verboten_keys 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25f79502f4a51d148ef9fc89c1c6883fd754868bbc27f8c53db220e4a4ad227b
-  data.tar.gz: c688bf6e1dc5ebb4e75dd670cb9b81950ae161f454e7258356ce46c454d3b73d
+  metadata.gz: c52ed1ed9e73caade0a8e5c853f9b3dd6c77da8638d8fd91898481e582472669
+  data.tar.gz: bfa901bb3430df012d1889f1f088da5405492fede5cc58cea19ae267f65ce42e
 SHA512:
-  metadata.gz: 06c3248d1379afb108ee4f98f3805a44162fb986f3b58a483079c1afd205dae9c128a679e4f3aff0aed0220bea6c3cc83988050cdd10be0da3816b3d80f41a45
-  data.tar.gz: 6ced8772a5aa49723113b76f109be121332a06ed6401adc7ed2b7063afc5e768b25e91e2573fe183b6f9f764e40f61c226e2ce357502597d877eb07ef0ece01c
+  metadata.gz: fa3dd9b6736deae8bd3c02017cf8bf3c7fd30cac97363261a0f180bd0c367933c0d9cebb81131c07a8da20a9ce4173fadb12d93ba1b63529fb895170797ad698
+  data.tar.gz: 043f9bab13f99bfb969819be266330c0ce4e4376b65d3aaa6bf887ffe054854acf83ceefdb867200cb7e05873c1d04df2b2125d52f45e54ecddfd56e90328d3f

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.0.1 - August 28, 2021
+
+- Update the `railties` dependency to protect against [CVE-2021-22942](https://discuss.rubyonrails.org/t/cve-2021-22942-possible-open-redirect-in-host-authorization-middleware/78722)
+
 ## 1.0.0 - May 11, 2021
 
 - Initial release

data/Gemfile.lock

@@ -1,26 +1,26 @@
 PATH
   remote: .
   specs:
-    verboten_keys (1.0.0)
+    verboten_keys (1.0.1)
       rack (>= 1.0, < 3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.1.3.2)
-      actionview (= 6.1.3.2)
-      activesupport (= 6.1.3.2)
+    actionpack (6.1.4.1)
+      actionview (= 6.1.4.1)
+      activesupport (= 6.1.4.1)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.3.2)
-      activesupport (= 6.1.3.2)
+    actionview (6.1.4.1)
+      activesupport (= 6.1.4.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.1.3.2)
+    activesupport (6.1.4.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -28,20 +28,20 @@ GEM
       zeitwerk (~> 2.3)
     ast (2.4.2)
     builder (3.2.4)
-    concurrent-ruby (1.1.8)
+    concurrent-ruby (1.1.9)
     crass (1.0.6)
     diff-lcs (1.4.4)
     erubi (1.10.0)
     i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.9.1)
+    loofah (2.12.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
     minitest (5.14.4)
-    nokogiri (1.11.3-x86_64-darwin)
+    nokogiri (1.12.3-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.11.3-x86_64-linux)
+    nokogiri (1.12.3-x86_64-linux)
       racc (~> 1.4)
     parallel (1.20.1)
     parser (3.0.1.1)
@@ -53,16 +53,16 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
+    rails-html-sanitizer (1.4.2)
       loofah (~> 2.3)
-    railties (6.1.3.2)
-      actionpack (= 6.1.3.2)
-      activesupport (= 6.1.3.2)
+    railties (6.1.4.1)
+      actionpack (= 6.1.4.1)
+      activesupport (= 6.1.4.1)
       method_source
-      rake (>= 0.8.7)
+      rake (>= 0.13)
       thor (~> 1.0)
     rainbow (3.0.0)
-    rake (13.0.3)
+    rake (13.0.6)
     regexp_parser (2.1.1)
     rexml (3.2.5)
     rspec (3.10.0)

data/README.md

@@ -1,12 +1,12 @@
 # Verboten Keys
 
-Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs. It's Rack middleware that seamlessly integrates into any Rails or Sinatra project (or really anything that's based on Rack) and strips out any data that matches your list of forbidden keys.
+Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs. It's Rack middleware that seamlessly integrates into any Rails or Sinatra application (or really anything that's based on Rack) and strips out any data that matches your list of forbidden keys.
 
-It's a quick, easy, set-it-and-forget-it way to have peace of mind that nothing's getting out of your API that should be.
+It's a quick, easy, set-it-and-forget-it way to have the peace-of-mind that nothing's getting out of your API that shouldn't be.
 
 ## What it does
 
-Imagine you've got an API endpoint that returns a user's profile, and you've accidentally serialized the user incorrectly, and now it's returning your entire user object serialized as JSON:
+Imagine you've got an API endpoint that returns a user's profile, and you've accidentally serialized the user incorrectly and it's now returning your entire user object serialized as JSON:
 
 ```
 GET /api/v1/users/123
@@ -31,14 +31,14 @@ GET /api/v1/users/123
 }
 ```
 
-Verboten Keys is your last line of defense. When all else fails, we prevent you accidentally leaking private data.
+Verboten Keys filtered out the leaking `password_digest` while leaving the rest of the request intact. When all else fails, we prevent you accidentally leaking sensitive data. Verboten Keys is your last line of defense.
 
 ## Installation
 
 To install Verboten Keys in your app, simply add this line to your application's `Gemfile` and run `bundle install`:
 
 ```ruby
-gem 'verboten-keys'
+gem 'verboten_keys'
 ```
 
 ### Rails
@@ -51,13 +51,13 @@ If your application is using Sinatra, simply add the Verboten Keys middleware in
 
 ```ruby
 require 'sinatra'
-require 'verboten-keys'
+require 'verboten_keys'
 
 use Rack::Lint
 use VerbotenKeys::Middleware
 
 get '/hello' do
-  'Hello World'
+  { greeting: 'Hello, world!' }
 end
 ```
 
@@ -65,7 +65,7 @@ You should include it last, so nothing gets missed when the middleware parses an
 
 ## Configuration
 
-Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which takes a block and yields the current configuration:
+Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which yields a block with the current configuration:
 
 ```ruby
 VerbotenKeys.configure do |config|
@@ -74,7 +74,7 @@ VerbotenKeys.configure do |config|
 end
 ```
 
-The `forbidden_keys` option lets you set the keys that will be filtered out of the response. It takes an array of symbols, and will raise an error if it's not in the right format. You should include all of the columns and attributes you absolutely _do not_ want to ever leak from your API. The default value is `[]`.
+The `forbidden_keys` option lets you set the keys that will be filtered out of the response. It takes an array of symbols, and will raise an error if it's not in the right format. You should include all of the columns and attributes you absolutely do not want to ever leak from your API. The default value is `[]`, which means you need to set this up otherwise Verboten Keys won't do anything.
 
 The `strategy` option lets you pick how Verboten Keys should handle a forbidden key it finds. The default value is `:remove`. Acceptable options are `:remove` and `:nullify`:
 

data/lib/verboten_keys/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module VerbotenKeys
-  VERSION = '1.0.0'
+  VERSION = '1.0.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: verboten_keys
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Tom Pritchard
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-11 00:00:00.000000000 Z
+date: 2021-08-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack