RubyGems - strict_parameters - Versions diffs - 0.1.4 - Mend

strict_parameters 0.1.4

Files changed (22) hide show

data/MIT-LICENSE +20 -0
data/README.rdoc +44 -0
data/Rakefile +38 -0
data/lib/action_controller/parameters.rb +167 -0
data/lib/active_model/forbidden_attributes_protection.rb +16 -0
data/lib/generators/rails/USAGE +12 -0
data/lib/generators/rails/strong_parameters_controller_generator.rb +10 -0
data/lib/generators/rails/templates/controller.rb +94 -0
data/lib/strict_parameters.rb +3 -0
data/lib/strong_parameters/railtie.rb +22 -0
data/lib/strong_parameters/version.rb +3 -0
data/test/action_controller_required_params_test.rb +30 -0
data/test/action_controller_strict_params_test.rb +26 -0
data/test/action_controller_tainted_params_test.rb +25 -0
data/test/active_model_mass_assignment_taint_protection_test.rb +30 -0
data/test/controller_generator_test.rb +31 -0
data/test/nested_parameters_test.rb +95 -0
data/test/parameters_require_test.rb +10 -0
data/test/parameters_strict_test.rb +74 -0
data/test/parameters_taint_test.rb +61 -0
data/test/test_helper.rb +27 -0
metadata +140 -0

data/MIT-LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc ADDED Viewed

@@ -0,0 +1,44 @@
+= Strong Parameters
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        redirect_to current_account.people.find(params[:id]).tap do |person|
+          person.update_attributes!(person_params)
+        end
+      end
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.require(:person).permit(:name, :age)
+        end
+    end
+You can also use permit on nested parameters, like:
+    params.permit(:name, friends: [ :name, { family: [ :name ] }])
+Thanks to Nick Kallen for the permit idea!
+== Todos
+* Automatically permit parameters coming from a signed form [Yehuda]
+== Compatibility
+Due to a testing issue, this plugin is only fully compatible with rails/3-2-stable rev 275ee0dc7b and forward as well as rails/master rev b49a7ddce1 and forward.

data/Rakefile ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+Bundler::GemHelper.install_tasks
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+task :default => :test

data/lib/action_controller/parameters.rb ADDED Viewed

@@ -0,0 +1,167 @@
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+  class ParameterForbidden < IndexError
+    attr_reader :param
+    def initialize(param)
+      @param = param
+      super("key forbidden: #{param}")
+    end
+  end
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :strict_config
+    attr_accessor :permitted
+    alias :permitted? :permitted
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = false
+      @strict = false
+    end
+    def permit!
+      @permitted = true
+      self
+    end
+    def require(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+    alias :required :require
+    def strict!
+      @strict = true
+      self
+    end
+    def permit(*filters)
+      check_parameters(*filters) if @strict || @@strict_config
+      permit_parameters(*filters)
+    end
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError
+      raise ActionController::ParameterMissing.new(key)
+    end
+    def slice(*keys)
+      self.class.new(super)
+    end
+    def dup
+      super.tap do |duplicate|
+        duplicate.instance_variable_set :@permitted, @permitted
+      end
+    end
+    protected
+      def check_parameters(*filters)
+        param_keys = filters.map { |filter| filter.is_a?(Hash) ? filter.keys : filter }
+        param_keys = param_keys.flatten.map(&:to_s)
+        diff = self.keys - param_keys
+        # exit on first mismatch
+        raise(ActionController::ParameterForbidden.new(diff)) unless diff.empty?
+        filters.each do |filter|
+          if filter.is_a?(Hash)
+            filter.each do |key,value|
+              params = self.class.new(self[key])
+              params.check_parameters(*Array.wrap(filter[key]))
+            end
+          end
+        end
+      end
+      def permit_parameters(*filters)
+        params = self.class.new
+        filters.each do |filter|
+          case filter
+          when Symbol, String then
+            params[filter] = self[filter] if has_key?(filter)
+          when Hash then
+            self.slice(*filter.keys).each do |key, value|
+              return unless value
+              key = key.to_sym
+              params[key] = each_element(value) do |value|
+                # filters are a Hash, so we expect value to be a Hash too
+                next if filter.is_a?(Hash) && !value.is_a?(Hash)
+                value = self.class.new(value) if !value.respond_to?(:permit)
+                value.permit_parameters(*Array.wrap(filter[key]))
+              end
+            end
+          end
+        end
+        params.permit!
+      end
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+      def each_element(object)
+        if object.is_a?(Array)
+          object.map { |el| yield el }.compact
+        else
+          yield object
+        end
+      end
+  end
+  module StrongParameters
+    extend ActiveSupport::Concern
+    included do
+      rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+        render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+      end
+      rescue_from(ActionController::ParameterForbidden) do |parameter_forbidden_exception|
+        render :text => "Parameters forbidden: #{parameter_forbidden_exception.param.join(' ')}", :status => :unprocessable_entity
+      end
+    end
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end
+ActionController::Base.send :include, ActionController::StrongParameters

data/lib/active_model/forbidden_attributes_protection.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ActiveModel
+  class ForbiddenAttributes < StandardError
+  end
+  module ForbiddenAttributesProtection
+    def sanitize_for_mass_assignment(new_attributes, options = {})
+      if !new_attributes.respond_to?(:permitted?) || (new_attributes.respond_to?(:permitted?) && new_attributes.permitted?)
+        super
+      else
+        raise ActiveModel::ForbiddenAttributes
+      end
+    end
+  end
+end
+ActiveModel.autoload :ForbiddenAttributesProtection

data/lib/generators/rails/USAGE ADDED Viewed

@@ -0,0 +1,12 @@
+Description:
+    Stubs out a scaffolded controller and its views. Different from rails
+    scaffold_controller, it uses strong_parameters to whitelist permissible
+    attributes in a private method.
+    Pass the model name, either CamelCased or under_scored. The controller
+    name is retrieved as a pluralized version of the model name.
+    To create a controller within a module, specify the model name as a
+    path like 'parent_module/controller_name'.
+    This generates a controller class in app/controllers and invokes helper,
+    template engine and test framework generators.

data/lib/generators/rails/strong_parameters_controller_generator.rb ADDED Viewed

@@ -0,0 +1,10 @@
+require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
+module Rails
+  module Generators
+    class StrongParametersControllerGenerator < ScaffoldControllerGenerator
+      argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+      source_root File.expand_path("../templates", __FILE__)
+    end
+  end
+end

data/lib/generators/rails/templates/controller.rb ADDED Viewed

@@ -0,0 +1,94 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  # GET <%= route_url %>
+  # GET <%= route_url %>.json
+  def index
+    @<%= plural_table_name %> = <%= orm_class.all(class_name) %>
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: <%= "@#{plural_table_name}" %> }
+    end
+  end
+  # GET <%= route_url %>/1
+  # GET <%= route_url %>/1.json
+  def show
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+  # GET <%= route_url %>/new
+  # GET <%= route_url %>/new.json
+  def new
+    @<%= singular_table_name %> = <%= orm_class.build(class_name) %>
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+  # GET <%= route_url %>/1/edit
+  def edit
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+  end
+  # POST <%= route_url %>
+  # POST <%= route_url %>.json
+  def create
+    @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
+    respond_to do |format|
+      if @<%= orm_instance.save %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
+        format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
+      else
+        format.html { render action: "new" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+  # PATCH/PUT <%= route_url %>/1
+  # PATCH/PUT <%= route_url %>/1.json
+  def update
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    respond_to do |format|
+      if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
+        format.json { head :no_content }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+  # DELETE <%= route_url %>/1
+  # DELETE <%= route_url %>/1.json
+  def destroy
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    @<%= orm_instance.destroy %>
+    respond_to do |format|
+      format.html { redirect_to <%= index_helper %>_url }
+      format.json { head :no_content }
+    end
+  end
+  private
+    # Use this method to whitelist the permissible parameters. Example:
+    # params.require(:person).permit(:name, :age)
+    # Also, you can specialize this method with per-user checking of permissible attributes.
+    def <%= "#{singular_table_name}_params" %>
+      params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+    end
+end
+<% end -%>

data/lib/strict_parameters.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require 'action_controller/parameters'
+require 'active_model/forbidden_attributes_protection'
+require 'strong_parameters/railtie'

data/lib/strong_parameters/railtie.rb ADDED Viewed

@@ -0,0 +1,22 @@
+require 'rails/railtie'
+module StrongParameters
+  class Railtie < ::Rails::Railtie
+    config.strong_parameters = ActiveSupport::OrderedOptions.new
+    if config.respond_to?(:app_generators)
+      config.app_generators.scaffold_controller = :strong_parameters_controller
+    else
+      config.generators.scaffold_controller = :strong_parameters_controller
+    end
+    initializer "strong_parameters.strict", :group => :all do |app|
+      app.config.strong_parameters.strict ||= false
+    end
+    initializer "strong_parameters.set_config" do |app|
+      ActionController::Parameters.strict_config = app.config.strong_parameters.strict
+    end
+  end
+end

data/lib/strong_parameters/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module StrongParameters
+  VERSION = "0.1.4"
+end

data/test/action_controller_required_params_test.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require 'test_helper'
+class BooksController < ActionController::Base
+  def create
+    params.require(:book).require(:name)
+    head :ok
+  end
+end
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+  test "missing required parameters will raise exception" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_response :bad_request
+    post :create, { book: { title: "Mjallo!" } }
+    assert_response :bad_request
+  end
+  test "required parameters that are present will not raise" do
+    post :create, { book: { name: "Mjallo!" } }
+    assert_response :ok
+  end
+  test "missing parameters will be mentioned in the return" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_equal "Required parameter missing: book", response.body
+  end
+end

data/test/action_controller_strict_params_test.rb ADDED Viewed

@@ -0,0 +1,26 @@
+class ArticlesController < ActionController::Base
+  def create
+    params[:author].strict!.permit(:name)
+    head :ok
+  end
+end
+class ActionControllerStrongParamsTest < ActionController::TestCase
+  tests ArticlesController
+  test "missing strict parameters will raise exception" do
+    post :create, { author: { pet: "Toby" } }
+    assert_response :unprocessable_entity
+  end
+  test "strict parameters that are present will not raise" do
+    post :create, { author: { name: "David" } }
+    assert_response :ok
+  end
+  test "extra parameters will be mentioned in the return" do
+    post :create, { author: { password: "rails" } }
+    assert_equal "Parameters forbidden: password", response.body
+  end
+end

data/test/action_controller_tainted_params_test.rb ADDED Viewed

@@ -0,0 +1,25 @@
+require 'test_helper'
+class PeopleController < ActionController::Base
+  def create
+    render text: params[:person].permitted? ? "untainted" : "tainted"
+  end
+  def create_with_permit
+    render text: params[:person].permit(:name).permitted? ? "untainted" : "tainted"
+  end
+end
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+  test "parameters are tainted" do
+    post :create, { person: { name: "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { person: { name: "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_model_mass_assignment_taint_protection_test.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require 'test_helper'
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::ForbiddenAttributesProtection
+  public :sanitize_for_mass_assignment
+end
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating" do
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b"))
+    end
+  end
+  test "permitted attributes can be used for mass updating" do
+    assert_nothing_raised do
+      assert_equal({ "a" => "b" },
+        Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b").permit(:a)))
+    end
+  end
+  test "regular attributes should still be allowed" do
+    assert_nothing_raised do
+      assert_equal({ a: "b" },
+        Person.new.sanitize_for_mass_assignment(a: "b"))
+    end
+  end
+end

data/test/controller_generator_test.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require 'rails/generators/test_case'
+require 'generators/rails/strong_parameters_controller_generator'
+class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
+  tests Rails::Generators::StrongParametersControllerGenerator
+  arguments %w(User name:string age:integer --orm=none)
+  destination File.expand_path("../tmp", File.dirname(__FILE__))
+  setup :prepare_destination
+  def test_controller_content
+    run_generator
+    assert_file "app/controllers/users_controller.rb" do |content|
+      assert_instance_method :create, content do |m|
+        assert_match(/@user = User\.new\(user_params\)/, m)
+        assert_match(/@user\.save/, m)
+        assert_match(/@user\.errors/, m)
+      end
+      assert_instance_method :update, content do |m|
+        assert_match(/@user = User\.find\(params\[:id\]\)/, m)
+        assert_match(/@user\.update_attributes\(user_params\)/, m)
+        assert_match(/@user\.errors/, m)
+      end
+      assert_match(/def user_params/, content)
+      assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content)
+    end
+  end
+end

data/test/nested_parameters_test.rb ADDED Viewed

@@ -0,0 +1,95 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class NestedParametersTest < ActiveSupport::TestCase
+  test "permitted nested parameters" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        authors: [{
+          name: "William Shakespeare",
+          born: "1564-04-26"
+        }, {
+          name: "Christopher Marlowe"
+        }],
+        details: {
+          pages: 200,
+          genre: "Tragedy"
+        }
+      },
+      magazine: "Mjallo!"
+    })
+    permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages } ]
+    assert permitted.permitted?
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+    assert_equal 200, permitted[:book][:details][:pages]
+    assert_nil permitted[:book][:details][:genre]
+    assert_nil permitted[:book][:authors][1][:born]
+    assert_nil permitted[:magazine]
+  end
+  test "nested arrays with strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+    permitted = params.permit :book => :genres
+    assert_equal ["Tragedy"], permitted[:book][:genres]
+  end
+  test "permit may specify symbols or strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :author => "William Shakespeare"
+      },
+      :magazine => "Shakespeare Today"
+    })
+    permitted = params.permit({:book => ["title", :author]}, "magazine")
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:author]
+    assert_equal "Shakespeare Today", permitted[:magazine]
+  end
+  test "nested array with strings that should be hashes" do
+    params = ActionController::Parameters.new({
+      book: {
+        genres: ["Tragedy"]
+      }
+    })
+    permitted = params.permit book: { genres: :type }
+    assert_empty permitted[:book][:genres]
+  end
+  test "nested array with strings that should be hashes and additional values" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        genres: ["Tragedy"]
+      }
+    })
+    permitted = params.permit book: [ :title, { genres: :type } ]
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_empty permitted[:book][:genres]
+  end
+  test "nested string that should be a hash" do
+    params = ActionController::Parameters.new({
+      book: {
+        genre: "Tragedy"
+      }
+    })
+    permitted = params.permit book: { genre: :type }
+    assert_nil permitted[:book][:genre]
+  end
+end

data/test/parameters_require_test.rb ADDED Viewed

@@ -0,0 +1,10 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class ParametersRequireTest < ActiveSupport::TestCase
+  test "required parameters must be present not merely not nil" do
+    assert_raises(ActionController::ParameterMissing) do
+      ActionController::Parameters.new(person: {}).require(:person)
+    end
+  end
+end

data/test/parameters_strict_test.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class ParametersStrictTest < ActiveSupport::TestCase
+  setup do
+    @params = ActionController::Parameters.new({ person: {
+      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+    }})
+  end
+  test 'raises ParameterForbidden when we have extra parameters' do
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params[:person].strict!.permit(:age)
+    end
+  end
+  test 'doesnt raise ParameterForbidden when the parameter are exact' do
+    assert_nothing_raised do
+      @params[:person].strict!.permit(:age, :name)
+    end
+  end
+  test 'doesnt raise ParameterForbidden when the parameter are exact using nesting' do
+    assert_nothing_raised do
+      @params[:person].strict!.permit(:age, name: [:first, :last])
+    end
+  end
+  test 'raises ParameterForbidden when we have extra nested parameters' do
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params[:person].strict!.permit(:age, name: [:first, :third])
+    end
+  end
+  test 'raises ParameterForbidden when we have extra deep nested parameters' do
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params.strict!.permit(person: [ :age, name: [:first, :third]])
+    end
+  end
+  test 'doesnt raise ParameterForbidden when the parameter are exact using deep nesting' do
+    assert_nothing_raised do
+      @params.strict!.permit(person: [ :age, name: [:first, :last]])
+    end
+  end
+  test 'the strict params are permitted' do
+    assert @params[:person].strict!.permit(:age, :name).permitted?
+  end
+  test 'works with embedded hashes' do
+    nested_hash_params = ActionController::Parameters.new(
+      email: "test@example.com", profile: {person_description: { age: 35, sex: 'f'}}
+    )
+    e = assert_raises(ActionController::ParameterForbidden) do
+      nested_hash_params.strict!.permit( :email, profile: { person_description: []})
+    end
+  end
+  test 'raises when enabled from class config' do
+    ActionController::Parameters.strict_config = true
+    e = assert_raises(ActionController::ParameterForbidden) do
+      @params[:person].permit(:age)
+    end
+  end
+  test 'its disabled by default' do
+    assert_nothing_raised do
+      @params[:person].permit(:age)
+    end
+  end
+end

data/test/parameters_taint_test.rb ADDED Viewed

@@ -0,0 +1,61 @@
+require 'test_helper'
+require 'action_controller/parameters'
+class ParametersTaintTest < ActiveSupport::TestCase
+  setup do
+    @params = ActionController::Parameters.new({ person: {
+      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+    }})
+  end
+  test "fetch raises ParameterMissing exception" do
+    e = assert_raises(ActionController::ParameterMissing) do
+      @params.fetch :foo
+    end
+    assert_equal :foo, e.param
+  end
+  test "fetch doesnt raise ParameterMissing exception if there is a default" do
+    assert_nothing_raised do
+      assert_equal "monkey", @params.fetch(:foo, "monkey")
+      assert_equal "monkey", @params.fetch(:foo) { "monkey" }
+    end
+  end
+  test "permitted is sticky on accessors" do
+    assert !@params.slice(:person).permitted?
+    assert !@params[:person][:name].permitted?
+    @params.each { |key, value| assert(value.permitted?) if key == :person }
+    assert !@params.fetch(:person).permitted?
+    assert !@params.values_at(:person).first.permitted?
+  end
+  test "permitted is sticky on mutators" do
+    assert !@params.delete_if { |k| k == :person }.permitted?
+    assert !@params.keep_if { |k,v| k == :person }.permitted?
+  end
+  test "permitted is sticky beyond merges" do
+    assert !@params.merge(a: "b").permitted?
+  end
+  test "modifying the parameters" do
+    @params[:person][:hometown] = "Chicago"
+    @params[:person][:family] = { brother: "Jonas" }
+    assert_equal "Chicago", @params[:person][:hometown]
+    assert_equal "Jonas", @params[:person][:family][:brother]
+  end
+  test "permitting parameters that are not there should not include the keys" do
+    assert !@params.permit(:person, :funky).has_key?(:funky)
+  end
+  test "permit state is kept on a dup" do
+    @params.permit!
+    assert_equal @params.permitted?, @params.dup.permitted?
+  end
+end

data/test/test_helper.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+require 'test/unit'
+require 'strong_parameters'
+module ActionController
+  SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
+  SharedTestRoutes.draw do
+    match ':controller(/:action)'
+  end
+  class Base
+    include ActionController::Testing
+    include SharedTestRoutes.url_helpers
+  end
+  class ActionController::TestCase
+    setup do
+      @routes = SharedTestRoutes
+    end
+  end
+end
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }

metadata ADDED Viewed

@@ -0,0 +1,140 @@
+--- !ruby/object:Gem::Specification
+name: strict_parameters
+version: !ruby/object:Gem::Version
+  version: 0.1.4
+  prerelease:
+platform: ruby
+authors:
+- David Heinemeier Hansson
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-08-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- david@heinemeierhansson.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/action_controller/parameters.rb
+- lib/active_model/forbidden_attributes_protection.rb
+- lib/generators/rails/strong_parameters_controller_generator.rb
+- lib/generators/rails/templates/controller.rb
+- lib/generators/rails/USAGE
+- lib/strict_parameters.rb
+- lib/strong_parameters/railtie.rb
+- lib/strong_parameters/version.rb
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+- test/action_controller_required_params_test.rb
+- test/action_controller_strict_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/controller_generator_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_strict_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb
+homepage:
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.23
+signing_key:
+specification_version: 3
+summary: Permitted and required parameters for Action Pack
+test_files:
+- test/action_controller_required_params_test.rb
+- test/action_controller_strict_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/controller_generator_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_strict_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb