parameter_cleaner 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Based on https://github.com/madebymany/parameter_cleaner
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,35 @@
+ParameterCleaner
+================
+
+Strips angle brackets from user input on the way into the application,
+providing an extra level of security against XSS attacks even when
+someone forgets an `h()` in a template.
+
+__This is not a replacement for proper escaping!__
+
+Exclusions
+----------
+
+Password fields (anything matching `/password/`) are not stripped. For one
+thing, users should be allowed to make strong passwords; for another, you’re
+never going to display them in the application. Right?
+
+For fields where you want to allow angle brackets, you can disable it on a
+parameter-by-parameter basis:
+
+    class SomeController < ApplicationController
+      do_not_clean_param [:thing, :html_description]
+    end
+
+The array corresponds to the hash keys used to get to the parameter; there is
+no distinction between string parameters and array parameters.
+
+    Form parameter  |  do_not_clean_param
+    ----------------+--------------------
+    foo             |  [:foo] or :foo
+    foo[bar]        |  [:foo, :bar]
+    foo[bar][]      |  [:foo, :bar]
+
+You can specify multiple parameters in one line:
+
+    do_not_clean_param :foo, :bar, [:nested, :baz]

data/Rakefile

@@ -0,0 +1,23 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the parameter_cleaner plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the parameter_cleaner plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ParameterCleaner'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/init.rb

@@ -0,0 +1 @@
+require "parameter_cleaner"

data/lib/parameter_cleaner.rb

@@ -0,0 +1,44 @@
+require "action_controller"
+
+class ActionController::Base
+  before_filter :pc_remove_angle_brackets_from_params
+
+  class <<self
+    def do_not_clean_param(*names)
+      names.each do |name|
+        pc_uncleaned_params.push([*name].map{ |s| s.to_s })
+      end
+    end
+
+    def pc_uncleaned_params
+      @pc_uncleaned_params ||= []
+    end
+  end
+
+private
+  def pc_remove_angle_brackets_from_params
+    pc_remove_angle_brackets_from_hash(params)
+    pc_remove_angle_brackets_from_hash(cookies)
+  end
+    
+  def pc_remove_angle_brackets_from_hash(hash, hierarchy=[])
+    hash.each do |key, value|
+      h = hierarchy + [key]
+      case value
+      when Hash, HashWithIndifferentAccess
+        pc_remove_angle_brackets_from_hash(value, h)
+      when Array
+        value.map!{ |v| pc_remove_angle_brackets_from_value(v, h) }
+      else
+        hash[key] = pc_remove_angle_brackets_from_value(value, h) if value.respond_to?('include?'.to_sym)&&['<', '>'].any?{|c| value.include?(c)}
+      end
+    end
+  end
+
+  def pc_remove_angle_brackets_from_value(value, hierarchy)
+    return value if hierarchy.any?{ |k| k =~ /password/ } ||
+                    self.class.pc_uncleaned_params.include?(hierarchy) ||
+                    !value.respond_to?(:gsub)
+    value.gsub(/[<>]/, "")
+  end
+end

data/parameter_cleaner.gemspec

@@ -0,0 +1,15 @@
+Gem::Specification.new do |s|
+  s.name = %q{parameter_cleaner}
+  s.version = "0.0.1"
+
+  s.authors = ["Wayne Deng"]
+  s.date = %q{2013-11-12}
+  s.platform    = Gem::Platform::RUBY
+  s.summary     = "Clean all the angle brackets from user input params and cookies!"
+  s.description = "Clean all the angle brackets from user input params and cookies! Based on https://github.com/madebymany/parameter_cleaner. Thanks to threedaymonk!"
+  s.email = %q{wayne.deng.cn@gmail.com}
+  s.files = ["init.rb", "MIT-LICENSE", "Rakefile", "README.md", "test/parameter_cleaner_test.rb", "test/test_helper.rb", "lib/parameter_cleaner.rb", "parameter_cleaner.gemspec"]
+  s.require_paths = ["lib"]
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "ParameterCleaner", "--main", "README"]
+  
+end

data/test/parameter_cleaner_test.rb

@@ -0,0 +1,74 @@
+require File.join(File.dirname(__FILE__), 'test_helper')
+require "parameter_cleaner"
+
+class ParameterCleaningTest < ActionController::TestCase
+  class TestController < ActionController::Base
+    do_not_clean_param :uncleaned
+    do_not_clean_param [:nested, :uncleaned]
+    layout nil
+
+    def index
+      render :nothing => true
+    end
+  end
+
+  def params
+    @request.params
+  end
+
+  tests TestController
+
+  setup do
+    ActionController::Routing::Routes.draw do |map|
+      map.test_action "/test-action", :controller => "parameter_cleaning_test/test", :action => "index"
+    end
+  end
+
+  should "remove XSS attack vectors" do
+    get :index, :field => "blah '';!--\"<XSS>=&{()} blah"
+    assert_equal "blah '';!--\"XSS=&{()} blah", params[:field]
+  end
+
+
+  should "remove <> from fields" do
+    get :index, :field => "blah <foo> blah"
+    assert_equal "blah foo blah", params[:field]
+  end
+
+  should "remove <> from nested fields" do
+    get :index, :nested => { :field => "blah <bar> blah" }
+    assert_equal "blah bar blah", params[:nested][:field]
+  end
+
+  should "remove <> from array fields" do
+    get :index, :array => ["blah <> blah"]
+    assert_equal ["blah  blah"], params[:array]
+  end
+
+  should "not remove <> from password fields" do
+    get :index, :nested => {:password => "<><>", :password_confirmation => "<><>"}
+    assert_equal "<><>", params[:nested][:password]
+    assert_equal "<><>", params[:nested][:password_confirmation]
+  end
+
+  should "not remove <> from whitelisted field" do
+    get :index, :uncleaned => "<><>"
+    assert_equal "<><>", params[:uncleaned]
+  end
+
+  should "not remove <> from whitelisted nested field" do
+    get :index, :nested => {:uncleaned => "<><>"}
+    assert_equal "<><>", params[:nested][:uncleaned]
+  end
+
+  should "not remove <> from whitelisted array field" do
+    get :index, :uncleaned => ["<><>"]
+    assert_equal ["<><>"], params[:uncleaned]
+  end
+
+  should "not try to clean uploaded files" do
+    io = StringIO.new("<><>")
+    get :index, :upload => io
+    assert_equal "<><>", params[:upload].read
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,5 @@
+$:.unshift(File.expand_path("../../lib", __FILE__))
+require 'rubygems'
+require "active_support"
+require "active_support/test_case"
+require "shoulda"

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification 
+name: parameter_cleaner
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Wayne Deng
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-11-12 00:00:00 +08:00
+default_executable: 
+dependencies: []
+
+description: Clean all the angle brackets from user input params and cookies! Based on https://github.com/madebymany/parameter_cleaner. Thanks to threedaymonk!
+email: wayne.deng.cn@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- init.rb
+- MIT-LICENSE
+- Rakefile
+- README.md
+- test/parameter_cleaner_test.rb
+- test/test_helper.rb
+- lib/parameter_cleaner.rb
+- parameter_cleaner.gemspec
+has_rdoc: true
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- --title
+- ParameterCleaner
+- --main
+- README
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.5.2
+signing_key: 
+specification_version: 3
+summary: Clean all the angle brackets from user input params and cookies!
+test_files: []
+