apicasso 0.4.11 → 0.5.0

data/app/controllers/apicasso/application_controller.rb

@@ -7,9 +7,14 @@ module Apicasso
   class ApplicationController < ActionController::API
     include ActionController::HttpAuthentication::Token::ControllerMethods
     prepend_before_action :restrict_access, unless: -> { preflight? }
+    prepend_before_action :klasses_allowed
     before_action :set_access_control_headers
+    before_action :set_root_resource
+    before_action :bad_request?
     after_action :register_api_request
 
+    include SqlSecurity
+
     # Sets the authorization scope for the current API key, it's a getter
     # to make scoping easier
     def current_ability
@@ -65,6 +70,21 @@ module Apicasso
       }
     end
 
+    # Common setup to stablish which model is the resource of this request
+    def set_root_resource
+      @root_resource = params[:resource].classify.constantize
+    end
+
+    # Setup to stablish the nested model to be queried
+    def set_nested_resource
+      @nested_resource = @object.send(params[:nested].underscore.pluralize)
+    end
+
+    # Reutrns root_resource if nested_resource is not set scoped by permissions
+    def resource
+      (@nested_resource || @root_resource)
+    end
+
     # A method to extract all assosciations available
     def associations_array
       resource.reflect_on_all_associations.map { |association| association.name.to_s }
@@ -107,7 +127,7 @@ module Apicasso
     # insertion point for a change on splitting method.
     def parsed_select
       params[:select].split(',').map do |field|
-        field if @records.column_names.include?(field)
+        field if resource.column_names.include?(field)
       end
     rescue NoMethodError
       []
@@ -143,6 +163,25 @@ module Apicasso
       uri.to_s
     end
 
+    # Check for a bad request to be more secure
+    def klasses_allowed
+      raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless descendants_included?
+    end
+
+    # Check if it's a descendant model allowed
+    def descendants_included?
+      DESCENDANTS_UNDERSCORED.include?(param_attribute.to_s.underscore)
+    end
+
+    # Get param to be compared
+    def param_attribute
+      representative_resource.singularize
+    end
+
+    def representative_resource
+      (params[:nested] || params[:resource] || controller_name)
+    end
+
     # Receives a `:action, :resource, :object` hash to validate authorization
     # Example:
     #   > authorize_for action: :read, resource: :object_class, object: :object
@@ -151,6 +190,12 @@ module Apicasso
       authorize! opts[:action], opts[:object] if opts[:object].present?
     end
 
+    # Check for SQL injection before requests and
+    # raise a exception when find
+    def bad_request?
+      raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless sql_injection(resource)
+    end
+
     # @TODO
     # Remove this in favor of a more controllable aproach of CORS
     def set_access_control_headers

data/app/controllers/apicasso/crud_controller.rb

@@ -3,10 +3,9 @@
 module Apicasso
   # Controller to consume read-only data to be used on client's frontend
   class CrudController < Apicasso::ApplicationController
-    before_action :set_root_resource
     before_action :set_object, except: %i[index create schema]
     before_action :set_nested_resource, only: %i[nested_index]
-    before_action :set_records, only: %i[index nested_index]
+    before_action :set_records, only: %i[index]
     include Orderable
     # GET /:resource
     # Returns a paginated, ordered and filtered query based response.
@@ -81,11 +80,6 @@ module Apicasso
 
     private
 
-    # Common setup to stablish which model is the resource of this request
-    def set_root_resource
-      @root_resource = params[:resource].classify.constantize
-    end
-
     # Common setup to stablish which object this request is querying
     def set_object
       id = params[:id]
@@ -93,17 +87,7 @@ module Apicasso
     rescue NoMethodError
       @object = resource.find(id)
     ensure
-      authorize! :read, @object
-    end
-
-    # Setup to stablish the nested model to be queried
-    def set_nested_resource
-      @nested_resource = @object.send(params[:nested].underscore.pluralize)
-    end
-
-    # Reutrns root_resource if nested_resource is not set scoped by permissions
-    def resource
-      (@nested_resource || @root_resource)
+      authorize! action_name.to_sym, @object
     end
 
     # Used to setup the resource's schema, mapping attributes and it's types
@@ -148,8 +132,8 @@ module Apicasso
       @records = @records.accessible_by(current_ability).unscope(:order)
     end
 
-    # The response for index action, which can be a pagination of a record collection
-    # or a grouped count of attributes
+    # The response for index action, which can be a pagination of a
+    # record collection or a grouped count of attributes
     def index_json
       if params[:group].present?
         @records.group(params[:group][:by].split(','))

data/app/controllers/concerns/orderable.rb

@@ -40,6 +40,6 @@ module Orderable
   end
 
   def model
-    (params[:nested] || params[:resource] || controller_name).classify.constantize
+    representative_resource.classify.constantize
   end
 end

data/app/controllers/concerns/sql_security.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+# This concern is used to check SQL injection
+module SqlSecurity
+  extend ActiveSupport::Concern
+
+  Rails.application.eager_load!
+  DESCENDANTS_UNDERSCORED = ActiveRecord::Base.descendants.map do |descendant|
+    descendant.to_s.underscore
+  end.freeze
+
+  GROUP_CALCULATE = %w[
+    average
+    calculate
+    count
+    ids
+    maximum
+    minimum
+    pluck
+    sum
+  ].freeze
+
+  # Check if request is a sql injection
+  def sql_injection(klass)
+    apicasso_parameters.each do |key, value|
+      if key.to_sym == :group
+        return false unless group_sql_safe?(klass, value)
+      else
+        return false unless parameters_sql_safe?(klass, value)
+      end
+    end
+  end
+
+  private
+
+  # Check if group params is safe for sql injection
+  def group_sql_safe?(klass, value)
+    value.each do |group_key, group_value|
+      if group_key.to_sym == :calculate
+        return false unless GROUP_CALCULATE.include?(group_value)
+      else
+        return false unless safe_for_sql?(klass, group_value)
+      end
+    end
+    true
+  end
+
+  # Check if regular params is safe for sql injection
+  def parameters_sql_safe?(klass, value)
+    value.split(',').each do |param|
+      return false unless safe_for_sql?(klass, param.gsub(/\A[+-]/, ''))
+    end
+    true
+  end
+
+  # Check if value for current class is valid for API consumption
+  def safe_for_sql?(klass, value)
+    klass.column_names.include?(value) ||
+      DESCENDANTS_UNDERSCORED.include?(value) ||
+      klass.new.respond_to?(value) ||
+      klass.reflect_on_all_associations.map(&:name).include?(value)
+  end
+
+  def apicasso_parameters
+    params.to_unsafe_h.slice(:group, :resource, :nested, :sort, :include)
+  end
+end

data/app/models/apicasso/ability.rb

@@ -5,6 +5,9 @@ module Apicasso
   class Ability
     include CanCan::Ability
 
+    # Method that initializes CanCanCan with the scope of
+    # permissions based on current key from request
+    # @param key [Object] a key object by APIcasso to CanCanCan with ability
     def initialize(key)
       key ||= Apicasso::Key.new
       cannot :manage, :all

data/config/routes.rb

@@ -1,5 +1,12 @@
 Apicasso::Engine.routes.draw do
   scope module: :apicasso do
+    # When your application needs some kind of custom interaction that is not covered by
+    # APIcasso's CRUD approach, you can make your own actions using our base classes and
+    # objects to go straight into your logic. If you have built the APIcasso's engine into
+    # a route it is important that your custom action takes precedence over the gem's ones.
+    # Usage:
+    # match ' /: resource /: id / custom-action ' => ' custom # not_a_crud ' , via: :get
+    # mount Apicasso :: Engine , em:  " / api / v1 "
     resources :apidocs, only: [:index]
     get '/:resource/', to: 'crud#index', via: :get
     match '/:resource/', to: 'crud#create', via: :post

data/lib/apicasso/active_record_extension.rb

@@ -8,7 +8,11 @@ module Apicasso
   # own application.
   module ActiveRecordExtension
     extend ActiveSupport::Concern
+    # Module with class methods of Apicasso
     module ClassMethods
+      # Method that map validations for consumption on the Swagger JSON
+      # @param validation [Array] a validator to be checked
+      # @returns [Array] All validated attributes
       def validated_attrs_for(validation)
         if validation.is_a?(String) || validation.is_a?(Symbol)
           klass = 'ActiveRecord::Validations::' \
@@ -25,6 +29,7 @@ module Apicasso
         presence_validators.present?
       end
 
+      # Method that lists all presence validators
       def presence_validators
         validated_attrs_for(:presence)
       end

data/lib/apicasso/version.rb

@@ -1,3 +1,3 @@
 module Apicasso
-  VERSION = '0.4.11'.freeze
+  VERSION = '0.5.0'.freeze
 end

data/lib/generators/apicasso/install/install_generator.rb

@@ -2,11 +2,15 @@ require 'rails/generators/migration'
 
 module Apicasso
   module Generators
+    # Class used to install Apicasso engine into a project
     class InstallGenerator < ::Rails::Generators::Base
       include Rails::Generators::Migration
       source_root File.expand_path('../templates', __FILE__)
       desc 'Add the required migrations to run APIcasso'
 
+      # Method generates the next migration number
+      # @param path [String] the path to migration directory
+      # @returns [String] the next migration number
       def self.next_migration_number(path)
         if @prev_migration_nr
           @prev_migration_nr += 1
@@ -16,6 +20,8 @@ module Apicasso
         @prev_migration_nr.to_s
       end
 
+      # Create a migration to setup database tables used by the
+      # engine to implement authentication, authorization and auditability
       def copy_migrations
         migration_template 'create_apicasso_tables.rb',
                            'db/migrate/create_apicasso_tables.rb'

data/lib/generators/apicasso/install/templates/create_apicasso_tables.rb

@@ -1,8 +1,13 @@
+# Migration from APIcasso tables
 class CreateApicassoTables < ActiveRecord::Migration[5.0]
+  # Method that generates migration apicasso_keys and apicasso_keys tables
   def change
     execute <<-SQL
       CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
     SQL
+    # The apicasso_keys schema to creates the table
+    # Models will are exposed based on definitions setted in :scope
+    # The objects will are manageable through :token
     create_table :apicasso_keys, id: :uuid do |t|
       t.json :scope
       t.integer :scope_type
@@ -11,6 +16,9 @@ class CreateApicassoTables < ActiveRecord::Migration[5.0]
       t.datetime :deleted_at
       t.timestamps null: false
     end
+    # The apicasso_requests schema to creates the table
+    # All requests will be saved into this table
+    # Thus, available for use in an audit
     create_table :apicasso_requests, id: :uuid do |t|
       t.text :api_key_id
       t.json :object

data/spec/requests/bad_requests_spec.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+RSpec.describe 'Used Model bad requests', type: :request do
+  token = Apicasso::Key.create(scope: { manage: { used_model: true } }).token
+  access_token = { 'AUTHORIZATION' => "Token token=#{token}" }
+
+  context 'raise a bad request when using SQL injection' do
+    it 'for grouping in fields' do
+      expect {
+        get '/api/v1/used_model', params: {
+          'group[by]': 'brand',
+          'group[calculate]': 'count',
+          'group[fields]': "'OR 1=1;"
+        }, headers: access_token
+      }.to raise_exception(ActionController::BadRequest)
+    end
+
+    it 'for sorting' do
+      expect {
+        get '/api/v1/used_model', params: { 'per_page': -1, 'sort': "'OR 1=1;" }, headers: access_token
+      }.to raise_exception(ActionController::BadRequest)
+    end
+
+    it 'for include' do
+      expect {
+        get '/api/v1/used_model', params: { 'include': "'OR 1=1;" }, headers: access_token
+      }.to raise_exception(ActionController::BadRequest)
+    end
+  end
+
+  context 'raise a bad request when using invalid resources' do
+    it 'for root resource' do
+      expect {
+        get '/api/v1/admins', headers: access_token
+      }.to raise_exception(ActionController::BadRequest)
+    end
+
+    it 'for nested resource' do
+      expect {
+        get '/api/v1/used_model/1/admins', headers: access_token
+      }.to raise_exception(ActionController::BadRequest)
+    end
+
+    it 'for include' do
+      expect {
+        get '/api/v1/used_model', params: { 'include': 'admins' }, headers: access_token
+      }.to raise_exception(ActionController::BadRequest)
+    end
+  end
+end