params_patrol 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9e285483550dc61d2224a801aac09e09e0411385
+  data.tar.gz: 9bf6dfd7f0793f5def7830fc0f02356609945c8e
+SHA512:
+  metadata.gz: 291b813c7bfe13105baffc0703c7dbf68abc069e28e99de384f83e8e8d531b4de30386f192d7fca846aaa4b348f851583fa4c96f73b90bb3c359f01ea93be080
+  data.tar.gz: 24a4a63489cf47edef6e146a9136c21a77b35ba1ef39de76838d0ded51c49be6f8a5dc6db5f8525ba845ca54003db4f053d8c3cc21f6f211fd4e50b255218780

data/.gitignore

@@ -0,0 +1,15 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.idea

data/.ruby-gemset

@@ -0,0 +1 @@
+params-patrol

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.1.5

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in params_patrol.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Will Bendix
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,33 @@
+# Params Patrol
+
+![Call for backup!](http://www.security-guard.ca/wp-content/uploads/2015/01/security-guard-patrol-service.jpg)
+
+Keeps an eye out for suspicious parameters... and then calls for backup
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'params_patrol'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install params_patrol
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it ( https://github.com/IndieGoGo/params_patrol/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+task :default => :test

data/lib/action_controller/handle_unpermitted_parameters.rb

@@ -0,0 +1,39 @@
+module ActionController
+  class DecoratesParameters
+    attr_reader :params
+
+    methods_to_delegate = (ActionController::Parameters.new.methods - Object.new.methods - [:permit, :[]]) + [:to_s, :is_a?, :kind_of?]
+    delegate *methods_to_delegate, :to => :params
+
+    def initialize(params)
+      @params = params
+    end
+
+    def [](key)
+      result = params[key]
+      result.is_a?(Hash) ? DecoratesParameters.new(result) : result
+    end
+
+    def require(key)
+      result = params[key].presence || raise(ActionController::ParameterMissing.new(key))
+      result.is_a?(Hash) ? DecoratesParameters.new(result) : result
+    end
+
+    def permit(*filters)
+      params.permit(*filters)
+    rescue => e
+      ParamsPatrol.handle(error: e, parameters: params, cgi_data: ENV.to_hash)
+      self
+    end
+  end
+
+  module HandleUnpermittedParameters
+    def params
+      @_params ||= DecoratesParameters.new(Parameters.new(request.parameters))
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? DecoratesParameters.new(Parameters.new(val)) : val
+    end
+  end
+end

data/lib/active_model/suppress_forbidden_attributes.rb

@@ -0,0 +1,16 @@
+module ActiveModel
+  module SuppressForbiddenAttributes
+    def sanitize_for_mass_assignment(*options)
+      new_attributes = options.first
+      if new_attributes.respond_to?(:permitted?) && !new_attributes.permitted?
+        ParamsPatrol.handle(error: ActiveModel::ForbiddenAttributes.new,
+                            parameters: options.try(:first),
+                            cgi_data: ENV.to_hash)
+        # help surface these kinds of issues in the test env
+        # raise(ActiveModel::ForbiddenAttributes) if Rails.env.test?
+      end
+
+      ActiveModel::MassAssignmentSecurity.instance_method(:sanitize_for_mass_assignment).bind(self).call(*options)
+    end
+  end
+end

data/lib/params_patrol.rb

@@ -0,0 +1,20 @@
+require "active_model/suppress_forbidden_attributes"
+require "action_controller/handle_unpermitted_parameters"
+require "params_patrol/version"
+
+module ParamsPatrol
+  def self.handler
+    @handler
+  end
+
+  def self.handler=(handler)
+    @handler = handler
+  end
+
+  def self.handle(*options)
+    if @handler.nil?
+      @handler = lambda { |x| Logger.new(STDOUT).info(x) }
+    end
+    @handler.call(options)
+  end
+end

data/lib/params_patrol/version.rb

@@ -0,0 +1,3 @@
+module ParamsPatrol
+  VERSION = "0.1.0"
+end

data/params_patrol.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'params_patrol/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "params_patrol"
+  spec.version       = ParamsPatrol::VERSION
+  spec.authors       = ["Will Bendix", "Blaine Gilbreth"]
+  spec.email         = %w(wcbendix@gmail.com bgilb@seas.upenn.edu)
+  spec.summary       = %q{Keeps an eye out for suspicious parameters... and then calls for backup}
+  spec.description   = %q{Use whatever monitor service you would like to track strong parameter errors.}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport", "~> 3.0"
+  spec.add_dependency "actionpack", "~> 3.0"
+  spec.add_dependency "activemodel", "~> 3.0"
+  spec.add_dependency "railties", "~> 3.0"
+  spec.add_dependency "strong_parameters"
+
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "mocha"
+end

data/test/action_controller_handle_unpermitted_parameters_test.rb

@@ -0,0 +1,32 @@
+require 'test_helper'
+
+class UsersController < ActionController::Base
+  include ActionController::HandleUnpermittedParameters
+
+  def create
+    params.permit(:user)
+    head :ok
+  end
+end
+
+class ActionControllerHandleUnpermittedParamsTest < ActionController::TestCase
+  tests UsersController
+
+  def setup
+    @log = StringIO.new
+    ParamsPatrol.handler= lambda { |x| Logger.new(@log).info(x) }
+  end
+
+  test 'missing required parameters will not raise an exception' do
+    post :create, { fishing: true }
+    assert_response :ok
+  end
+
+  test 'missing required parameters will log' do
+    post :create, { fishing: true }
+    @log.rewind
+    assert_block do
+      /ActionController::UnpermittedParameters/.match(@log.read)
+    end
+  end
+end

data/test/active_model_suppress_forbidden_attributes_test.rb

@@ -0,0 +1,29 @@
+require 'test_helper'
+
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::SuppressForbiddenAttributes
+
+  public :sanitize_for_mass_assignment
+end
+
+class ActiveModelSuppressForbiddenAttributesTest < ActiveSupport::TestCase
+  def setup
+    @log = StringIO.new
+    ParamsPatrol.handler= lambda { |x| Logger.new(@log).info(x) }
+  end
+
+  test 'forbidden attributes are logged' do
+    Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: 'b'))
+    @log.rewind
+    assert_block do
+      /ActiveModel::ForbiddenAttributes/.match(@log.read)
+    end
+  end
+
+  test 'no error is thrown' do
+    assert_nothing_thrown do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: 'b'))
+    end
+  end
+end

data/test/decorates_parameters_logging_test.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+
+class DecoratesParamsActuallyLogsOnUnpermittedParamsTest < ActiveSupport::TestCase
+  def setup
+    ActionController::Parameters.action_on_unpermitted_parameters = :raise
+  end
+
+  def teardown
+    ActionController::Parameters.action_on_unpermitted_parameters = false
+  end
+
+  test 'does not raise on unexpected params and returns the params object' do
+    params = ActionController::DecoratesParameters.new(ActionController::Parameters.new({
+                                                                                          :book => { :pages => 65 },
+                                                                                          :fishing => 'Turnips'
+                                                                                        }))
+
+    ParamsPatrol.expects(:handle)
+    result = params.permit(:book => [:pages])
+    assert_equal(params, result)
+  end
+
+  test 'does not raise on unexpected params after a require and returns the params object' do
+    params = ActionController::DecoratesParameters.new(ActionController::Parameters.new({
+                                                                                          :book => { :pages => 65, :fishing => 'Turnips' },
+                                                                                        }))
+
+    ParamsPatrol.expects(:handle)
+    result = params.require(:book).permit(:pages)
+    assert_equal(params[:book].to_s, result.to_s)
+  end
+
+  test 'does not raise on unexpected params after fetching a sub hash by key and returns the sub hash object' do
+    params = ActionController::DecoratesParameters.new(ActionController::Parameters.new({
+                                                                                          :book => { :pages => 65, :fishing => 'Turnips' },
+                                                                                        }))
+
+    ParamsPatrol.expects(:handle)
+    result = params[:book].permit(:pages)
+    assert_equal(params[:book].to_s, result.to_s)
+  end
+
+  test 'does not raise on unexpected nested params' do
+    params = ActionController::DecoratesParameters.new(ActionController::Parameters.new({
+                                                                                          :book => { :pages => 65, :title => 'Green Cats and where to find then.' }
+                                                                                        }))
+
+    ParamsPatrol.expects(:handle)
+    params.permit(:book => [:pages])
+  end
+end

data/test/decorates_parameters_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class DecoratesParametersTest < ActiveSupport::TestCase
+
+  def params
+    ActionController::DecoratesParameters.new(
+      ActionController::Parameters.new(
+        {
+          :book => { :pages => 65 },
+          :fishing => 'Turnips'
+        }
+      )
+    )
+  end
+
+  test 'is_a? masquerades as a Hash or HashWithIndifferentAccess' do
+    assert(params.is_a?(HashWithIndifferentAccess), 'not is_a? HashWithIndifferentAccess')
+    assert(params.is_a?(Hash), 'not is_a? Hash')
+  end
+
+  test 'kind_of? masquerades as a Hash or HashWithIndifferentAccess' do
+    assert(params.kind_of?(HashWithIndifferentAccess), 'not kind_of? HashWithIndifferentAccess')
+    assert(params.kind_of?(Hash), 'not kind_of? Hash')
+  end
+
+  test 'require returns a string or another Decorates parameters object' do
+    assert_equal(params.require(:book).class, ActionController::DecoratesParameters)
+    assert_equal(params.require(:fishing).class, String)
+  end
+end

data/test/params_patrol_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+
+class ParamsPatrolTest <  Test::Unit::TestCase
+  def test_handler=
+    logger = lambda { |x| Logger.new(StringIO.new).info(x) }
+    ParamsPatrol.handler = logger
+    assert_equal(logger, ParamsPatrol.handler)
+  end
+
+  def test_handle
+    logger = lambda { |x| Logger.new(StringIO.new).info(x) }
+    ParamsPatrol.handler = logger
+    logger.expects(:call)
+    ParamsPatrol.handle('unpermitted params!')
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,34 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+
+require 'test/unit'
+require 'rails'
+
+class FakeApplication < Rails::Application; end
+
+Rails.application = FakeApplication
+Rails.configuration.action_controller = ActiveSupport::OrderedOptions.new
+
+require 'strong_parameters'
+require 'params_patrol'
+
+module ActionController
+  SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
+  SharedTestRoutes.draw do
+    match ':controller(/:action)'
+  end
+
+  class Base
+    include ActionController::Testing
+    include SharedTestRoutes.url_helpers
+  end
+
+  class ActionController::TestCase
+    setup do
+      @routes = SharedTestRoutes
+    end
+  end
+end
+
+ActionController::Parameters.action_on_unpermitted_parameters = :raise
+

metadata

@@ -0,0 +1,183 @@
+--- !ruby/object:Gem::Specification
+name: params_patrol
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Will Bendix
+- Blaine Gilbreth
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-04-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: strong_parameters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Use whatever monitor service you would like to track strong parameter
+  errors.
+email:
+- wcbendix@gmail.com
+- bgilb@seas.upenn.edu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".ruby-gemset"
+- ".ruby-version"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/action_controller/handle_unpermitted_parameters.rb
+- lib/active_model/suppress_forbidden_attributes.rb
+- lib/params_patrol.rb
+- lib/params_patrol/version.rb
+- params_patrol.gemspec
+- test/action_controller_handle_unpermitted_parameters_test.rb
+- test/active_model_suppress_forbidden_attributes_test.rb
+- test/decorates_parameters_logging_test.rb
+- test/decorates_parameters_test.rb
+- test/params_patrol_test.rb
+- test/test_helper.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Keeps an eye out for suspicious parameters... and then calls for backup
+test_files:
+- test/action_controller_handle_unpermitted_parameters_test.rb
+- test/active_model_suppress_forbidden_attributes_test.rb
+- test/decorates_parameters_logging_test.rb
+- test/decorates_parameters_test.rb
+- test/params_patrol_test.rb
+- test/test_helper.rb