scrub_params 0.0.1

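--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 35978ee0837fbe0f7e929ad8e46be76ac8697d75
+data.tar.gz: e2b14a8966c868c509aea60827906d34d8fa2e4d
+SHA512:
+metadata.gz: ae5d80fff8ac67b82929bffd90ce1471184400b8b9bc37d7ae0ab8d13bc2d2598e0d43fe5d81f3061475781726cba465ee26f4a8d9014d37df200be807a89244
+data.tar.gz: 10fdfb8269ffd57d6bdf1d63c159d3c6671d4dd19dcf397ba4a81b7f18a639d46516dbbfb82beb9a55824ce71e2aa9bd008a40c5d49b0332f8e78c8a707698a8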
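--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log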
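--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in scrub_params.gemspec
+gemspec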
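--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (c) 2014 Andrew Kane
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.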
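--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,59 @@
+# Scrub Params
+
+:lock: Secure Rails parameters by default
+
+> Insecure by default is insecure
+
+HTML has no business in most parameters. Take the **whitelist approach** and remove it by default.
+
+## Get Started
+
+Add this line to your application’s Gemfile:
+
+```ruby
+gem 'scrub_params'
+```
+
+You now have another line of defense against [cross-site scripting (XSS)](http://en.wikipedia.org/wiki/Cross-site_scripting).
+
+### Test It
+
+Submit HTML in one of your forms.
+
+```html
+Hello <script>alert('World')</script>
+```
+
+This becomes:
+
+```
+Hello alert('World')
+```
+
+And you should see this in your logs:
+
+```
+Scrubbed parameters: name
+```
+
+### Whitelist Actions
+
+To prevent certain actions from being scrubbed, use:
+
+```ruby
+skip_before_filter :scrub_params, only: [:create, :update]
+```
+
+## TODO
+
+- whitelist parameters
+- whitelist tags
+
+## Contributing
+
+Everyone is encouraged to help improve this project. Here are a few ways you can help:
+
+- [Report bugs](https://github.com/ankane/scrub_params/issues)
+- Fix bugs and [submit pull requests](https://github.com/ankane/scrub_params/pulls)
+- Write, clarify, or fix documentation
+- Suggest or add new features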
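--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+task :default => :test
+Rake::TestTask.new do |t|
+t.libs << "test"
+t.pattern = "test/**/*_test.rb"
+end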
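--- a/data/lib/scrub_params/log_subscriber.rb
+++ b/data/lib/scrub_params/log_subscriber.rb
@@ -0,0 +1,14 @@
+module ScrubParams
+class LogSubscriber < ActiveSupport::LogSubscriber
+def scrubbed_parameters(event)
+scrubbed_keys = event.payload[:keys]
+debug("Scrubbed parameters: #{scrubbed_keys.join(", ")}")
+end
+
+def logger
+ActionController::Base.logger
+end
+end
+end
+
+ScrubParams::LogSubscriber.attach_to :action_controller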
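Review bot: `debug("Scrubbed parameters: #{scrubbed_keys.join(", ")}")` writes request-controlled parameter names to the log verbatim, so a key containing a newline or other control characters lands in the log unescaped and can split or forge log lines; `debug("Scrubbed parameters: #{scrubbed_keys.map(&:inspect).join(", ")}")` keeps each name quoted and on one line. The payload keys are the leaf names collected in `scrub_value`, so a nested `car[make]` is reported as `make`; if that is intended, a one-line comment on `scrubbed_parameters` saying so would save the next reader a lookup.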
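--- a/data/lib/scrub_params/version.rb
+++ b/data/lib/scrub_params/version.rb
@@ -0,0 +1,3 @@
+module ScrubParams
+VERSION = "0.0.1"
+end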
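--- a/data/lib/scrub_params.rb
+++ b/data/lib/scrub_params.rb
@@ -0,0 +1,57 @@
+require "scrub_params/version"
+require "action_controller"
+require "sanitize"
+require "scrub_params/log_subscriber"
+
+module ActionController
+class Parameters < ActiveSupport::HashWithIndifferentAccess
+attr_accessor :scrubbed_keys
+
+def scrub!
+self.scrubbed_keys = []
+each_pair do |k, v|
+self[k] = scrub_value(k, v)
+end
+if scrubbed_keys.any?
+ActiveSupport::Notifications.instrument("scrubbed_parameters.action_controller", keys: scrubbed_keys)
+end
+self
+end
+
+protected
+
+def scrub_value(key, value)
+case value
+when Hash
+h = {}
+value.each do |k, v|
+h[k] = scrub_value(k, v)
+end
+h
+when Array
+value.map{|v| scrub_value(key, v) }
+when String
+scrubbed_value = Sanitize.clean(value)
+if scrubbed_value != value
+self.scrubbed_keys << key unless scrubbed_keys.include?(key)
+end
+scrubbed_value
+else
+value
+end
+end
+
+end
+end
+
+module ActionController
+class Base
+protected
+
+before_filter :scrub_params
+
+def scrub_params
+params.scrub!
+end
+end
+end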
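Review bot: The reopened `class Parameters < ActiveSupport::HashWithIndifferentAccess` restates a superclass the gem does not own; if the installed actionpack defines Parameters with a different ancestry, Ruby raises a superclass-mismatch TypeError at require time and the whole app fails to boot, so reopen it as plain `class Parameters` (or `ActionController::Parameters.class_eval do`) and leave the ancestry to actionpack. Separately, `scrub_value` runs `Sanitize.clean` over every String parameter with no per-key exemption, and Sanitize returns an escaped HTML fragment, so plain-text fields that legitimately contain `<` or `&` (passwords in particular) are presumably rewritten to `&lt;`/`&amp;` before authentication or validation sees them; that is worth confirming against the Sanitize version in use, and it makes the README's "whitelist parameters" TODO a correctness item rather than a convenience. A header comment above `scrub!` stating that it mutates values in place, records the leaf key of every changed value in `scrubbed_keys`, and is run on every request by the `before_filter` added to `ActionController::Base` further down would also help, since the two reopened modules read as unrelated.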
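--- a/data/scrub_params.gemspec
+++ b/data/scrub_params.gemspec
@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'scrub_params/version'
+
+Gem::Specification.new do |spec|
+spec.name = "scrub_params"
+spec.version = ScrubParams::VERSION
+spec.authors = ["Andrew Kane"]
+spec.email = ["andrew@chartkick.com"]
+spec.summary = %q{Secure Rails parameters by default}
+spec.description = %q{Secure Rails parameters by default}
+spec.homepage = "https://github.com/ankane/scrub_params"
+spec.license = "MIT"
+
+spec.files = `git ls-files -z`.split("\x0")
+spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+spec.require_paths = ["lib"]
+
+spec.add_dependency "activesupport"
+spec.add_dependency "actionpack"
+spec.add_dependency "sanitize"
+
+spec.add_development_dependency "bundler", "~> 1.6"
+spec.add_development_dependency "rake"
+spec.add_development_dependency "minitest"
+end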
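Review bot: `spec.add_dependency "actionpack"` and `spec.add_dependency "sanitize"` carry no version constraint, yet lib/scrub_params.rb depends on actionpack internals (`before_filter`, the `ActiveSupport::HashWithIndifferentAccess` superclass of `Parameters`) and on the exact output of `Sanitize.clean`, so a future major release of either can change what gets scrubbed or fail at load with no signal at install time. Pin both runtime dependencies to the ranges the test suite actually runs against, e.g. `spec.add_dependency "actionpack", "~> 4.1"` (constructed example; use the range that was tested), and give `activesupport` the same treatment for consistency.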
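--- a/data/test/scrub_params_test.rb
+++ b/data/test/scrub_params_test.rb
@@ -0,0 +1,25 @@
+require_relative "test_helper"
+
+class TestScrubParams < Minitest::Test
+
+def test_scrub
+params =
+ActionController::Parameters.new({
+"name" => "Hello <script>alert('World')</script>",
+"tags" => ["<b>awesome</b>", "<a href='javascript:void();'>hack</a>"],
+"car" => {
+"make" => "<blink>Tesla</blink>"
+}
+})
+params.scrub!
+expected = {
+"name" => "Hello alert('World')",
+"tags" => ["awesome", "hack"],
+"car" => {
+"make" => "Tesla"
+}
+}
+assert_equal expected, params
+end
+
+end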
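Review bot: `test_scrub` checks the scrubbed values but never `params.scrubbed_keys`, which is the payload the `scrubbed_parameters.action_controller` notification and the log subscriber depend on; `assert_equal ["name", "tags", "make"], params.scrubbed_keys` after `params.scrub!` pins it (and documents that the nested key is reported as `make`, not `car`). A second case whose input contains no markup would also show that clean values come back unchanged, which is where an escaping change in Sanitize (for example of `&` or `<` in plain text) would surface first.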
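--- a/data/test/test_helper.rb
+++ b/data/test/test_helper.rb
@@ -0,0 +1,4 @@
+require "bundler/setup"
+Bundler.require(:default)
+require "minitest/autorun"
+require "minitest/pride"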
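--- a/metadata
+++ b/metadata
@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: scrub_params
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Andrew Kane
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-04-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: activesupport
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: actionpack
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: sanitize
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.6'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.6'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: minitest
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+description: Secure Rails parameters by default
+email:
+- andrew@chartkick.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/scrub_params.rb
+- lib/scrub_params/log_subscriber.rb
+- lib/scrub_params/version.rb
+- scrub_params.gemspec
+- test/scrub_params_test.rb
+- test/test_helper.rb
+homepage: https://github.com/ankane/scrub_params
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.2
+signing_key:
+specification_version: 4
+summary: Secure Rails parameters by default
+test_files:
+- test/scrub_params_test.rb
+- test/test_helper.rb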