ryanlowe-audit_mass_assignment 0.1.3

data/CHANGELOG

@@ -0,0 +1,22 @@
+
+== 0.1.3
+
+May 26
+= add AuditUser to test attr_accessible nil
+
+== 0.1.2
+== 0.1.1
+
+May 26
+= add AuditComment model for testing
+= add AuditPost model for testing
+= move audit code to a class
+
+May 25
+= add GitHub gemspec file
+
+== 0.1.0
+
+May 14
+- bugfix for 2.x: attr_accessible is now a Set instead of an Array
+- add CHANGELOG

data/MIT-LICENSE

@@ -0,0 +1,23 @@
+Copyright (c) 2007-2008 Ryan Lowe
+
+http://ryanlowe.ca
+http://disruptiveagility.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,53 @@
+Moved to GitHub from Google Code on May 1, 2008
+Was hosted at http://code.google.com/p/audit-mass-assignment/
+
+= audit_mass_assignment plugin for Ruby on Rails
+
+The audit_mass_assignment Ruby on Rails plugin contains a rake task that
+checks the models in your project for the attr_accessible whitelist approach
+for protecting against "mass assignment" exploits.  It does not check for
+use of attr_protected!
+
+If a Rails model does not use attr_accessible, it fails this audit.  The
+audit does not check which parameters are accessible or protected, only
+that at least one is marked as accessible.
+
+Run the audit whenever you feel like it!  Other audit plugins for Rails
+could be created to automatically check for bad patterns or insecure
+code.  This one was easy to implement.
+
+== Installation
+
+It looks like Rails 2.1 will support "script/plugin install" with Git
+repositories.  Until then you can put this plugin in vendor/plugins with:
+
+git clone git://github.com/ryanlowe/audit_mass_assignment.git
+
+and delete the .git directory inside it before committing it to source control.
+
+When Rails 2.1 supports Git you should be able to do:
+
+script/plugin install git://github.com/ryanlowe/audit_mass_assignment.git
+
+== Usage
+
+  $ rake audit:mass_assignment
+
+== NOTES
+
+  If you want to protect ALL attributes in your model use:
+  
+    attr_accessible nil
+
+  Why are "mass assignment" exploits a danger to Rails applications? See these links:
+  
+  1. rorsecurity.info: Do not create records directly from form parameters
+     http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/
+  
+  2. Railscasts: Hackers Love Mass Assignment
+     http://railscasts.com/episodes/26
+  
+  3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
+     http://manuals.rubyonrails.com/read/chapter/47
+   
+   

data/audit_mass_assignment.gemspec

@@ -0,0 +1,18 @@
+Gem::Specification.new do |s|
+  s.name = "audit_mass_assignment"
+  s.version = "0.1.3"
+  s.date = "2008-05-26"
+  s.summary = "Checks Ruby on Rails models for use of the attr_accessible white list"
+  s.email = "rails@ryanlowe.ca"
+  s.homepage = "http://github.com/ryanlowe/audit_mass_assignment"
+  s.description = "Checks Ruby on Rails models for use of the attr_accessible white list"
+  s.has_rdoc = false
+  s.authors = ["Ryan Lowe"]
+  s.files = ["README", "CHANGELOG", "MIT-LICENSE", "audit_mass_assignment.gemspec",
+    "lib/audit_mass_assignment.rb",
+    "tasks/audit_mass_assignment_tasks.rake"]
+  s.test_files = []
+  s.rdoc_options = ["--main", "README"]
+  s.extra_rdoc_files = ["README","CHANGELOG"]
+  s.add_dependency("rails", ["> 2.0.0"])
+end

data/lib/audit_mass_assignment.rb

@@ -0,0 +1,22 @@
+class AuditMassAssignment
+  
+  def self.audit(model_class)
+    return false if model_class.nil?
+    !(model_class.attr_accessible.size == 0)
+  end
+  
+  def self.audit_all
+    results = ""
+    subclasses = Object.subclasses_of(ActiveRecord::Base)
+    subclasses.delete CGI::Session::ActiveRecordStore::Session
+    failures = []
+    for subclass in subclasses
+      pass = AuditMassAssignment.audit(subclass)
+      failures << subclass unless pass
+      status = pass ? "." : "F"
+      results += status
+    end
+    [ results, subclasses.size, failures.size ]
+  end
+  
+end

data/tasks/audit_mass_assignment_tasks.rake

@@ -0,0 +1,22 @@
+namespace :audit do
+  desc 'Finds ActiveRecord classes without attr_accessible'
+  task :mass_assignment => :environment do
+    puts "Audit mass assignment in models:"
+    Dir.glob(RAILS_ROOT + '/app/models/**/*.rb').each { |file| require file }
+    results, total, failures = AuditMassAssignment.audit_all
+    putc results
+    putc "\n"
+    putc "\n"
+    if failures.size > 0
+      count = 0
+      for failure in failures
+        count += 1
+        puts "  "+count.to_s+") "+failure.name
+      end
+      putc "\n"
+      puts "  Solution: use attr_accessible in these models"
+      putc "\n"
+    end
+    puts total.to_s+" models, "+failures.to_s+" failures"
+  end
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification 
+name: ryanlowe-audit_mass_assignment
+version: !ruby/object:Gem::Version 
+  version: 0.1.3
+platform: ruby
+authors: 
+- Ryan Lowe
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-05-26 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rails
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">"
+      - !ruby/object:Gem::Version 
+        version: 2.0.0
+    version: 
+description: Checks Ruby on Rails models for use of the attr_accessible white list
+email: rails@ryanlowe.ca
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- CHANGELOG
+files: 
+- README
+- CHANGELOG
+- MIT-LICENSE
+- audit_mass_assignment.gemspec
+- lib/audit_mass_assignment.rb
+- tasks/audit_mass_assignment_tasks.rake
+has_rdoc: false
+homepage: http://github.com/ryanlowe/audit_mass_assignment
+post_install_message: 
+rdoc_options: 
+- --main
+- README
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.0.1
+signing_key: 
+specification_version: 2
+summary: Checks Ruby on Rails models for use of the attr_accessible white list
+test_files: []
+