param_sanitizer 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in ParamSanitizer.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Shopify
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,43 @@
+## Description
+
+Simple Middleware for cleaning up possibly bad requests on selected endpoints
+
+## Authors
+
+* Chris Saunders (http://christophersaunders.ca)
+* Yagnik Khanna (http://github.com/yagnik)
+
+## Installation 
+Add this line to your application's Gemfile:
+
+gem 'rack-encoding-validation'
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install rack-encoding-validation
+
+## Usage in Rails
+
+In `config/application.rb`, add
+
+```ruby
+routes_and_strategies = {
+  '/login' => [:SpaceToDash]
+}
+config.middleware.use 'ParamSanitizer::RequestSanitizer', routes_and_strategies
+```
+
+The array can accept a class, a proc, a symbol (inside the ParamSanitizer::Strategies namespace) 
+or any object that responds to call
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  t.test_files = FileList['test/**/*test.rb']
+  t.verbose = true
+end

data/lib/param_sanitizer.rb

@@ -0,0 +1,6 @@
+require "param_sanitizer/version"
+require "param_sanitizer/strategies"
+require "param_sanitizer/request_sanitizer"
+
+module ParamSanitizer
+end

data/lib/param_sanitizer/request_sanitizer.rb

@@ -0,0 +1,49 @@
+require 'uri'
+
+module ParamSanitizer
+  class RequestSanitizer
+    attr_reader :strategized_routes
+    
+    def initialize(app, *args)
+      @app = app
+      @strategized_routes = args.last.is_a?(Hash) ? args.last : {}
+      emit_warning if @strategized_routes.empty?
+    end
+    
+    def call(env)
+      request = Rack::Request.new(env)
+      request = execute_strategies(request) if has_strategy?(request.path)
+      env["QUERY_STRING"] = encode_to_query_string(request.params)
+      @app.call(env)
+    end
+    
+    def execute_strategies(request)
+      strategies = @strategized_routes[request.path]
+      strategies.each { |strategy|
+        instance = build(strategy)
+        instance.call(request) if instance.respond_to? :call
+      }
+      request
+    end
+    
+    def has_strategy?(route)
+      @strategized_routes.has_key?(route)
+    end
+    
+    def emit_warning
+      puts "ParamSanitizer::RequestSanitizer initialized without sanitization strategies. Middleware is now a no-op"
+    end
+    
+    def encode_to_query_string(params)
+      URI.encode(params.map{|k,v| "#{k}=#{v}"}.join('&'))
+    end
+
+    def build(strategy)
+      if strategy.respond_to?(:call) then strategy
+      elsif strategy.respond_to?(:new) then strategy.new
+      elsif strategy.is_a?(Symbol) then ParamSanitizer::Strategies.const_get("#{strategy}Strategy").new
+      else raise ArgumentError.new "#{strategy.to_s} does not support 'call'!"
+      end
+    end
+  end
+end

data/lib/param_sanitizer/strategies.rb

@@ -0,0 +1,5 @@
+require 'param_sanitizer/strategies/space_to_dash_strategy'
+require 'param_sanitizer/strategies/strip_scheme_strategy'
+require 'param_sanitizer/strategies/strip_path_strategy'
+require 'param_sanitizer/strategies/downcase_strategy'
+require 'param_sanitizer/strategies/noop_strategy'

data/lib/param_sanitizer/strategies/downcase_strategy.rb

@@ -0,0 +1,11 @@
+module ParamSanitizer
+  module Strategies
+    class DowncaseStrategy      
+      def call(request)
+        request.params.each do |key, value|
+          request.params[key] = value.downcase
+        end
+      end
+    end
+  end
+end

data/lib/param_sanitizer/strategies/noop_strategy.rb

@@ -0,0 +1,8 @@
+module ParamSanitizer
+  module Strategies
+    class NoOpStrategy
+      def call(request)
+      end
+    end
+  end
+end

data/lib/param_sanitizer/strategies/space_to_dash_strategy.rb

@@ -0,0 +1,11 @@
+module ParamSanitizer
+  module Strategies
+    class SpaceToDashStrategy      
+      def call(request)
+        request.params.each do |key, value|
+          request.params[key] = value.strip.gsub(' ', '-') if value
+        end
+      end
+    end
+  end
+end

data/lib/param_sanitizer/strategies/strip_path_strategy.rb

@@ -0,0 +1,11 @@
+module ParamSanitizer
+  module Strategies
+    class StripPathStrategy      
+      def call(request)
+        request.params.each do |key, value|
+          request.params[key] = nil if value =~ /\\|\//
+        end
+      end
+    end
+  end
+end

