scrub_params 0.0.1

checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 35978ee0837fbe0f7e929ad8e46be76ac8697d75
4
+ data.tar.gz: e2b14a8966c868c509aea60827906d34d8fa2e4d
5
+ SHA512:
6
+ metadata.gz: ae5d80fff8ac67b82929bffd90ce1471184400b8b9bc37d7ae0ab8d13bc2d2598e0d43fe5d81f3061475781726cba465ee26f4a8d9014d37df200be807a89244
7
+ data.tar.gz: 10fdfb8269ffd57d6bdf1d63c159d3c6671d4dd19dcf397ba4a81b7f18a639d46516dbbfb82beb9a55824ce71e2aa9bd008a40c5d49b0332f8e78c8a707698a8
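--- /dev/null
+++ b/data/.gitignore
@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log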
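--- /dev/null
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in scrub_params.gemspec
+gemspec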
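--- /dev/null
+++ b/data/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (c) 2014 Andrew Kane
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.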
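--- /dev/null
+++ b/data/README.md
@@ -0,0 +1,59 @@
+# Scrub Params
+
+:lock: Secure Rails parameters by default
+
+> Insecure by default is insecure
+
+HTML has no business in most parameters. Take the **whitelist approach** and remove it by default.
+
+## Get Started
+
+Add this line to your application’s Gemfile:
+
+```ruby
+gem 'scrub_params'
+```
+
+You now have another line of defense against [cross-site scripting (XSS)](http://en.wikipedia.org/wiki/Cross-site_scripting).
+
+### Test It
+
+Submit HTML in one of your forms.
+
+```html
+Hello <script>alert('World')</script>
+```
+
+This becomes:
+
+```
+Hello alert('World')
+```
+
+And you should see this in your logs:
+
+```
+Scrubbed parameters: name
+```
+
+### Whitelist Actions
+
+To prevent certain actions from being scrubbed, use:
+
+```ruby
+skip_before_filter :scrub_params, only: [:create, :update]
+```
+
+## TODO
+
+- whitelist parameters
+- whitelist tags
+
+## Contributing
+
+Everyone is encouraged to help improve this project. Here are a few ways you can help:
+
+- [Report bugs](https://github.com/ankane/scrub_params/issues)
+- Fix bugs and [submit pull requests](https://github.com/ankane/scrub_params/pulls)
+- Write, clarify, or fix documentation
+- Suggest or add new features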
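--- /dev/null
+++ b/data/Rakefile
@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+task :default => :test
+Rake::TestTask.new do |t|
+t.libs << "test"
+t.pattern = "test/**/*_test.rb"
+end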
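--- /dev/null
+++ b/data/lib/scrub_params/log_subscriber.rb
@@ -0,0 +1,14 @@
+module ScrubParams
+class LogSubscriber < ActiveSupport::LogSubscriber
+def scrubbed_parameters(event)
+scrubbed_keys = event.payload[:keys]
+debug("Scrubbed parameters: #{scrubbed_keys.join(", ")}")
+end
+
+def logger
+ActionController::Base.logger
+end
+end
+end
+
+ScrubParams::LogSubscriber.attach_to :action_controller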
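Review bot: The names interpolated into the log line at `debug("Scrubbed parameters: #{scrubbed_keys.join(", ")}")` are request-controlled (they are keys of `params`, including nested keys), so a key containing a newline or terminal control characters can split or forge log entries. Writing them in an escaped form keeps each entry on one line, e.g. `debug("Scrubbed parameters: #{scrubbed_keys.map(&:inspect).join(", ")}")`. A short comment above `scrubbed_parameters` stating that `event.payload[:keys]` carries parameter names only, never values, would also let the next reader confirm that no submitted data reaches the log.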
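--- /dev/null
+++ b/data/lib/scrub_params/version.rb
@@ -0,0 +1,3 @@
+module ScrubParams
+VERSION = "0.0.1"
+end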
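--- /dev/null
+++ b/data/lib/scrub_params.rb
@@ -0,0 +1,57 @@
+require "scrub_params/version"
+require "action_controller"
+require "sanitize"
+require "scrub_params/log_subscriber"
+
+module ActionController
+class Parameters < ActiveSupport::HashWithIndifferentAccess
+attr_accessor :scrubbed_keys
+
+def scrub!
+self.scrubbed_keys = []
+each_pair do |k, v|
+self[k] = scrub_value(k, v)
+end
+if scrubbed_keys.any?
+ActiveSupport::Notifications.instrument("scrubbed_parameters.action_controller", keys: scrubbed_keys)
+end
+self
+end
+
+protected
+
+def scrub_value(key, value)
+case value
+when Hash
+h = {}
+value.each do |k, v|
+h[k] = scrub_value(k, v)
+end
+h
+when Array
+value.map{|v| scrub_value(key, v) }
+when String
+scrubbed_value = Sanitize.clean(value)
+if scrubbed_value != value
+self.scrubbed_keys << key unless scrubbed_keys.include?(key)
+end
+scrubbed_value
+else
+value
+end
+end
+
+end
+end
+
+module ActionController
+class Base
+protected
+
+before_filter :scrub_params
+
+def scrub_params
+params.scrub!
+end
+end
+end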
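Review bot: `Sanitize.clean(value)` in `scrub_value` does more than strip tags — its output is HTML-escaped text, so a plain value containing `&`, `<` or `>` (a password, a search string, `Tom & Jerry`) comes back entity-encoded, fails the `scrubbed_value != value` check, and is both rewritten and reported as scrubbed although it held no markup. Since `scrub!` runs from an unconditional `before_filter` on every action of `ActionController::Base`, this silently alters credentials and other non-HTML input, and the only opt-out today is per action rather than per parameter (the README's TODO). At minimum this belongs in a comment on `scrub_value`, e.g. `# NOTE: Sanitize.clean also entity-encodes &, < and > in plain text, so a value with no tags can still be rewritten and flagged`. Separately, the `Hash` branch builds a plain `{}` for nested values, so whatever `[]=` converts it into replaces the nested `Parameters` object — presumably dropping any state that object carried on the targeted Rails version; worth confirming and documenting.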
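--- /dev/null
+++ b/data/scrub_params.gemspec
@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'scrub_params/version'
+
+Gem::Specification.new do |spec|
+spec.name = "scrub_params"
+spec.version = ScrubParams::VERSION
+spec.authors = ["Andrew Kane"]
+spec.email = ["andrew@chartkick.com"]
+spec.summary = %q{Secure Rails parameters by default}
+spec.description = %q{Secure Rails parameters by default}
+spec.homepage = "https://github.com/ankane/scrub_params"
+spec.license = "MIT"
+
+spec.files = `git ls-files -z`.split("\x0")
+spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+spec.require_paths = ["lib"]
+
+spec.add_dependency "activesupport"
+spec.add_dependency "actionpack"
+spec.add_dependency "sanitize"
+
+spec.add_development_dependency "bundler", "~> 1.6"
+spec.add_development_dependency "rake"
+spec.add_development_dependency "minitest"
+end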
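Review bot: `spec.add_dependency "actionpack"` and `spec.add_dependency "activesupport"` carry no version bound, yet lib/scrub_params.rb reopens `class Parameters < ActiveSupport::HashWithIndifferentAccess` and calls `before_filter`; reopening a class with an explicit superclass raises a TypeError (superclass mismatch) the moment ActionController changes that parent, and `before_filter` belongs to the same era of Rails. Constraining the runtime dependencies to the versions the patch was written against, e.g. `spec.add_dependency "actionpack", "~> 4.0"` (confirm the range against what the test suite runs on), turns a silent breakage after a bundle update into a resolver error. The same goes for `sanitize`, whose default config decides exactly what `Sanitize.clean` strips and escapes, so an unbounded upgrade can change what the gem lets through.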
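--- /dev/null
+++ b/data/test/scrub_params_test.rb
@@ -0,0 +1,25 @@
+require_relative "test_helper"
+
+class TestScrubParams < Minitest::Test
+
+def test_scrub
+params =
+ActionController::Parameters.new({
+"name" => "Hello <script>alert('World')</script>",
+"tags" => ["<b>awesome</b>", "<a href='javascript:void();'>hack</a>"],
+"car" => {
+"make" => "<blink>Tesla</blink>"
+}
+})
+params.scrub!
+expected = {
+"name" => "Hello alert('World')",
+"tags" => ["awesome", "hack"],
+"car" => {
+"make" => "Tesla"
+}
+}
+assert_equal expected, params
+end
+
+end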
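Review bot: `test_scrub` only checks the rewritten values; the side effects the rest of the gem depends on — `params.scrubbed_keys` and the `scrubbed_parameters.action_controller` notification — are never asserted. With this fixture `scrub!` records the nested leaf name rather than a path, so `assert_equal %w[name tags make], params.scrubbed_keys` after `params.scrub!` both covers the bookkeeping and documents that nested keys are reported by their own name, not as `car[make]`. A second case with a value containing a bare `&` or `<` but no tags would pin down whether plain text is expected to be altered by the scrub.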
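--- /dev/null
+++ b/data/test/test_helper.rb
@@ -0,0 +1,4 @@
+require "bundler/setup"
+Bundler.require(:default)
+require "minitest/autorun"
+require "minitest/pride"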
metadata ADDED
@@ -0,0 +1,141 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: scrub_params
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.0.1
5
+ platform: ruby
6
+ authors:
7
+ - Andrew Kane
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2014-04-14 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: activesupport
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: '0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: actionpack
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: '0'
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: '0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: sanitize
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - ">="
46
+ - !ruby/object:Gem::Version
47
+ version: '0'
48
+ type: :runtime
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: bundler
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: '1.6'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - "~>"
67
+ - !ruby/object:Gem::Version
68
+ version: '1.6'
69
+ - !ruby/object:Gem::Dependency
70
+ name: rake
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: '0'
83
+ - !ruby/object:Gem::Dependency
84
+ name: minitest
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: '0'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - ">="
95
+ - !ruby/object:Gem::Version
96
+ version: '0'
97
+ description: Secure Rails parameters by default
98
+ email:
99
+ - andrew@chartkick.com
100
+ executables: []
101
+ extensions: []
102
+ extra_rdoc_files: []
103
+ files:
104
+ - ".gitignore"
105
+ - Gemfile
106
+ - LICENSE.txt
107
+ - README.md
108
+ - Rakefile
109
+ - lib/scrub_params.rb
110
+ - lib/scrub_params/log_subscriber.rb
111
+ - lib/scrub_params/version.rb
112
+ - scrub_params.gemspec
113
+ - test/scrub_params_test.rb
114
+ - test/test_helper.rb
115
+ homepage: https://github.com/ankane/scrub_params
116
+ licenses:
117
+ - MIT
118
+ metadata: {}
119
+ post_install_message:
120
+ rdoc_options: []
121
+ require_paths:
122
+ - lib
123
+ required_ruby_version: !ruby/object:Gem::Requirement
124
+ requirements:
125
+ - - ">="
126
+ - !ruby/object:Gem::Version
127
+ version: '0'
128
+ required_rubygems_version: !ruby/object:Gem::Requirement
129
+ requirements:
130
+ - - ">="
131
+ - !ruby/object:Gem::Version
132
+ version: '0'
133
+ requirements: []
134
+ rubyforge_project:
135
+ rubygems_version: 2.2.2
136
+ signing_key:
137
+ specification_version: 4
138
+ summary: Secure Rails parameters by default
139
+ test_files:
140
+ - test/scrub_params_test.rb
141
+ - test/test_helper.rb