strict_parameters 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- data/MIT-LICENSE +20 -0
- data/README.rdoc +44 -0
- data/Rakefile +38 -0
- data/lib/action_controller/parameters.rb +167 -0
- data/lib/active_model/forbidden_attributes_protection.rb +16 -0
- data/lib/generators/rails/USAGE +12 -0
- data/lib/generators/rails/strong_parameters_controller_generator.rb +10 -0
- data/lib/generators/rails/templates/controller.rb +94 -0
- data/lib/strict_parameters.rb +3 -0
- data/lib/strong_parameters/railtie.rb +22 -0
- data/lib/strong_parameters/version.rb +3 -0
- data/test/action_controller_required_params_test.rb +30 -0
- data/test/action_controller_strict_params_test.rb +26 -0
- data/test/action_controller_tainted_params_test.rb +25 -0
- data/test/active_model_mass_assignment_taint_protection_test.rb +30 -0
- data/test/controller_generator_test.rb +31 -0
- data/test/nested_parameters_test.rb +95 -0
- data/test/parameters_require_test.rb +10 -0
- data/test/parameters_strict_test.rb +74 -0
- data/test/parameters_taint_test.rb +61 -0
- data/test/test_helper.rb +27 -0
- metadata +140 -0
data/MIT-LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright 2012 David Heinemeier Hansson
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,44 @@
|
|
1
|
+
= Strong Parameters
|
2
|
+
|
3
|
+
With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
|
4
|
+
|
5
|
+
In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
|
6
|
+
|
7
|
+
class PeopleController < ActionController::Base
|
8
|
+
# This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
|
9
|
+
# without an explicit permit step.
|
10
|
+
def create
|
11
|
+
Person.create(params[:person])
|
12
|
+
end
|
13
|
+
|
14
|
+
# This will pass with flying colors as long as there's a person key in the parameters, otherwise
|
15
|
+
# it'll raise a ActionController::MissingParameter exception, which will get caught by
|
16
|
+
# ActionController::Base and turned into that 400 Bad Request reply.
|
17
|
+
def update
|
18
|
+
redirect_to current_account.people.find(params[:id]).tap do |person|
|
19
|
+
person.update_attributes!(person_params)
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
private
|
24
|
+
# Using a private method to encapsulate the permissible parameters is just a good pattern
|
25
|
+
# since you'll be able to reuse the same permit list between create and update. Also, you
|
26
|
+
# can specialize this method with per-user checking of permissible attributes.
|
27
|
+
def person_params
|
28
|
+
params.require(:person).permit(:name, :age)
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
You can also use permit on nested parameters, like:
|
33
|
+
|
34
|
+
params.permit(:name, friends: [ :name, { family: [ :name ] }])
|
35
|
+
|
36
|
+
Thanks to Nick Kallen for the permit idea!
|
37
|
+
|
38
|
+
== Todos
|
39
|
+
|
40
|
+
* Automatically permit parameters coming from a signed form [Yehuda]
|
41
|
+
|
42
|
+
== Compatibility
|
43
|
+
|
44
|
+
Due to a testing issue, this plugin is only fully compatible with rails/3-2-stable rev 275ee0dc7b and forward as well as rails/master rev b49a7ddce1 and forward.
|
data/Rakefile
ADDED
@@ -0,0 +1,38 @@
|
|
1
|
+
#!/usr/bin/env rake
|
2
|
+
begin
|
3
|
+
require 'bundler/setup'
|
4
|
+
rescue LoadError
|
5
|
+
puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
|
6
|
+
end
|
7
|
+
begin
|
8
|
+
require 'rdoc/task'
|
9
|
+
rescue LoadError
|
10
|
+
require 'rdoc/rdoc'
|
11
|
+
require 'rake/rdoctask'
|
12
|
+
RDoc::Task = Rake::RDocTask
|
13
|
+
end
|
14
|
+
|
15
|
+
RDoc::Task.new(:rdoc) do |rdoc|
|
16
|
+
rdoc.rdoc_dir = 'rdoc'
|
17
|
+
rdoc.title = 'StrongParameters'
|
18
|
+
rdoc.options << '--line-numbers'
|
19
|
+
rdoc.rdoc_files.include('README.rdoc')
|
20
|
+
rdoc.rdoc_files.include('lib/**/*.rb')
|
21
|
+
end
|
22
|
+
|
23
|
+
|
24
|
+
|
25
|
+
|
26
|
+
Bundler::GemHelper.install_tasks
|
27
|
+
|
28
|
+
require 'rake/testtask'
|
29
|
+
|
30
|
+
Rake::TestTask.new(:test) do |t|
|
31
|
+
t.libs << 'lib'
|
32
|
+
t.libs << 'test'
|
33
|
+
t.pattern = 'test/**/*_test.rb'
|
34
|
+
t.verbose = false
|
35
|
+
end
|
36
|
+
|
37
|
+
|
38
|
+
task :default => :test
|
@@ -0,0 +1,167 @@
|
|
1
|
+
require 'active_support/concern'
|
2
|
+
require 'active_support/core_ext/hash/indifferent_access'
|
3
|
+
require 'action_controller'
|
4
|
+
|
5
|
+
module ActionController
|
6
|
+
class ParameterMissing < IndexError
|
7
|
+
attr_reader :param
|
8
|
+
|
9
|
+
def initialize(param)
|
10
|
+
@param = param
|
11
|
+
super("key not found: #{param}")
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
class ParameterForbidden < IndexError
|
16
|
+
attr_reader :param
|
17
|
+
|
18
|
+
def initialize(param)
|
19
|
+
@param = param
|
20
|
+
super("key forbidden: #{param}")
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
class Parameters < ActiveSupport::HashWithIndifferentAccess
|
25
|
+
cattr_accessor :strict_config
|
26
|
+
|
27
|
+
attr_accessor :permitted
|
28
|
+
alias :permitted? :permitted
|
29
|
+
|
30
|
+
def initialize(attributes = nil)
|
31
|
+
super(attributes)
|
32
|
+
@permitted = false
|
33
|
+
@strict = false
|
34
|
+
end
|
35
|
+
|
36
|
+
def permit!