data/lib/param_sanitizer/strategies/strip_scheme_strategy.rb

@@ -0,0 +1,11 @@
+module ParamSanitizer
+  module Strategies
+    class StripSchemeStrategy      
+      def call(request)
+        request.params.each do |key, value|
+          request.params[key] = value.gsub(/\A(\w*)\:\/\//, '')
+        end
+      end
+    end
+  end
+end

data/lib/param_sanitizer/version.rb

@@ -0,0 +1,3 @@
+module ParamSanitizer
+  VERSION = "0.0.1"
+end

data/param_sanitizer.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'param_sanitizer/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "param_sanitizer"
+  spec.version       = ParamSanitizer::VERSION
+  spec.authors       = ["Shopify"]
+  spec.email         = ["gems@shopify.com"]
+  spec.description   = %q{Simple middleware for cleaning up possibly bad requests on selected endpoints}
+  spec.summary       = %q{Simple middleware for cleaning up possibly bad requests on selected endpoints}
+  spec.homepage      = "https://github.com/shopify/param_sanitizer"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "rack"
+  spec.add_development_dependency "mocha"
+  spec.add_development_dependency "rack-test"
+end

data/test/integration/execute_strategy_test.rb

@@ -0,0 +1,21 @@
+require 'integration/test_helper'
+
+class ParamSanitizer::ExecuteStrategyTest < ParamSanitizer::IntegrationTest  
+  test "single strategy executes succesfuly" do
+    assert_param("/single?sd=asd asd", 'sd', 'asd-asd')
+  end
+  
+  test "multiple strategies execute succesfuly" do
+    assert_param("/double?sd=asd asd/../../windows.ini", 'sd', '')
+  end
+  
+  test "when a strategy sets a key to nil, subsequent strategies don't fail" do
+    assert_param("/breaking?sd=asd asd/../../windows.ini", 'sd', '')
+  end
+  
+  def assert_param(uri, key, value)
+    last_response = get uri_encoder(uri)
+    params = extract(last_response.body)
+    assert_equal value, params[key]
+  end  
+end

data/test/integration/test_helper.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+require 'rack/test'
+require 'rack/utils'
+require 'uri'
+
+class ParamSanitizer::IntegrationTest < ParamSanitizer::TestCase
+  include Rack::Test::Methods
+  
+  DEFAULT_ROUTES = {
+    '/single' => [ParamSanitizer::Strategies::SpaceToDashStrategy],
+    '/double' => [ParamSanitizer::Strategies::SpaceToDashStrategy, ParamSanitizer::Strategies::StripPathStrategy],
+    '/breaking' => [ParamSanitizer::Strategies::StripPathStrategy, ParamSanitizer::Strategies::SpaceToDashStrategy]
+  }
+  
+  def app
+    ParamSanitizer::RequestSanitizer.new(dummy_app, DEFAULT_ROUTES)
+  end
+  
+  def dummy_app
+    lambda { |env| [200, {}, [env["QUERY_STRING"]]] }
+  end
+  
+  def extract(msg)
+    Rack::Utils.parse_nested_query(msg)
+  end
+  
+  def uri_encoder(input)
+    URI.encode(input)
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+require 'param_sanitizer'
+require 'minitest/autorun'
+require 'rack/mock'
+require 'mocha/setup'
+
+class ParamSanitizer::TestCase < MiniTest::Unit::TestCase
+  def self.test(test_description, &block)
+    define_method "test_#{test_description.gsub(/\s/, '_')}", &block
+  end
+end

data/test/unit/request_sanitizer_test.rb

@@ -0,0 +1,89 @@
+require 'unit/test_helper'
+
+module ParamSanitizer
+  
+  class RequestSanitizerDouble < RequestSanitizer
+    def emit_warning
+    end
+  end
+  
+  class Tester < ParamSanitizer::UnitTest
+    def initialize
+      @val = 0
+    end
+    def call(request)
+      @val += 1
+      assert_equal 1, @val
+    end
+  end
+
+  class RequestSanitizerTest < ParamSanitizer::UnitTest
+    def setup
+      @app = stub(:call => [200, {}, []])
+      @strategies = {
+        '/login' => [stub(:call), stub(:call)]
+      }
+    end
+    
+    test "strategized_routes have value set is last argument is a hash" do
+      assert_equal @strategies, middleware.strategized_routes
+    end
+    
+    test "set strategized_routes to empty hash if hash isn't passed in" do
+      middleware = RequestSanitizerDouble.new(@app)
+      assert_equal({}, middleware.strategized_routes)
+    end
+    
+    test "it should emit_warning if nothing was passed into the initializer" do
+      RequestSanitizerDouble.any_instance.expects(:emit_warning)
+      RequestSanitizerDouble.new(@app)
+    end
+    
+    test "has_strategy? should return true if routes match" do
+      assert middleware.has_strategy?('/login'), 'The strategies include the path /login and should be passing'
+    end
+    
+    test "execute_strategies should execute a single strategy" do
+      @strategies["/login"] = [mock('single-strategy-mock', :call)]
+      Rack::MockRequest.new(middleware).get('/login')
+    end
+    
+    test "execute_strategies should execute in order" do
+      called = 0
+      handler1 = lambda { |request| request['doodle'] = 'called'; called += 1 }
+      handler2 = lambda { |request| assert_equal('called', request['doodle']); called += 1 }
+      @strategies['/login'] = [handler1, handler2]
+      Rack::MockRequest.new(middleware).get('/login')
+      assert_equal 2, called
+    end
+
+    test "execute_strategies should execute a proc" do
+      called = 0
+      @strategies["/login"] = [lambda{|request| called += 1}]
+      Rack::MockRequest.new(middleware).get('/login')
+      assert_equal 1, called
+    end
+
+    test "execute_strategies should execute a class" do
+      @strategies["/login"] = [Tester]
+      Rack::MockRequest.new(middleware).get('/login')
+    end
+
+    test "execute_strategies should execute a symbol" do
+      @strategies["/login"] = [:SpaceToDash]
+      ParamSanitizer::Strategies::SpaceToDashStrategy.any_instance.expects(:call)
+      Rack::MockRequest.new(middleware).get('/login')
+    end
+
+    test "execute strategies should raise ArgumentError if incorrect type is passed in" do
+      @strategies["/login"] = ["SpaceToDash"]
+      assert_raises ArgumentError do
+        Rack::MockRequest.new(middleware).get('/login')
+      end
+    end
+
+    def middleware
+      RequestSanitizerDouble.new(@app, @strategies)
+    end
+  end
+end

data/test/unit/strategies/downcase_strategy_test.rb

@@ -0,0 +1,20 @@
+require 'unit/test_helper'
+
+module ParamSanitizer
+  module Strategies
+    class DowncaseStrategyTest < ParamSanitizer::UnitTest
+      
+      def setup
+        @sanitizer = DowncaseStrategy.new
+      end
+      
+      test "it should not convert a request that is lowercase" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', 'foo_bar_baz')        
+      end
+      
+      test "it should convert a request with upper case in a specific query parameter to lower case" do
+        assert_sanitized_request(@sanitizer, 'foo-bar-baz', 'fOO-bar-baz')
+      end
+    end
+  end
+end

data/test/unit/strategies/space_to_dash_strategy_test.rb

@@ -0,0 +1,28 @@
+require 'unit/test_helper'
+
+module ParamSanitizer
+  module Strategies
+    class SpaceToDashStrategyTest < ParamSanitizer::UnitTest
+      
+      def setup
+        @sanitizer = SpaceToDashStrategy.new
+      end
+      
+      test "it should not convert a request that doesn't have spaces" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', 'foo_bar_baz')        
+      end
+      
+      test "it should convert a request with spaces in a specific query parameter to dashes" do
+        assert_sanitized_request(@sanitizer, 'foo-bar-baz', 'foo bar baz')
+      end
+      
+      test "it should convert a request with URI-encoded spaces in a specific query parameter to dashes" do
+        assert_sanitized_request(@sanitizer, 'foo-bar-baz', 'foo%20bar%20baz')
+      end
+      
+      test "it should not add dashes to the start or end of a string" do
+        assert_sanitized_request(@sanitizer, 'foo-bar-baz', ' foo bar baz ')
+      end
+    end
+  end
+end

data/test/unit/strategies/strip_path_strategy_test.rb

@@ -0,0 +1,27 @@
+require 'unit/test_helper'
+
+module ParamSanitizer
+  module Strategies
+    class StripPathStrategyTest < ParamSanitizer::UnitTest
+      def setup
+        @sanitizer = StripPathStrategy.new
+      end
+      
+      test "it should not convert a request that doesn't contain a path" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', 'foo_bar_baz')
+      end
+      
+      test "it should set the param to nil if the request contains a path" do
+        assert_sanitized_request(@sanitizer, nil, '../../../../../../mysql.conf')
+      end
+      
+      test "it should set the param to nil if the request contains a windows-style file path" do
+        assert_sanitized_request(@sanitizer, nil, '..\..\..\..\..\windows.ini')
+      end
+      
+      test "it should set the param to nil if the request contains HTML-like text" do
+        assert_sanitized_request(@sanitizer, nil, '%28%29%26%25<ScRiPt>prompt(23424324)</ScRiPt>')
+      end
+    end
+  end
+end

data/test/unit/strategies/strip_scheme_strategy_test.rb

@@ -0,0 +1,32 @@
+require 'unit/test_helper'
+
+module ParamSanitizer
+  module Strategies
+    class StripSchemeStrategyTest < ParamSanitizer::UnitTest
+      
+      def setup
+        @sanitizer = StripSchemeStrategy.new
+      end
+      
+      test "it should not convert a request that doesn't have scheme" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', 'foo_bar_baz')
+      end
+      
+      test "it should remove a request with http scheme in the parameter" do
+        assert_sanitized_request(@sanitizer, 'foo bar', 'http://foo bar')
+      end
+      
+      test "it should remove a request with ftp scheme in the parameter" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', 'ftp://foo_bar_baz')
+      end
+      
+      test "it shouldn't care what kind of scheme is in the parameter" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', 'taters://foo_bar_baz')
+      end
+      
+      test "it should sanitize the scheme, even if the scheme is absent" do
+        assert_sanitized_request(@sanitizer, 'foo_bar_baz', '://foo_bar_baz')
+      end
+    end
+  end
+end

data/test/unit/test_helper.rb

@@ -0,0 +1,17 @@
+require 'test_helper'
+
+class ParamSanitizer::UnitTest < ParamSanitizer::TestCase
+  
+  def app(sanitizer, expectation)
+    lambda { |env|
+      request = Rack::Request.new(env)
+      sanitizer.call(request)
+      assert_equal expectation, request.params['query']
+      [200, {'Content-Type' => 'text/plain'}, ['Hello World']] 
+    }
+  end
+  
+  def assert_sanitized_request(sanitizer, expected, query)
+    Rack::MockRequest.new(app(sanitizer, expected)).get('/', 'QUERY_STRING' => "query=#{query}")
+  end
+end

metadata

@@ -0,0 +1,181 @@
+--- !ruby/object:Gem::Specification
+name: param_sanitizer
+version: !ruby/object:Gem::Version
+  prerelease: 
+  version: 0.0.1
+platform: ruby
+authors:
+- Shopify
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-09-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  name: bundler
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    none: false
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  name: rake
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  name: minitest
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  name: rack
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  name: mocha
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+- !ruby/object:Gem::Dependency
+  prerelease: false
+  name: rack-test
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+description: Simple middleware for cleaning up possibly bad requests on selected endpoints
+email:
+- gems@shopify.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/param_sanitizer.rb
+- lib/param_sanitizer/request_sanitizer.rb
+- lib/param_sanitizer/strategies.rb
+- lib/param_sanitizer/strategies/downcase_strategy.rb
+- lib/param_sanitizer/strategies/noop_strategy.rb
+- lib/param_sanitizer/strategies/space_to_dash_strategy.rb
+- lib/param_sanitizer/strategies/strip_path_strategy.rb
+- lib/param_sanitizer/strategies/strip_scheme_strategy.rb
+- lib/param_sanitizer/version.rb
+- param_sanitizer.gemspec
+- test/integration/execute_strategy_test.rb
+- test/integration/test_helper.rb
+- test/test_helper.rb
+- test/unit/request_sanitizer_test.rb
+- test/unit/strategies/downcase_strategy_test.rb
+- test/unit/strategies/space_to_dash_strategy_test.rb
+- test/unit/strategies/strip_path_strategy_test.rb
+- test/unit/strategies/strip_scheme_strategy_test.rb
+- test/unit/test_helper.rb
+homepage: https://github.com/shopify/param_sanitizer
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      segments:
+      - 0
+      hash: -2112654682978729289
+      version: '0'
+  none: false
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      segments:
+      - 0
+      hash: -2112654682978729289
+      version: '0'
+  none: false
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Simple middleware for cleaning up possibly bad requests on selected endpoints
+test_files:
+- test/integration/execute_strategy_test.rb
+- test/integration/test_helper.rb
+- test/test_helper.rb
+- test/unit/request_sanitizer_test.rb
+- test/unit/strategies/downcase_strategy_test.rb
+- test/unit/strategies/space_to_dash_strategy_test.rb
+- test/unit/strategies/strip_path_strategy_test.rb
+- test/unit/strategies/strip_scheme_strategy_test.rb
+- test/unit/test_helper.rb