strong_parameters_rails2 0.1.6.dev

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,83 @@
+= Strong Parameters
+
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        redirect_to current_account.people.find(params[:id]).tap { |person|
+          person.update_attributes!(person_params)
+        }
+      end
+
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.require(:person).permit(:name, :age)
+        end
+    end
+
+You can also use permit on nested parameters, like:
+
+    params.permit(:name, friends: [ :name, { family: [ :name ] }])
+
+Thanks to Nick Kallen for the permit idea!
+
+== Installation
+
+In Gemfile:
+
+    gem 'strong_parameters_rails2', :require => 'strong_parameters'
+
+and then run `bundle`. To activate the strong parameters, you need to include this module in
+every model you want protected.
+
+=== Simple
+
+    class Post < ActiveRecord::Base
+      include ActiveRecord::ForbiddenAttributesProtection
+    end
+
+=== Rails 3 ready
+
+    StrongParameters::ModelExtension = if Rails::VERSION::MAJOR == 2
+      ActiveRecord::ForbiddenAttributesProtection
+    else
+      ActiveModel::ForbiddenAttributesProtection
+    end
+
+    class Post < ActiveRecord::Base
+      include StrongParameters::ModelExtension
+    end
+
+=== Just logging for existing models
+
+    ActiveRecord::ForbiddenAttributesProtection.class_eval do
+      remove_method :assign_attributes_with_permitted # more sure we overwrite the correct method
+      def assign_attributes_with_permitted(attributes)
+        if attributes.respond_to?(:permitted?) && !attributes.permitted?
+          if Rails.env.production?
+            Rails.logger.error("Failed permitted attributes check \n#{caller[0..-10].join("\n")}")
+          else
+            raise ActiveRecord::ForbiddenAttributes
+          end
+        end
+        assign_attributes_without_permitted(attributes)
+      end
+    end
+
+== Compatibility
+
+This gem only supports Rails 2

data/Rakefile

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/action_controller/parameters.rb

@@ -0,0 +1,145 @@
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+
+  class Parameters < HashWithIndifferentAccess
+    attr_accessor :permitted
+    alias :permitted? :permitted
+
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = false
+    end
+
+    def permit!
+      each_pair do |key, value|
+        convert_hashes_to_parameters(key, value)
+        self[key].permit! if self[key].respond_to? :permit!
+      end
+
+      @permitted = true
+      self
+    end
+
+    def require(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+
+    alias :required :require
+
+    def permit(*filters)
+      params = self.class.new
+
+      filters.each do |filter|
+        case filter
+        when Symbol, String then
+          params[filter] = self[filter] if has_key?(filter)
+          keys.grep(/\A#{Regexp.escape(filter.to_s)}\(\d+[if]?\)\z/).each { |key| params[key] = self[key] }
+        when Hash then
+          self.slice(*filter.keys).each do |key, value|
+            return unless value
+
+            key = key.to_sym
+
+            params[key] = each_element(value) do |value|
+              # filters are a Hash, so we expect value to be a Hash too
+              next if filter.is_a?(Hash) && !value.is_a?(Hash)
+
+              value = self.class.new(value) if !value.respond_to?(:permit)
+
+              value.permit(*Array.wrap(filter[key]))
+            end
+          end
+        end
+      end
+
+      params.permit!
+    end
+
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError, IndexError
+      raise ActionController::ParameterMissing.new(key)
+    end
+
+    def slice(*keys)
+      self.class.new(super).tap do |new_instance|
+        new_instance.instance_variable_set :@permitted, @permitted
+      end
+    end
+
+    def dup
+      duplicate = Parameters.new(self)
+      duplicate.instance_variable_set :@permitted, @permitted
+      duplicate
+    end
+
+    protected
+      def convert_value(value)
+        if value.class == Hash
+          self.class.new(value)
+        elsif value.is_a?(Array)
+          value.dup.replace(value.map { |e| convert_value(e) })
+        else
+          value
+        end
+      end
+
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+
+      def each_element(object)
+        if object.is_a?(Array)
+          object.map { |el| yield el }.compact
+        # fields_for on an array of records uses numeric hash keys
+        elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
+          hash = object.class.new
+          object.each { |k,v| hash[k] = yield v }
+          hash
+        else
+          yield object
+        end
+      end
+  end
+end
+
+ActionController::Base
+module ActionController
+  Base.class_eval do
+    rescue_from ActionController::ParameterMissing do |parameter_missing_exception|
+      render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+    end
+
+    def params
+      if @_params.is_a?(Parameters)
+        @_params
+      else
+        @_params = Parameters.new(request.parameters)
+      end
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end

