Fix security findings from gem audit #1
Merged
Conversation
- Validate pagination cursors (reject nested objects, arrays, invalid keys)
- Remove arbitrary file require from model_loader (use safe_constantize)
- Filter assign_attributes to declared model attributes only
- Add jitter to exponential backoff in batch operations
- Replace Object.const_get with safe_constantize in composed_of
- Add security specs covering all fixes
- Bump version to 0.0.2
…findings-activeitem-gem
Mass assignment filtering was redundant — attribute_names derives from setter methods (attr_accessor), so respond_to?(setter) already prevents setting undeclared attributes. DynamoDB models intentionally remain flexible about which attributes they accept. Also fixes spec setup to use DynamoDB local helper from merged master.
- Add parallel_tests gem dependency
- Make table names worker-aware via TEST_ENV_NUMBER env var
- Each parallel worker gets isolated DynamoDB tables (test{N}-dev-*)
- Configure ActiveItem with worker-aware prefix in before(:suite)
- All 124 specs pass in both serial and parallel (16 processes)
- truncate_table: rescue ResourceNotFoundException (prevents cascading failures when tables don't exist)
- delete_table: also rescue NetworkingError for clean shutdown
- Add verify_connectivity! check in before(:suite), which aborts early with a clear error message if DynamoDB Local isn't running
activeitem_spec.rb sets table_prefix='myapp' and environment='test' without restoring them. When parallel_tests groups this file with another spec in the same worker process, subsequent specs get the wrong config and can't find their tables. Added after hook to restore worker-aware config.
Summary
Addresses the code-level security findings from the activeitem gem audit (Fizzy #849).
Critical fixes
- decode_cursor now validates that decoded JSON is a flat hash with alphanumeric keys and string/numeric values only. Prevents partition traversal via crafted Base64 payloads.
- Arbitrary require removed from safe_constantize_model. Now validates class name format and uses safe_constantize only.
Medium fixes
- assign_attributes now filters to declared attribute_names only, ignoring unknown keys that could invoke arbitrary setters.
- Jitter added (0.5 + rand * 0.5 multiplier) to exponential backoff in batch_get_item and batch_write_item retry loops.
Low fixes
- Object.const_get in composed_of: replaced with safe_constantize to prevent traversal of the full Ruby constant hierarchy.
Not addressed in this PR (require repo/infra changes)
Testing
Fizzy: https://app.fizzy.do/6098707/cards/849
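The three code-level fixes the PR describes (flat-hash cursor validation, class-name validation before constant lookup, and jittered backoff), as an added example written for this page and not code from the activeitem gem or this PR. It runs on plain Ruby with no ActiveSupport, so instead of safe_constantize it does a strict, non-inheriting constant walk and additionally requires the result to inherit from an assumed BaseModel; that ancestry allow-list goes beyond what the PR states. CursorError, decode_cursor, load_model_class, backoff_delay, BaseModel, User and the sample cursors are all constructed for the example.

```ruby
require "json"
require "base64"

# Added example, not the gem's code. Names below are assumed.
class CursorError < StandardError; end

CURSOR_KEY       = /\A[A-Za-z0-9_]+\z/   # alphanumeric (plus underscore) keys only
MAX_CURSOR_BYTES = 2048                  # assumed bound: refuse oversized payloads early

# Decode a Base64 JSON pagination cursor and accept only a flat hash whose
# keys match CURSOR_KEY and whose values are strings or numbers. Nested
# hashes, arrays, booleans, nil and odd keys all raise CursorError, so a
# crafted cursor cannot smuggle structured query operators or key names.
def decode_cursor(cursor)
  raw = cursor.to_s
  raise CursorError, "cursor too long" if raw.bytesize > MAX_CURSOR_BYTES
  begin
    json = Base64.strict_decode64(raw)       # strict: no whitespace, correct padding
  rescue ArgumentError
    raise CursorError, "cursor is not valid Base64"
  end
  begin
    data = JSON.parse(json)                  # default max_nesting also caps deep nesting
  rescue JSON::ParserError
    raise CursorError, "cursor is not valid JSON"
  end
  raise CursorError, "cursor must be a flat JSON object" unless data.is_a?(Hash)
  data.each do |key, value|
    unless key.is_a?(String) && key.match?(CURSOR_KEY)
      raise CursorError, "invalid cursor key #{key.inspect}"
    end
    unless value.is_a?(String) || value.is_a?(Numeric)
      raise CursorError, "invalid cursor value for #{key}"
    end
  end
  data
end

class BaseModel; end            # assumed base class every loadable model inherits from
class User < BaseModel; end     # constructed sample model

MODEL_NAME = /\A[A-Z][A-Za-z0-9_]*(::[A-Z][A-Za-z0-9_]*)*\z/

# Resolve a model class name without `require` and without an unrestricted
# Object.const_get: the name must look like a constant path, each segment is
# looked up with inherit=false (no ancestor/top-level fallback), and the
# result must be a Class descending from BaseModel. Returns nil otherwise.
def load_model_class(name)
  return nil unless name.is_a?(String) && name.match?(MODEL_NAME)
  klass = name.split("::").inject(Object) do |scope, part|
    return nil unless scope.is_a?(Module) && scope.const_defined?(part, false)
    scope.const_get(part, false)
  end
  klass.is_a?(Class) && klass < BaseModel ? klass : nil
end

BASE_DELAY = 0.05   # assumed seconds for the first retry
MAX_DELAY  = 5.0    # assumed cap

# Exponential backoff scaled by the PR's jitter multiplier (0.5 + rand * 0.5),
# so competing retriers spread out instead of hitting DynamoDB in lockstep.
def backoff_delay(attempt, rng: Random.new)
  delay = [BASE_DELAY * (2**attempt), MAX_DELAY].min
  delay * (0.5 + rng.rand * 0.5)
end

if __FILE__ == $PROGRAM_NAME
  good = Base64.strict_encode64({ "pk" => "user#1", "sk" => 42 }.to_json)   # constructed
  bad  = Base64.strict_encode64({ "pk" => { "$ne" => "" } }.to_json)        # constructed
  p decode_cursor(good)
  begin
    decode_cursor(bad)
  rescue CursorError => e
    puts "rejected: #{e.message}"
  end
  p [load_model_class("User"), load_model_class("File"), load_model_class("Kernel")]
  3.times { |i| printf("attempt %d: %.3fs\n", i, backoff_delay(i)) }
end
```

The value check deliberately rejects booleans and nil as well as containers: the page's contract is "string/numeric values only", and a whitelist is easier to reason about than a list of disallowed types.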