stronger_parameters 2.7.0 → 2.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 44698724e39acaded3b387e94f5c2c6e83b88555
-  data.tar.gz: 49aa2b14a5d4d9348c92e79c58310552e1dcdddc
+  metadata.gz: 0765498e474bdda1bbd86952faeb949bb8dee68d
+  data.tar.gz: 552b525dd274336986326681a21a334139bfbb25
 SHA512:
-  metadata.gz: 98d2d44613d8c56f59e42143d344160ab4a7240cca977555e6576c7f391908d1b6e5e3c7ac7222f49eb8ced23095a370382dc47d5f76d186162ce9bbd6567bb3
-  data.tar.gz: f83fb3b52e66157edb4a8d9c184d8e3b594d65d7285f3a355d3d9c93bd8c60f3a0464072795ac63e9bce25d59a152bf90edee491ee2d196dc8d5c5e8dd6a4b2d
+  metadata.gz: f1317839557a9579b3710b15c314de07a02766e6ac511a84ef3b98fe3dd8fe8dd5c00c442d3c952d67f0287cc57589944eac80e41fe2e2eaa27101f8bb612f06
+  data.tar.gz: 5abbe1cc2b805bf72ff355c4d79de711bb09c18aaa1a4e97aceaf13d4e7bfe8c321d890f7d118fcef69036fb19ee5613f86dce9cfa2065c7e1f5d6f6c47d8e74

data/README.md

@@ -158,6 +158,68 @@ Just want to log violations in production:
 ActionController::Parameters.action_on_invalid_parameters = :log
 ```
 
+## Controller support (compatible with Rails 3 and 4, untested on Rails 5)
+
+Include `PermittedParameters` into a controller to force the developer
+to explicitly permit params for every action.
+
+Examples:
+
+```ruby
+class TestController < ApplicationController
+  include StrongerParameters::ControllerSupport::PermittedParameters
+
+  permitted_parameters :all, locale: Parameters.string # permit :locale in all actions for this controller
+
+  permitted_parameters :show, id: Parameters.integer
+  def show
+  end
+
+  permitted_parameters :create, topic: { forum: { id: Parameters.integer } }
+  def create
+  end
+
+  permitted_parameters :index, {} # no parameters permitted
+  def index
+  end
+
+  permitted_parameters :update, :anything # all parameters permitted, use when migrating old controllers/actions
+  def update
+  end
+```
+
+
+### Log only mode
+
+Just want to log violations in production, let all params pass through:
+
+```ruby
+class MyController < ApplicationController
+  log_unpermitted_parameters! if Rails.env.production? # Still want other environments to raise
+
+  permitted_parameters :update, user: { name: Parameters.string }
+  def update
+  end
+end
+```
+
+### Notifying users about unpermitted params
+
+Add headers to all requests that have unpermitted params:
+
+```Ruby
+# config/application.rb
+config.stronger_parameters_violation_header = 'X-StrongerParameters-API-Warn'
+```
+
+```shell
+curl -I 'http://localhost/api/users/1.json' -X POST -d '{ "user": { "id": 1 } }'
+=> HTTP/1.1 200 OK
+=> ...
+=> X-StrongerParameters-API-Warn: Removed restricted keys ["user.id"] from parameters
+```
+
+
 ## Types
 
 | Syntax                         | (Simplified) Definition                                                                    |

data/lib/stronger_parameters/controller_support/permitted_parameters.rb

@@ -0,0 +1,159 @@
+require 'stronger_parameters/constraints'
+
+module StrongerParameters
+  module ControllerSupport
+    module PermittedParameters
+      def self.included(klass)
+        klass.extend ClassMethods
+        if klass.respond_to?(:before_action)
+          klass.before_action :permit_parameters
+        else
+          klass.before_filter :permit_parameters
+        end
+      end
+
+      class PermittedParametersHash < Hash
+        def initialize(other = nil)
+          super()
+          merge!(other) unless other.nil?
+        end
+
+        def merge!(other)
+          other.each do |key, value|
+            value = sugar(value)
+
+            if value.is_a?(StrongerParameters::Constraint)
+              self[key] = value
+            else
+              self[key] ||= self.class.new
+              self[key].merge!(value)
+            end
+          end
+
+          self
+        end
+
+        def merge(other)
+          dup.merge!(other)
+        end
+
+        private
+
+        def sugar(value)
+          case value
+          when Array
+            ActionController::Parameters.array(*value.map { |v| sugar(v) })
+          when Hash
+            constraints = value.each_with_object({}) do |(key, v), memo|
+              memo[key] = sugar(v)
+            end
+            ActionController::Parameters.map(constraints)
+          else
+            value
+          end
+        end
+      end
+
+      DEFAULT_PERMITTED = PermittedParametersHash.new(
+        controller: ActionController::Parameters.anything,
+        action: ActionController::Parameters.anything,
+        format: ActionController::Parameters.anything,
+        authenticity_token: ActionController::Parameters.string
+      )
+
+      module ClassMethods
+        def self.extended(base)
+          base.send :class_attribute, :log_unpermitted_parameters, instance_accessor: false
+        end
+
+        def log_unpermitted_parameters!
+          self.log_unpermitted_parameters = true
+        end
+
+        def permitted_parameters(action, permitted)
+          if permit_parameters[action] == :anything && permitted != :anything
+            raise ArgumentError, "#{self}/#{action} can not add to :anything"
+          end
+
+          permit_parameters.deep_merge!(action => permitted)
+        end
+
+        def permitted_parameters_for(action)
+          unless for_action = permit_parameters[action]
+            location = instance_method(action).source_location
+            raise KeyError, "Action #{action} for #{self} does not have any permitted parameters (#{location.join(":")})"
+          end
+          return :anything if for_action == :anything
+          permit_parameters[:all].merge(for_action)
+        end
+
+        private
+
+        def permit_parameters
+          @permit_parameters ||= if superclass.respond_to?(:permit_parameters, true)
+            superclass.send(:permit_parameters).deep_dup
+          else
+            { all: DEFAULT_PERMITTED.dup }
+          end
+        end
+      end
+
+      private
+
+      def permit_parameters
+        action = params[:action].to_sym
+        permitted = self.class.permitted_parameters_for(action)
+
+        if permitted == :anything
+          Rails.logger.warn("#{params[:controller]}/#{params[:action]} does not filter parameters")
+          return
+        end
+
+        permitted_params = without_invalid_parameter_exceptions { params.permit(permitted) }
+        unpermitted_keys = flat_keys(params) - flat_keys(permitted_params)
+        log_unpermitted = self.class.log_unpermitted_parameters
+
+        show_unpermitted_keys(unpermitted_keys, log_unpermitted)
+
+        return if log_unpermitted
+
+        params.replace(permitted_params)
+        params.permit!
+        request.params.replace(permitted_params)
+
+        logged_params = request.send(:parameter_filter).filter(permitted_params) # Removing passwords, etc
+        Rails.logger.info("  Filtered Parameters: #{logged_params.inspect}")
+      end
+
+      def show_unpermitted_keys(unpermitted_keys, log_unpermitted)
+        return if unpermitted_keys.empty?
+
+        log_prefix = (log_unpermitted ? 'Found' : 'Removed')
+        message = "#{log_prefix} restricted keys #{unpermitted_keys.inspect} from parameters according to permitted list"
+
+        header = Rails.configuration.stronger_parameters_violation_header if Rails.configuration.respond_to?(:stronger_parameters_violation_header)
+        response.headers[header] = message if response && header
+
+        Rails.logger.info("  #{message}")
+      end
+
+      def without_invalid_parameter_exceptions
+        if self.class.log_unpermitted_parameters
+          begin
+            old = ActionController::Parameters.action_on_invalid_parameters
+            ActionController::Parameters.action_on_invalid_parameters = :log
+            yield
+          ensure
+            ActionController::Parameters.action_on_invalid_parameters = old
+          end
+        else
+          yield
+        end
+      end
+
+      def flat_keys(hash)
+        hash.flat_map { |k, v| v.is_a?(Hash) ? flat_keys(v).map { |x| "#{k}.#{x}" }.push(k) : k }
+      end
+    end
+  end
+end

data/lib/stronger_parameters/version.rb

@@ -1,3 +1,3 @@
 module StrongerParameters
-  VERSION = '2.7.0'
+  VERSION = '2.8.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stronger_parameters
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 2.8.0
 platform: ruby
 authors:
 - Mick Staugaard
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-15 00:00:00.000000000 Z
+date: 2017-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -168,6 +168,7 @@ files:
 - lib/stronger_parameters/constraints/nil_string_constraint.rb
 - lib/stronger_parameters/constraints/regexp_constraint.rb
 - lib/stronger_parameters/constraints/string_constraint.rb
+- lib/stronger_parameters/controller_support/permitted_parameters.rb
 - lib/stronger_parameters/errors.rb
 - lib/stronger_parameters/parameters.rb
 - lib/stronger_parameters/version.rb
@@ -191,7 +192,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Type checking and type casting of parameters for Action Pack