verboten_keys 1.0.0 → 1.1.0
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +2 -2
- data/.rubocop.yml +1 -1
- data/.tool-versions +1 -0
- data/CHANGELOG.md +11 -1
- data/CODE_OF_CONDUCT.md +1 -1
- data/Gemfile.lock +63 -55
- data/README.md +15 -13
- data/lib/verboten_keys/filterer.rb +1 -2
- data/lib/verboten_keys/version.rb +1 -1
- data/verboten_keys.gemspec +3 -3
- metadata +7 -5
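--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dde874b6a3422af5674b2bb84ea805f45f22d4c3005ba8be44a958c5e8b45205
+data.tar.gz: f7aa2967c3e2021db3f4bc72f90e94bb8c2d41d23b86aa687627c2c66059e651
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0402fb83e5bcd05368db47bf8d5d61d6950f74a1d89a35cb21df88bc1db2a90e656116b062576ae6c6a6845f6b652091e3c60ee14cb0116950410a038c8125ec
+data.tar.gz: aed00eea946310bdaf4de43303cfc7248c1570f80b4a50bd74f08be82ad1c68c4fd5fb2c55d4025214c9db1cb4c77c29c0f42cd3f6a86a1db5a5ffed9f95a849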
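--- a/data/.github/workflows/ci.yml
+++ b/data/.github/workflows/ci.yml
@@ -5,7 +5,7 @@ jobs:
 name: 'Test Suite'
 strategy:
 matrix:
-ruby: [2.
+ruby: [2.7.6, 3.0.4, 3.1.2]
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -21,6 +21,6 @@ jobs:
 - uses: actions/checkout@v2
 - uses: ruby/setup-ruby@v1
 with:
-ruby-version: 3.
+ruby-version: 3.1
 bundler-cache: true
 - run: bundle exec rubocop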
data/.rubocop.yml
CHANGED
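--- a/data/.tool-versions
+++ b/data/.tool-versions
@@ -0,0 +1 @@
+ruby 2.7.6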
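--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## 1.1.0 - October 16, 2022
+
+* **New**: Support for Ruby version 3.1.
+* **Removed**: I've removed support for Ruby 2.5 and 2.6. The new minimum supported Ruby version is 2.7.
+* **Fixed**: Updated dependencies to protect against CVEs.
+
+## 1.0.1 - August 28, 2021
+
+* **Fixed**: Update the `railties` dependency to protect against [CVE-2021-22942](https://discuss.rubyonrails.org/t/cve-2021-22942-possible-open-redirect-in-host-authorization-middleware/78722).
+
 ## 1.0.0 - May 11, 2021
 
-
+* Initial release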
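--- a/data/CODE_OF_CONDUCT.md
+++ b/data/CODE_OF_CONDUCT.md
@@ -39,7 +39,7 @@ This Code of Conduct applies within all community spaces, and also applies when
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at tom@tpritc.com. All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the reporter of any incident.
 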
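--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,26 +1,26 @@
 PATH
 remote: .
 specs:
-verboten_keys (1.
+verboten_keys (1.1.0)
 rack (>= 1.0, < 3)
 
 GEM
 remote: https://rubygems.org/
 specs:
-actionpack (6.1.
-actionview (= 6.1.
-activesupport (= 6.1.
+actionpack (6.1.7)
+actionview (= 6.1.7)
+activesupport (= 6.1.7)
 rack (~> 2.0, >= 2.0.9)
 rack-test (>= 0.6.3)
 rails-dom-testing (~> 2.0)
 rails-html-sanitizer (~> 1.0, >= 1.2.0)
-actionview (6.1.
-activesupport (= 6.1.
+actionview (6.1.7)
+activesupport (= 6.1.7)
 builder (~> 3.1)
 erubi (~> 1.4)
 rails-dom-testing (~> 2.0)
 rails-html-sanitizer (~> 1.1, >= 1.2.0)
-activesupport (6.1.
+activesupport (6.1.7)
 concurrent-ruby (~> 1.0, >= 1.0.2)
 i18n (>= 1.6, < 2)
 minitest (>= 5.1)
@@ -28,81 +28,89 @@ GEM
 zeitwerk (~> 2.3)
 ast (2.4.2)
 builder (3.2.4)
-concurrent-ruby (1.1.
+concurrent-ruby (1.1.10)
 crass (1.0.6)
-diff-lcs (1.
-erubi (1.
-i18n (1.
+diff-lcs (1.5.0)
+erubi (1.11.0)
+i18n (1.12.0)
 concurrent-ruby (~> 1.0)
-
+json (2.6.2)
+loofah (2.19.0)
 crass (~> 1.0.2)
 nokogiri (>= 1.5.9)
 method_source (1.0.0)
-
-
+mini_portile2 (2.8.0)
+minitest (5.16.3)
+nokogiri (1.13.8)
+mini_portile2 (~> 2.8.0)
 racc (~> 1.4)
-nokogiri (1.
+nokogiri (1.13.8-x86_64-darwin)
 racc (~> 1.4)
-
-
+nokogiri (1.13.8-x86_64-linux)
+racc (~> 1.4)
+parallel (1.22.1)
+parser (3.1.2.1)
 ast (~> 2.4.1)
-racc (1.
-rack (2.2.
-rack-test (
-rack (>= 1.
+racc (1.6.0)
+rack (2.2.4)
+rack-test (2.0.2)
+rack (>= 1.3)
 rails-dom-testing (2.0.3)
 activesupport (>= 4.2.0)
 nokogiri (>= 1.6)
-rails-html-sanitizer (1.3
+rails-html-sanitizer (1.4.3)
 loofah (~> 2.3)
-railties (6.1.
-actionpack (= 6.1.
-activesupport (= 6.1.
+railties (6.1.7)
+actionpack (= 6.1.7)
+activesupport (= 6.1.7)
 method_source
-rake (>=
+rake (>= 12.2)
 thor (~> 1.0)
-rainbow (3.
-rake (13.0.
-regexp_parser (2.
+rainbow (3.1.1)
+rake (13.0.6)
+regexp_parser (2.6.0)
 rexml (3.2.5)
-rspec (3.
-rspec-core (~> 3.
-rspec-expectations (~> 3.
-rspec-mocks (~> 3.
-rspec-core (3.
-rspec-support (~> 3.
-rspec-expectations (3.
+rspec (3.11.0)
+rspec-core (~> 3.11.0)
+rspec-expectations (~> 3.11.0)
+rspec-mocks (~> 3.11.0)
+rspec-core (3.11.0)
+rspec-support (~> 3.11.0)
+rspec-expectations (3.11.1)
 diff-lcs (>= 1.2.0, < 2.0)
-rspec-support (~> 3.
-rspec-mocks (3.
+rspec-support (~> 3.11.0)
+rspec-mocks (3.11.1)
 diff-lcs (>= 1.2.0, < 2.0)
-rspec-support (~> 3.
-rspec-support (3.
-rubocop (1.
+rspec-support (~> 3.11.0)
+rspec-support (3.11.1)
+rubocop (1.36.0)
+json (~> 2.3)
 parallel (~> 1.10)
-parser (>= 3.
+parser (>= 3.1.2.1)
 rainbow (>= 2.2.2, < 4.0)
 regexp_parser (>= 1.8, < 3.0)
-rexml
-rubocop-ast (>= 1.
+rexml (>= 3.2.5, < 4.0)
+rubocop-ast (>= 1.20.1, < 2.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (>= 1.4.0, < 3.0)
-rubocop-ast (1.
-parser (>= 3.
-rubocop-rake (0.
-rubocop
-rubocop-rspec (2.3.0)
+rubocop-ast (1.21.0)
+parser (>= 3.1.1.0)
+rubocop-rake (0.6.0)
 rubocop (~> 1.0)
-
+rubocop-rspec (2.13.2)
+rubocop (~> 1.33)
 ruby-progressbar (1.11.0)
-thor (1.1
-tzinfo (2.0.
+thor (1.2.1)
+tzinfo (2.0.5)
 concurrent-ruby (~> 1.0)
-unicode-display_width (2.
-zeitwerk (2.
+unicode-display_width (2.3.0)
+zeitwerk (2.6.1)
 
 PLATFORMS
+ruby
 x86_64-darwin-20
+x86_64-darwin-21
+x86_64-darwin-22
 x86_64-linux
 
 DEPENDENCIES
@@ -116,4 +124,4 @@ DEPENDENCIES
 verboten_keys!
 
 BUNDLED WITH
-2.
+2.3.23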
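--- a/data/README.md
+++ b/data/README.md
@@ -1,12 +1,12 @@
 # Verboten Keys
 
-Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs. It's Rack middleware that seamlessly integrates into any Rails or Sinatra
+Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs. It's Rack middleware that seamlessly integrates into any Rails or Sinatra application (or really anything that's based on Rack) and strips out any data that matches your list of forbidden keys.
 
-It's a quick, easy, set-it-and-forget-it way to have peace
+It's a quick, easy, set-it-and-forget-it way to have the peace-of-mind that nothing's getting out of your API that shouldn't be.
 
 ## What it does
 
-Imagine you've got an API endpoint that returns a user's profile, and you've accidentally serialized the user incorrectly
+Imagine you've got an API endpoint that returns a user's profile, and you've accidentally serialized the user incorrectly and it's now returning your entire user object serialized as JSON:
 
 ```
 GET /api/v1/users/123
@@ -14,13 +14,13 @@ GET /api/v1/users/123
 'id': 123,
 'name': 'Jane Doe',
 'email': 'jane.doe@example.com',
-'
+'deepest_secret': 'Framed their sibling for a murder they commited'
 }
 ```
 
 Oh no, this is a disaster!
 
-If only there was a way to automatically filter out accidents like this! This is where Verboten Keys helps out. If you had Verboten Keys in your application, and had `
+If only there was a way to automatically filter out accidents like this! This is where Verboten Keys helps out. If you had Verboten Keys in your application, and had `deepest_secret` set as a forbidden key, the exact same response would look like this:
 
 ```
 GET /api/v1/users/123
@@ -31,14 +31,14 @@ GET /api/v1/users/123
 }
 ```
 
-Verboten Keys
+Verboten Keys filtered out the leaking `deepest_secret` while leaving the rest of the request intact. When all else fails, we prevent you accidentally leaking sensitive data. Verboten Keys is your last line of defense.
 
 ## Installation
 
 To install Verboten Keys in your app, simply add this line to your application's `Gemfile` and run `bundle install`:
 
 ```ruby
-gem '
+gem 'verboten_keys'
 ```
 
 ### Rails
@@ -51,13 +51,13 @@ If your application is using Sinatra, simply add the Verboten Keys middleware in
 
 ```ruby
 require 'sinatra'
-require '
+require 'verboten_keys'
 
 use Rack::Lint
 use VerbotenKeys::Middleware
 
 get '/hello' do
-'Hello
+{ greeting: 'Hello, world!' }
 end
 ```
 
@@ -65,16 +65,18 @@ You should include it last, so nothing gets missed when the middleware parses an
 
 ## Configuration
 
-Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which
+Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which yields a block with the current configuration:
 
 ```ruby
+# In config/initializers/verbotten_keys.rb:
+
 VerbotenKeys.configure do |config|
-config.forbidden_keys = [:
+config.forbidden_keys = [:deepest_secret, :secret_token]
 config.strategy = :remove
 end
 ```
 
-The `forbidden_keys` option lets you set the keys that will be filtered out of the response. It takes an array of symbols, and will raise an error if it's not in the right format. You should include all of the columns and attributes you absolutely
+The `forbidden_keys` option lets you set the keys that will be filtered out of the response. It takes an array of symbols, and will raise an error if it's not in the right format. You should include all of the columns and attributes you absolutely do not want to ever leak from your API. The default value is `[]`, which means you need to set this up otherwise Verboten Keys won't do anything.
 
 The `strategy` option lets you pick how Verboten Keys should handle a forbidden key it finds. The default value is `:remove`. Acceptable options are `:remove` and `:nullify`:
 
@@ -87,4 +89,4 @@ Bug reports and pull requests are welcome on [GitHub](https://github.com/tpritc/
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). If you or your organization need a custom, commercial license for any reason, [send me an email](mailto:
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). If you or your organization need a custom, commercial license for any reason, [send me an email](mailto:tom@tpritc.com) and I'll be happy to set something up for you.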
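--- a/data/verboten_keys.gemspec
+++ b/data/verboten_keys.gemspec
@@ -6,12 +6,12 @@ Gem::Specification.new do |spec|
 spec.name = 'verboten_keys'
 spec.version = VerbotenKeys::VERSION
 spec.authors = ['Tom Pritchard']
-spec.email = ['
+spec.email = ['tom@tpritc.com']
 
 spec.summary = 'Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs.'
 spec.homepage = 'https://github.com/tpritc/verboten_keys'
 spec.license = 'MIT'
-spec.required_ruby_version = Gem::Requirement.new('>= 2.
+spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
 
 spec.metadata['source_code_uri'] = 'https://github.com/tpritc/verboten_keys'
 spec.metadata['changelog_uri'] = 'https://github.com/tpritc/verboten_keys/blob/main/CHANGELOG.md'
@@ -20,7 +20,6 @@ Gem::Specification.new do |spec|
 `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
 end
 spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 spec.require_paths = ['lib']
 
 spec.add_runtime_dependency 'rack', '>= 1.0', '< 3'
@@ -31,4 +30,5 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency 'rubocop', '~> 1.7'
 spec.add_development_dependency 'rubocop-rake', '~> 0.5'
 spec.add_development_dependency 'rubocop-rspec', '~> 2.3'
+spec.metadata['rubygems_mfa_required'] = 'true'
 end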
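Review bot: The new `spec.metadata['rubygems_mfa_required'] = 'true'` is placed after the development dependencies rather than with the other `spec.metadata[...]` entries left as context in the first hunk; moving it directly after the `changelog_uri` line keeps the publishing controls together, and the flag only governs pushes to the registry, not the artifact itself — the generated metadata below still shows `cert_chain: []` and an empty `signing_key:`, so the release remains unsigned. More substantively, the sole runtime dependency `spec.add_runtime_dependency 'rack', '>= 1.0', '< 3'` is unchanged, so the changelog's "Updated dependencies to protect against CVEs" appears to reach only Gemfile.lock, which pins this repository's development bundle and has no effect on what consumers resolve. If a rack advisory motivated the update, raising the floor here (for example `'>= 2.2.4', '< 3'`, matching the lockfile) is the only change that would propagate downstream; if the fixes were confined to development gems, a changelog wording that says so would avoid overstating the protection. The `Gem::Specification.new` block starts and its earlier lines lie outside these hunks.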
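--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: verboten_keys
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.1.0
 platform: ruby
 authors:
 - Tom Pritchard
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -130,7 +130,7 @@ dependencies:
 version: '2.3'
 description:
 email:
--
+- tom@tpritc.com
 executables:
 - console
 - setup
@@ -141,6 +141,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".tool-versions"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -164,6 +165,7 @@ licenses:
 metadata:
 source_code_uri: https://github.com/tpritc/verboten_keys
 changelog_uri: https://github.com/tpritc/verboten_keys/blob/main/CHANGELOG.md
+rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -172,14 +174,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.
+version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Verboten Keys is a last line of defense to help prevent you and your team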