RubyGems - strict_parameters - Versions diffs - 0.1.4 - Mend

strict_parameters 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

data/MIT-LICENSE +20 -0
data/README.rdoc +44 -0
data/Rakefile +38 -0
data/lib/action_controller/parameters.rb +167 -0
data/lib/active_model/forbidden_attributes_protection.rb +16 -0
data/lib/generators/rails/USAGE +12 -0
data/lib/generators/rails/strong_parameters_controller_generator.rb +10 -0
data/lib/generators/rails/templates/controller.rb +94 -0
data/lib/strict_parameters.rb +3 -0
data/lib/strong_parameters/railtie.rb +22 -0
data/lib/strong_parameters/version.rb +3 -0
data/test/action_controller_required_params_test.rb +30 -0
data/test/action_controller_strict_params_test.rb +26 -0
data/test/action_controller_tainted_params_test.rb +25 -0
data/test/active_model_mass_assignment_taint_protection_test.rb +30 -0
data/test/controller_generator_test.rb +31 -0
data/test/nested_parameters_test.rb +95 -0
data/test/parameters_require_test.rb +10 -0
data/test/parameters_strict_test.rb +74 -0
data/test/parameters_taint_test.rb +61 -0
data/test/test_helper.rb +27 -0
metadata +140 -0

data/MIT-LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc ADDED Viewed

@@ -0,0 +1,44 @@
+= Strong Parameters
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        redirect_to current_account.people.find(params[:id]).tap do |person|
+          person.update_attributes!(person_params)
+        end
+      end
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.require(:person).permit(:name, :age)
+        end
+    end
+You can also use permit on nested parameters, like:
+    params.permit(:name, friends: [ :name, { family: [ :name ] }])
+Thanks to Nick Kallen for the permit idea!
+== Todos
+* Automatically permit parameters coming from a signed form [Yehuda]
+== Compatibility
+Due to a testing issue, this plugin is only fully compatible with rails/3-2-stable rev 275ee0dc7b and forward as well as rails/master rev b49a7ddce1 and forward.

data/Rakefile ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+Bundler::GemHelper.install_tasks
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+task :default => :test

data/lib/action_controller/parameters.rb ADDED Viewed

@@ -0,0 +1,167 @@
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+  class ParameterForbidden < IndexError
+    attr_reader :param
+    def initialize(param)
+      @param = param
+      super("key forbidden: #{param}")
+    end
+  end
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :strict_config
+    attr_accessor :permitted
+    alias :permitted? :permitted
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = false
+      @strict = false
+    end
+    def permit!
+      @permitted = true
+      self
+    end
+    def require(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+    alias :required :require
+    def strict!
+      @strict = true
+      self
+    end
+    def permit(*filters)
+      check_parameters(*filters) if @strict || @@strict_config
+      permit_parameters(*filters)
+    end
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError
+      raise ActionController::ParameterMissing.new(key)
+    end
+    def slice(*keys)
+      self.class.new(super)
+    end
+    def dup
+      super.tap do |duplicate|
+        duplicate.instance_variable_set :@permitted, @permitted
+      end
+    end
+    protected
+      def check_parameters(*filters)
+        param_keys = filters.map { |filter| filter.is_a?(Hash) ? filter.keys : filter }
+        param_keys = param_keys.flatten.map(&:to_s)
+        diff = self.keys - param_keys
+        # exit on first mismatch
+        raise(ActionController::ParameterForbidden.new(diff)) unless diff.empty?
+        filters.each do |filter|
+          if filter.is_a?(Hash)
+            filter.each do |key,value|
+              params = self.class.new(self[key])
+              params.check_parameters(*Array.wrap(filter[key]))
+            end
+          end
+        end
+      end
+      def permit_parameters(*filters)
+        params = self.class.new
+        filters.each do |filter|
+          case filter
+          when Symbol, String then
+            params[filter] = self[filter] if has_key?(filter)
+          when Hash then
+            self.slice(*filter.keys).each do |key, value|
+              return unless value
+              key = key.to_sym
+              params[key] = each_element(value) do |value|
+                # filters are a Hash, so we expect value to be a Hash too
+                next if filter.is_a?(Hash) && !value.is_a?(Hash)
+                value = self.class.new(value) if !value.respond_to?(:permit)
+                value.permit_parameters(*Array.wrap(filter[key]))
+              end
+            end
+          end
+        end
+        params.permit!
+      end
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+      def each_element(object)
+        if object.is_a?(Array)
+          object.map { |el| yield el }.compact
+        else
+          yield object
+        end
+      end
+  end
+  module StrongParameters
+    extend ActiveSupport::Concern
+    included do
+      rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+        render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+      end
+      rescue_from(ActionController::ParameterForbidden) do |parameter_forbidden_exception|
+        render :text => "Parameters forbidden: #{parameter_forbidden_exception.param.join(' ')}", :status => :unprocessable_entity
+      end
+    end
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end
+ActionController::Base.send :include, ActionController::StrongParameters

data/lib/active_model/forbidden_attributes_protection.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ActiveModel
+  class ForbiddenAttributes < StandardError
+  end
+  module ForbiddenAttributesProtection
+    def sanitize_for_mass_assignment(new_attributes, options = {})
+      if !new_attributes.respond_to?(:permitted?) || (new_attributes.respond_to?(:permitted?) && new_attributes.permitted?)
+        super
+      else
+        raise ActiveModel::ForbiddenAttributes
+      end
+    end
+  end
+end
+ActiveModel.autoload :ForbiddenAttributesProtection

data/lib/generators/rails/USAGE ADDED Viewed

@@ -0,0 +1,12 @@
+Description:
+    Stubs out a scaffolded controller and its views. Different from rails
+    scaffold_controller, it uses strong_parameters to whitelist permissible
+    attributes in a private method.
+    Pass the model name, either CamelCased or under_scored. The controller
+    name is retrieved as a pluralized version of the model name.
+    To create a controller within a module, specify the model name as a
+    path like 'parent_module/controller_name'.
+    This generates a controller class in app/controllers and invokes helper,
+    template engine and test framework generators.

data/lib/generators/rails/strong_parameters_controller_generator.rb ADDED Viewed

@@ -0,0 +1,10 @@
+require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
+module Rails
+  module Generators
+    class StrongParametersControllerGenerator < ScaffoldControllerGenerator
+      argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+      source_root File.expand_path("../templates", __FILE__)
+    end
+  end
+end

data/lib/generators/rails/templates/controller.rb ADDED Viewed

@@ -0,0 +1,94 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  # GET <%= route_url %>
+  # GET <%= route_url %>.json
+  def index
+    @<%= plural_table_name %> = <%= orm_class.all(class_name) %>
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: <%= "@#{plural_table_name}" %> }
+    end
+  end
+  # GET <%= route_url %>/1
+  # GET <%= route_url %>/1.json
+  def show
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+  # GET <%= route_url %>/new
+  # GET <%= route_url %>/new.json
+  def new
+    @<%= singular_table_name %> = <%= orm_class.build(class_name) %>
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+  # GET <%= route_url %>/1/edit
+  def edit
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+  end
+  # POST <%= route_url %>
+  # POST <%= route_url %>.json
+  def create
+    @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
+    respond_to do |format|
+      if @<%= orm_instance.save %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
+        format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
+      else
+        format.html { render action: "new" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+  # PATCH/PUT <%= route_url %>/1
+  # PATCH/PUT <%= route_url %>/1.json
+  def update
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    respond_to do |format|
+      if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
+        format.json { head :no_content }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+  # DELETE <%= route_url %>/1
+  # DELETE <%= route_url %>/1.json
+  def destroy
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    @<%= orm_instance.destroy %>
+    respond_to do |format|
+      format.html { redirect_to <%= index_helper %>_url }
+      format.json { head :no_content }
+    end
+  end
+  private
+    # Use this method to whitelist the permissible parameters. Example:
+    # params.require(:person).permit(:name, :age)
+    # Also, you can specialize this method with per-user checking of permissible attributes.
+    def <%= "#{singular_table_name}_params" %>
+      params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+    end
+end
+<% end -%>

data/lib/strict_parameters.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require 'action_controller/parameters'
+require 'active_model/forbidden_attributes_protection'
+require 'strong_parameters/railtie'

data/lib/strong_parameters/railtie.rb ADDED Viewed

@@ -0,0 +1,22 @@
+require 'rails/railtie'
+module StrongParameters
+  class Railtie < ::Rails::Railtie
+    config.strong_parameters = ActiveSupport::OrderedOptions.new
+    if config.respond_to?(:app_generators)
+      config.app_generators.scaffold_controller = :strong_parameters_controller
+    else
+      config.generators.scaffold_controller = :strong_parameters_controller
+    end
+    initializer "strong_parameters.strict", :group => :all do |app|
+      app.config.strong_parameters.strict ||= false
+    end
+    initializer "strong_parameters.set_config" do |app|
+      ActionController::Parameters.strict_config = app.config.strong_parameters.strict
+    end
+  end
+end

data/lib/strong_parameters/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module StrongParameters
+  VERSION = "0.1.4"
+end

data/test/action_controller_required_params_test.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require 'test_helper'
+class BooksController < ActionController::Base
+  def create
+    params.require(:book).require(:name)
+    head :ok
+  end
+end
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+  test "missing required parameters will raise exception" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_response :bad_request
+    post :create, { book: { title: "Mjallo!" } }
+    assert_response :bad_request
+  end
+  test "required parameters that are present will not raise" do
+    post :create, { book: { name: "Mjallo!" } }
+    assert_response :ok
+  end
+  test "missing parameters will be mentioned in the return" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_equal "Required parameter missing: book", response.body
+  end
+end

data/test/action_controller_strict_params_test.rb ADDED Viewed

@@ -0,0 +1,26 @@
+class ArticlesController < ActionController::Base
+  def create
+    params[:author].strict!.permit(:name)
+    head :ok
+  end
+end
+class ActionControllerStrongParamsTest < ActionController::TestCase
+  tests ArticlesController
+  test "missing strict parameters will raise exception" do
+    post :create, { author: { pet: "Toby" } }
+    assert_response :unprocessable_entity
+  end
+  test "strict parameters that are present will not raise" do
+    post :create, { author: { name: "David" } }
+    assert_response :ok
+  end
+  test "extra parameters will be mentioned in the return" do
+    post :create, { author: { password: "rails" } }
+    assert_equal "Parameters forbidden: password", response.body
+  end
+end

data/test/action_controller_tainted_params_test.rb ADDED Viewed

@@ -0,0 +1,25 @@
+require 'test_helper'
+class PeopleController < ActionController::Base
+  def create
+    render text: params[:person].permitted? ? "untainted" : "tainted"
+  end
+  def create_with_permit
+    render text: params[:person].permit(:name).permitted? ? "untainted" : "tainted"
+  end
+end
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+  test "parameters are tainted" do
+    post :create, { person: { name: "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { person: { name: "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_model_mass_assignment_taint_protection_test.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require 'test_helper'
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::ForbiddenAttributesProtection
+  public :sanitize_for_mass_assignment
+end
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating" do
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b"))
+    end
+  end
+  test "permitted attributes can be used for mass updating" do
+    assert_nothing_raised do
+      assert_equal({ "a" => "b" },
+        Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b").permit(:a)))
+    end
+  end
+  test "regular attributes should still be allowed" do
+    assert_nothing_raised do
+      assert_equal({ a: "b" },
+        Person.new.sanitize_for_mass_assignment(a: "b"))
+    end
+  end
+end

data/test/controller_generator_test.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require 'rails/generators/test_case'
+require 'generators/rails/strong_parameters_controller_generator'
+class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
+  tests Rails::Generators::StrongParametersControllerGenerator
+  arguments %w(User name:string age:integer --orm=none)
+  destination File.expand_path("../tmp", File.dirname(__FILE__))
+  setup :prepare_destination
+  def test_controller_content
+    run_generator
+    assert_file "app/controllers/users_controller.rb" do |content|
+      assert_instance_method :create, content do |m|
+        assert_match(/@user = User\.new\(user_params\)/, m)
+        assert_match(/@user\.save/, m)
+        assert_match(/@user\.errors/, m)
+      end
+      assert_instance_method :update, content do |m|
+        assert_match(/@user = User\.find\(params\[:id\]\)/, m)
+        assert_match(/@user\.update_attributes\(user_params\)/, m)
+        assert_match(/@user\.errors/, m)
+      end
+      assert_match(/def user_params/, content)
+      assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content)
+    end
+  end
+end

data/test/nested_parameters_test.rb ADDED Viewed

@@ -0,0 +1,95 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class NestedParametersTest < ActiveSupport::TestCase
+  test "permitted nested parameters" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        authors: [{
+          name: "William Shakespeare",
+          born: "1564-04-26"
+        }, {
+          name: "Christopher Marlowe"
+        }],
+        details: {
+          pages: 200,
+          genre: "Tragedy"
+        }
+      },
+      magazine: "Mjallo!"
+    })
+    permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages } ]
+    assert permitted.permitted?
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+    assert_equal 200, permitted[:book][:details][:pages]
+    assert_nil permitted[:book][:details][:genre]
+    assert_nil permitted[:book][:authors][1][:born]
+    assert_nil permitted[:magazine]
+  end
+  test "nested arrays with strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+    permitted = params.permit :book => :genres
+    assert_equal ["Tragedy"], permitted[:book][:genres]
+  end
+  test "permit may specify symbols or strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :author => "William Shakespeare"
+      },
+      :magazine => "Shakespeare Today"
+    })
+    permitted = params.permit({:book => ["title", :author]}, "magazine")
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:author]
+    assert_equal "Shakespeare Today", permitted[:magazine]
+  end
+  test "nested array with strings that should be hashes" do
+    params = ActionController::Parameters.new({
+      book: {
+        genres: ["Tragedy"]
+      }
+    })
+    permitted = params.permit book: { genres: :type }
+    assert_empty permitted[:book][:genres]
+  end
+  test "nested array with strings that should be hashes and additional values" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        genres: ["Tragedy"]
+      }
+    })
+    permitted = params.permit book: [ :title, { genres: :type } ]
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_empty permitted[:book][:genres]
+  end
+  test "nested string that should be a hash" do
+    params = ActionController::Parameters.new({
+      book: {
+        genre: "Tragedy"
+      }
+    })
+    permitted = params.permit book: { genre: :type }
+    assert_nil permitted[:book][:genre]
+  end
+end

data/test/parameters_require_test.rb ADDED Viewed

@@ -0,0 +1,10 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class ParametersRequireTest < ActiveSupport::TestCase
+  test "required parameters must be present not merely not nil" do
+    assert_raises(ActionController::ParameterMissing) do
+      ActionController::Parameters.new(person: {}).require(:person)
+    end
+  end
+end

data/test/parameters_strict_test.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class ParametersStrictTest < ActiveSupport::TestCase
+  setup do
+    @params = ActionController::Parameters.new({ person: {
+      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+    }})
+  end
+  test 'raises ParameterForbidden when we have extra parameters' do
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params[:person].strict!.permit(:age)
+    end
+  end
+  test 'doesnt raise ParameterForbidden when the parameter are exact' do
+    assert_nothing_raised do
+      @params[:person].strict!.permit(:age, :name)
+    end
+  end
+  test 'doesnt raise ParameterForbidden when the parameter are exact using nesting' do
+    assert_nothing_raised do
+      @params[:person].strict!.permit(:age, name: [:first, :last])
+    end
+  end
+  test 'raises ParameterForbidden when we have extra nested parameters' do
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params[:person].strict!.permit(:age, name: [:first, :third])
+    end
+  end
+  test 'raises ParameterForbidden when we have extra deep nested parameters' do
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params.strict!.permit(person: [ :age, name: [:first, :third]])
+    end
+  end
+  test 'doesnt raise ParameterForbidden when the parameter are exact using deep nesting' do
+    assert_nothing_raised do
+      @params.strict!.permit(person: [ :age, name: [:first, :last]])
+    end
+  end
+  test 'the strict params are permitted' do
+    assert @params[:person].strict!.permit(:age, :name).permitted?
+  end
+  test 'works with embedded hashes' do
+    nested_hash_params = ActionController::Parameters.new(
+      email: "test@example.com", profile: {person_description: { age: 35, sex: 'f'}}
+    )
+    e = assert_raises(ActionController::ParameterForbidden) do
+      nested_hash_params.strict!.permit( :email, profile: { person_description: []})
+    end
+  end
+  test 'raises when enabled from class config' do
+    ActionController::Parameters.strict_config = true
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params[:person].permit(:age)
+    end
+  end
+  test 'its disabled by default' do
+    assert_nothing_raised do
+      @params[:person].permit(:age)
+    end
+  end
+end

data/test/parameters_taint_test.rb ADDED Viewed

@@ -0,0 +1,61 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class ParametersTaintTest < ActiveSupport::TestCase
+  setup do
+    @params = ActionController::Parameters.new({ person: {
+      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+    }})
+  end
+  test "fetch raises ParameterMissing exception" do
+    e = assert_raises(ActionController::ParameterMissing) do
+      @params.fetch :foo
+    end
+    assert_equal :foo, e.param
+  end
+  test "fetch doesnt raise ParameterMissing exception if there is a default" do
+    assert_nothing_raised do
+      assert_equal "monkey", @params.fetch(:foo, "monkey")
+      assert_equal "monkey", @params.fetch(:foo) { "monkey" }
+    end
+  end
+  test "permitted is sticky on accessors" do
+    assert !@params.slice(:person).permitted?
+    assert !@params[:person][:name].permitted?
+    @params.each { |key, value| assert(value.permitted?) if key == :person }
+    assert !@params.fetch(:person).permitted?
+    assert !@params.values_at(:person).first.permitted?
+  end
+  test "permitted is sticky on mutators" do
+    assert !@params.delete_if { |k| k == :person }.permitted?
+    assert !@params.keep_if { |k,v| k == :person }.permitted?
+  end
+  test "permitted is sticky beyond merges" do
+    assert !@params.merge(a: "b").permitted?
+  end
+  test "modifying the parameters" do
+    @params[:person][:hometown] = "Chicago"
+    @params[:person][:family] = { brother: "Jonas" }
+    assert_equal "Chicago", @params[:person][:hometown]
+    assert_equal "Jonas", @params[:person][:family][:brother]
+  end
+  test "permitting parameters that are not there should not include the keys" do
+    assert !@params.permit(:person, :funky).has_key?(:funky)
+  end
+  test "permit state is kept on a dup" do
+    @params.permit!
+    assert_equal @params.permitted?, @params.dup.permitted?
+  end
+end

data/test/test_helper.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+require 'test/unit'
+require 'strong_parameters'
+module ActionController
+  SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
+  SharedTestRoutes.draw do
+    match ':controller(/:action)'
+  end
+  class Base
+    include ActionController::Testing
+    include SharedTestRoutes.url_helpers
+  end
+  class ActionController::TestCase
+    setup do
+      @routes = SharedTestRoutes
+    end
+  end
+end
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }

metadata ADDED Viewed

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: strict_parameters
+version: !ruby/object:Gem::Version
+  version: 0.1.4
+  prerelease:
+platform: ruby
+authors:
+- David Heinemeier Hansson
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-08-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- david@heinemeierhansson.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/action_controller/parameters.rb
+- lib/active_model/forbidden_attributes_protection.rb
+- lib/generators/rails/strong_parameters_controller_generator.rb
+- lib/generators/rails/templates/controller.rb
+- lib/generators/rails/USAGE
+- lib/strict_parameters.rb
+- lib/strong_parameters/railtie.rb
+- lib/strong_parameters/version.rb
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+- test/action_controller_required_params_test.rb
+- test/action_controller_strict_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/controller_generator_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_strict_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb
+homepage:
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.23
+signing_key:
+specification_version: 3
+summary: Permitted and required parameters for Action Pack
+test_files:
+- test/action_controller_required_params_test.rb
+- test/action_controller_strict_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/controller_generator_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_strict_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb