sanitize_attributes 0.0.2

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in sanitize_attributes.gemspec
+gemspec

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,78 @@
+= SanitizeAttributes
+
+This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you've defined. You can define a default filter for all sanitizations.
+
+Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)
+
+This plugin was created to implement anti-XSS validation. My gem of choice is Sanitize: http://github.com/rgrove/sanitize/tree/master
+
+For Rails 3, add this line to your Gemfile:
+
+  gem 'sanitize_attributes', :git => "git@github.com:devp/sanitize_attributes.git"
+
+For Rails 2.3, it should work when installed as a plugin:
+
+  ./script/plugin install git@github.com:devp/sanitize_attributes.git
+
+== Example
+
+ # config/initializers/sanitize_attributes.rb
+ SanitizeAttributes.default_sanitization_method = lambda do |text|
+   text.gsub(/[^\w\s]/, "") # very simple, very limited
+ end
+ 
+ # app/models/bookmark.rb
+ class Bookmark
+   sanitize_attributes :sitename
+ end
+ 
+ # app/models/article.rb
+ class Article   
+   sanitize_attributes :title, :author
+   
+   sanitize_attributes :body do |body_text|
+     # This needs to be safe, renderable HTML, so let's use a real sanization tool
+     # I recommend: http://github.com/rgrove/sanitize/tree/master 
+     Sanitize.clean(body_text)
+   end
+ end 
+
+ Article.default_sanitization_method_for_class = lambda do |text|
+   text.gsub(/[^\w\s\'".,?!]/, "") # more reasonable, for titles and such
+ end
+ 
+ # in action...
+ b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
+ b.sitename # => "bostonrb"
+ a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
+ a.title # => "Hello!"
+ a.body  # => "Please remove the script tags!"
+ 
+
+== Future Work
+
+Things to work on in the future:
+
+* allowing strings/symbols for sanitization methods, not just blocks
+
+   Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
+   Nacho.default_sanitization_method_for_class = "Sanitize.clean"
+
+* add validation helpers, if you want to flag problematic text rather than cleaning it.
+
+  class Foo
+    validate_sanitized :value
+  end
+  Foo.new(:value => "abc").valid? #=> false if a sanitized copy of #value is different than the original
+
+* better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.
+
+=== Etc
+
+Thanks to contributors:
+
+* Josh Nichols
+* Michael Reinsch
+* Paul McMahon
+
+(c) 2009 Dev Purkayastha, released under the MIT license

data/Rakefile

@@ -0,0 +1,35 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+require 'bundler/gem_tasks'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the sanitize_attributes plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the sanitize_attributes plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SanitizeAttributes'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new(:rcov) do |rcov|
+    rcov.libs << 'test'
+    rcov.pattern = 'test/*.rb'
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end

data/init.rb

@@ -0,0 +1,2 @@
+require 'sanitize_attributes'
+SanitizeAttributes.hook!

data/lib/sanitize_attributes.rb

@@ -0,0 +1,28 @@
+require 'sanitize_attributes/macros'
+require 'sanitize_attributes/class_methods'
+require 'sanitize_attributes/instance_methods'
+
+module SanitizeAttributes
+  include Macros
+  
+  class << self
+    attr_accessor :default_sanitization_method    
+    
+    def hook!
+      if ActiveSupport.respond_to?(:on_load)
+        ActiveSupport.on_load(:active_record) { extend SanitizeAttributes }
+      else # Rails 2 fallback
+        ActiveRecord::Base.class_eval { extend SanitizeAttributes }
+      end
+    end
+  end
+  
+  # Thrown when sanitize! is called without a defined sanitization method at the class or global level
+  class NoSanitizationMethodDefined < StandardError ; end  
+
+  if defined?(Rails) && defined?(Rails::Railtie)
+    class Railtie < Rails::Railtie
+      initializer("sanitize_attirbutes") { SanitizeAttributes.hook! }
+    end
+  end
+end

data/lib/sanitize_attributes/class_methods.rb

@@ -0,0 +1,15 @@
+module SanitizeAttributes
+  module ClassMethods
+    
+    attr_accessor :default_sanitization_method_for_class
+    
+    def sanitizable_attributes #:nodoc:
+      self.sanitizable_attribute_hash.keys
+    end
+
+    def sanitization_method_for_attribute(attribute) #:nodoc:
+      index = self.sanitizable_attribute_hash[attribute]
+      self.sanitization_block_array[index] if index
+    end
+  end
+end

data/lib/sanitize_attributes/instance_methods.rb

@@ -0,0 +1,26 @@
+module SanitizeAttributes
+  module InstanceMethods
+        
+    # sanitize! is the method that is called when a model is saved.
+    # It can be called to manually sanitize attributes.
+    def sanitize!
+      self.class.sanitizable_attributes.each do |attr_name|
+        cleaned_text = process_text_via_sanitization_method(self.send(attr_name), attr_name)
+        self.send((attr_name.to_s + '='), cleaned_text)
+      end
+    end
+        
+    private
+      def process_text_via_sanitization_method(txt, attr_name = nil)
+        return nil if txt.nil?
+        sanitization_method =  self.class.sanitization_method_for_attribute(attr_name) || # attribute level
+             self.class.default_sanitization_method_for_class || # class level
+             SanitizeAttributes::default_sanitization_method     # global
+        if sanitization_method && sanitization_method.is_a?(Proc)
+          sanitization_method.call(txt)
+        else
+          raise SanitizeAttributes::NoSanitizationMethodDefined
+        end
+      end
+  end
+end

data/lib/sanitize_attributes/macros.rb

@@ -0,0 +1,41 @@
+module SanitizeAttributes
+  module Macros
+    # sanitize_attributes is used to define sanitizable attributes within a model definition.
+    def sanitize_attributes(*args, &block)
+      if (args.last && args.last.is_a?(Hash))
+        options = args.pop
+      end
+      options ||= {}
+      unless @sanitize_hook_already_defined
+        include InstanceMethods
+        extend ClassMethods
+
+        if options[:before_validation]
+          before_validation :sanitize!
+        else
+          before_save :sanitize!
+        end
+
+        cattr_accessor :sanitizable_attribute_hash
+        cattr_accessor :sanitization_block_array
+        self.sanitizable_attribute_hash ||= {}
+        self.sanitization_block_array ||= []
+
+        @sanitize_hook_already_defined = true
+      end
+
+      if block
+        self.sanitization_block_array << block
+        block = self.sanitization_block_array.index(block)
+      else
+        block = nil
+      end
+
+      args.each do |attr|
+        self.sanitizable_attribute_hash[attr] = block
+      end
+
+      true
+    end
+  end
+end

data/lib/sanitize_attributes/version.rb

@@ -0,0 +1,3 @@
+module SanitizeAttributes
+  VERSION = "0.0.2"
+end

data/sanitize_attributes.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "sanitize_attributes/version"
+
+Gem::Specification.new do |s|
+  s.name        = "sanitize_attributes"
+  s.version     = SanitizeAttributes::VERSION
+  s.authors     = ["Dev Purkayastha", "Paul McMahon"]
+  s.email       = ["dev@forgreatjustice.net"]
+  s.homepage    = "https://github.com/devp/sanitize_attributes"
+  s.summary     = %q{This is a simple plugin for ActiveRecord models to define sanitizable attributes.}
+  s.description = %q{This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.}
+
+  s.rubyforge_project = "sanitize_attributes"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency 'rails', '>= 3.0.0'
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'thoughtbot-shoulda'
+  s.add_development_dependency 'mocha'
+end

data/test/sanitize_attributes_test.rb

@@ -0,0 +1,119 @@
+require "#{File.dirname(__FILE__)}/test_helper"
+
+ActiveRecord::Schema.define do
+  create_table :articles do |t|
+    t.column :title, :string
+    t.column :body, :string
+    t.column :review, :string
+  end
+end
+
+ActiveRecord::Schema.define do
+  create_table :albums do |t|
+    t.column :title, :string
+    t.column :artist, :string
+    t.column :rating, :string
+  end
+end
+
+class Article < ActiveRecord::Base
+  sanitize_attributes :title, :body
+end
+
+class Album < ActiveRecord::Base
+  sanitize_attributes :title, :artist
+end
+
+class SanitizeAttributesTest < Test::Unit::TestCase
+
+  context "Two classes with #sanitizable_attributes in their defnition" do
+    should "not share the same sanitizable_attributes" do
+      assert_not_equal Album.sanitizable_attributes, Article.sanitizable_attributes
+    end
+  end
+  
+  context "#sanitize_attributes" do
+    should "mark expected attributes as sanitizable" do
+      assert_equal Set.new([:title, :body]), Set.new(Article.sanitizable_attributes)
+    end
+    
+    should "not create duplicates entries" do
+      Article.sanitize_attributes :title
+      assert_equal Set.new([:title, :body]), Set.new(Article.sanitizable_attributes)
+    end
+  end
+  
+  context "given an undefined sanitization methods" do
+    setup do
+      SanitizeAttributes.default_sanitization_method = nil
+      Article.default_sanitization_method_for_class = nil
+    end
+    
+    should "raise NoSanitizationMethodDefined on #save!" do
+      assert_raise(SanitizeAttributes::NoSanitizationMethodDefined) do
+        Article.create!(:title => "This Article")
+      end
+    end
+  end
+    
+  context "given a defined default sanitization method" do
+    setup do
+      SanitizeAttributes.default_sanitization_method = lambda{|s| s.generic_sanitize}
+      Album.default_sanitization_method_for_class = nil
+      Article.default_sanitization_method_for_class = nil
+    end
+    
+    should "use the default method on #save!, changing only the sanitizable attribute" do
+      title = "This Article"
+      title.expects(:generic_sanitize).returns("sanitized")
+      article = Article.new(:title => title, :review => "do not change")
+      assert article.save!
+      assert_equal "sanitized", article.title
+      assert_equal "do not change", article.review
+    end
+    
+    should "not sanitize nil attributes" do
+      title = nil
+      body = "Lorem Ipsum"
+      title.expects(:generic_sanitize).never
+      body.expects(:generic_sanitize).once
+      article = Article.new(:title => title, :body => body)
+      assert article.save!
+    end
+    
+    context "and defined class-level sanitization methods" do
+      setup do
+        Album.default_sanitization_method_for_class = lambda{|s| Album.album_sanitizer}
+        Article.default_sanitization_method_for_class = lambda{|s| Article.article_sanitizer}
+      end
+      
+      should "use the appropriate method for each class" do
+        Album.expects(:album_sanitizer).times(2)
+        Album.create!(:title => "This Album", :artist => "Rock Star", :rating => "great")
+    
+        Article.expects(:article_sanitizer).times(2)
+        Article.create!(:title => "This Article", :body => "Lorem Ipsum", :review => "awesome")
+      end
+      
+      context "and further attribute-level sanitization" do
+        setup do
+          Album.sanitize_attributes :artist do
+            Album.artist_sanitizer
+          end
+        end
+        
+        teardown do
+          Album.sanitize_attributes :artist # unsetting the attribute-specific block
+        end
+        
+        should "use the appropriate method for each attribute" do
+          Album.expects(:album_sanitizer).once
+          Album.expects(:artist_sanitizer).once
+          Album.create!(:title => "This Album", :artist => "Rock Star", :rating => "great")
+        end        
+      end
+    end
+    
+  end
+    
+end

data/test/test_helper.rb

@@ -0,0 +1,13 @@
+require 'test/unit'
+require 'set'
+require 'rubygems'
+require 'active_record'
+ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":memory:")
+gem 'thoughtbot-shoulda'
+require 'shoulda'
+gem 'mocha'
+require 'mocha'
+
+$:.unshift "#{File.dirname(__FILE__)}/../lib"
+
+require "#{File.dirname(__FILE__)}/../init"

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: sanitize_attributes
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+  prerelease: 
+platform: ruby
+authors:
+- Dev Purkayastha
+- Paul McMahon
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-11-26 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: &2153166840 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153166840
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &2153166320 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153166320
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: &2153165800 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153165800
+- !ruby/object:Gem::Dependency
+  name: thoughtbot-shoulda
+  requirement: &2153165020 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153165020
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: &2153164540 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153164540
+description: This is a simple plugin for ActiveRecord models to define sanitizable
+  attributes. When an object is saved, those attributes will be run through whatever
+  filter you’ve defined. You can define a default filter for all sanitizations.
+email:
+- dev@forgreatjustice.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- MIT-LICENSE
+- README.rdoc
+- Rakefile
+- init.rb
+- lib/sanitize_attributes.rb
+- lib/sanitize_attributes/class_methods.rb
+- lib/sanitize_attributes/instance_methods.rb
+- lib/sanitize_attributes/macros.rb
+- lib/sanitize_attributes/version.rb
+- sanitize_attributes.gemspec
+- test/sanitize_attributes_test.rb
+- test/test_helper.rb
+homepage: https://github.com/devp/sanitize_attributes
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: sanitize_attributes
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: This is a simple plugin for ActiveRecord models to define sanitizable attributes.
+test_files:
+- test/sanitize_attributes_test.rb
+- test/test_helper.rb