
+      @parsed_params = params.except(:controller, :action)
+      head :ok
+    end
+
+    def new
+      @parsed_params = params.except(:controller, :action)
+      head :ok
+    end
+
+    def _routes
+      @routes
+    end
+  end
+
+
+  def json
+    '{"test": "value"}'
+  end
+
+  def xml
+    '<?xml version="1.0" encoding="UTF-8"?><test>value</test>'
+  end
+
+  context 'when the module is included' do
+    def self.preconfigured_controller(&block)
+      controller(ActionController::Base) do
+        include OptinParsing::ControllerAdditions
+        include Actions
+        instance_eval(&block)
+      end
+    end
+
+    context 'parsing is not enabled' do
+      preconfigured_controller {}
+
+      it { should_not parse_parameters.of_type(Mime::JSON).for_action(:index).with_body(json) }
+      it { should_not parse_parameters.of_type(Mime::XML).for_action(:index).with_body(xml) }
+    end
+
+    context 'parsing of xml is enabled' do
+      context 'unconditionally' do
+        preconfigured_controller do
+          parses :xml
+        end
+
+        it { should_not parse_parameters.of_type(Mime::JSON).for_action(:index).with_body(json) }
+        it { should parse_parameters.of_type(Mime::XML).for_action(:index).with_body(xml) }
+      end
+    end
+
+    context 'parsing of a custom type is enabled' do
+      preconfigured_controller do
+        parses Mime::YAML do |body|
+          YAML.load(body)
+        end
+      end
+      it { should parse_parameters.of_type(Mime::YAML).for_action(:index).with_body({'test' => 'value'}.to_yaml) }
+    end
+
+    context 'parsing of json is enabled' do
+      context 'unconditionally' do
+        preconfigured_controller do
+          parses :json
+        end
+
+        it 'logs parsed parameters honouring filter_parameters config' do
+          request.env['RAW_POST_DATA'] = json
+          request.env['CONTENT_TYPE']  = Mime::JSON.to_s
+          Rails.configuration.filter_parameters = [:test]
+
+          controller.should_receive(:log_parsed).with({'test' => '[FILTERED]'})
+
+          put :index
+        end
+
+        it { should parse_parameters.of_type(Mime::JSON).for_action(:index).with_body(json) }
+        it { should_not parse_parameters.of_type(Mime::XML).for_action(:index).with_body(xml) }
+      end
+
+      context 'an only option is specified' do
+        preconfigured_controller do
+          parses :json, :only => :index
+        end
+
+        context 'the action is contained in the list' do
+          it { should parse_parameters.of_type(Mime::JSON).for_action(:index).with_body(json) }
+        end
+
+        context 'the action is not contained in the list' do
+          it { should_not parse_parameters.of_type(Mime::JSON).for_action(:new).with_body(json) }
+        end
+      end
+
+      context 'an except option is specified' do
+        preconfigured_controller do
+          parses :json, :except => :index
+        end
+
+        context 'the action is contained in the list' do
+          it { should_not parse_parameters.of_type(Mime::JSON).for_action(:index).with_body(json) }
+        end
+
+        context 'the action is not contained in the list' do
+          it { should parse_parameters.of_type(Mime::JSON).for_action(:new).with_body(json) }
+        end
+      end
+    end
+  end
+end
+
+
+RSpec::Matchers.define :parse_parameters do |y|
+
+  chain :of_type do |mime_type|
+    @mime_type = mime_type
+  end
+
+  chain :for_action do |action_name|
+    @action_name = action_name
+  end
+
+  chain :with_body do |body|
+    @body = body
+  end
+
+  match do
+    @expected = {'test' => 'value'}
+    request.env['RAW_POST_DATA'] = @body
+    request.env['CONTENT_TYPE'] = @mime_type.to_s
+    put @action_name.to_sym
+    @actual = assigns(:parsed_params)
+    @actual == @expected
+  end
+
+  failure_message_for_should do
+    "Expected parameters #{@expected} got #{@actual}"
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'rails/all'
+require 'yaml'
+
+$: << File.dirname(__FILE__) + '/../lib'
+
+require 'optin_parsing'
+require 'action_controller'
+require 'rspec/rails'
+
+module DummyApplication
+  class Application < Rails::Application
+    config.secret_token = '*******************************'
+    config.logger = Logger.new(File.expand_path('../test.log', __FILE__))
+    Rails.logger = config.logger
+  end
+end
+RSpec.configure do |config|
+
+end

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: optin_parsing
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Frederick Cheung
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: rspec-instafail
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Mitigate the dangers of automatic json/xml parsing by only enabling them
+  for the controllers & actions that require it
+email:
+- frederick.cheung@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- CHANGELOG
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/optin_parsing.rb
+- lib/optin_parsing/controller_additions.rb
+- lib/optin_parsing/railtie.rb
+- lib/optin_parsing/version.rb
+- optin_parsing.gemspec
+- spec/optin_parsing_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/fcheung/optin_parsing
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Mitigate the dangers of automatic json/xml parsing by only enabling them
+  for the controllers & actions that require it
+test_files:
+- spec/optin_parsing_spec.rb
+- spec/spec_helper.rb
+has_rdoc: