verboten_keys 1.0.1 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +2 -2
- data/.rubocop.yml +1 -1
- data/.tool-versions +1 -0
- data/CHANGELOG.md +8 -2
- data/CODE_OF_CONDUCT.md +1 -1
- data/Gemfile.lock +62 -54
- data/README.md +7 -5
- data/lib/verboten_keys/filterer.rb +1 -2
- data/lib/verboten_keys/version.rb +1 -1
- data/verboten_keys.gemspec +3 -3
- metadata +7 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: dde874b6a3422af5674b2bb84ea805f45f22d4c3005ba8be44a958c5e8b45205
|
4
|
+
data.tar.gz: f7aa2967c3e2021db3f4bc72f90e94bb8c2d41d23b86aa687627c2c66059e651
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0402fb83e5bcd05368db47bf8d5d61d6950f74a1d89a35cb21df88bc1db2a90e656116b062576ae6c6a6845f6b652091e3c60ee14cb0116950410a038c8125ec
|
7
|
+
data.tar.gz: aed00eea946310bdaf4de43303cfc7248c1570f80b4a50bd74f08be82ad1c68c4fd5fb2c55d4025214c9db1cb4c77c29c0f42cd3f6a86a1db5a5ffed9f95a849
|
data/.github/workflows/ci.yml
CHANGED
@@ -5,7 +5,7 @@ jobs:
|
|
5
5
|
name: 'Test Suite'
|
6
6
|
strategy:
|
7
7
|
matrix:
|
8
|
-
ruby: [2.
|
8
|
+
ruby: [2.7.6, 3.0.4, 3.1.2]
|
9
9
|
runs-on: ubuntu-latest
|
10
10
|
steps:
|
11
11
|
- uses: actions/checkout@v2
|
@@ -21,6 +21,6 @@ jobs:
|
|
21
21
|
- uses: actions/checkout@v2
|
22
22
|
- uses: ruby/setup-ruby@v1
|
23
23
|
with:
|
24
|
-
ruby-version: 3.
|
24
|
+
ruby-version: 3.1
|
25
25
|
bundler-cache: true
|
26
26
|
- run: bundle exec rubocop
|
data/.rubocop.yml
CHANGED
data/.tool-versions
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
ruby 2.7.6
|
data/CHANGELOG.md
CHANGED
@@ -1,9 +1,15 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 1.1.0 - October 16, 2022
|
4
|
+
|
5
|
+
* **New**: Support for Ruby version 3.1.
|
6
|
+
* **Removed**: I've removed support for Ruby 2.5 and 2.6. The new minimum supported Ruby version is 2.7.
|
7
|
+
* **Fixed**: Updated dependencies to protect against CVEs.
|
8
|
+
|
3
9
|
## 1.0.1 - August 28, 2021
|
4
10
|
|
5
|
-
|
11
|
+
* **Fixed**: Update the `railties` dependency to protect against [CVE-2021-22942](https://discuss.rubyonrails.org/t/cve-2021-22942-possible-open-redirect-in-host-authorization-middleware/78722).
|
6
12
|
|
7
13
|
## 1.0.0 - May 11, 2021
|
8
14
|
|
9
|
-
|
15
|
+
* Initial release
|
data/CODE_OF_CONDUCT.md
CHANGED
@@ -39,7 +39,7 @@ This Code of Conduct applies within all community spaces, and also applies when
|
|
39
39
|
|
40
40
|
## Enforcement
|
41
41
|
|
42
|
-
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at
|
42
|
+
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at tom@tpritc.com. All complaints will be reviewed and investigated promptly and fairly.
|
43
43
|
|
44
44
|
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
|
45
45
|
|
data/Gemfile.lock
CHANGED
@@ -1,26 +1,26 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
verboten_keys (1.0
|
4
|
+
verboten_keys (1.1.0)
|
5
5
|
rack (>= 1.0, < 3)
|
6
6
|
|
7
7
|
GEM
|
8
8
|
remote: https://rubygems.org/
|
9
9
|
specs:
|
10
|
-
actionpack (6.1.
|
11
|
-
actionview (= 6.1.
|
12
|
-
activesupport (= 6.1.
|
10
|
+
actionpack (6.1.7)
|
11
|
+
actionview (= 6.1.7)
|
12
|
+
activesupport (= 6.1.7)
|
13
13
|
rack (~> 2.0, >= 2.0.9)
|
14
14
|
rack-test (>= 0.6.3)
|
15
15
|
rails-dom-testing (~> 2.0)
|
16
16
|
rails-html-sanitizer (~> 1.0, >= 1.2.0)
|
17
|
-
actionview (6.1.
|
18
|
-
activesupport (= 6.1.
|
17
|
+
actionview (6.1.7)
|
18
|
+
activesupport (= 6.1.7)
|
19
19
|
builder (~> 3.1)
|
20
20
|
erubi (~> 1.4)
|
21
21
|
rails-dom-testing (~> 2.0)
|
22
22
|
rails-html-sanitizer (~> 1.1, >= 1.2.0)
|
23
|
-
activesupport (6.1.
|
23
|
+
activesupport (6.1.7)
|
24
24
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
25
25
|
i18n (>= 1.6, < 2)
|
26
26
|
minitest (>= 5.1)
|
@@ -28,81 +28,89 @@ GEM
|
|
28
28
|
zeitwerk (~> 2.3)
|
29
29
|
ast (2.4.2)
|
30
30
|
builder (3.2.4)
|
31
|
-
concurrent-ruby (1.1.
|
31
|
+
concurrent-ruby (1.1.10)
|
32
32
|
crass (1.0.6)
|
33
|
-
diff-lcs (1.
|
34
|
-
erubi (1.
|
35
|
-
i18n (1.
|
33
|
+
diff-lcs (1.5.0)
|
34
|
+
erubi (1.11.0)
|
35
|
+
i18n (1.12.0)
|
36
36
|
concurrent-ruby (~> 1.0)
|
37
|
-
|
37
|
+
json (2.6.2)
|
38
|
+
loofah (2.19.0)
|
38
39
|
crass (~> 1.0.2)
|
39
40
|
nokogiri (>= 1.5.9)
|
40
41
|
method_source (1.0.0)
|
41
|
-
|
42
|
-
|
42
|
+
mini_portile2 (2.8.0)
|
43
|
+
minitest (5.16.3)
|
44
|
+
nokogiri (1.13.8)
|
45
|
+
mini_portile2 (~> 2.8.0)
|
43
46
|
racc (~> 1.4)
|
44
|
-
nokogiri (1.
|
47
|
+
nokogiri (1.13.8-x86_64-darwin)
|
45
48
|
racc (~> 1.4)
|
46
|
-
|
47
|
-
|
49
|
+
nokogiri (1.13.8-x86_64-linux)
|
50
|
+
racc (~> 1.4)
|
51
|
+
parallel (1.22.1)
|
52
|
+
parser (3.1.2.1)
|
48
53
|
ast (~> 2.4.1)
|
49
|
-
racc (1.
|
50
|
-
rack (2.2.
|
51
|
-
rack-test (
|
52
|
-
rack (>= 1.
|
54
|
+
racc (1.6.0)
|
55
|
+
rack (2.2.4)
|
56
|
+
rack-test (2.0.2)
|
57
|
+
rack (>= 1.3)
|
53
58
|
rails-dom-testing (2.0.3)
|
54
59
|
activesupport (>= 4.2.0)
|
55
60
|
nokogiri (>= 1.6)
|
56
|
-
rails-html-sanitizer (1.4.
|
61
|
+
rails-html-sanitizer (1.4.3)
|
57
62
|
loofah (~> 2.3)
|
58
|
-
railties (6.1.
|
59
|
-
actionpack (= 6.1.
|
60
|
-
activesupport (= 6.1.
|
63
|
+
railties (6.1.7)
|
64
|
+
actionpack (= 6.1.7)
|
65
|
+
activesupport (= 6.1.7)
|
61
66
|
method_source
|
62
|
-
rake (>=
|
67
|
+
rake (>= 12.2)
|
63
68
|
thor (~> 1.0)
|
64
|
-
rainbow (3.
|
69
|
+
rainbow (3.1.1)
|
65
70
|
rake (13.0.6)
|
66
|
-
regexp_parser (2.
|
71
|
+
regexp_parser (2.6.0)
|
67
72
|
rexml (3.2.5)
|
68
|
-
rspec (3.
|
69
|
-
rspec-core (~> 3.
|
70
|
-
rspec-expectations (~> 3.
|
71
|
-
rspec-mocks (~> 3.
|
72
|
-
rspec-core (3.
|
73
|
-
rspec-support (~> 3.
|
74
|
-
rspec-expectations (3.
|
73
|
+
rspec (3.11.0)
|
74
|
+
rspec-core (~> 3.11.0)
|
75
|
+
rspec-expectations (~> 3.11.0)
|
76
|
+
rspec-mocks (~> 3.11.0)
|
77
|
+
rspec-core (3.11.0)
|
78
|
+
rspec-support (~> 3.11.0)
|
79
|
+
rspec-expectations (3.11.1)
|
75
80
|
diff-lcs (>= 1.2.0, < 2.0)
|
76
|
-
rspec-support (~> 3.
|
77
|
-
rspec-mocks (3.
|
81
|
+
rspec-support (~> 3.11.0)
|
82
|
+
rspec-mocks (3.11.1)
|
78
83
|
diff-lcs (>= 1.2.0, < 2.0)
|
79
|
-
rspec-support (~> 3.
|
80
|
-
rspec-support (3.
|
81
|
-
rubocop (1.
|
84
|
+
rspec-support (~> 3.11.0)
|
85
|
+
rspec-support (3.11.1)
|
86
|
+
rubocop (1.36.0)
|
87
|
+
json (~> 2.3)
|
82
88
|
parallel (~> 1.10)
|
83
|
-
parser (>= 3.
|
89
|
+
parser (>= 3.1.2.1)
|
84
90
|
rainbow (>= 2.2.2, < 4.0)
|
85
91
|
regexp_parser (>= 1.8, < 3.0)
|
86
|
-
rexml
|
87
|
-
rubocop-ast (>= 1.
|
92
|
+
rexml (>= 3.2.5, < 4.0)
|
93
|
+
rubocop-ast (>= 1.20.1, < 2.0)
|
88
94
|
ruby-progressbar (~> 1.7)
|
89
95
|
unicode-display_width (>= 1.4.0, < 3.0)
|
90
|
-
rubocop-ast (1.
|
91
|
-
parser (>= 3.
|
92
|
-
rubocop-rake (0.
|
93
|
-
rubocop
|
94
|
-
rubocop-rspec (2.3.0)
|
96
|
+
rubocop-ast (1.21.0)
|
97
|
+
parser (>= 3.1.1.0)
|
98
|
+
rubocop-rake (0.6.0)
|
95
99
|
rubocop (~> 1.0)
|
96
|
-
|
100
|
+
rubocop-rspec (2.13.2)
|
101
|
+
rubocop (~> 1.33)
|
97
102
|
ruby-progressbar (1.11.0)
|
98
|
-
thor (1.1
|
99
|
-
tzinfo (2.0.
|
103
|
+
thor (1.2.1)
|
104
|
+
tzinfo (2.0.5)
|
100
105
|
concurrent-ruby (~> 1.0)
|
101
|
-
unicode-display_width (2.
|
102
|
-
zeitwerk (2.
|
106
|
+
unicode-display_width (2.3.0)
|
107
|
+
zeitwerk (2.6.1)
|
103
108
|
|
104
109
|
PLATFORMS
|
110
|
+
ruby
|
105
111
|
x86_64-darwin-20
|
112
|
+
x86_64-darwin-21
|
113
|
+
x86_64-darwin-22
|
106
114
|
x86_64-linux
|
107
115
|
|
108
116
|
DEPENDENCIES
|
@@ -116,4 +124,4 @@ DEPENDENCIES
|
|
116
124
|
verboten_keys!
|
117
125
|
|
118
126
|
BUNDLED WITH
|
119
|
-
2.
|
127
|
+
2.3.23
|
data/README.md
CHANGED
@@ -14,13 +14,13 @@ GET /api/v1/users/123
|
|
14
14
|
'id': 123,
|
15
15
|
'name': 'Jane Doe',
|
16
16
|
'email': 'jane.doe@example.com',
|
17
|
-
'
|
17
|
+
'deepest_secret': 'Framed their sibling for a murder they commited'
|
18
18
|
}
|
19
19
|
```
|
20
20
|
|
21
21
|
Oh no, this is a disaster!
|
22
22
|
|
23
|
-
If only there was a way to automatically filter out accidents like this! This is where Verboten Keys helps out. If you had Verboten Keys in your application, and had `
|
23
|
+
If only there was a way to automatically filter out accidents like this! This is where Verboten Keys helps out. If you had Verboten Keys in your application, and had `deepest_secret` set as a forbidden key, the exact same response would look like this:
|
24
24
|
|
25
25
|
```
|
26
26
|
GET /api/v1/users/123
|
@@ -31,7 +31,7 @@ GET /api/v1/users/123
|
|
31
31
|
}
|
32
32
|
```
|
33
33
|
|
34
|
-
Verboten Keys filtered out the leaking `
|
34
|
+
Verboten Keys filtered out the leaking `deepest_secret` while leaving the rest of the request intact. When all else fails, we prevent you accidentally leaking sensitive data. Verboten Keys is your last line of defense.
|
35
35
|
|
36
36
|
## Installation
|
37
37
|
|
@@ -68,8 +68,10 @@ You should include it last, so nothing gets missed when the middleware parses an
|
|
68
68
|
Every application has its own security needs, and Verboten Keys is designed to be configurable, so you can get it just so. To configure Verboten Keys, simply call its `configure` method, which yields a block with the current configuration:
|
69
69
|
|
70
70
|
```ruby
|
71
|
+
# In config/initializers/verbotten_keys.rb:
|
72
|
+
|
71
73
|
VerbotenKeys.configure do |config|
|
72
|
-
config.forbidden_keys = [:
|
74
|
+
config.forbidden_keys = [:deepest_secret, :secret_token]
|
73
75
|
config.strategy = :remove
|
74
76
|
end
|
75
77
|
```
|
@@ -87,4 +89,4 @@ Bug reports and pull requests are welcome on [GitHub](https://github.com/tpritc/
|
|
87
89
|
|
88
90
|
## License
|
89
91
|
|
90
|
-
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). If you or your organization need a custom, commercial license for any reason, [send me an email](mailto:
|
92
|
+
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT). If you or your organization need a custom, commercial license for any reason, [send me an email](mailto:tom@tpritc.com) and I'll be happy to set something up for you.
|
data/verboten_keys.gemspec
CHANGED
@@ -6,12 +6,12 @@ Gem::Specification.new do |spec|
|
|
6
6
|
spec.name = 'verboten_keys'
|
7
7
|
spec.version = VerbotenKeys::VERSION
|
8
8
|
spec.authors = ['Tom Pritchard']
|
9
|
-
spec.email = ['
|
9
|
+
spec.email = ['tom@tpritc.com']
|
10
10
|
|
11
11
|
spec.summary = 'Verboten Keys is a last line of defense to help prevent you and your team from accidentally leaking private information via your APIs.'
|
12
12
|
spec.homepage = 'https://github.com/tpritc/verboten_keys'
|
13
13
|
spec.license = 'MIT'
|
14
|
-
spec.required_ruby_version = Gem::Requirement.new('>= 2.
|
14
|
+
spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
|
15
15
|
|
16
16
|
spec.metadata['source_code_uri'] = 'https://github.com/tpritc/verboten_keys'
|
17
17
|
spec.metadata['changelog_uri'] = 'https://github.com/tpritc/verboten_keys/blob/main/CHANGELOG.md'
|
@@ -20,7 +20,6 @@ Gem::Specification.new do |spec|
|
|
20
20
|
`git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
21
21
|
end
|
22
22
|
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
|
23
|
-
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
24
23
|
spec.require_paths = ['lib']
|
25
24
|
|
26
25
|
spec.add_runtime_dependency 'rack', '>= 1.0', '< 3'
|
@@ -31,4 +30,5 @@ Gem::Specification.new do |spec|
|
|
31
30
|
spec.add_development_dependency 'rubocop', '~> 1.7'
|
32
31
|
spec.add_development_dependency 'rubocop-rake', '~> 0.5'
|
33
32
|
spec.add_development_dependency 'rubocop-rspec', '~> 2.3'
|
33
|
+
spec.metadata['rubygems_mfa_required'] = 'true'
|
34
34
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: verboten_keys
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0
|
4
|
+
version: 1.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tom Pritchard
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-10-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -130,7 +130,7 @@ dependencies:
|
|
130
130
|
version: '2.3'
|
131
131
|
description:
|
132
132
|
email:
|
133
|
-
-
|
133
|
+
- tom@tpritc.com
|
134
134
|
executables:
|
135
135
|
- console
|
136
136
|
- setup
|
@@ -141,6 +141,7 @@ files:
|
|
141
141
|
- ".gitignore"
|
142
142
|
- ".rspec"
|
143
143
|
- ".rubocop.yml"
|
144
|
+
- ".tool-versions"
|
144
145
|
- CHANGELOG.md
|
145
146
|
- CODE_OF_CONDUCT.md
|
146
147
|
- Gemfile
|
@@ -164,6 +165,7 @@ licenses:
|
|
164
165
|
metadata:
|
165
166
|
source_code_uri: https://github.com/tpritc/verboten_keys
|
166
167
|
changelog_uri: https://github.com/tpritc/verboten_keys/blob/main/CHANGELOG.md
|
168
|
+
rubygems_mfa_required: 'true'
|
167
169
|
post_install_message:
|
168
170
|
rdoc_options: []
|
169
171
|
require_paths:
|
@@ -172,14 +174,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
172
174
|
requirements:
|
173
175
|
- - ">="
|
174
176
|
- !ruby/object:Gem::Version
|
175
|
-
version: 2.
|
177
|
+
version: 2.7.0
|
176
178
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
177
179
|
requirements:
|
178
180
|
- - ">="
|
179
181
|
- !ruby/object:Gem::Version
|
180
182
|
version: '0'
|
181
183
|
requirements: []
|
182
|
-
rubygems_version: 3.
|
184
|
+
rubygems_version: 3.1.6
|
183
185
|
signing_key:
|
184
186
|
specification_version: 4
|
185
187
|
summary: Verboten Keys is a last line of defense to help prevent you and your team
|