|
37
|
+
@permitted = true
|
38
|
+
self
|
39
|
+
end
|
40
|
+
|
41
|
+
def require(key)
|
42
|
+
self[key].presence || raise(ActionController::ParameterMissing.new(key))
|
43
|
+
end
|
44
|
+
|
45
|
+
alias :required :require
|
46
|
+
|
47
|
+
def strict!
|
48
|
+
@strict = true
|
49
|
+
self
|
50
|
+
end
|
51
|
+
|
52
|
+
def permit(*filters)
|
53
|
+
check_parameters(*filters) if @strict || @@strict_config
|
54
|
+
permit_parameters(*filters)
|
55
|
+
end
|
56
|
+
|
57
|
+
def [](key)
|
58
|
+
convert_hashes_to_parameters(key, super)
|
59
|
+
end
|
60
|
+
|
61
|
+
def fetch(key, *args)
|
62
|
+
convert_hashes_to_parameters(key, super)
|
63
|
+
rescue KeyError
|
64
|
+
raise ActionController::ParameterMissing.new(key)
|
65
|
+
end
|
66
|
+
|
67
|
+
def slice(*keys)
|
68
|
+
self.class.new(super)
|
69
|
+
end
|
70
|
+
|
71
|
+
def dup
|
72
|
+
super.tap do |duplicate|
|
73
|
+
duplicate.instance_variable_set :@permitted, @permitted
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
protected
|
78
|
+
def check_parameters(*filters)
|
79
|
+
param_keys = filters.map { |filter| filter.is_a?(Hash) ? filter.keys : filter }
|
80
|
+
param_keys = param_keys.flatten.map(&:to_s)
|
81
|
+
diff = self.keys - param_keys
|
82
|
+
|
83
|
+
# exit on first mismatch
|
84
|
+
raise(ActionController::ParameterForbidden.new(diff)) unless diff.empty?
|
85
|
+
|
86
|
+
filters.each do |filter|
|
87
|
+
if filter.is_a?(Hash)
|
88
|
+
filter.each do |key,value|
|
89
|
+
params = self.class.new(self[key])
|
90
|
+
params.check_parameters(*Array.wrap(filter[key]))
|
91
|
+
end
|
92
|
+
end
|
93
|
+
end
|
94
|
+
|
95
|
+
end
|
96
|
+
|
97
|
+
def permit_parameters(*filters)
|
98
|
+
params = self.class.new
|
99
|
+
|
100
|
+
filters.each do |filter|
|
101
|
+
case filter
|
102
|
+
when Symbol, String then
|
103
|
+
params[filter] = self[filter] if has_key?(filter)
|
104
|
+
when Hash then
|
105
|
+
self.slice(*filter.keys).each do |key, value|
|
106
|
+
return unless value
|
107
|
+
|
108
|
+
key = key.to_sym
|
109
|
+
|
110
|
+
params[key] = each_element(value) do |value|
|
111
|
+
# filters are a Hash, so we expect value to be a Hash too
|
112
|
+
next if filter.is_a?(Hash) && !value.is_a?(Hash)
|
113
|
+
|
114
|
+
value = self.class.new(value) if !value.respond_to?(:permit)
|
115
|
+
|
116
|
+
value.permit_parameters(*Array.wrap(filter[key]))
|
117
|
+
end
|
118
|
+
end
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
122
|
+
params.permit!
|
123
|
+
end
|
124
|
+
|
125
|
+
private
|
126
|
+
def convert_hashes_to_parameters(key, value)
|
127
|
+
if value.is_a?(Parameters) || !value.is_a?(Hash)
|
128
|
+
value
|
129
|
+
else
|
130
|
+
# Convert to Parameters on first access
|
131
|
+
self[key] = self.class.new(value)
|
132
|
+
end
|
133
|
+
end
|
134
|
+
|
135
|
+
def each_element(object)
|
136
|
+
if object.is_a?(Array)
|
137
|
+
object.map { |el| yield el }.compact
|
138
|
+
else
|
139
|
+
yield object
|
140
|
+
end
|
141
|
+
end
|
142
|
+
end
|
143
|
+
|
144
|
+
module StrongParameters
|
145
|
+
extend ActiveSupport::Concern
|
146
|
+
|
147
|
+
included do
|
148
|
+
rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
|
149
|
+
render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
|
150
|
+
end
|
151
|
+
|
152
|
+
rescue_from(ActionController::ParameterForbidden) do |parameter_forbidden_exception|
|
153
|
+
render :text => "Parameters forbidden: #{parameter_forbidden_exception.param.join(' ')}", :status => :unprocessable_entity
|
154
|
+
end
|
155
|
+
end
|
156
|
+
|
157
|
+
def params
|
158
|
+
@_params ||= Parameters.new(request.parameters)
|
159
|
+
end
|
160
|
+
|
161
|
+
def params=(val)
|
162
|
+
@_params = val.is_a?(Hash) ? Parameters.new(val) : val
|
163
|
+
end
|
164
|
+
end
|
165
|
+
end
|
166
|
+
|
167
|
+
ActionController::Base.send :include, ActionController::StrongParameters
|
@@ -0,0 +1,16 @@
|
|
1
|
+
module ActiveModel
|
2
|
+
class ForbiddenAttributes < StandardError
|
3
|
+
end
|
4
|
+
|
5
|
+
module ForbiddenAttributesProtection
|
6
|
+
def sanitize_for_mass_assignment(new_attributes, options = {})
|
7
|
+
if !new_attributes.respond_to?(:permitted?) || (new_attributes.respond_to?(:permitted?) && new_attributes.permitted?)
|
8
|
+
super
|
9
|
+
else
|
10
|
+
raise ActiveModel::ForbiddenAttributes
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
16
|
+
ActiveModel.autoload :ForbiddenAttributesProtection
|
@@ -0,0 +1,12 @@
|
|
1
|
+
Description:
|
2
|
+
Stubs out a scaffolded controller and its views. Different from rails
|
3
|
+
scaffold_controller, it uses strong_parameters to whitelist permissible
|
4
|
+
attributes in a private method.
|
5
|
+
Pass the model name, either CamelCased or under_scored. The controller
|
6
|
+
name is retrieved as a pluralized version of the model name.
|
7
|
+
|
8
|
+
To create a controller within a module, specify the model name as a
|
9
|
+
path like 'parent_module/controller_name'.
|
10
|
+
|
11
|
+
This generates a controller class in app/controllers and invokes helper,
|
12
|
+
template engine and test framework generators.
|
@@ -0,0 +1,10 @@
|
|
1
|
+
require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
|
2
|
+
|
3
|
+
module Rails
|
4
|
+
module Generators
|
5
|
+
class StrongParametersControllerGenerator < ScaffoldControllerGenerator
|
6
|
+
argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
|
7
|
+
source_root File.expand_path("../templates", __FILE__)
|
8
|
+
end
|
9
|
+
end
|
10
|
+
end
|
@@ -0,0 +1,94 @@
|
|
1
|
+
<% module_namespacing do -%>
|
2
|
+
class <%= controller_class_name %>Controller < ApplicationController
|
3
|
+
# GET <%= route_url %>
|
4
|
+
# GET <%= route_url %>.json
|
5
|
+
def index
|
6
|
+
@<%= plural_table_name %> = <%= orm_class.all(class_name) %>
|
7
|
+
|
8
|
+
respond_to do |format|
|
9
|
+
format.html # index.html.erb
|
10
|
+
format.json { render json: <%= "@#{plural_table_name}" %> }
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
# GET <%= route_url %>/1
|
15
|
+
# GET <%= route_url %>/1.json
|
16
|
+
def show
|
17
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
18
|
+
|
19
|
+
respond_to do |format|
|
20
|
+
format.html # show.html.erb
|
21
|
+
format.json { render json: <%= "@#{singular_table_name}" %> }
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
# GET <%= route_url %>/new
|
26
|
+
# GET <%= route_url %>/new.json
|
27
|
+
def new
|
28
|
+
@<%= singular_table_name %> = <%= orm_class.build(class_name) %>
|
29
|
+
|
30
|
+
respond_to do |format|
|
31
|
+
format.html # new.html.erb
|
32
|
+
format.json { render json: <%= "@#{singular_table_name}" %> }
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
# GET <%= route_url %>/1/edit
|
37
|
+
def edit
|
38
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
39
|
+
end
|
40
|
+
|
41
|
+
# POST <%= route_url %>
|
42
|
+
# POST <%= route_url %>.json
|
43
|
+
def create
|
44
|
+
@<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
|
45
|
+
|
46
|
+
respond_to do |format|
|
47
|
+
if @<%= orm_instance.save %>
|
48
|
+
format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
|
49
|
+
format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
|
50
|
+
else
|
51
|
+
format.html { render action: "new" }
|
52
|
+
format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
|
57
|
+
# PATCH/PUT <%= route_url %>/1
|
58
|
+
# PATCH/PUT <%= route_url %>/1.json
|
59
|
+
def update
|
60
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
61
|
+
|
62
|
+
respond_to do |format|
|
63
|
+
if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
|
64
|
+
format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
|
65
|
+
format.json { head :no_content }
|
66
|
+
else
|
67
|
+
format.html { render action: "edit" }
|
68
|
+
format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
# DELETE <%= route_url %>/1
|
74
|
+
# DELETE <%= route_url %>/1.json
|
75
|
+
def destroy
|
76
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
77
|
+
@<%= orm_instance.destroy %>
|
78
|
+
|
79
|
+
respond_to do |format|
|
80
|
+
format.html { redirect_to <%= index_helper %>_url }
|
81
|
+
format.json { head :no_content }
|
82
|
+
end
|
83
|
+
end
|
84
|
+
|
85
|
+
private
|
86
|
+
|
87
|
+
# Use this method to whitelist the permissible parameters. Example:
|
88
|
+
# params.require(:person).permit(:name, :age)
|
89
|
+
# Also, you can specialize this method with per-user checking of permissible attributes.
|
90
|
+
def <%= "#{singular_table_name}_params" %>
|
91
|
+
params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
|
92
|
+
end
|
93
|
+
end
|
94
|
+
<% end -%>
|
@@ -0,0 +1,22 @@
|
|
1
|
+
require 'rails/railtie'
|
2
|
+
|
3
|
+
module StrongParameters
|
4
|
+
class Railtie < ::Rails::Railtie
|
5
|
+
config.strong_parameters = ActiveSupport::OrderedOptions.new
|
6
|
+
|
7
|
+
if config.respond_to?(:app_generators)
|
8
|
+
config.app_generators.scaffold_controller = :strong_parameters_controller
|
9
|
+
else
|
10
|
+
config.generators.scaffold_controller = :strong_parameters_controller
|
11
|
+
end
|
12
|
+
|
13
|
+
initializer "strong_parameters.strict", :group => :all do |app|
|
14
|
+
app.config.strong_parameters.strict ||= false
|
15
|
+
end
|
16
|
+
|
17
|
+
initializer "strong_parameters.set_config" do |app|
|
18
|
+
ActionController::Parameters.strict_config = app.config.strong_parameters.strict
|
19
|
+
end
|
20
|
+
|
21
|
+
end
|
22
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class BooksController < ActionController::Base
|
4
|
+
def create
|
5
|
+
params.require(:book).require(:name)
|
6
|
+
head :ok
|
7
|
+
end
|
8
|
+
end
|
9
|
+
|
10
|
+
class ActionControllerRequiredParamsTest < ActionController::TestCase
|
11
|
+
tests BooksController
|
12
|
+
|
13
|
+
test "missing required parameters will raise exception" do
|
14
|
+
post :create, { magazine: { name: "Mjallo!" } }
|
15
|
+
assert_response :bad_request
|
16
|
+
|
17
|
+
post :create, { book: { title: "Mjallo!" } }
|
18
|
+
assert_response :bad_request
|
19
|
+
end
|
20
|
+
|
21
|
+
test "required parameters that are present will not raise" do
|
22
|
+
post :create, { book: { name: "Mjallo!" } }
|
23
|
+
assert_response :ok
|
24
|
+
end
|
25
|
+
|
26
|
+
test "missing parameters will be mentioned in the return" do
|
27
|
+
post :create, { magazine: { name: "Mjallo!" } }
|
28
|
+
assert_equal "Required parameter missing: book", response.body
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
class ArticlesController < ActionController::Base
|
2
|
+
def create
|
3
|
+
params[:author].strict!.permit(:name)
|
4
|
+
head :ok
|
5
|
+
end
|
6
|
+
end
|
7
|
+
|
8
|
+
class ActionControllerStrongParamsTest < ActionController::TestCase
|
9
|
+
tests ArticlesController
|
10
|
+
|
11
|
+
test "missing strict parameters will raise exception" do
|
12
|
+
post :create, { author: { pet: "Toby" } }
|
13
|
+
assert_response :unprocessable_entity
|
14
|
+
end
|
15
|
+
|
16
|
+
test "strict parameters that are present will not raise" do
|
17
|
+
post :create, { author: { name: "David" } }
|
18
|
+
assert_response :ok
|
19
|
+
end
|
20
|
+
|
21
|
+
test "extra parameters will be mentioned in the return" do
|
22
|
+
post :create, { author: { password: "rails" } }
|
23
|
+
assert_equal "Parameters forbidden: password", response.body
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
@@ -0,0 +1,25 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class PeopleController < ActionController::Base
|
4
|
+
def create
|
5
|
+
render text: params[:person].permitted? ? "untainted" : "tainted"
|
6
|
+
end
|
7
|
+
|
8
|
+
def create_with_permit
|
9
|
+
render text: params[:person].permit(:name).permitted? ? "untainted" : "tainted"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
class ActionControllerTaintedParamsTest < ActionController::TestCase
|
14
|
+
tests PeopleController
|
15
|
+
|
16
|
+
test "parameters are tainted" do
|
17
|
+
post :create, { person: { name: "Mjallo!" } }
|
18
|
+
assert_equal "tainted", response.body
|
19
|
+
end
|
20
|
+
|
21
|
+
test "parameters can be permitted and are then not tainted" do
|
22
|
+
post :create_with_permit, { person: { name: "Mjallo!" } }
|
23
|
+
assert_equal "untainted", response.body
|
24
|
+
end
|
25
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class Person
|
4
|
+
include ActiveModel::MassAssignmentSecurity
|
5
|
+
include ActiveModel::ForbiddenAttributesProtection
|
6
|
+
|
7
|
+
public :sanitize_for_mass_assignment
|
8
|
+
end
|
9
|
+
|
10
|
+
class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
|
11
|
+
test "forbidden attributes cannot be used for mass updating" do
|
12
|
+
assert_raises(ActiveModel::ForbiddenAttributes) do
|
13
|
+
Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b"))
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
test "permitted attributes can be used for mass updating" do
|
18
|
+
assert_nothing_raised do
|
19
|
+
assert_equal({ "a" => "b" },
|
20
|
+
Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b").permit(:a)))
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
test "regular attributes should still be allowed" do
|
25
|
+
assert_nothing_raised do
|
26
|
+
assert_equal({ a: "b" },
|
27
|
+
Person.new.sanitize_for_mass_assignment(a: "b"))
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
require 'rails/generators/test_case'
|
2
|
+
require 'generators/rails/strong_parameters_controller_generator'
|
3
|
+
|
4
|
+
class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
|
5
|
+
tests Rails::Generators::StrongParametersControllerGenerator
|
6
|
+
arguments %w(User name:string age:integer --orm=none)
|
7
|
+
destination File.expand_path("../tmp", File.dirname(__FILE__))
|
8
|
+
setup :prepare_destination
|
9
|
+
|
10
|
+
def test_controller_content
|
11
|
+
run_generator
|
12
|
+
|
13
|
+
assert_file "app/controllers/users_controller.rb" do |content|
|
14
|
+
|
15
|
+
assert_instance_method :create, content do |m|
|
16
|
+
assert_match(/@user = User\.new\(user_params\)/, m)
|
17
|
+
assert_match(/@user\.save/, m)
|
18
|
+
assert_match(/@user\.errors/, m)
|
19
|
+
end
|
20
|
+
|
21
|
+
assert_instance_method :update, content do |m|
|
22
|
+
assert_match(/@user = User\.find\(params\[:id\]\)/, m)
|
23
|
+
assert_match(/@user\.update_attributes\(user_params\)/, m)
|
24
|
+
assert_match(/@user\.errors/, m)
|
25
|
+
end
|
26
|
+
|
27
|
+
assert_match(/def user_params/, content)
|
28
|
+
assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content)
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,95 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class NestedParametersTest < ActiveSupport::TestCase
|
5
|
+
test "permitted nested parameters" do
|
6
|
+
params = ActionController::Parameters.new({
|
7
|
+
book: {
|
8
|
+
title: "Romeo and Juliet",
|
9
|
+
authors: [{
|
10
|
+
name: "William Shakespeare",
|
11
|
+
born: "1564-04-26"
|
12
|
+
}, {
|
13
|
+
name: "Christopher Marlowe"
|
14
|
+
}],
|
15
|
+
details: {
|
16
|
+
pages: 200,
|
17
|
+
genre: "Tragedy"
|
18
|
+
}
|
19
|
+
},
|
20
|
+
magazine: "Mjallo!"
|
21
|
+
})
|
22
|
+
|
23
|
+
permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages } ]
|
24
|
+
|
25
|
+
assert permitted.permitted?
|
26
|
+
assert_equal "Romeo and Juliet", permitted[:book][:title]
|
27
|
+
assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
|
28
|
+
assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
|
29
|
+
assert_equal 200, permitted[:book][:details][:pages]
|
30
|
+
assert_nil permitted[:book][:details][:genre]
|
31
|
+
assert_nil permitted[:book][:authors][1][:born]
|
32
|
+
assert_nil permitted[:magazine]
|
33
|
+
end
|
34
|
+
|
35
|
+
test "nested arrays with strings" do
|
36
|
+
params = ActionController::Parameters.new({
|
37
|
+
:book => {
|
38
|
+
:genres => ["Tragedy"]
|
39
|
+
}
|
40
|
+
})
|
41
|
+
|
42
|
+
permitted = params.permit :book => :genres
|
43
|
+
assert_equal ["Tragedy"], permitted[:book][:genres]
|
44
|
+
end
|
45
|
+
|
46
|
+
test "permit may specify symbols or strings" do
|
47
|
+
params = ActionController::Parameters.new({
|
48
|
+
:book => {
|
49
|
+
:title => "Romeo and Juliet",
|
50
|
+
:author => "William Shakespeare"
|
51
|
+
},
|
52
|
+
:magazine => "Shakespeare Today"
|
53
|
+
})
|
54
|
+
|
55
|
+
permitted = params.permit({:book => ["title", :author]}, "magazine")
|
56
|
+
assert_equal "Romeo and Juliet", permitted[:book][:title]
|
57
|
+
assert_equal "William Shakespeare", permitted[:book][:author]
|
58
|
+
assert_equal "Shakespeare Today", permitted[:magazine]
|
59
|
+
end
|
60
|
+
|
61
|
+
test "nested array with strings that should be hashes" do
|
62
|
+
params = ActionController::Parameters.new({
|
63
|
+
book: {
|
64
|
+
genres: ["Tragedy"]
|
65
|
+
}
|
66
|
+
})
|
67
|
+
|
68
|
+
permitted = params.permit book: { genres: :type }
|
69
|
+
assert_empty permitted[:book][:genres]
|
70
|
+
end
|
71
|
+
|
72
|
+
test "nested array with strings that should be hashes and additional values" do
|
73
|
+
params = ActionController::Parameters.new({
|
74
|
+
book: {
|
75
|
+
title: "Romeo and Juliet",
|
76
|
+
genres: ["Tragedy"]
|
77
|
+
}
|
78
|
+
})
|
79
|
+
|
80
|
+
permitted = params.permit book: [ :title, { genres: :type } ]
|
81
|
+
assert_equal "Romeo and Juliet", permitted[:book][:title]
|
82
|
+
assert_empty permitted[:book][:genres]
|
83
|
+
end
|
84
|
+
|
85
|
+
test "nested string that should be a hash" do
|
86
|
+
params = ActionController::Parameters.new({
|
87
|
+
book: {
|
88
|
+
genre: "Tragedy"
|
89
|
+
}
|
90
|
+
})
|
91
|
+
|
92
|
+
permitted = params.permit book: { genre: :type }
|
93
|
+
assert_nil permitted[:book][:genre]
|
94
|
+
end
|
95
|
+
end
|
@@ -0,0 +1,10 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class ParametersRequireTest < ActiveSupport::TestCase
|
5
|
+
test "required parameters must be present not merely not nil" do
|
6
|
+
assert_raises(ActionController::ParameterMissing) do
|
7
|
+
ActionController::Parameters.new(person: {}).require(:person)
|
8
|
+
end
|
9
|
+
end
|
10
|
+
end
|
@@ -0,0 +1,74 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class ParametersStrictTest < ActiveSupport::TestCase
|
5
|
+
setup do
|
6
|
+
@params = ActionController::Parameters.new({ person: {
|
7
|
+
age: "32", name: { first: "David", last: "Heinemeier Hansson" }
|
8
|
+
}})
|
9
|
+
end
|
10
|
+
|
11
|
+
test 'raises ParameterForbidden when we have extra parameters' do
|
12
|
+
e = assert_raises(ActionController::ParameterForbidden) do
|
13
|
+
@params[:person].strict!.permit(:age)
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
test 'doesnt raise ParameterForbidden when the parameter are exact' do
|
18
|
+
assert_nothing_raised do
|
19
|
+
@params[:person].strict!.permit(:age, :name)
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
test 'doesnt raise ParameterForbidden when the parameter are exact using nesting' do
|
24
|
+
assert_nothing_raised do
|
25
|
+
@params[:person].strict!.permit(:age, name: [:first, :last])
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
test 'raises ParameterForbidden when we have extra nested parameters' do
|
30
|
+
e = assert_raises(ActionController::ParameterForbidden) do
|
31
|
+
@params[:person].strict!.permit(:age, name: [:first, :third])
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
test 'raises ParameterForbidden when we have extra deep nested parameters' do
|
36
|
+
e = assert_raises(ActionController::ParameterForbidden) do
|
37
|
+
@params.strict!.permit(person: [ :age, name: [:first, :third]])
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
test 'doesnt raise ParameterForbidden when the parameter are exact using deep nesting' do
|
42
|
+
assert_nothing_raised do
|
43
|
+
@params.strict!.permit(person: [ :age, name: [:first, :last]])
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
test 'the strict params are permitted' do
|
48
|
+
assert @params[:person].strict!.permit(:age, :name).permitted?
|
49
|
+
end
|
50
|
+
|
51
|
+
test 'works with embedded hashes' do
|
52
|
+
nested_hash_params = ActionController::Parameters.new(
|
53
|
+
email: "test@example.com", profile: {person_description: { age: 35, sex: 'f'}}
|
54
|
+
)
|
55
|
+
|
56
|
+
e = assert_raises(ActionController::ParameterForbidden) do
|
57
|
+
nested_hash_params.strict!.permit( :email, profile: { person_description: []})
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
test 'raises when enabled from class config' do
|
62
|
+
ActionController::Parameters.strict_config = true
|
63
|
+
e = assert_raises(ActionController::ParameterForbidden) do
|
64
|
+
@params[:person].permit(:age)
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
test 'its disabled by default' do
|
69
|
+
assert_nothing_raised do
|
70
|
+
@params[:person].permit(:age)
|
71
|
+
end
|
72
|
+
end
|
73
|
+
|
74
|
+
end
|
@@ -0,0 +1,61 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class ParametersTaintTest < ActiveSupport::TestCase
|
5
|
+
setup do
|
6
|
+
@params = ActionController::Parameters.new({ person: {
|
7
|
+
age: "32", name: { first: "David", last: "Heinemeier Hansson" }
|
8
|
+
}})
|
9
|
+
end
|
10
|
+
|
11
|
+
test "fetch raises ParameterMissing exception" do
|
12
|
+
e = assert_raises(ActionController::ParameterMissing) do
|
13
|
+
@params.fetch :foo
|
14
|
+
end
|
15
|
+
assert_equal :foo, e.param
|
16
|
+
end
|
17
|
+
|
18
|
+
test "fetch doesnt raise ParameterMissing exception if there is a default" do
|
19
|
+
assert_nothing_raised do
|
20
|
+
assert_equal "monkey", @params.fetch(:foo, "monkey")
|
21
|
+
assert_equal "monkey", @params.fetch(:foo) { "monkey" }
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
test "permitted is sticky on accessors" do
|
26
|
+
assert !@params.slice(:person).permitted?
|
27
|
+
assert !@params[:person][:name].permitted?
|
28
|
+
|
29
|
+
@params.each { |key, value| assert(value.permitted?) if key == :person }
|
30
|
+
|
31
|
+
assert !@params.fetch(:person).permitted?
|
32
|
+
|
33
|
+
assert !@params.values_at(:person).first.permitted?
|
34
|
+
end
|
35
|
+
|
36
|
+
test "permitted is sticky on mutators" do
|
37
|
+
assert !@params.delete_if { |k| k == :person }.permitted?
|
38
|
+
assert !@params.keep_if { |k,v| k == :person }.permitted?
|
39
|
+
end
|
40
|
+
|
41
|
+
test "permitted is sticky beyond merges" do
|
42
|
+
assert !@params.merge(a: "b").permitted?
|
43
|
+
end
|
44
|
+
|
45
|
+
test "modifying the parameters" do
|
46
|
+
@params[:person][:hometown] = "Chicago"
|
47
|
+
@params[:person][:family] = { brother: "Jonas" }
|
48
|
+
|
49
|
+
assert_equal "Chicago", @params[:person][:hometown]
|
50
|
+
assert_equal "Jonas", @params[:person][:family][:brother]
|
51
|
+
end
|
52
|
+
|
53
|
+
test "permitting parameters that are not there should not include the keys" do
|
54
|
+
assert !@params.permit(:person, :funky).has_key?(:funky)
|
55
|
+
end
|
56
|
+
|
57
|
+
test "permit state is kept on a dup" do
|
58
|
+
@params.permit!
|
59
|
+
assert_equal @params.permitted?, @params.dup.permitted?
|
60
|
+
end
|
61
|
+
end
|
data/test/test_helper.rb
ADDED
@@ -0,0 +1,27 @@
|
|
1
|
+
# Configure Rails Environment
|
2
|
+
ENV["RAILS_ENV"] = "test"
|
3
|
+
|
4
|
+
require 'test/unit'
|
5
|
+
require 'strong_parameters'
|
6
|
+
|
7
|
+
module ActionController
|
8
|
+
SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
|
9
|
+
SharedTestRoutes.draw do
|
10
|
+
match ':controller(/:action)'
|
11
|
+
end
|
12
|
+
|
13
|
+
class Base
|
14
|
+
include ActionController::Testing
|
15
|
+
include SharedTestRoutes.url_helpers
|
16
|
+
end
|
17
|
+
|
18
|
+
class ActionController::TestCase
|
19
|
+
setup do
|
20
|
+
@routes = SharedTestRoutes
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
|
26
|
+
# Load support files
|
27
|
+
Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
|
metadata
ADDED
@@ -0,0 +1,140 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: strict_parameters
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.4
|
5
|
+
prerelease:
|
6
|
+
platform: ruby
|
7
|
+
authors:
|
8
|
+
- David Heinemeier Hansson
|
9
|
+
autorequire:
|
10
|
+
bindir: bin
|
11
|
+
cert_chain: []
|
12
|
+
date: 2012-08-20 00:00:00.000000000 Z
|
13
|
+
dependencies:
|
14
|
+
- !ruby/object:Gem::Dependency
|
15
|
+
name: actionpack
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
17
|
+
none: false
|
18
|
+
requirements:
|
19
|
+
- - ! '>='
|
20
|
+
- !ruby/object:Gem::Version
|
21
|
+
version: 3.2.0
|
22
|
+
type: :runtime
|
23
|
+
prerelease: false
|
24
|
+
version_requirements: !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
26
|
+
requirements:
|
27
|
+
- - ! '>='
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
version: 3.2.0
|
30
|
+
- !ruby/object:Gem::Dependency
|
31
|
+
name: activemodel
|
32
|
+
requirement: !ruby/object:Gem::Requirement
|
33
|
+
none: false
|
34
|
+
requirements:
|
35
|
+
- - ! '>='
|
36
|
+
- !ruby/object:Gem::Version
|
37
|
+
version: 3.2.0
|
38
|
+
type: :runtime
|
39
|
+
prerelease: false
|
40
|
+
version_requirements: !ruby/object:Gem::Requirement
|
41
|
+
none: false
|
42
|
+
requirements:
|
43
|
+
- - ! '>='
|
44
|
+
- !ruby/object:Gem::Version
|
45
|
+
version: 3.2.0
|
46
|
+
- !ruby/object:Gem::Dependency
|
47
|
+
name: railties
|
48
|
+
requirement: !ruby/object:Gem::Requirement
|
49
|
+
none: false
|
50
|
+
requirements:
|
51
|
+
- - ! '>='
|
52
|
+
- !ruby/object:Gem::Version
|
53
|
+
version: 3.2.0
|
54
|
+
type: :runtime
|
55
|
+
prerelease: false
|
56
|
+
version_requirements: !ruby/object:Gem::Requirement
|
57
|
+
none: false
|
58
|
+
requirements:
|
59
|
+
- - ! '>='
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: 3.2.0
|
62
|
+
- !ruby/object:Gem::Dependency
|
63
|
+
name: rake
|
64
|
+
requirement: !ruby/object:Gem::Requirement
|
65
|
+
none: false
|
66
|
+
requirements:
|
67
|
+
- - ! '>='
|
68
|
+
- !ruby/object:Gem::Version
|
69
|
+
version: '0'
|
70
|
+
type: :development
|
71
|
+
prerelease: false
|
72
|
+
version_requirements: !ruby/object:Gem::Requirement
|
73
|
+
none: false
|
74
|
+
requirements:
|
75
|
+
- - ! '>='
|
76
|
+
- !ruby/object:Gem::Version
|
77
|
+
version: '0'
|
78
|
+
description:
|
79
|
+
email:
|
80
|
+
- david@heinemeierhansson.com
|
81
|
+
executables: []
|
82
|
+
extensions: []
|
83
|
+
extra_rdoc_files: []
|
84
|
+
files:
|
85
|
+
- lib/action_controller/parameters.rb
|
86
|
+
- lib/active_model/forbidden_attributes_protection.rb
|
87
|
+
- lib/generators/rails/strong_parameters_controller_generator.rb
|
88
|
+
- lib/generators/rails/templates/controller.rb
|
89
|
+
- lib/generators/rails/USAGE
|
90
|
+
- lib/strict_parameters.rb
|
91
|
+
- lib/strong_parameters/railtie.rb
|
92
|
+
- lib/strong_parameters/version.rb
|
93
|
+
- MIT-LICENSE
|
94
|
+
- Rakefile
|
95
|
+
- README.rdoc
|
96
|
+
- test/action_controller_required_params_test.rb
|
97
|
+
- test/action_controller_strict_params_test.rb
|
98
|
+
- test/action_controller_tainted_params_test.rb
|
99
|
+
- test/active_model_mass_assignment_taint_protection_test.rb
|
100
|
+
- test/controller_generator_test.rb
|
101
|
+
- test/nested_parameters_test.rb
|
102
|
+
- test/parameters_require_test.rb
|
103
|
+
- test/parameters_strict_test.rb
|
104
|
+
- test/parameters_taint_test.rb
|
105
|
+
- test/test_helper.rb
|
106
|
+
homepage:
|
107
|
+
licenses: []
|
108
|
+
post_install_message:
|
109
|
+
rdoc_options: []
|
110
|
+
require_paths:
|
111
|
+
- lib
|
112
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
113
|
+
none: false
|
114
|
+
requirements:
|
115
|
+
- - ! '>='
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '0'
|
118
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
119
|
+
none: false
|
120
|
+
requirements:
|
121
|
+
- - ! '>='
|
122
|
+
- !ruby/object:Gem::Version
|
123
|
+
version: '0'
|
124
|
+
requirements: []
|
125
|
+
rubyforge_project:
|
126
|
+
rubygems_version: 1.8.23
|
127
|
+
signing_key:
|
128
|
+
specification_version: 3
|
129
|
+
summary: Permitted and required parameters for Action Pack
|
130
|
+
test_files:
|
131
|
+
- test/action_controller_required_params_test.rb
|
132
|
+
- test/action_controller_strict_params_test.rb
|
133
|
+
- test/action_controller_tainted_params_test.rb
|
134
|
+
- test/active_model_mass_assignment_taint_protection_test.rb
|
135
|
+
- test/controller_generator_test.rb
|
136
|
+
- test/nested_parameters_test.rb
|
137
|
+
- test/parameters_require_test.rb
|
138
|
+
- test/parameters_strict_test.rb
|
139
|
+
- test/parameters_taint_test.rb
|
140
|
+
- test/test_helper.rb
|