verboten_keys 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25f79502f4a51d148ef9fc89c1c6883fd754868bbc27f8c53db220e4a4ad227b
-  data.tar.gz: c688bf6e1dc5ebb4e75dd670cb9b81950ae161f454e7258356ce46c454d3b73d
+  metadata.gz: dde874b6a3422af5674b2bb84ea805f45f22d4c3005ba8be44a958c5e8b45205
+  data.tar.gz: f7aa2967c3e2021db3f4bc72f90e94bb8c2d41d23b86aa687627c2c66059e651
 SHA512:
-  metadata.gz: 06c3248d1379afb108ee4f98f3805a44162fb986f3b58a483079c1afd205dae9c128a679e4f3aff0aed0220bea6c3cc83988050cdd10be0da3816b3d80f41a45
-  data.tar.gz: 6ced8772a5aa49723113b76f109be121332a06ed6401adc7ed2b7063afc5e768b25e91e2573fe183b6f9f764e40f61c226e2ce357502597d877eb07ef0ece01c
+  metadata.gz: 0402fb83e5bcd05368db47bf8d5d61d6950f74a1d89a35cb21df88bc1db2a90e656116b062576ae6c6a6845f6b652091e3c60ee14cb0116950410a038c8125ec
+  data.tar.gz: aed00eea946310bdaf4de43303cfc7248c1570f80b4a50bd74f08be82ad1c68c4fd5fb2c55d4025214c9db1cb4c77c29c0f42cd3f6a86a1db5a5ffed9f95a849

data/.github/workflows/ci.yml

@@ -5,7 +5,7 @@ jobs:
     name: 'Test Suite'
     strategy:
       matrix:
-        ruby: [2.5, 2.6, 2.7, 3.0]
+        ruby: [2.7.6, 3.0.4, 3.1.2]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -21,6 +21,6 @@ jobs:
       - uses: actions/checkout@v2
       - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.0
+          ruby-version: 3.1
           bundler-cache: true
       - run: bundle exec rubocop

data/.rubocop.yml

@@ -1,6 +1,6 @@
 AllCops:
   NewCops: enable
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
 
 Lint/DuplicateMethods:
   Enabled: false

data/.tool-versions

@@ -0,0 +1 @@
+ruby 2.7.6

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 1.1.0 - October 16, 2022
+
+* **New**: Support for Ruby version 3.1.
+* **Removed**: I've removed support for Ruby 2.5 and 2.6. The new minimum supported Ruby version is 2.7.
+* **Fixed**: Updated dependencies to protect against CVEs.
+
+## 1.0.1 - August 28, 2021
+
+* **Fixed**: Update the `railties` dependency to protect against [CVE-2021-22942](https://discuss.rubyonrails.org/t/cve-2021-22942-possible-open-redirect-in-host-authorization-middleware/78722).
+
 ## 1.0.0 - May 11, 2021
 
-- Initial release
+* Initial release

data/CODE_OF_CONDUCT.md

@@ -39,7 +39,7 @@ This Code of Conduct applies within all community spaces, and also applies when
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at hi@tpritc.com. All complaints will be reviewed and investigated promptly and fairly.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at tom@tpritc.com. All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the reporter of any incident.
 

data/Gemfile.lock

@@ -1,26 +1,26 @@
 PATH
   remote: .
   specs:
-    verboten_keys (1.0.0)
+    verboten_keys (1.1.0)
       rack (>= 1.0, < 3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.1.3.2)
-      actionview (= 6.1.3.2)
-      activesupport (= 6.1.3.2)
+    actionpack (6.1.7)
+      actionview (= 6.1.7)
+      activesupport (= 6.1.7)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.3.2)
-      activesupport (= 6.1.3.2)
+    actionview (6.1.7)
+      activesupport (= 6.1.7)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.1.3.2)
+    activesupport (6.1.7)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -28,81 +28,89 @@ GEM
       zeitwerk (~> 2.3)
     ast (2.4.2)
     builder (3.2.4)
-    concurrent-ruby (1.1.8)
+    concurrent-ruby (1.1.10)
     crass (1.0.6)
-    diff-lcs (1.4.4)
-    erubi (1.10.0)
-    i18n (1.8.10)
+    diff-lcs (1.5.0)
+    erubi (1.11.0)
+    i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.9.1)
+    json (2.6.2)
+    loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
-    minitest (5.14.4)
-    nokogiri (1.11.3-x86_64-darwin)
+    mini_portile2 (2.8.0)
+    minitest (5.16.3)
+    nokogiri (1.13.8)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.11.3-x86_64-linux)
+    nokogiri (1.13.8-x86_64-darwin)
       racc (~> 1.4)
-    parallel (1.20.1)
-    parser (3.0.1.1)
+    nokogiri (1.13.8-x86_64-linux)
+      racc (~> 1.4)
+    parallel (1.22.1)
+    parser (3.1.2.1)
       ast (~> 2.4.1)
-    racc (1.5.2)
-    rack (2.2.3)
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    racc (1.6.0)
+    rack (2.2.4)
+    rack-test (2.0.2)
+      rack (>= 1.3)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
+    rails-html-sanitizer (1.4.3)
       loofah (~> 2.3)
-    railties (6.1.3.2)
-      actionpack (= 6.1.3.2)
-      activesupport (= 6.1.3.2)
+    railties (6.1.7)
+      actionpack (= 6.1.7)
+      activesupport (= 6.1.7)
       method_source
-      rake (>= 0.8.7)
+      rake (>= 12.2)
       thor (~> 1.0)
-    rainbow (3.0.0)
-    rake (13.0.3)
-    regexp_parser (2.1.1)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    regexp_parser (2.6.0)
     rexml (3.2.5)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
-    rubocop (1.14.0)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.1)
+    rubocop (1.36.0)
+      json (~> 2.3)
       parallel (~> 1.10)
-      parser (>= 3.0.0.0)
+      parser (>= 3.1.2.1)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
-      rexml
-      rubocop-ast (>= 1.5.0, < 2.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.20.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.5.0)
-      parser (>= 3.0.1.1)
-    rubocop-rake (0.5.1)
-      rubocop
-    rubocop-rspec (2.3.0)
+    rubocop-ast (1.21.0)
+      parser (>= 3.1.1.0)
+    rubocop-rake (0.6.0)
       rubocop (~> 1.0)
-      rubocop-ast (>= 1.1.0)
+    rubocop-rspec (2.13.2)
+      rubocop (~> 1.33)
     ruby-progressbar (1.11.0)
-    thor (1.1.0)
-    tzinfo (2.0.4)
+    thor (1.2.1)
+    tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.0.0)
-    zeitwerk (2.4.2)
+    unicode-display_width (2.3.0)
+    zeitwerk (2.6.1)
 
 PLATFORMS
+  ruby
   x86_64-darwin-20
+  x86_64-darwin-21
+  x86_64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
@@ -116,4 +124,4 @@ DEPENDENCIES
   verboten_keys!
 
 BUNDLED WITH
-   2.2.11
+   2.3.23

data/README.md

@@ -1,12 +1,12 @@
 # Verboten Keys
 
-Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs. It's Rack middleware that seamlessly integrates into any Rails or Sinatra project (or really anything that's based on Rack) and strips out any data that matches your list of forbidden keys.
+Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs. It's Rack middleware that seamlessly integrates into any Rails or Sinatra application (or really anything that's based on Rack) and strips out any data that matches your list of forbidden keys.
 
-It's a quick, easy, set-it-and-forget-it way to have peace of mind that nothing's getting out of your API that should be.
+It's a quick, easy, set-it-and-forget-it way to have the peace-of-mind that nothing's getting out of your API that shouldn't be.
 
 ## What it does
 
-Imagine you've got an API endpoint that returns a user's profile, and you've accidentally serialized the user incorrectly, and now it's returning your entire user object serialized as JSON:
+Imagine you've got an API endpoint that returns a user's profile, and you've accidentally serialized the user incorrectly and it's now returning your entire user object serialized as JSON:
 
 ```
 GET /api/v1/users/123
@@ -14,13 +14,13 @@ GET /api/v1/users/123
   'id': 123,
   'name': 'Jane Doe',
   'email': 'jane.doe@example.com',
-  'password_digest': '$FEUNCqbSZIOu7e1QblI...'
+  'deepest_secret': 'Framed their sibling for a murder they commited'
 }
 ```
 
 Oh no, this is a disaster!
 
-If only there was a way to automatically filter out accidents like this! This is where Verboten Keys helps out. If you had Verboten Keys in your application, and had `password_digest` set as a forbidden key, the exact same response would look like this:
+If only there was a way to automatically filter out accidents like this! This is where Verboten Keys helps out. If you had Verboten Keys in your application, and had `deepest_secret` set as a forbidden key, the exact same response would look like this:
 
 ```
 GET /api/v1/users/123
@@ -31,14 +31,14 @@ GET /api/v1/users/123
 }
 ```
 
-Verboten Keys is your last line of defense. When all else fails, we prevent you accidentally leaking private data.
+Verboten Keys filtered out the leaking `deepest_secret` while leaving the rest of the request intact. When all else fails, we prevent you accidentally leaking sensitive data. Verboten Keys is your last line of defense.
 
 ## Installation
 
 To install Verboten Keys in your app, simply add this line to your application's `Gemfile` and run `bundle install`:
 
 ```ruby
-gem 'verboten-keys'
+gem 'verboten_keys'
 ```
 
 ### Rails
@@ -51,13 +51,13 @@ If your application is using Sinatra, simply add the Verboten Keys middleware in
 
 ```ruby
 require 'sinatra'
-require 'verboten-keys'
+require 'verboten_keys'
 
 use Rack::Lint
 use VerbotenKeys::Middleware
 
 get '/hello' do
-  'Hello World'
+  { greeting: 'Hello, world!' }
 end
 ```
 
@@ -65,16 +65,18 @@ You should include it last, so nothing gets missed when the middleware parses an
 
 ## Configuration
 
-Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which takes a block and yields the current configuration:
+Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which yields a block with the current configuration:
 
 ```ruby
+# In config/initializers/verbotten_keys.rb:
+
 VerbotenKeys.configure do |config|
-  config.forbidden_keys = [:password, :password_digest, :secret_token]
+  config.forbidden_keys = [:deepest_secret, :secret_token]
   config.strategy = :remove
 end
 ```
 
-The `forbidden_keys` option lets you set the keys that will be filtered out of the response. It takes an array of symbols, and will raise an error if it's not in the right format. You should include all of the columns and attributes you absolutely _do not_ want to ever leak from your API. The default value is `[]`.
+The `forbidden_keys` option lets you set the keys that will be filtered out of the response. It takes an array of symbols, and will raise an error if it's not in the right format. You should include all of the columns and attributes you absolutely do not want to ever leak from your API. The default value is `[]`, which means you need to set this up otherwise Verboten Keys won't do anything.
 
 The `strategy` option lets you pick how Verboten Keys should handle a forbidden key it finds. The default value is `:remove`. Acceptable options are `:remove` and `:nullify`:
 
@@ -87,4 +89,4 @@ Bug reports and pull requests are welcome on [GitHub](https://github.com/tpritc/
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). If you or your organization need a custom, commercial license for any reason, [send me an email](mailto:hi@tpritc.com) and I'll be happy to set something up for you.
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). If you or your organization need a custom, commercial license for any reason, [send me an email](mailto:tom@tpritc.com) and I'll be happy to set something up for you.

data/lib/verboten_keys/filterer.rb

@@ -4,8 +4,7 @@ module VerbotenKeys
   class Filterer
     def self.filter_forbidden_keys(hash)
       hash
-        .map { |k, v| evaluate_key_value_pair(k, v) }
-        .to_h
+        .to_h { |k, v| evaluate_key_value_pair(k, v) }
         .delete_if { |k, _v| k.nil? }
     end
 

data/lib/verboten_keys/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module VerbotenKeys
-  VERSION = '1.0.0'
+  VERSION = '1.1.0'
 end

data/verboten_keys.gemspec

@@ -6,12 +6,12 @@ Gem::Specification.new do |spec|
   spec.name          = 'verboten_keys'
   spec.version       = VerbotenKeys::VERSION
   spec.authors       = ['Tom Pritchard']
-  spec.email         = ['hi@tpritc.com']
+  spec.email         = ['tom@tpritc.com']
 
   spec.summary       = 'Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs.'
   spec.homepage      = 'https://github.com/tpritc/verboten_keys'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
 
   spec.metadata['source_code_uri'] = 'https://github.com/tpritc/verboten_keys'
   spec.metadata['changelog_uri'] = 'https://github.com/tpritc/verboten_keys/blob/main/CHANGELOG.md'
@@ -20,7 +20,6 @@ Gem::Specification.new do |spec|
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
   spec.add_runtime_dependency 'rack', '>= 1.0', '< 3'
@@ -31,4 +30,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rubocop', '~> 1.7'
   spec.add_development_dependency 'rubocop-rake', '~> 0.5'
   spec.add_development_dependency 'rubocop-rspec', '~> 2.3'
+  spec.metadata['rubygems_mfa_required'] = 'true'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: verboten_keys
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Tom Pritchard
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-11 00:00:00.000000000 Z
+date: 2022-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -130,7 +130,7 @@ dependencies:
         version: '2.3'
 description:
 email:
-- hi@tpritc.com
+- tom@tpritc.com
 executables:
 - console
 - setup
@@ -141,6 +141,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".tool-versions"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -164,6 +165,7 @@ licenses:
 metadata:
   source_code_uri: https://github.com/tpritc/verboten_keys
   changelog_uri: https://github.com/tpritc/verboten_keys/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -172,14 +174,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Verboten Keys is a last line of defense to help prevent you and your team