active_median 0.2.4 → 0.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 86998cba53771c73de5fcc9c5dc8a869a4ff061029828dcf0ce8fab89852e346
-  data.tar.gz: 23482bad0017c7b16422e9be9961783a6674576a65955a6d228db22f556ef84b
+  metadata.gz: cbc48a266db4698647e93b35bdad3e2ed1fc131ec48a2a00e1ac33583f693c4d
+  data.tar.gz: 9e49da11f496e63c1fca879b7f6b509cbc80b6551f22743f9f586dfdf6f3d2f3
 SHA512:
-  metadata.gz: 6c5f02aa5f51169214536006caa8509b4fcc7041d1be680805388019d092f1517c54fbdb0738f4fa80d89609ea959ba1c741a83460c651da62288916c47e1a5e
-  data.tar.gz: d53d94e2835a54521a17977f035c04d40766d958473890cfcacfd4cae5d99d792fdea5c8f18ff975155f0d25d5854134c7770f1d0e578e70d5c4aceddeed115c
+  metadata.gz: 7c37697facc95126f6b11bd29831f0aa685b781242a729c86e938e9f4be0a0b7fbfadbdf8ae246f987f452bb7977de21f2f879860f945f1a7bc9db005f85dc49
+  data.tar.gz: d37c90a02b845b8a2cd8e41ed5109da758ca51c9921675f7f63e30e0921e430eed193d6ae02676e3aa08c5eaf97207d29fd8f50540e1be060924022aa818dc03

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.2.5 (2020-09-07)
+
+- Added warning for non-attribute argument
+
 ## 0.2.4 (2020-03-12)
 
 - Added `percentile` method

data/README.md

@@ -8,6 +8,7 @@ Supports:
 - MariaDB 10.3.3+
 - MySQL and SQL (with extensions)
 - SQL Server 2012+
+- MongoDB 2.1+
 
 :fire: Uses native functions for blazing performance
 
@@ -34,7 +35,7 @@ Item.median(:price)
 Percentile
 
 ```ruby
-Item.percentile(:price, 0.95)
+Request.percentile(:response_time, 0.95)
 ```
 
 Works with grouping, too
@@ -43,6 +44,19 @@ Works with grouping, too
 Order.group(:store_id).median(:total)
 ```
 
+## User Input
+
+If passing user input as the column, be sure to sanitize it first [like you must](https://rails-sqli.org/) with other aggregate methods like `sum`.
+
+```ruby
+column = params[:column]
+
+# check against permitted columns
+raise "Unpermitted column" unless ["column_a", "column_b"].include?(column)
+
+User.median(column)
+```
+
 ## Arrays and Hashes
 
 Median
@@ -54,7 +68,7 @@ Median
 Percentile
 
 ```ruby
-[1, 2, 3].percentile(0.75)
+[1, 2, 3].percentile(0.95)
 ```
 
 You can also pass a block
@@ -63,19 +77,6 @@ You can also pass a block
 {a: 1, b: 2, c: 3}.median { |k, v| v }
 ```
 
-## User Input
-
-If passing user input as the column, be sure to sanitize it first [like you must](https://rails-sqli.org/) with other aggregate methods like `sum`.
-
-```ruby
-column = params[:column]
-
-# check against permitted columns
-raise "Unpermitted column" unless ["column_a", "column_b"].include?(column)
-
-User.median(column)
-```
-
 ## Additional Instructions
 
 ### MySQL

data/lib/active_median/model.rb

@@ -8,6 +8,18 @@ module ActiveMedian
       percentile = percentile.to_f
       raise ArgumentError, "percentile is not between 0 and 1" if percentile < 0 || percentile > 1
 
+      # basic version of Active Record disallow_raw_sql!
+      # symbol = column (safe), Arel node = SQL (safe), other = untrusted
+      # matches table.column and column
+      unless column.is_a?(Symbol) || column.is_a?(Arel::Nodes::SqlLiteral) || /\A\w+(\.\w+)?\z/i.match(column.to_s)
+        warn "[active_median] Non-attribute argument: #{column}. Use Arel.sql() for known-safe values. This will raise an error in ActiveMedian 0.3.0"
+      end
+
+      # column resolution
+      node = relation.send(:arel_columns, [column]).first
+      node = Arel::Nodes::SqlLiteral.new(node) if node.is_a?(String)
+      column = relation.connection.visitor.accept(node, Arel::Collectors::SQLString.new).value
+
       # prevent SQL injection
       percentile = connection.quote(percentile)
 

data/lib/active_median/version.rb

@@ -1,3 +1,3 @@
 module ActiveMedian
-  VERSION = "0.2.4"
+  VERSION = "0.2.5"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: active_median
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.2.5
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-13 00:00:00.000000000 Z
+date: 2020-09-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport