securails 0.0.1

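--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,5 @@
+*.gem
+.bundle
+.idea
+Gemfile.lock
+pkg/*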
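--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in securails.gemspec
+gemspec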
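Review bot: `source "http://rubygems.org"` on line 1 fetches the gem index and the gems themselves over plaintext HTTP, so what `bundle install` downloads is not protected against modification in transit; it should read `source "https://rubygems.org"`. Because line 4 resolves this gem's own dependencies from the gemspec, the source only affects development installs of the gem, but the file is the template people copy, so it should use the secure scheme.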
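--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,37 @@
+# Securails
+
+By default, all ActiveRecord attributes are writable. This leads to security problems:
+
+* http://asciicasts.com/episodes/26-hackers-love-mass-assignment
+* http://lesseverything.com/blog/archives/2008/03/11/use-attr_protected-or-we-will-hack-you/
+* https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57
+
+This gem makes all attributes protected by default. To use individual attributes for mass assignment,
+please make them explicitely assignable using `attr_accessible`. More info [here](http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html#method-i-attr_accessible).
+
+
+# Installation
+
+1. Add the gem to your Gemfile.
+
+```ruby
+gem 'securails'
+```
+
+2. Update your gem bundle.
+
+```bash
+$ bundle install
+```
+
+# Usage
+
+Your app is safe by just including the gem. Now you have make those attributes that are safe to be changed by users accessible.
+
+```ruby
+class Company < ActiveRecord::Base
+
+# Allow access to the 'name' attribute.
+attr_accessible :name
+end
+```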
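--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1 @@
+require "bundler/gem_tasks"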
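--- a/data/lib/securails.rb
+++ b/data/lib/securails.rb
@@ -0,0 +1,2 @@
+require 'securails/railtie'
+require 'securails/version'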
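--- a/data/lib/securails/railtie.rb
+++ b/data/lib/securails/railtie.rb
@@ -0,0 +1,13 @@
+require "rails/railtie"
+
+module Securails
+
+class Railtie < Rails::Railtie
+
+# Initialize Straides after the Rails initializers have run.
+config.after_initialize do
+ActiveRecord::Base.send :attr_accessible, nil
+end
+end
+
+end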
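Review bot: `ActiveRecord::Base.send :attr_accessible, nil` on line 9 references `ActiveRecord::Base` unconditionally, so an app that boots this railtie without ActiveRecord loaded raises NameError, and it forces ActiveRecord::Base to load from inside `after_initialize`. The conventional hook is `ActiveSupport.on_load(:active_record) { attr_accessible nil }`, which runs when ActiveRecord::Base is defined and never fires if ActiveRecord is absent; whether models loaded before `after_initialize` (for example under eager loading) inherit the empty whitelist depends on `class_attribute` inheritance and deserves a boot-order test. The comment on line 7 refers to `Straides`, apparently a copy-paste remnant; it should read `# Make every ActiveRecord attribute protected from mass assignment once the app has initialized.`. It would also help to document that with an empty whitelist unauthorized attributes are logged and dropped rather than rejected, unless the app sets `config.active_record.mass_assignment_sanitizer = :strict` (Rails 3.1+), which makes a misconfigured model fail loudly in development and test.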
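--- a/data/lib/securails/version.rb
+++ b/data/lib/securails/version.rb
@@ -0,0 +1,3 @@
+module Securails
+VERSION = "0.0.1"
+end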
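--- a/data/securails.gemspec
+++ b/data/securails.gemspec
@@ -0,0 +1,27 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "securails/version"
+
+Gem::Specification.new do |s|
+s.name = "securails"
+s.version = Securails::VERSION
+s.authors = ["Kevin Goslar"]
+s.email = ["kevin.goslar@originate.com"]
+s.homepage = ""
+s.summary = %q{Secures a rails application by making all ActiveRecord model attributes protected by default.}
+s.description = %q{Rails has a security flaw: All attributes are writable by default.
+This allows for spectacular hacks, like this one: https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57.
+This gem makes all attributes protected by default. }
+
+s.rubyforge_project = "securails"
+
+s.files = `git ls-files`.split("\n")
+s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+s.require_paths = ["lib"]
+
+# specify any dependencies here; for example:
+s.add_dependency "rails"
+# s.add_development_dependency "rspec"
+# s.add_runtime_dependency "rest-client"
+end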
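Review bot: `s.add_dependency "rails"` on line 24 carries no version constraint, although the railtie depends on `attr_accessible` from ActiveModel's MassAssignmentSecurity, which exists in the Rails 3 line and was removed from core in Rails 4 (moved to the protected_attributes gem); a bound such as `s.add_dependency "rails", "~> 3.0"` keeps the gem from being installed into a Rails where that method no longer exists and the railtie fails at boot. Depending on `railties` plus `activerecord` instead of the whole `rails` meta-gem would also narrow what the gem pulls in. `s.homepage = ""` on line 10 and the absence of `s.license` leave the published metadata without a project URL or license, which consumers auditing their dependencies will want filled in.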
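--- a/metadata
+++ b/metadata
@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: securails
+version: !ruby/object:Gem::Version
+version: 0.0.1
+prerelease:
+platform: ruby
+authors:
+- Kevin Goslar
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-03-06 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rails
+requirement: &70268580882840 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: *70268580882840
+description: ! "Rails has a security flaw: All attributes are writable by default.
+\n This allows for spectacular hacks, like this one: https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57.
+\n This gem makes all attributes protected by default. "
+email:
+- kevin.goslar@originate.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- lib/securails.rb
+- lib/securails/railtie.rb
+- lib/securails/version.rb
+- securails.gemspec
+homepage: ''
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project: securails
+rubygems_version: 1.8.10
+signing_key:
+specification_version: 3
+summary: Secures a rails application by making all ActiveRecord model attributes protected
+by default.
+test_files: []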