data/lib/active_record/forbidden_attributes_protection.rb

@@ -0,0 +1,22 @@
+require 'active_record'
+
+module ActiveRecord
+  class ForbiddenAttributes < StandardError
+  end
+
+  module ForbiddenAttributesProtection
+    private
+
+    def assign_attributes_with_permitted(attributes)
+      if !attributes.respond_to?(:permitted?) || attributes.permitted?
+        assign_attributes_without_permitted(attributes)
+      else
+        raise ActiveRecord::ForbiddenAttributes
+      end
+    end
+
+    def self.included(base)
+      base.alias_method_chain :assign_attributes, :permitted
+    end
+  end
+end

data/lib/strong_parameters/version.rb

@@ -0,0 +1,3 @@
+module StrongParameters
+  VERSION = "0.1.6.dev"
+end

data/lib/strong_parameters.rb

@@ -0,0 +1,2 @@
+require 'action_controller/parameters'
+require 'active_record/forbidden_attributes_protection'

data/test/action_controller_required_params_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class BooksController < ActionController::Base
+  def create
+    params.require(:book).require(:name)
+    head :ok
+  end
+end
+
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+
+  test "missing required parameters will raise exception" do
+    post :create, { :magazine => { :name => "Mjallo!" } }
+    assert_response :bad_request
+
+    post :create, { :book => { :title => "Mjallo!" } }
+    assert_response :bad_request
+  end
+
+  test "required parameters that are present will not raise" do
+    post :create, { :book => { :name => "Mjallo!" } }
+    assert_response :ok
+  end
+
+  test "missing parameters will be mentioned in the return" do
+    post :create, { :magazine => { :name => "Mjallo!" } }
+    assert_equal "Required parameter missing: book", response.body
+  end
+end

data/test/action_controller_tainted_params_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PeopleController < ActionController::Base
+  def create
+    render :text => params[:person].permitted? ? "untainted" : "tainted"
+  end
+
+  def create_with_permit
+    render :text => params[:person].permit(:name).permitted? ? "untainted" : "tainted"
+  end
+end
+
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+
+  test "parameters are tainted" do
+    post :create, { :person => { :name => "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { :person => { :name => "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_record_mass_assignment_taint_protection_test.rb

@@ -0,0 +1,50 @@
+require 'test_helper'
+require 'active_record/forbidden_attributes_protection'
+
+ActiveRecord::Base.establish_connection(
+  :adapter => "sqlite3",
+  :database => ":memory:"
+)
+
+ActiveRecord::Schema.define(:version => 1) do
+  create_table :people do |t|
+    t.string :a
+  end
+end
+
+class Person < ActiveRecord::Base
+  include ActiveRecord::ForbiddenAttributesProtection
+  public :assign_attributes_with_permitted
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating via new" do
+    assert_raises(ActiveRecord::ForbiddenAttributes) do
+      Person.new(ActionController::Parameters.new(:a => "b"))
+    end
+  end
+
+  test "forbidden attributes cannot be used for mass updating via update_attributes" do
+    person = Person.create!
+    assert_raises(ActiveRecord::ForbiddenAttributes) do
+      person.update_attributes(ActionController::Parameters.new(:a => "b"))
+    end
+  end
+
+  test "forbidden attributes cannot be used for mass updating via attributes=" do
+    person = Person.new
+    assert_raises(ActiveRecord::ForbiddenAttributes) do
+      person.attributes = ActionController::Parameters.new(:a => "b")
+    end
+  end
+
+  test "permitted attributes can be used for mass updating" do
+    person = Person.new(ActionController::Parameters.new(:a => "b").permit(:a))
+    assert_equal({ "a" => "b" }, person.attributes.slice("a"))
+  end
+
+  test "regular attributes should still be allowed" do
+    person = Person.new(:a => "b")
+    assert_equal({ "a" => "b" }, person.attributes.slice("a"))
+  end
+end

data/test/multi_parameter_attributes_test.rb

@@ -0,0 +1,39 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class MultiParameterAttributesTest < ActiveSupport::TestCase
+  test "permitted multi-parameter attribute keys" do
+    params = ActionController::Parameters.new({
+      :book => {
+        "shipped_at(1i)"   => "2012",
+        "shipped_at(2i)"   => "3",
+        "shipped_at(3i)"   => "25",
+        "shipped_at(4i)"   => "10",
+        "shipped_at(5i)"   => "15",
+        "published_at(1i)" => "1999",
+        "published_at(2i)" => "2",
+        "published_at(3i)" => "5",
+        "price(1)"         => "R$",
+        "price(2f)"        => "2.02"
+      }
+    })
+
+    permitted = params.permit :book => [ :shipped_at, :price ]
+
+    assert permitted.permitted?
+
+    assert_equal "2012", permitted[:book]["shipped_at(1i)"]
+    assert_equal "3", permitted[:book]["shipped_at(2i)"]
+    assert_equal "25", permitted[:book]["shipped_at(3i)"]
+    assert_equal "10", permitted[:book]["shipped_at(4i)"]
+    assert_equal "15", permitted[:book]["shipped_at(5i)"]
+
+    assert_equal "R$", permitted[:book]["price(1)"]
+    assert_equal "2.02", permitted[:book]["price(2f)"]
+
+    assert_nil permitted[:book]["published_at(1i)"]
+    assert_nil permitted[:book]["published_at(2i)"]
+    assert_nil permitted[:book]["published_at(3i)"]
+  end
+end
+

data/test/nested_parameters_test.rb

@@ -0,0 +1,131 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class NestedParametersTest < ActiveSupport::TestCase
+  test "permitted nested parameters" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :authors => [{
+          :name => "William Shakespeare",
+          :born => "1564-04-26"
+        }, {
+          :name => "Christopher Marlowe"
+        }],
+        :details => {
+          :pages => 200,
+          :genre => "Tragedy"
+        }
+      },
+      :magazine => "Mjallo!"
+    })
+
+    permitted = params.permit :book => [ :title, { :authors => [ :name ] }, { :details => :pages } ]
+
+    assert permitted.permitted?
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+    assert_equal 200, permitted[:book][:details][:pages]
+    assert_nil permitted[:book][:details][:genre]
+    assert_nil permitted[:book][:authors][1][:born]
+    assert_nil permitted[:magazine]
+  end
+
+  test "nested arrays with strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => :genres
+    assert_equal ["Tragedy"], permitted[:book][:genres]
+  end
+
+  test "permit may specify symbols or strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :author => "William Shakespeare"
+      },
+      :magazine => "Shakespeare Today"
+    })
+
+    permitted = params.permit({ :book => ["title", :author] }, "magazine")
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:author]
+    assert_equal "Shakespeare Today", permitted[:magazine]
+  end
+
+  test "nested array with strings that should be hashes" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => { :genres => :type }
+    assert permitted[:book][:genres].empty?
+  end
+
+  test "nested array with strings that should be hashes and additional values" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => [ :title, { :genres => :type } ]
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert permitted[:book][:genres].empty?
+  end
+
+  test "nested string that should be a hash" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genre => "Tragedy"
+      }
+    })
+
+    permitted = params.permit :book => { :genre => :type }
+    assert_nil permitted[:book][:genre]
+  end
+
+  test "fields_for_style_nested_params" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'1' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [ :name ] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['0']
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+  end
+
+  test "fields_for_style_nested_params with negative numbers" do
+    params    = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'-2' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [:name] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+  end
+end

data/test/parameters_require_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ParametersRequireTest < ActiveSupport::TestCase
+  test "required parameters must be present not merely not nil" do
+    assert_raises(ActionController::ParameterMissing) do
+      ActionController::Parameters.new(:person => {}).require(:person)
+    end
+  end
+end

data/test/parameters_taint_test.rb

@@ -0,0 +1,93 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ParametersTaintTest < ActiveSupport::TestCase
+  def setup
+    @params = ActionController::Parameters.new({ :person => {
+      :age => "32", :name => { :first => "David", :last => "Heinemeier Hansson" }
+    }})
+  end
+
+  test "fetch raises ParameterMissing exception" do
+    e = assert_raises(ActionController::ParameterMissing) do
+      @params.fetch :foo
+    end
+    assert_equal :foo, e.param
+  end
+
+  test "fetch doesnt raise ParameterMissing exception if there is a default" do
+    assert_nothing_raised do
+      assert_equal "monkey", @params.fetch(:foo, "monkey")
+      assert_equal "monkey", @params.fetch(:foo) { "monkey" }
+    end
+  end
+
+  test "not permitted is sticky on accessors" do
+    assert !@params.slice(:person).permitted?
+    assert !@params[:person][:name].permitted?
+    assert !@params[:person].except(:name).permitted?
+
+    @params.each { |key, value| assert(!value.permitted?) if key == "person" }
+
+    assert !@params.fetch(:person).permitted?
+
+    assert !@params.values_at(:person).first.permitted?
+  end
+
+  test "permitted is sticky on accessors" do
+    @params.permit!
+    assert @params.slice(:person).permitted?
+    assert @params[:person][:name].permitted?
+    assert @params[:person].except(:name).permitted?
+
+    @params.each { |key, value| assert(value.permitted?) if key == "person" }
+
+    assert @params.fetch(:person).permitted?
+
+    assert @params.values_at(:person).first.permitted?
+  end
+
+  test "not permitted is sticky on mutators" do
+    assert !@params.delete_if { |k, v| k == "person" }.permitted?
+    assert !@params.keep_if { |k, v| k == "person" }.permitted? if @params.respond_to?(:keep_if)
+  end
+
+  test "permitted is sticky on mutators" do
+    @params.permit!
+    assert @params.delete_if { |k, v| k == "person" }.permitted?
+    assert @params.keep_if { |k, v| k == "person" }.permitted? if @params.respond_to?(:keep_if)
+  end
+
+  test "not permitted is sticky beyond merges" do
+    assert !@params.merge(:a => "b").permitted?
+  end
+
+  test "permitted is sticky beyond merges" do
+    @params.permit!
+    assert @params.merge(:a => "b").permitted?
+  end
+
+  test "modifying the parameters" do
+    @params[:person][:hometown] = "Chicago"
+    @params[:person][:family] = { :brother => "Jonas" }
+
+    assert_equal "Chicago", @params[:person][:hometown]
+    assert_equal "Jonas", @params[:person][:family][:brother]
+  end
+
+  test "permitting parameters that are not there should not include the keys" do
+    assert !@params.permit(:person, :funky).has_key?(:funky)
+  end
+
+  test "permit state is kept on a dup" do
+    @params.permit!
+    assert_equal @params.permitted?, @params.dup.permitted?
+  end
+
+  test "permit is recursive" do
+    @params.permit!
+    assert @params.permitted?
+    assert @params[:person].permitted?
+    assert @params[:person][:name].permitted?
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,18 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+
+require 'test/unit'
+require 'strong_parameters'
+require 'mocha'
+require 'active_support/test_case'
+require 'action_controller/test_process'
+
+ActionController::Routing::Routes.reload rescue nil
+
+MissingSourceFile::REGEXPS << [/^cannot load such file -- (.+)$/i, 1]
+
+ActionController::TestCase.class_eval do
+  def response
+    @response
+  end
+end

metadata

@@ -0,0 +1,153 @@
+--- !ruby/object:Gem::Specification
+name: strong_parameters_rails2
+version: !ruby/object:Gem::Version
+  version: 0.1.6.dev
+  prerelease: 6
+platform: ruby
+authors:
+- Michael Grosser
+- David Heinemeier Hansson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-11-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- michael@grosser.it
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/action_controller/parameters.rb
+- lib/active_record/forbidden_attributes_protection.rb
+- lib/strong_parameters/version.rb
+- lib/strong_parameters.rb
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+- test/action_controller_required_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_record_mass_assignment_taint_protection_test.rb
+- test/multi_parameter_attributes_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb
+homepage: 
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 1783000803371322275
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Permitted and required parameters for Action Pack
+test_files:
+- test/action_controller_required_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_record_mass_assignment_taint_protection_test.rb
+- test/multi_parameter_attributes_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb