signed_form 0.1.1 → 0.1.2
    
        checksums.yaml
    CHANGED
    
    | 
         @@ -1,7 +1,7 @@ 
     | 
|
| 
       1 
1 
     | 
    
         
             
            ---
         
     | 
| 
       2 
2 
     | 
    
         
             
            SHA1:
         
     | 
| 
       3 
     | 
    
         
            -
              metadata.gz:  
     | 
| 
       4 
     | 
    
         
            -
              data.tar.gz:  
     | 
| 
      
 3 
     | 
    
         
            +
              metadata.gz: d48194df6c241a277cc79382344715c75aac7d9c
         
     | 
| 
      
 4 
     | 
    
         
            +
              data.tar.gz: 279e08bc94e45b2ce9f5e25364104bd5433ecb34
         
     | 
| 
       5 
5 
     | 
    
         
             
            SHA512:
         
     | 
| 
       6 
     | 
    
         
            -
              metadata.gz:  
     | 
| 
       7 
     | 
    
         
            -
              data.tar.gz:  
     | 
| 
      
 6 
     | 
    
         
            +
              metadata.gz: 75e21c1f42bfa9b1e8df77e4afbabb6d8ffc8a5295ddbc53d90347bfae0ed391e73f0a97b529e7b0e835957b737acf4f2deb9f692063c277408c66602a09d11a
         
     | 
| 
      
 7 
     | 
    
         
            +
              data.tar.gz: 448f4016cf450248230406b3f89947f953398b81dcf56cdf06c9433eda9f9ad806e091aa93d7895ac6e62982dce271055b35101a0349b3952c62292bf1cd5498
         
     | 
| 
         @@ -24,7 +24,12 @@ module SignedForm 
     | 
|
| 
       24 
24 
     | 
    
         
             
                    allowed_attributes = Marshal.load Base64.strict_decode64(data)
         
     | 
| 
       25 
25 
     | 
    
         
             
                    options            = allowed_attributes.delete(:__options__)
         
     | 
| 
       26 
26 
     | 
    
         | 
| 
       27 
     | 
    
         
            -
                     
     | 
| 
      
 27 
     | 
    
         
            +
                    if options
         
     | 
| 
      
 28 
     | 
    
         
            +
                      raise Errors::InvalidURL if options[:method].to_s.casecmp(request.request_method) != 0
         
     | 
| 
      
 29 
     | 
    
         
            +
             
     | 
| 
      
 30 
     | 
    
         
            +
                      url = url_for(options[:url])
         
     | 
| 
      
 31 
     | 
    
         
            +
                      raise Errors::InvalidURL if url != request.fullpath && url != request.url
         
     | 
| 
      
 32 
     | 
    
         
            +
                    end
         
     | 
| 
       28 
33 
     | 
    
         | 
| 
       29 
34 
     | 
    
         
             
                    allowed_attributes.each do |k, v|
         
     | 
| 
       30 
35 
     | 
    
         
             
                      params[k] = params.require(k).permit(*v)
         
     | 
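Review bot: The new method and URL checks sit inside `if options`, so a signed payload with no `:__options__` entry skips both and remains acceptable to any action that permits the same attributes. If every form is meant to be bound to its target, fail closed with `raise Errors::InvalidURL unless options`, or add a comment saying why unbound forms are still allowed. Inside the branch, `options[:method].to_s` turns a missing `:method` into `""`, so a form signed with only `:url` is always rejected with `InvalidURL`; a comment stating that `:method` is mandatory, or a dedicated error for the method mismatch, would make that failure easier to diagnose. Both checks also run only after the `Marshal.load` context line at the top of the hunk has deserialized request-supplied `data`, so they rely on the HMAC being verified before that line, which is outside this hunk along with the rest of the method; a data-only format such as JSON would limit the impact if the signing secret were ever exposed. The hunk is listed under checksums.yaml, but its `module SignedForm` context suggests it belongs to a Ruby source file whose header was lost from the page.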
    
        data/lib/signed_form/version.rb
    CHANGED
    
    
| 
         @@ -12,7 +12,7 @@ describe SignedForm::ActionController::PermitSignedParams do 
     | 
|
| 
       12 
12 
     | 
    
         
             
              before do
         
     | 
| 
       13 
13 
     | 
    
         
             
                SignedForm::HMAC.secret_key = "abc123"
         
     | 
| 
       14 
14 
     | 
    
         | 
| 
       15 
     | 
    
         
            -
                Controller.any_instance.stub(request: double('request', method: 'POST', fullpath: '/users'))
         
     | 
| 
      
 15 
     | 
    
         
            +
                Controller.any_instance.stub(request: double('request', method: 'POST', request_method: 'POST', fullpath: '/users', url: '/users'))
         
     | 
| 
       16 
16 
     | 
    
         
             
                Controller.any_instance.stub(params: { "user" => { name: "Erich Menge", occupation: 'developer' } })
         
     | 
| 
       17 
17 
     | 
    
         
             
              end
         
     | 
| 
       18 
18 
     | 
    
         | 
| 
         @@ -63,4 +63,18 @@ describe SignedForm::ActionController::PermitSignedParams do 
     | 
|
| 
       63 
63 
     | 
    
         | 
| 
       64 
64 
     | 
    
         
             
                expect { controller.permit_signed_form_data }.to raise_error(SignedForm::Errors::InvalidURL)
         
     | 
| 
       65 
65 
     | 
    
         
             
              end
         
     | 
| 
      
 66 
     | 
    
         
            +
             
     | 
| 
      
 67 
     | 
    
         
            +
              it "should reject if method doesn't match" do
         
     | 
| 
      
 68 
     | 
    
         
            +
                params = controller.params
         
     | 
| 
      
 69 
     | 
    
         
            +
             
     | 
| 
      
 70 
     | 
    
         
            +
                data      = Base64.strict_encode64(Marshal.dump("user" => [:name], :__options__ => { method: 'put', url: '/users'  }))
         
     | 
| 
      
 71 
     | 
    
         
            +
                signature = SignedForm::HMAC.create_hmac(data)
         
     | 
| 
      
 72 
     | 
    
         
            +
             
     | 
| 
      
 73 
     | 
    
         
            +
                params['form_signature'] = "#{data}--#{signature}"
         
     | 
| 
      
 74 
     | 
    
         
            +
             
     | 
| 
      
 75 
     | 
    
         
            +
                params.stub(:require).with('user').and_return(params)
         
     | 
| 
      
 76 
     | 
    
         
            +
                params.stub(:permit).with(:name).and_return(params)
         
     | 
| 
      
 77 
     | 
    
         
            +
             
     | 
| 
      
 78 
     | 
    
         
            +
                expect { controller.permit_signed_form_data }.to raise_error(SignedForm::Errors::InvalidURL)
         
     | 
| 
      
 79 
     | 
    
         
            +
              end
         
     | 
| 
       66 
80 
     | 
    
         
             
            end
         
     | 
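Review bot: The added example "should reject if method doesn't match" covers only the rejecting side of the new method check; nothing visible in these hunks asserts that a signed `method: 'post'` is accepted against the stubbed `request_method: 'POST'`, which is the case the case-insensitive comparison exists for. The request double in the `before` block also sets `url: '/users'`, identical to `fullpath`, so the `request.url` arm of the URL comparison is never exercised separately from the `fullpath` arm. A stub such as `url: 'http://test.host/users'` (constructed value), with an example that signs the absolute URL, would cover it. An example for a payload whose `:__options__` has no `:method` key would also pin down whether that form is meant to be rejected. The hunks shown under the version.rb header appear to come from the permit_signed_params spec, and the `describe` block starts outside them.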
    
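--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: signed_form
 version: !ruby/object:Gem::Version
-  version: 0.1. 
+  version: 0.1.2
 platform: ruby
 authors:
 - Erich Menge
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04- 
+date: 2013-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -136,4 +136,3 @@ test_files:
 - spec/hmac_spec.rb
 - spec/permit_signed_params_spec.rb
 - spec/spec_helper.rb
-has_rdoc: 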