strongly_typed_parameters 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,90 @@
+= Strong(ly typed) Parameters
+
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+In this fork, the type of each parameter is also validated to avoid unexpected behavior with implicit casting.
+
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        person = current_account.people.find(params[:id])
+        person.update_attributes!(person_params)
+        redirect_to person
+      end
+
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.require(:person).permit(:name, :age)
+        end
+    end
+
+== Permitted Types
+
+Given
+
+    params.permit(:id)
+
+the key +:id+ will pass the whitelisting if it appears in +params+ and is a String. Otherwise the key is going to be filtered out, so arrays, hashes, or any other objects cannot be injected.
+
+If instead the argument is given as
+
+    params.permit(:id => Numeric)
+
+the +:id+ value must be a number. Any class or module can be given here. The marker module Boolean is included in TrueClass and FalseClass.
+
+To declare that the value in +params+ must be an array of values of a certain type, wrap the type constant in an Array:
+
+    params.permit(:id => [Numeric])
+
+== Defaults with ActiveRecord
+
+If a parameter shares a name with an ActiveRecord model, the default types for its attributes are those of that model, rather than String.
+
+== Nested Parameters
+
+You can also use permit on nested parameters, like:
+
+    params.permit(:name, {:emails => [String]}, :friends => [ :name, { :family => [ :name ] }])
+
+Thanks to Nick Kallen for the permit idea!
+
+== Handling of Unpermitted Keys
+
+By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.
+
+Additionally, this behaviour can be changed by changing the +config.action_controller.action_on_unpermitted_parameters+ property in your environment files. If set to +:log+ the unpermitted attributes will be logged, if set to +:raise+ an exception will be raised.
+
+== Installation
+
+In Gemfile:
+
+    gem 'strongly_typed_parameters'
+
+and then run `bundle`. To activate the strong parameters, you need to include this module in
+every model you want protected.
+
+    class Post < ActiveRecord::Base
+      include ActiveModel::ForbiddenAttributesProtection
+    end
+
+If you want to now disable the default whitelisting that occurs in later versions of Rails, change the +config.active_record.whitelist_attributes+ property in your +config/application.rb+:
+
+    config.active_record.whitelist_attributes = false
+
+This will allow you to remove / not have to use +attr_accessible+ and do mass assignment inside your code and tests.
+
+== Compatibility
+
+This plugin is only fully compatible with Rails versions 3.0, 3.1 and 3.2 but not 4.0+, as the non-typechecking version is part of Rails Core in 4.0.

data/Rakefile

@@ -0,0 +1,28 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+  require 'bundler/gem_tasks'
+rescue LoadError
+  raise 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task :default => :test

data/lib/action_controller/parameters.rb

@@ -0,0 +1,240 @@
+require 'date'
+require 'bigdecimal'
+require 'stringio'
+
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+require 'action_dispatch/http/upload'
+
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+
+  class UnpermittedParameters < IndexError
+    attr_reader :params
+
+    def initialize(params)
+      @params = params
+      super("found unpermitted parameters: #{params.join(", ")}")
+    end
+  end
+
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    attr_accessor :permitted
+    alias :permitted? :permitted
+    attr_accessor :klass
+
+    cattr_accessor :action_on_unpermitted_parameters, :instance_accessor => false
+
+    # Never raise an UnpermittedParameters exception because of these params
+    # are present. They are added by Rails and it's of no concern.
+    NEVER_UNPERMITTED_PARAMS = %w( controller action )
+
+    def initialize(attributes = nil, klass = String)
+      super(attributes)
+      @permitted = false
+      @klass = klass
+    end
+
+    def permit!
+      each_pair do |key, value|
+        convert_hashes_to_parameters(key, value)
+        self[key].permit! if self[key].respond_to? :permit!
+      end
+
+      @permitted = true
+      self
+    end
+
+    def require(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+
+    alias :required :require
+
+    def permit(*filters)
+      params = self.class.new
+      filters.each do |filter|
+        rule = filter.is_a?(Hash) ? filter : default_rule(filter)
+        if rule.values.one? && rule.values.first.is_a?(Class)
+          permitted_scalar_filter(params, rule.keys.first, rule.values.first)
+        else
+          apply_filter(params, rule)
+        end
+      end
+
+      unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters
+
+      params.permit!
+    end
+
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError, IndexError
+      raise ActionController::ParameterMissing.new(key)
+    end
+
+    def slice(*keys)
+      self.class.new(super).tap do |new_instance|
+        new_instance.instance_variable_set :@permitted, @permitted
+      end
+    end
+
+    def dup
+      self.class.new(self).tap do |duplicate|
+        duplicate.default = default
+        duplicate.instance_variable_set :@permitted, @permitted
+      end
+    end
+
+    protected
+      def convert_value(value)
+        if value.class == Hash
+          self.class.new_from_hash_copying_default(value)
+        elsif value.is_a?(Array)
+          value.dup.replace(value.map { |e| convert_value(e) })
+        else
+          value
+        end
+      end
+
+    private
+
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+
+      def permitted_scalar?(value, klass)
+        value.is_a?(klass)
+      end
+
+      def array_of_permitted_scalars?(value,klass)
+        if value.is_a?(Array)
+          value.all? {|element| permitted_scalar?(element,klass)}
+        end
+      end
+
+      def permitted_scalar_filter(params, key, klass)
+        if has_key?(key) && permitted_scalar?(self[key],klass)
+          params[key] = self[key]
+        end
+
+        keys.grep(/\A#{Regexp.escape(key.to_s)}\(\d+[if]?\)\z/).each do |key|
+          if permitted_scalar?(self[key],klass)
+            params[key] = self[key]
+          end
+        end
+      end
+
+      def array_of_permitted_scalars_filter(params, key, rule)
+        raise ArgumentError unless rule.one?
+        if has_key?(key) && array_of_permitted_scalars?(self[key],rule.first)
+          params[key] = self[key]
+        end
+      end
+
+      def apply_filter(params, filter)
+        filter = filter.with_indifferent_access
+
+        # Slicing filters out non-declared keys.
+        slice(*filter.keys).each do |key, value|
+
+          rule = filter[key]
+
+          # Declaration {:favorite_numbers => [Numeric]}
+          if rule.is_a?(Array) && rule.first.is_a?(Class)
+            array_of_permitted_scalars_filter(params, key, rule)
+          # Declaration {:favorite_number => Numeric} or :uuid [=> String]
+          elsif rule.is_a?(Class) || rule.is_a?(Module)
+            permitted_scalar_filter(params, key, rule)
+          else
+            # Declaration {:user => :name} or {:user => [:name, :age, {:address => ...}]}
+            raise ArgumentError if rule.empty?
+            params[key] = each_element(value) do |element|
+              if element.is_a?(Hash)
+                element = self.class.new(element) unless element.respond_to?(:permit)
+                element.klass = key.camelize.constantize rescue String
+                element.permit(*Array.wrap(rule))
+              end
+            end
+          end
+        end
+      end
+
+      def default_rule(filter)
+        if @klass.respond_to?(:columns) && (type = @klass.columns.find { |attr| attr.name == filter.to_s })
+          {filter => type.klass}
+        else
+          {filter => String}
+        end
+      end
+
+      def each_element(value)
+        if value.is_a?(Array)
+          value.map { |el| yield el }.compact
+          # fields_for on an array of records uses numeric hash keys.
+        elsif value.is_a?(Hash) && value.keys.all? { |k| k =~ /\A-?\d+\z/ }
+          hash = value.class.new
+          value.each { |k,v| hash[k] = yield v }
+          hash
+        else
+          yield value
+        end
+      end
+
+      def unpermitted_parameters!(params)
+        return unless self.class.action_on_unpermitted_parameters
+
+        unpermitted_keys = unpermitted_keys(params)
+
+        if unpermitted_keys.any?
+          case self.class.action_on_unpermitted_parameters
+          when :log
+            ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"
+          when :raise
+            raise ActionController::UnpermittedParameters.new(unpermitted_keys)
+          end
+        end
+      end
+
+      def unpermitted_keys(params)
+        self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
+      end
+  end
+
+  module StrongParameters
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+        render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+      end
+    end
+
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end
+
+ActionController::Base.send :include, ActionController::StrongParameters

data/lib/active_model/forbidden_attributes_protection.rb

@@ -0,0 +1,15 @@
+module ActiveModel
+  class ForbiddenAttributes < StandardError
+  end
+
+  module ForbiddenAttributesProtection
+    def sanitize_for_mass_assignment(*options)
+      new_attributes = options.first
+      if !new_attributes.respond_to?(:permitted?) || new_attributes.permitted?
+        super
+      else
+        raise ActiveModel::ForbiddenAttributes
+      end
+    end
+  end
+end

data/lib/generators/rails/USAGE

@@ -0,0 +1,12 @@
+Description:
+    Stubs out a scaffolded controller and its views. Different from rails
+    scaffold_controller, it uses strongly_typed_parameters to whitelist permissible
+    attributes in a private method.
+    Pass the model name, either CamelCased or under_scored. The controller
+    name is retrieved as a pluralized version of the model name.
+
+    To create a controller within a module, specify the model name as a
+    path like 'parent_module/controller_name'.
+
+    This generates a controller class in app/controllers and invokes helper,
+    template engine and test framework generators.

data/lib/generators/rails/strong_parameters_controller_generator.rb

@@ -0,0 +1,17 @@
+require 'rails/version'
+require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
+
+module Rails
+  module Generators
+    class StrongParametersControllerGenerator < ScaffoldControllerGenerator
+      argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+      source_root File.expand_path("../templates", __FILE__)
+
+      if ::Rails::VERSION::STRING < '3.1'
+        def module_namespacing
+          yield if block_given?
+        end
+      end
+    end
+  end
+end

data/lib/generators/rails/templates/controller.rb

@@ -0,0 +1,94 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  # GET <%= route_url %>
+  # GET <%= route_url %>.json
+  def index
+    @<%= plural_table_name %> = <%= orm_class.all(class_name) %>
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: <%= "@#{plural_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/1
+  # GET <%= route_url %>/1.json
+  def show
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/new
+  # GET <%= route_url %>/new.json
+  def new
+    @<%= singular_table_name %> = <%= orm_class.build(class_name) %>
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/1/edit
+  def edit
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+  end
+
+  # POST <%= route_url %>
+  # POST <%= route_url %>.json
+  def create
+    @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
+
+    respond_to do |format|
+      if @<%= orm_instance.save %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
+        format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
+      else
+        format.html { render action: "new" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PATCH/PUT <%= route_url %>/1
+  # PATCH/PUT <%= route_url %>/1.json
+  def update
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+
+    respond_to do |format|
+      if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
+        format.json { head :no_content }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE <%= route_url %>/1
+  # DELETE <%= route_url %>/1.json
+  def destroy
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    @<%= orm_instance.destroy %>
+
+    respond_to do |format|
+      format.html { redirect_to <%= index_helper %>_url }
+      format.json { head :no_content }
+    end
+  end
+
+  private
+
+    # Use this method to whitelist the permissible parameters. Example:
+    # params.require(:person).permit(:name, :age)
+    # Also, you can specialize this method with per-user checking of permissible attributes.
+    def <%= "#{singular_table_name}_params" %>
+      params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+    end
+end
+<% end -%>