active_median 0.2.4 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 86998cba53771c73de5fcc9c5dc8a869a4ff061029828dcf0ce8fab89852e346
4
- data.tar.gz: 23482bad0017c7b16422e9be9961783a6674576a65955a6d228db22f556ef84b
3
+ metadata.gz: cbc48a266db4698647e93b35bdad3e2ed1fc131ec48a2a00e1ac33583f693c4d
4
+ data.tar.gz: 9e49da11f496e63c1fca879b7f6b509cbc80b6551f22743f9f586dfdf6f3d2f3
5
5
  SHA512:
6
- metadata.gz: 6c5f02aa5f51169214536006caa8509b4fcc7041d1be680805388019d092f1517c54fbdb0738f4fa80d89609ea959ba1c741a83460c651da62288916c47e1a5e
7
- data.tar.gz: d53d94e2835a54521a17977f035c04d40766d958473890cfcacfd4cae5d99d792fdea5c8f18ff975155f0d25d5854134c7770f1d0e578e70d5c4aceddeed115c
6
+ metadata.gz: 7c37697facc95126f6b11bd29831f0aa685b781242a729c86e938e9f4be0a0b7fbfadbdf8ae246f987f452bb7977de21f2f879860f945f1a7bc9db005f85dc49
7
+ data.tar.gz: d37c90a02b845b8a2cd8e41ed5109da758ca51c9921675f7f63e30e0921e430eed193d6ae02676e3aa08c5eaf97207d29fd8f50540e1be060924022aa818dc03
@@ -1,3 +1,7 @@
1
+ ## 0.2.5 (2020-09-07)
2
+
3
+ - Added warning for non-attribute argument
4
+
1
5
  ## 0.2.4 (2020-03-12)
2
6
 
3
7
  - Added `percentile` method
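Review bot: The entry "Added warning for non-attribute argument" undersells what changed; the warning text in the library hunk says the same input "will raise an error in ActiveMedian 0.3.0", so this is a deprecation, not just a new message. Suggest stating that in the changelog line, e.g. "Added deprecation warning for non-attribute column arguments (will raise in 0.3.0); use `Arel.sql` for known-safe SQL", so readers know action is required before upgrading.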
data/README.md CHANGED
@@ -8,6 +8,7 @@ Supports:
8
8
  - MariaDB 10.3.3+
9
9
  - MySQL and SQL (with extensions)
10
10
  - SQL Server 2012+
11
+ - MongoDB 2.1+
11
12
 
12
13
  :fire: Uses native functions for blazing performance
13
14
 
@@ -34,7 +35,7 @@ Item.median(:price)
34
35
  Percentile
35
36
 
36
37
  ```ruby
37
- Item.percentile(:price, 0.95)
38
+ Request.percentile(:response_time, 0.95)
38
39
  ```
39
40
 
40
41
  Works with grouping, too
@@ -43,6 +44,19 @@ Works with grouping, too
43
44
  Order.group(:store_id).median(:total)
44
45
  ```
45
46
 
47
+ ## User Input
48
+
49
+ If passing user input as the column, be sure to sanitize it first [like you must](https://rails-sqli.org/) with other aggregate methods like `sum`.
50
+
51
+ ```ruby
52
+ column = params[:column]
53
+
54
+ # check against permitted columns
55
+ raise "Unpermitted column" unless ["column_a", "column_b"].include?(column)
56
+
57
+ User.median(column)
58
+ ```
59
+
46
60
  ## Arrays and Hashes
47
61
 
48
62
  Median
@@ -54,7 +68,7 @@ Median
54
68
  Percentile
55
69
 
56
70
  ```ruby
57
- [1, 2, 3].percentile(0.75)
71
+ [1, 2, 3].percentile(0.95)
58
72
  ```
59
73
 
60
74
  You can also pass a block
@@ -63,19 +77,6 @@ You can also pass a block
63
77
  {a: 1, b: 2, c: 3}.median { |k, v| v }
64
78
  ```
65
79
 
66
- ## User Input
67
-
68
- If passing user input as the column, be sure to sanitize it first [like you must](https://rails-sqli.org/) with other aggregate methods like `sum`.
69
-
70
- ```ruby
71
- column = params[:column]
72
-
73
- # check against permitted columns
74
- raise "Unpermitted column" unless ["column_a", "column_b"].include?(column)
75
-
76
- User.median(column)
77
- ```
78
-
79
80
  ## Additional Instructions
80
81
 
81
82
  ### MySQL
@@ -8,6 +8,18 @@ module ActiveMedian
8
8
  percentile = percentile.to_f
9
9
  raise ArgumentError, "percentile is not between 0 and 1" if percentile < 0 || percentile > 1
10
10
 
11
+ # basic version of Active Record disallow_raw_sql!
12
+ # symbol = column (safe), Arel node = SQL (safe), other = untrusted
13
+ # matches table.column and column
14
+ unless column.is_a?(Symbol) || column.is_a?(Arel::Nodes::SqlLiteral) || /\A\w+(\.\w+)?\z/i.match(column.to_s)
15
+ warn "[active_median] Non-attribute argument: #{column}. Use Arel.sql() for known-safe values. This will raise an error in ActiveMedian 0.3.0"
16
+ end
17
+
18
+ # column resolution
19
+ node = relation.send(:arel_columns, [column]).first
20
+ node = Arel::Nodes::SqlLiteral.new(node) if node.is_a?(String)
21
+ column = relation.connection.visitor.accept(node, Arel::Collectors::SQLString.new).value
22
+
11
23
  # prevent SQL injection
12
24
  percentile = connection.quote(percentile)
13
25
 
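Review bot: The check on line 14 of this hunk only warns; after `warn` the untrusted string still flows into `relation.send(:arel_columns, [column])`, and line 20 shows that a String coming back from that call is wrapped in `Arel::Nodes::SqlLiteral` and rendered by the visitor, i.e. emitted as raw SQL exactly as before. That is acceptable for a deprecation step, but the README "User Input" section and the changelog should say explicitly that 0.2.5 does not block non-attribute strings and that 0.3.0 will raise. Two smaller points: the `/i` flag on `/\A\w+(\.\w+)?\z/` is redundant because `\w` already matches both cases; and `relation.send(:arel_columns, ...)` reaches into a private Active Record method, so consider guarding it with `respond_to?(:arel_columns, true)` or documenting the Rails versions on which this resolution path was verified.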
@@ -1,3 +1,3 @@
1
1
  module ActiveMedian
2
- VERSION = "0.2.4"
2
+ VERSION = "0.2.5"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: active_median
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.4
4
+ version: 0.2.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Kane
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-03-13 00:00:00.000000000 Z
11
+ date: 2020-09-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport