param_accessible 0.0.1 → 0.0.2

data/.gitignore

@@ -1,6 +1,7 @@
 *.gem
 *.rbc
 .bundle
+.rvmrc
 .config
 .yardoc
 .rspec

data/README.md

@@ -1,3 +1,9 @@
+# Important Note
+
+Soon after I created this project, @dhh (creator of Rails) made his own parameter protection gem public: https://github.com/rails/strong_parameters
+
+DHH's strong_parameters gem will be integrated into rails4, so I suggest you use it instead.
+
 # ParamAccessible
 
 [![Build Status](https://secure.travis-ci.org/topdan/param_accessible.png)](https://secure.travis-ci.org/topdan/param_accessible.png)
@@ -24,33 +30,61 @@ Or install it yourself as:
 
 ## Usage
 
+This gem does not add any functionality by default. To activate it create a before_filter in any ActionController::Base subclass. We only use the filter for create and update actions because those are the normally only the only harmful ones:
+
+    before_filter :ensure_params_are_accessible, :only => [:create, :update]
+
+Now let's expose the parameters that are common across our application:
+
+    param_accessible :page, :sort
+
+You may want to allow all base-level parameters since most Rails controllers only send nested parameters to models (i.e. params[:user]):
+
+    # allow all base parameters (// is a regex that matches all strings)
+    param_accessible //
+    
+    # allow any base parameter starting with "my_"
+    param_accessible /^my_/
+
+We also want to make sure only admins can change a user's "is_admin" and "is_active" attributes:
+
+    param_accessible :user => [:is_admin, :is_active], :if => :is_admin?
+
+Rinse and repeat for all your controllers and you're Rails Application will be much safer.
+
+## Example
+
+Placing the before_filter in our ApplicationController makes all our create and update actions secure by default. We also expose application-wide parameters and provide a friendly error message when an invalid parameter is provided.
+
     class ApplicationController < ActionController::Base
       
       # make all your controllers secure by default
       before_filter :ensure_params_are_accessible, :only => [:create, :update]
       
-      # expose the common rails parameters
-      param_accessible :controller, :action, :format, :id
+      # expose the your common application parameters
+      param_accessible :page, :sort
       
-      # this error is thrown when the user tries to access an inaccessible param
+      # this error is thrown when the user submits an inaccessible param
       rescue_from ParamAccessible::Error, :with => :handle_param_not_accessible
       
       protected
       
       def handle_param_not_accessible e
-        flash[:error] = "You gave me some invalid parameters: #{e.inaccessible_params.join(', )}"
+        flash[:error] = "You gave me some invalid parameters: #{e.inaccessible_params.join(', ')}"
         redirect_to :back
       end
       
     end
-    
-    class UserController < ApplicationController
+
+Inheriting from the class above, we now need to specify our accessible parameters for the create and update actions.
+
+    class UsersController < ApplicationController
       
       # these attributes are available for everyone
-      param_accessible :user => {:name, :email, :password, :password_confirmation}
+      param_accessible :user => [:name, :email, :password, :password_confirmation]
       
       # these attributes are only available if the controller instance method is_admin? is true
-      param_accessible :user => {:is_admin, :is_locked_out}, :if => :is_admin?
+      param_accessible :user => [:is_admin, :is_locked_out], :if => :is_admin?
       
       def update
         @user = User.find(params[:id])
@@ -63,7 +97,9 @@ Or install it yourself as:
         end
       end
     end
-    
+
+Showcase a helper module for handling errors and some more options.
+
     class DemoController < ApplicationController
       
       # rescue_from ParamAccessible::Error and respond with a 406 Not Acceptable status 
@@ -76,14 +112,25 @@ Or install it yourself as:
       param_accessible :nut, :except => :index
       
     end
-    
+
+Using Rails' skip_before_filter to make a controller insecure again
+
     class InsecureController < ApplicationController
       
       # skip the filter ApplicationController set up to avoid the accessible parameter checks
       skip_before_filter :ensure_params_are_accessible
       
     end
-    
+
+## Nested attributes
+
+Arrays of attributes like the ones used with Rails' nested forms feature can be specified using
+the following syntax:
+
+    class DemoController < ApplicationController
+      param_accessible :"foo[]" => [:bar, :baz]
+    end
+
 ## Contributing
 
 1. Fork it

data/lib/param_accessible/controller_ext.rb

@@ -30,7 +30,8 @@ module ParamAccessible
         if superclass.respond_to?(:param_accessible_rules)
           @param_accessible_rules = Rules.new superclass.param_accessible_rules
         else
-          @param_accessible_rules = Rules.new
+          common_rails_parameters_rule = Rule.new :controller, :action, :id, :format, :authenticity_token, :commit, :utf8
+          @param_accessible_rules = Rules.new [common_rails_parameters_rule]
         end
       end
       

data/lib/param_accessible/rule.rb

@@ -40,27 +40,67 @@ module ParamAccessible
       return if @only_options != nil && !@only_options.include?(controller.action_name)
       return if @except_options != nil && @except_options.include?(controller.action_name)
       
-      accessible_hash_for controller, @attributes, dest
+      accessible_hash_for controller.params, @attributes, dest
     end
     
     protected
     
-    def accessible_hash_for controller, attributes, dest
+    def accessible_hash_for params, attributes, dest
       attributes.each do |key, value|
-        if value.is_a?(Hash)
+        if key.to_s =~ /\[\]$/
+          accessible_array_for key, params, value, dest
+        elsif value.is_a?(Hash)
           attrs = dest[key]
           if attrs.nil?
             attrs = {}
             dest[key] = attrs
           end
           
-          accessible_hash_for controller, value, attrs
-        else
+          nested_params = params[key] if params.is_a?(Hash)
+          accessible_hash_for nested_params, value, attrs
+          
+        elsif key.is_a?(String)
           dest[key] = value
+          
+        elsif key.is_a?(Regexp) && params
+          accessible_params_for_regex key, params, dest
         end
       end
     end
     
+    def accessible_params_for_regex regex, params, dest
+      params.keys.each do |key|
+        if key.to_s =~ regex
+          dest[key] = nil
+        end
+      end
+      
+      dest
+    end
+
+    def accessible_array_for key, params, value, dest
+      key = key.to_s.chomp('[]')
+
+      if params and params[key].is_a? Hash
+        params[key].each do |index, nested_params|
+          dest[key] ||= {}
+          attrs = dest[key][index] = {}
+          accessible_hash_for nested_params, value, attrs if value
+        end
+      elsif params and params[key].is_a? Array
+        params[key].each do |nested_params|
+          if nested_params.is_a? Hash
+            dest[key] ||= []
+            attrs = {}
+            accessible_hash_for nested_params, value, attrs if value
+            dest[key].push(attrs)
+          else
+            dest[key] = nil
+          end
+        end
+      end
+    end
+
     # When specifying params to protect, we allow a combination of arrays and hashes much like how
     # ActiveRecord::Base#find's :include options works.  This method normalizes that into just nested hashes,
     # stringifying the keys and setting all values to nil.  This format is easier/faster to work with when
@@ -85,7 +125,11 @@ module ParamAccessible
     end
 
     def normalize_key(k)
-      k.to_s
+      if k.is_a?(Regexp)
+        k
+      else
+        k.to_s
+      end
     end
 
   end

data/lib/param_accessible/rules.rb

@@ -33,10 +33,9 @@ module ParamAccessible
           detect_inaccessible_hash value, nested, errors, prefix_for(prefix, key)
           
         elsif value.is_a?(Array)
-          nested = accessible[key] || {}
-          value.each do |v|
+          value.each_with_index do |v, i|
             if v.is_a?(Hash)
-              detect_inaccessible_hash v, nested, errors, prefix_for(prefix, key)
+              detect_inaccessible_hash v, accessible[key][i], errors, prefix_for(prefix_for(prefix, key), "")
             end
           end
         end

data/lib/param_accessible/version.rb

@@ -1,3 +1,3 @@
 module ParamAccessible
-  VERSION = "0.0.1"
+  VERSION = "0.0.2"
 end

data/spec/app_root/app/controllers/application_controller.rb

@@ -2,8 +2,6 @@ class ApplicationController < ActionController::Base
   before_filter :ensure_params_are_accessible, :only => [:create, :update]
   before_filter :render_nothing
   
-  param_accessible :action, :controller, :format
-  
   def index
   end
   

data/spec/app_root/app/controllers/nested_controller.rb

@@ -0,0 +1,4 @@
+class NestedController < ApplicationController
+  param_accessible :a => [{:"b[]" => [:d, :e, :q]}, :c]
+  param_accessible :"o[]", :p
+end

data/spec/app_root/app/controllers/regex_controller.rb

@@ -0,0 +1,6 @@
+class RegexController < ApplicationController
+  
+  param_accessible /^foo/
+  param_accessible :user => [/^bar/]
+  
+end

data/spec/lib/nested_spec.rb

@@ -0,0 +1,88 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe NestedController do
+  include RSpec::Rails::ControllerExampleGroup
+
+  it "should allow arrays given as rails style pseudo hashes" do
+    post :create, :a => { :b => {"0" => {"d"=>"foo", "e"=>"bar"}, "1" => {"d"=>"foo", "e"=>"bar"}}}
+    response.code.should == "200"
+  end
+
+  it "should allow arrays given as arrays hashes" do
+    post :create, :a => { :b => [{"d"=>"foo", "e"=>"bar"}, {"d"=>"foo", "e"=>"bar"}]}
+    response.code.should == "200"
+  end
+
+  it "should allow arrays given as arrays hashes" do
+    post :create, :o => ["foo", "bar"]
+    response.code.should == "200"
+  end
+
+  it "should allow arrays given as rails style hash arrays when only arrays of strings are allowed" do
+    post :create, :o => { "0" => "foo", "1" => "bar" }
+    response.code.should == "200"
+  end
+
+  it "should not allow options which are not in the list" do
+    begin
+      post :create, :a => { :b => {"0" => {"x"=>"foo" }}}
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(a[b][0][x])
+    end
+  end
+
+  it "should not allow strings for an array" do
+    begin
+      post :create, :a => { :b => "foo" }
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(a[b])
+    end
+  end
+
+  it "should not allow arrays with invalid values" do
+    begin
+      post :create, :a => { :b => [{"x"=>"foo"}]}
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(a[b][][x])
+    end
+  end
+
+  it "should not allow arrays with invalid values at other index" do
+    begin
+      post :create, :a => { :b => [{"d" => "foo"}, {"x"=>"foo"}]}
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(a[b][][x])
+    end
+  end
+
+  it "should not allow hashes when only arrays of strings are allowed" do
+    begin
+      post :create, :o => [{ :foo => "bar" }]
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(o[][foo])
+    end
+  end
+
+  it "should not allow string when only arrays are allowed" do
+    begin
+      post :create, :o => "foo"
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(o)
+    end
+  end
+
+  it "should not allow arrays given as rails style hash arrays containing hashes when only arrays of strings are allowed" do
+    begin
+      post :create, :o => { "0" => { "x" => "foo" } }
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(o[0][x])
+    end
+  end
+end

data/spec/lib/regex_spec.rb

@@ -0,0 +1,34 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe RegexController do
+  include RSpec::Rails::ControllerExampleGroup
+  
+  it "should allow base parameters matching a regex" do
+    post :create, :foo => 'hi', :foobar => 'hey'
+    response.code.should == '200'
+  end
+  
+  it "should not allow base parameters not matching a regex" do
+    begin
+      post :create, :nuts => "hi"
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(nuts)
+    end
+  end
+  
+  it "should allow nested parameters matching the regex" do
+    post :create, :user => {:bar => 'hi', :bar_me => 'hey'}
+    response.code.should == '200'
+  end
+  
+  it "should not allow nested parameters not matching a regex" do
+    begin
+      post :create, :user => {:nuts => "hi"}
+      raise "should fail"
+    rescue ParamAccessible::Error => e
+      e.inaccessible_params.should == %w(user[nuts])
+    end
+  end
+  
+end

data/spec/lib/simple_spec.rb

@@ -8,6 +8,11 @@ describe SimpleController do
     response.code.should == "200"
   end
   
+  it "should not complain about common rails parameters" do
+    post :update, :format => "json", :id => "foo"
+    response.code.should == "200"
+  end
+  
   it "should not complain if a subset of those attributes are given" do
     post :create, :foo => 'hi'
     response.code.should == "200"
@@ -40,12 +45,7 @@ describe SimpleController do
       e.inaccessible_params.should == %w(bar[unknown])
     end
   end
-  
-  it "should handle nested arrays" do
-    post :create, :bar => [:baz => 'hi']
-    response.code.should == '200'
-  end
-  
+
   it "should be fine when the ONLY value is a value but not an options hash" do
     SimpleController.param_accessible :bar => []
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: param_accessible
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-15 00:00:00.000000000 Z
+date: 2012-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &177970 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,15 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *177970
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: actionpack
-  requirement: &177640 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +37,15 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *177640
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &177410 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +53,15 @@ dependencies:
         version: 3.0.0
   type: :development
   prerelease: false
-  version_requirements: *177410
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: rspec-rails
-  requirement: &177110 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +69,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *177110
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &176790 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,7 +85,12 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *176790
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Help secure your controllers from malicious parameters
 email:
 - dan@topdan.com
@@ -92,8 +117,10 @@ files:
 - spec/app_root/app/controllers/if_false_controller.rb
 - spec/app_root/app/controllers/if_true_controller.rb
 - spec/app_root/app/controllers/merge_controller.rb
+- spec/app_root/app/controllers/nested_controller.rb
 - spec/app_root/app/controllers/not_acceptable_controller.rb
 - spec/app_root/app/controllers/only_controller.rb
+- spec/app_root/app/controllers/regex_controller.rb
 - spec/app_root/app/controllers/simple_controller.rb
 - spec/app_root/app/controllers/unless_false_controller.rb
 - spec/app_root/app/controllers/unless_true_controller.rb
@@ -104,8 +131,10 @@ files:
 - spec/lib/if_false_spec.rb
 - spec/lib/if_true_spec.rb
 - spec/lib/merge_spec.rb
+- spec/lib/nested_spec.rb
 - spec/lib/not_acceptable_helper_spec.rb
 - spec/lib/only_spec.rb
+- spec/lib/regex_spec.rb
 - spec/lib/simple_spec.rb
 - spec/lib/unless_false_spec.rb
 - spec/lib/unless_true_spec.rb
@@ -122,15 +151,21 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -3120574609072739979
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -3120574609072739979
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Help secure your controllers from malicious parameters
@@ -140,8 +175,10 @@ test_files:
 - spec/app_root/app/controllers/if_false_controller.rb
 - spec/app_root/app/controllers/if_true_controller.rb
 - spec/app_root/app/controllers/merge_controller.rb
+- spec/app_root/app/controllers/nested_controller.rb
 - spec/app_root/app/controllers/not_acceptable_controller.rb
 - spec/app_root/app/controllers/only_controller.rb
+- spec/app_root/app/controllers/regex_controller.rb
 - spec/app_root/app/controllers/simple_controller.rb
 - spec/app_root/app/controllers/unless_false_controller.rb
 - spec/app_root/app/controllers/unless_true_controller.rb
@@ -152,8 +189,10 @@ test_files:
 - spec/lib/if_false_spec.rb
 - spec/lib/if_true_spec.rb
 - spec/lib/merge_spec.rb
+- spec/lib/nested_spec.rb
 - spec/lib/not_acceptable_helper_spec.rb
 - spec/lib/only_spec.rb
+- spec/lib/regex_spec.rb
 - spec/lib/simple_spec.rb
 - spec/lib/unless_false_spec.rb
 - spec/lib/unless_true_spec.rb