Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
A bit of history: this gem was inspired by digging deeper into Draper with an eye on refactoring.
A common task for an application is to match its parts against each other, be it inferring a default model class for a controller, or looking up a decorator for a model, or whatever else.
Modern frameworks tend to use naming conventions over configuration to achieve that. Unfortunately, every one has to implement them on its own struggling through numerous bugs. Moreover, inconsistencies across these implementations lead to misunderstanding and endless tickets when actual behavior fails to meet user expectations based on other frameworks.
So, meet
It’s meant to be The One to Rule Them All — the library to provide a generic name-based lookup for a plenty of cases.
Install the gem and add to the application's Gemfile by executing:
$ bundle add magic-lookup
If bundler is not being used to manage dependencies, install the gem by executing:
$ gem install magic-lookup
These are the steps to set up an automatic class inference:
Magic::Lookup
..name_for
method for that class implementing your lookup logic.class Scope
extend Magic::Lookup
def self.name_for object_class
object_class.name
.delete_suffix('Model')
.concat('Scope')
end
end
class MyScope < Scope
end
Scope.for MyModel # => MyScope
Scope.for OtherModel # => nil
When no class is found, nil
is returned. If you need to raise an exception in this case, you can use Magic::Lookup::Error
like this:
scope_class = Scope.for(object.class) or
raise Magic::Lookup::Error.for(object, Scope)
Magic::Lookup::Error
is never raised internally and is meant to be used in your code that implements the lookup logic.
Lookup is provided not only for the class itself, but to any of its ancestors as well.
Both of matching classes — the target and its match — may be namespaced independently.
One can specify a namespace to look in:
Scope.for MyModel # => MyScope
Scope.for MyModel, MyNamespace # => MyNamespace::MyScope
Multiple default lookup namespaces may be set for the base class:
Scope.namespaces << MyNamespace # => [nil, MyNamespace]
Scope.for MyModel # => MyNamespace::MyScope
[!TIP] Until a comprehensive documentation on all the use cases is released, the spec is recommended as further reading. One can access it by running
rake
in the gem directory. The output is quite descriptive to get familiar with the use cases.
After checking out the repo, run bin/setup
to install dependencies. Then, run rake spec
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
.
Bug reports and pull requests are welcome on GitHub at https://github.com/Alexander-Senko/magic-lookup. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.
The gem is available as open source under the terms of the MIT License.
Everyone interacting in the Magic Lookup project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.
FAQs
Unknown package
We found that magic-lookup demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.