securails 0.0.1

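--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*.gem
+.bundle
+.idea
+Gemfile.lock
+pkg/*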
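--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in securails.gemspec
+gemspec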
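Review bot: `source "http://rubygems.org"` on the first line fetches the gem index and every dependency over plain HTTP, so what Bundler installs can be observed or altered in transit; the TLS endpoint is the one to use, `source "https://rubygems.org"`. Since the `gemspec` line pulls the `rails` dependency declared in securails.gemspec, that whole download tree is what the insecure source covers.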
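--- a/README.md
+++ b/README.md
@@ -0,0 +1,37 @@
+# Securails
+
+By default, all ActiveRecord attributes are writable. This leads to security problems:
+
+* http://asciicasts.com/episodes/26-hackers-love-mass-assignment
+* http://lesseverything.com/blog/archives/2008/03/11/use-attr_protected-or-we-will-hack-you/
+* https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57
+
+This gem makes all attributes protected by default. To use individual attributes for mass assignment,
+please make them explicitely assignable using `attr_accessible`. More info [here](http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html#method-i-attr_accessible).
+
+
+# Installation
+
+1. Add the gem to your Gemfile.
+
+```ruby
+gem 'securails'
+```
+
+2. Update your gem bundle.
+
+```bash
+$ bundle install
+```
+
+# Usage
+
+Your app is safe by just including the gem. Now you have make those attributes that are safe to be changed by users accessible.
+
+```ruby
+class Company < ActiveRecord::Base
+
+# Allow access to the 'name' attribute.
+attr_accessible :name
+end
+```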
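--- a/Rakefile
+++ b/Rakefile
@@ -0,0 +1 @@
+require "bundler/gem_tasks"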
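--- a/lib/securails.rb
+++ b/lib/securails.rb
@@ -0,0 +1,2 @@
+require 'securails/railtie'
+require 'securails/version'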
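--- a/lib/securails/railtie.rb
+++ b/lib/securails/railtie.rb
@@ -0,0 +1,13 @@
+require "rails/railtie"
+
+module Securails
+
+class Railtie < Rails::Railtie
+
+# Initialize Straides after the Rails initializers have run.
+config.after_initialize do
+ActiveRecord::Base.send :attr_accessible, nil
+end
+end
+
+end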
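Review bot: The `config.after_initialize` block on lines 8–10 references `ActiveRecord::Base` directly, which forces ActiveRecord to load in every app that bundles the gem and raises NameError in an app that does not use ActiveRecord at all; the Rails idiom for this is `ActiveSupport.on_load(:active_record) { attr_accessible nil }`, which runs in the context of `ActiveRecord::Base` as soon as it is loaded, and it removes the `send`, since `attr_accessible` is a public class method. The comment on line 7 names "Straides" rather than this gem and does not say what the call does; suggest `# Protect every ActiveRecord attribute from mass assignment unless a model whitelists it with attr_accessible.`. Rails 3.1 and later expose the same behaviour through `config.active_record.whitelist_attributes = true`, so it may be worth noting in the README which Rails versions actually need this railtie.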
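--- a/lib/securails/version.rb
+++ b/lib/securails/version.rb
@@ -0,0 +1,3 @@
+module Securails
+VERSION = "0.0.1"
+end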
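--- a/securails.gemspec
+++ b/securails.gemspec
@@ -0,0 +1,27 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "securails/version"
+
+Gem::Specification.new do |s|
+s.name = "securails"
+s.version = Securails::VERSION
+s.authors = ["Kevin Goslar"]
+s.email = ["kevin.goslar@originate.com"]
+s.homepage = ""
+s.summary = %q{Secures a rails application by making all ActiveRecord model attributes protected by default.}
+s.description = %q{Rails has a security flaw: All attributes are writable by default.
+This allows for spectacular hacks, like this one: https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57.
+This gem makes all attributes protected by default. }
+
+s.rubyforge_project = "securails"
+
+s.files = `git ls-files`.split("\n")
+s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+s.require_paths = ["lib"]
+
+# specify any dependencies here; for example:
+s.add_dependency "rails"
+# s.add_development_dependency "rspec"
+# s.add_runtime_dependency "rest-client"
+end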
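Review bot: `s.add_dependency "rails"` on line 24 accepts any Rails version, but the gem's only behaviour is the `attr_accessible` call in the railtie, and that API belongs to Rails 3's ActiveModel::MassAssignmentSecurity, which was removed from Rails core in 4.0; with an unconstrained dependency a newer Rails resolves and installs the gem and then fails at boot instead of at install time. Pin the dependency to what the code was written against, e.g. `s.add_dependency "rails", "~> 3.0"`, and bump it deliberately if the railtie is ported. The spec also leaves `s.homepage` empty and sets no license (the metadata section shows `licenses: []`), so consumers cannot see where the code lives or under what terms they may use it; add `s.licenses = ["<LICENSE-PLACEHOLDER>"]` and a homepage once they are decided.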
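--- a/metadata
+++ b/metadata
@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: securails
+version: !ruby/object:Gem::Version
+version: 0.0.1
+prerelease:
+platform: ruby
+authors:
+- Kevin Goslar
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-03-06 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rails
+requirement: &70268580882840 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: *70268580882840
+description: ! "Rails has a security flaw: All attributes are writable by default.
+\n This allows for spectacular hacks, like this one: https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57.
+\n This gem makes all attributes protected by default. "
+email:
+- kevin.goslar@originate.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- lib/securails.rb
+- lib/securails/railtie.rb
+- lib/securails/version.rb
+- securails.gemspec
+homepage: ''
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project: securails
+rubygems_version: 1.8.10
+signing_key:
+specification_version: 3
+summary: Secures a rails application by making all ActiveRecord model attributes protected
+by default.
+test_files: []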