strong_parameters 0.1.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,44 @@
+= Strong Parameters
+
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+      
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by 
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        redirect_to current_account.people.find(params[:id]).tap do |person|
+          person.update_attributes!(person_params)
+        end
+      end
+      
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.required(:person).permit(:name, :age)
+        end
+    end
+
+Thanks to Nick Kallen for the permit idea!
+
+== Todos
+
+* Make this play nice with nested parameters [???]. Design:
+
+    params.permit(:name, friends: [ :name, { family: [ :name ] }])
+
+* Automatically permit parameters coming from a signed form [Yehuda]
+
+== Compatibility
+
+Due to a testing issue, this plugin is only fully compatible with rails/3-2-stable rev 275ee0dc7b and forward as well as rails/master rev b49a7ddce1 and forward.

data/Rakefile

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/action_controller/parameters.rb

@@ -0,0 +1,81 @@
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    attr_accessor :permitted
+    alias :permitted? :permitted
+
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = false
+    end
+
+    def permit!
+      @permitted = true
+      self
+    end
+
+    def required(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+
+    def permit(*keys)
+      slice(*keys).permit!
+    end
+
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def fetch(key)
+      unless block_given? || key?(key)
+        raise ActionController::ParameterMissing.new(key)
+      end
+
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def slice(*keys)
+      self.class.new(super)
+    end
+
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+  end
+
+  module StrongParameters
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from(ActionController::ParameterMissing) { head :bad_request }
+    end
+
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end
+
+ActionController::Base.send :include, ActionController::StrongParameters

data/lib/active_model/forbidden_attributes_protection.rb

@@ -0,0 +1,16 @@
+module ActiveModel
+  class ForbiddenAttributes < StandardError
+  end
+
+  module ForbiddenAttributesProtection
+    def sanitize_for_mass_assignment(new_attributes, options = {})
+      if !new_attributes.respond_to?(:permitted?) || (new_attributes.respond_to?(:permitted?) && new_attributes.permitted?)
+        super
+      else
+        raise ActiveModel::ForbiddenAttributes
+      end
+    end
+  end
+end
+
+ActiveModel.autoload :ForbiddenAttributesProtection

data/lib/strong_parameters.rb

@@ -0,0 +1,2 @@
+require 'action_controller/parameters'
+require 'active_model/forbidden_attributes_protection'

data/lib/strong_parameters/version.rb

@@ -0,0 +1,3 @@
+module StrongParameters
+  VERSION = "0.1.0"
+end

data/test/action_controller_required_params_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class BooksController < ActionController::Base
+  def create
+    params.required(:book).required(:name)
+    head :ok
+  end
+end
+
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+  
+  test "missing required parameters will raise exception" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_response :bad_request
+
+    post :create, { book: { title: "Mjallo!" } }
+    assert_response :bad_request
+  end
+  
+  test "required parameters that are present will not raise" do
+    post :create, { book: { name: "Mjallo!" } }
+    assert_response :ok
+  end
+end

data/test/action_controller_tainted_params_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PeopleController < ActionController::Base
+  def create
+    render text: params[:person].permitted? ? "untainted" : "tainted"
+  end
+  
+  def create_with_permit
+    render text: params[:person].permit(:name).permitted? ? "untainted" : "tainted"
+  end
+end
+
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+  
+  test "parameters are tainted" do
+    post :create, { person: { name: "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+  
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { person: { name: "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_model_mass_assignment_taint_protection_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::ForbiddenAttributesProtection
+  
+  public :sanitize_for_mass_assignment
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating" do
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b"))
+    end
+  end
+
+  test "permitted attributes can be used for mass updating" do
+    assert_nothing_raised do
+      assert_equal({ "a" => "b" },
+        Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b").permit(:a)))
+    end
+  end
+  
+  test "regular attributes should still be allowed" do
+    assert_nothing_raised do
+      assert_equal({ a: "b" },
+        Person.new.sanitize_for_mass_assignment(a: "b"))
+    end
+  end
+end

data/test/dummy/log/test.log

@@ -0,0 +1,88 @@
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.2ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.0ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.3ms)  begin transaction
+   (0.0ms)  rollback transaction
+   (0.3ms)  begin transaction
+   (0.0ms)  rollback transaction

data/test/parameters_require_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ParametersRequireTest < ActiveSupport::TestCase
+  test "required parameters must be present not merely not nil" do
+    assert_raises(ActionController::ParameterMissing) do
+      ActionController::Parameters.new(person: {}).required(:person)
+    end
+  end
+end

data/test/parameters_taint_test.rb

@@ -0,0 +1,45 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ParametersTaintTest < ActiveSupport::TestCase
+  setup do
+    @params = ActionController::Parameters.new({ person: { 
+      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+    }})
+  end
+
+  test "fetch raises ParameterMissing exception" do
+    e = assert_raises(ActionController::ParameterMissing) do
+      @params.fetch :foo
+    end
+    assert_equal :foo, e.param
+  end
+
+  test "permitted is sticky on accessors" do
+    assert !@params.slice(:person).permitted?
+    assert !@params[:person][:name].permitted?
+
+    @params.each { |key, value| assert(value.permitted?) if key == :person }
+
+    assert !@params.fetch(:person).permitted?
+
+    assert !@params.values_at(:person).first.permitted?
+  end
+
+  test "permitted is sticky on mutators" do
+    assert !@params.delete_if { |k| k == :person }.permitted?
+    assert !@params.keep_if { |k,v| k == :person }.permitted?
+  end
+
+  test "permitted is sticky beyond merges" do
+    assert !@params.merge(a: "b").permitted?
+  end
+
+  test "modifying the parameters" do
+    @params[:person][:hometown] = "Chicago"
+    @params[:person][:family] = { brother: "Jonas" }
+
+    assert_equal "Chicago", @params[:person][:hometown]
+    assert_equal "Jonas", @params[:person][:family][:brother]
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,27 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+
+require 'test/unit'
+require 'strong_parameters'
+
+module ActionController
+  SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
+  SharedTestRoutes.draw do
+    match ':controller(/:action)'
+  end
+
+  class Base
+    include ActionController::Testing
+    include SharedTestRoutes.url_helpers
+  end
+
+  class ActionController::TestCase
+    setup do
+      @routes = SharedTestRoutes
+    end
+  end
+end
+
+
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: strong_parameters
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- David Heinemeier Hansson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-03-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: &70323933135920 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *70323933135920
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: &70323933135420 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *70323933135420
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &70323933135040 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70323933135040
+description: 
+email:
+- david@heinemeierhansson.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/action_controller/parameters.rb
+- lib/active_model/forbidden_attributes_protection.rb
+- lib/strong_parameters/version.rb
+- lib/strong_parameters.rb
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+- test/action_controller_required_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/dummy/db/test.sqlite3
+- test/dummy/log/test.log
+- test/parameters_require_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Permitted and required parameters for Action Pack
+test_files:
+- test/action_controller_required_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/dummy/db/test.sqlite3
+- test/dummy/log/test.log
+- test/parameters_require_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb