scrub_params 0.0.1 → 0.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +4 -2
- data/lib/scrub_params.rb +8 -50
- data/lib/scrub_params/controller.rb +14 -0
- data/lib/scrub_params/parameters.rb +44 -0
- data/lib/scrub_params/version.rb +1 -1
- metadata +3 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 59ce5d172db14eff6568862d843b8999c06743da
|
|
4
|
+
data.tar.gz: 0a0a73b82ae709556ff900d00e056e553332e534
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4b3825d8c6d0fe626436ee433778b0bc515e5507f8c3999ae766cccf8ec737774e3f2d7b30b0f84e35dc623d044603218b39f92c4452a1cd8eeeab720f65babb
|
|
7
|
+
data.tar.gz: 1bf0a240ed5e94eba192996b7d083731fec08ae8188945c9036be369240c45a3ff7adaf39901104638320fb9967153505cb7a0bc20cacc3cb446eacbfca11c74
|
data/README.md
CHANGED
|
@@ -2,10 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
:lock: Secure Rails parameters by default
|
|
4
4
|
|
|
5
|
-
> Insecure by default is insecure
|
|
6
|
-
|
|
7
5
|
HTML has no business in most parameters. Take the **whitelist approach** and remove it by default.
|
|
8
6
|
|
|
7
|
+
**Note:** Rails has done amazing work to prevent XSS, but storing `<script>badThings()</script>` in your database makes it much easier to make mistakes.
|
|
8
|
+
|
|
9
|
+
Works with Rails 3.2 and above.
|
|
10
|
+
|
|
9
11
|
## Get Started
|
|
10
12
|
|
|
11
13
|
Add this line to your application’s Gemfile:
|
data/lib/scrub_params.rb
CHANGED
|
@@ -1,57 +1,15 @@
|
|
|
1
1
|
require "scrub_params/version"
|
|
2
|
+
require "active_support/hash_with_indifferent_access"
|
|
2
3
|
require "action_controller"
|
|
3
4
|
require "sanitize"
|
|
5
|
+
require "scrub_params/parameters"
|
|
6
|
+
require "scrub_params/controller"
|
|
4
7
|
require "scrub_params/log_subscriber"
|
|
5
8
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
def scrub!
|
|
11
|
-
self.scrubbed_keys = []
|
|
12
|
-
each_pair do |k, v|
|
|
13
|
-
self[k] = scrub_value(k, v)
|
|
14
|
-
end
|
|
15
|
-
if scrubbed_keys.any?
|
|
16
|
-
ActiveSupport::Notifications.instrument("scrubbed_parameters.action_controller", keys: scrubbed_keys)
|
|
17
|
-
end
|
|
18
|
-
self
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
protected
|
|
22
|
-
|
|
23
|
-
def scrub_value(key, value)
|
|
24
|
-
case value
|
|
25
|
-
when Hash
|
|
26
|
-
h = {}
|
|
27
|
-
value.each do |k, v|
|
|
28
|
-
h[k] = scrub_value(k, v)
|
|
29
|
-
end
|
|
30
|
-
h
|
|
31
|
-
when Array
|
|
32
|
-
value.map{|v| scrub_value(key, v) }
|
|
33
|
-
when String
|
|
34
|
-
scrubbed_value = Sanitize.clean(value)
|
|
35
|
-
if scrubbed_value != value
|
|
36
|
-
self.scrubbed_keys << key unless scrubbed_keys.include?(key)
|
|
37
|
-
end
|
|
38
|
-
scrubbed_value
|
|
39
|
-
else
|
|
40
|
-
value
|
|
41
|
-
end
|
|
42
|
-
end
|
|
43
|
-
|
|
44
|
-
end
|
|
9
|
+
if defined?(ActionController::Parameters)
|
|
10
|
+
ActionController::Parameters.send :include, ScrubParams::Parameters
|
|
11
|
+
else
|
|
12
|
+
ActiveSupport::HashWithIndifferentAccess.send :include, ScrubParams::Parameters
|
|
45
13
|
end
|
|
46
14
|
|
|
47
|
-
|
|
48
|
-
class Base
|
|
49
|
-
protected
|
|
50
|
-
|
|
51
|
-
before_filter :scrub_params
|
|
52
|
-
|
|
53
|
-
def scrub_params
|
|
54
|
-
params.scrub!
|
|
55
|
-
end
|
|
56
|
-
end
|
|
57
|
-
end
|
|
15
|
+
ActionController::Base.send :include, ScrubParams::Controller
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
module ScrubParams
|
|
2
|
+
module Parameters
|
|
3
|
+
extend ActiveSupport::Concern
|
|
4
|
+
|
|
5
|
+
included do
|
|
6
|
+
attr_accessor :scrubbed_keys
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def scrub!
|
|
10
|
+
self.scrubbed_keys = []
|
|
11
|
+
each_pair do |k, v|
|
|
12
|
+
self[k] = scrub_value(k, v)
|
|
13
|
+
end
|
|
14
|
+
if scrubbed_keys.any?
|
|
15
|
+
ActiveSupport::Notifications.instrument("scrubbed_parameters.action_controller", keys: scrubbed_keys)
|
|
16
|
+
end
|
|
17
|
+
self
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
protected
|
|
21
|
+
|
|
22
|
+
def scrub_value(key, value)
|
|
23
|
+
case value
|
|
24
|
+
when Hash
|
|
25
|
+
h = {}
|
|
26
|
+
value.each do |k, v|
|
|
27
|
+
h[k] = scrub_value(k, v)
|
|
28
|
+
end
|
|
29
|
+
h
|
|
30
|
+
when Array
|
|
31
|
+
value.map{|v| scrub_value(key, v) }
|
|
32
|
+
when String
|
|
33
|
+
scrubbed_value = Sanitize.clean(value)
|
|
34
|
+
if scrubbed_value != value
|
|
35
|
+
self.scrubbed_keys << key unless scrubbed_keys.include?(key)
|
|
36
|
+
end
|
|
37
|
+
scrubbed_value
|
|
38
|
+
else
|
|
39
|
+
value
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
end
|
|
44
|
+
end
|
data/lib/scrub_params/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: scrub_params
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Kane
|
|
@@ -107,7 +107,9 @@ files:
|
|
|
107
107
|
- README.md
|
|
108
108
|
- Rakefile
|
|
109
109
|
- lib/scrub_params.rb
|
|
110
|
+
- lib/scrub_params/controller.rb
|
|
110
111
|
- lib/scrub_params/log_subscriber.rb
|
|
112
|
+
- lib/scrub_params/parameters.rb
|
|
111
113
|
- lib/scrub_params/version.rb
|
|
112
114
|
- scrub_params.gemspec
|
|
113
115
|
- test/scrub_params_test.rb
|