ryanlowe-audit_mass_assignment 0.1.3
- data/CHANGELOG +22 -0
- data/MIT-LICENSE +23 -0
- data/README +53 -0
- data/audit_mass_assignment.gemspec +18 -0
- data/lib/audit_mass_assignment.rb +22 -0
- data/tasks/audit_mass_assignment_tasks.rake +22 -0
- metadata +68 -0
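--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -0,0 +1,22 @@
+
+== 0.1.3
+
+May 26
+= add AuditUser to test attr_accessible nil
+
+== 0.1.2
+== 0.1.1
+
+May 26
+= add AuditComment model for testing
+= add AuditPost model for testing
+= move audit code to a class
+
+May 25
+= add GitHub gemspec file
+
+== 0.1.0
+
+May 14
+- bugfix for 2.x: attr_accessible is now a Set instead of an Array
+- add CHANGELOG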
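--- a/data/MIT-LICENSE
+++ b/data/MIT-LICENSE
@@ -0,0 +1,23 @@
+Copyright (c) 2007-2008 Ryan Lowe
+
+http://ryanlowe.ca
+http://disruptiveagility.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.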
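--- a/data/README
+++ b/data/README
@@ -0,0 +1,53 @@
+Moved to GitHub from Google Code on May 1, 2008
+Was hosted at http://code.google.com/p/audit-mass-assignment/
+
+= audit_mass_assignment plugin for Ruby on Rails
+
+The audit_mass_assignment Ruby on Rails plugin contains a rake task that
+checks the models in your project for the attr_accessible whitelist approach
+for protecting against "mass assignment" exploits. It does not check for
+use of attr_protected!
+
+If a Rails model does not use attr_accessible, it fails this audit. The
+audit does not check which parameters are accessible or protected, only
+that at least one is marked as accessible.
+
+Run the audit whenever you feel like it! Other audit plugins for Rails
+could be created to automatically check for bad patterns or insecure
+code. This one was easy to implement.
+
+== Installation
+
+It looks like Rails 2.1 will support "script/plugin install" with Git
+repositories. Until then you can put this plugin in vendor/plugins with:
+
+git clone git://github.com/ryanlowe/audit_mass_assignment.git
+
+and delete the .git directory inside it before committing it to source control.
+
+When Rails 2.1 supports Git you should be able to do:
+
+script/plugin install git://github.com/ryanlowe/audit_mass_assignment.git
+
+== Usage
+
+$ rake audit:mass_assignment
+
+== NOTES
+
+If you want to protect ALL attributes in your model use:
+
+attr_accessible nil
+
+Why are "mass assignment" exploits a danger to Rails applications? See these links:
+
+1. rorsecurity.info: Do not create records directly from form parameters
+http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/
+
+2. Railscasts: Hackers Love Mass Assignment
+http://railscasts.com/episodes/26
+
+3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
+http://manuals.rubyonrails.com/read/chapter/47
+
+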
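--- a/data/audit_mass_assignment.gemspec
+++ b/data/audit_mass_assignment.gemspec
@@ -0,0 +1,18 @@
+Gem::Specification.new do |s|
+s.name = "audit_mass_assignment"
+s.version = "0.1.3"
+s.date = "2008-05-26"
+s.summary = "Checks Ruby on Rails models for use of the attr_accessible white list"
+s.email = "rails@ryanlowe.ca"
+s.homepage = "http://github.com/ryanlowe/audit_mass_assignment"
+s.description = "Checks Ruby on Rails models for use of the attr_accessible white list"
+s.has_rdoc = false
+s.authors = ["Ryan Lowe"]
+s.files = ["README", "CHANGELOG", "MIT-LICENSE", "audit_mass_assignment.gemspec",
+"lib/audit_mass_assignment.rb",
+"tasks/audit_mass_assignment_tasks.rake"]
+s.test_files = []
+s.rdoc_options = ["--main", "README"]
+s.extra_rdoc_files = ["README","CHANGELOG"]
+s.add_dependency("rails", ["> 2.0.0"])
+end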
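--- a/data/lib/audit_mass_assignment.rb
+++ b/data/lib/audit_mass_assignment.rb
@@ -0,0 +1,22 @@
+class AuditMassAssignment
+
+def self.audit(model_class)
+return false if model_class.nil?
+!(model_class.attr_accessible.size == 0)
+end
+
+def self.audit_all
+results = ""
+subclasses = Object.subclasses_of(ActiveRecord::Base)
+subclasses.delete CGI::Session::ActiveRecordStore::Session
+failures = []
+for subclass in subclasses
+pass = AuditMassAssignment.audit(subclass)
+failures << subclass unless pass
+status = pass ? "." : "F"
+results += status
+end
+[ results, subclasses.size, failures.size ]
+end
+
+end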
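Review bot: `audit_all` hands back `failures.size` on line 19 of the hunk, while its consumer in data/tasks/audit_mass_assignment_tasks.rake treats `failures` as a collection (`failures.size > 0`, `for failure in failures`, `failure.name`); on an Integer the first test is always true and the loop raises NoMethodError, so the task can never list the failing models. Returning the collection, `[ results, subclasses.size, failures ]`, and letting the caller take `.size` for its count line fixes both ends without changing what `audit` reports. `audit` on line 5 reads `model_class.attr_accessible` with no arguments; if I recall Rails 2.x correctly that is the declaring macro rather than a reader (`accessible_attributes` is the reader) and it may write an empty Set into a model that declared nothing before `.size` is taken — worth confirming, since an audit should not mutate what it inspects. A comment there would also help, e.g. `# attr_accessible nil (README: protect everything) yields a one-element Set and passes`. `for subclass in subclasses` would read more idiomatically as `subclasses.each do |subclass|`.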
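--- a/data/tasks/audit_mass_assignment_tasks.rake
+++ b/data/tasks/audit_mass_assignment_tasks.rake
@@ -0,0 +1,22 @@
+namespace :audit do
+desc 'Finds ActiveRecord classes without attr_accessible'
+task :mass_assignment => :environment do
+puts "Audit mass assignment in models:"
+Dir.glob(RAILS_ROOT + '/app/models/**/*.rb').each { |file| require file }
+results, total, failures = AuditMassAssignment.audit_all
+putc results
+putc "\n"
+putc "\n"
+if failures.size > 0
+count = 0
+for failure in failures
+count += 1
+puts " "+count.to_s+") "+failure.name
+end
+putc "\n"
+puts " Solution: use attr_accessible in these models"
+putc "\n"
+end
+puts total.to_s+" models, "+failures.to_s+" failures"
+end
+end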
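Review bot: `putc results` on line 7 emits only the first character of the progress string (`Kernel#putc` writes a single character and, given a String, uses its first), so a run over several models shows one `.` or `F` instead of one per model; `puts results` gives the intended output. The `failures` destructured on line 6 is the Integer count that `AuditMassAssignment.audit_all` returns, so `failures.size > 0` on line 10 is Integer#size and always true, and `for failure in failures` on line 12 raises before any name is printed; the contract fix is noted on data/lib/audit_mass_assignment.rb, and once the array comes back line 20 needs `failures.size.to_s`. `Dir.glob(RAILS_ROOT + '/app/models/**/*.rb')` on line 5 loads only files under app/models, so ActiveRecord classes defined in lib/ or plugins are never seen by the audit and would appear to pass; a comment stating that scope, such as `# only models under app/models are loaded; AR classes elsewhere are not audited`, belongs next to it.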
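--- a/metadata
+++ b/metadata
@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification
+name: ryanlowe-audit_mass_assignment
+version: !ruby/object:Gem::Version
+version: 0.1.3
+platform: ruby
+authors:
+- Ryan Lowe
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2008-05-26 00:00:00 -07:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rails
+version_requirement:
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">"
+- !ruby/object:Gem::Version
+version: 2.0.0
+version:
+description: Checks Ruby on Rails models for use of the attr_accessible white list
+email: rails@ryanlowe.ca
+executables: []
+
+extensions: []
+
+extra_rdoc_files:
+- README
+- CHANGELOG
+files:
+- README
+- CHANGELOG
+- MIT-LICENSE
+- audit_mass_assignment.gemspec
+- lib/audit_mass_assignment.rb
+- tasks/audit_mass_assignment_tasks.rake
+has_rdoc: false
+homepage: http://github.com/ryanlowe/audit_mass_assignment
+post_install_message:
+rdoc_options:
+- --main
+- README
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: "0"
+version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: "0"
+version:
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.0.1
+signing_key:
+specification_version: 2
+summary: Checks Ruby on Rails models for use of the attr_accessible white list
+test_files: []
+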