apicasso 0.7.0 → 0.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/apicasso/crud_controller.rb +2 -2
- data/app/controllers/concerns/sql_security.rb +11 -6
- data/lib/apicasso/version.rb +1 -1
- data/spec/dummy/log/test.log +0 -0
- data/spec/requests/batch_spec.rb +1 -0
- data/spec/requests/plurarized/requests_with_plurarize_spec.rb +1 -1
- data/spec/requests/singularized/requests_spec.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 810b5957d80a9681e838d2e7efcc9d02ff0bc4c91ed0ad6156f58517aac54139
|
|
4
|
+
data.tar.gz: 34a5aeb6ede33634cf03155ab61ed849e39d12e09be73cc3594b6226f554d144
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a94dee1047d8ddd8d5af90d6232de8d56e6724aeb2fc156fc7e4479e99251a9fbf54618812f5147cb832ee40b3a006add80b47ceeb2937f9c82cce0d167504b3
|
|
7
|
+
data.tar.gz: 83ecc747872fcf84f21835ad586b8140a6b7898bda2ae988792d1382c77b7a49fc255f0a765e7b2712ed55da1428d50ed4701f637021b9674de821ce1fa3358b
|
|
@@ -31,8 +31,8 @@ module SqlSecurity
|
|
|
31
31
|
].freeze
|
|
32
32
|
|
|
33
33
|
# Check if request is a SQL injection
|
|
34
|
-
def sql_injection(klass)
|
|
35
|
-
apicasso_parameters.each do |name, value|
|
|
34
|
+
def sql_injection(klass, hash = nil)
|
|
35
|
+
apicasso_parameters(hash).each do |name, value|
|
|
36
36
|
next unless Array.wrap(klass).any? do |klass|
|
|
37
37
|
!safe_parameter?(klass, name, value)
|
|
38
38
|
end
|
|
@@ -47,8 +47,13 @@ module SqlSecurity
|
|
|
47
47
|
def safe_parameter?(klass, name, value)
|
|
48
48
|
if name.to_sym == :group
|
|
49
49
|
group_sql_safe?(klass, value)
|
|
50
|
-
elsif
|
|
51
|
-
|
|
50
|
+
elsif name.to_sym == :batch
|
|
51
|
+
value.each do |name, val|
|
|
52
|
+
parameters_sql_safe?(klass.name.singularize.constantize, name)
|
|
53
|
+
Array.wrap(value).each do |inner_val|
|
|
54
|
+
sql_injection(klass, inner_val)
|
|
55
|
+
end
|
|
56
|
+
end
|
|
52
57
|
else
|
|
53
58
|
parameters_sql_safe?(klass, value)
|
|
54
59
|
end
|
|
@@ -120,7 +125,7 @@ module SqlSecurity
|
|
|
120
125
|
|
|
121
126
|
# Parameters used on the APIcasso that should be checked against
|
|
122
127
|
# security measures
|
|
123
|
-
def apicasso_parameters
|
|
124
|
-
params.to_unsafe_h.slice(:group, :resource, :nested, :sort, :include, :
|
|
128
|
+
def apicasso_parameters(hash = nil)
|
|
129
|
+
(hash || params.to_unsafe_h).slice(:group, :resource, :nested, :sort, :include, :batch)
|
|
125
130
|
end
|
|
126
131
|
end
|
data/lib/apicasso/version.rb
CHANGED
data/spec/dummy/log/test.log
CHANGED
|
Binary file
|
data/spec/requests/batch_spec.rb
CHANGED
|
@@ -13,6 +13,7 @@ RSpec.describe 'Batch requests', type: :request do
|
|
|
13
13
|
@used_model = create(:used_model)
|
|
14
14
|
@another_used_model = create(:used_model)
|
|
15
15
|
while @another_used_model.send(@attribute) == @used_model.send(@attribute)
|
|
16
|
+
@attribute = UsedModel.column_names.sample
|
|
16
17
|
@another_used_model = create(:used_model)
|
|
17
18
|
end
|
|
18
19
|
post '/api/v1/ql/', params: { used_models: { "#{@attribute}_eq": @used_model.send(@attribute) } }.to_json, headers: access_token
|
|
@@ -100,7 +100,7 @@ RSpec.describe 'Used Model requests', type: :request do
|
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
it 'returns all records sorted queried' do
|
|
103
|
-
used_model_sorted = UsedModel.order(:
|
|
103
|
+
used_model_sorted = UsedModel.unscope(:order).order(brand: :asc, model: :asc).map(&:id)
|
|
104
104
|
entries = JSON.parse(response.body)['entries'].map { |model| model['id'] }
|
|
105
105
|
expect(entries).to eq(used_model_sorted)
|
|
106
106
|
end
|
|
@@ -100,7 +100,7 @@ RSpec.describe 'Used Model requests', type: :request do
|
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
it 'returns all records sorted queried' do
|
|
103
|
-
used_model_sorted = UsedModel.order(:
|
|
103
|
+
used_model_sorted = UsedModel.unscope(:order).order(brand: :asc, model: :asc).map(&:id)
|
|
104
104
|
entries = JSON.parse(response.body)['entries'].map { |model| model['id'] }
|
|
105
105
|
expect(entries).to eq(used_model_sorted)
|
|
106
106
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: apicasso
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.7.
|
|
4
|
+
version: 0.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Fernando Bellincanta
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-04-
|
|
11
|
+
date: 2019-04-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -168,16 +168,16 @@ dependencies:
|
|
|
168
168
|
name: rails
|
|
169
169
|
requirement: !ruby/object:Gem::Requirement
|
|
170
170
|
requirements:
|
|
171
|
-
- - "
|
|
171
|
+
- - ">"
|
|
172
172
|
- !ruby/object:Gem::Version
|
|
173
|
-
version: '5
|
|
173
|
+
version: '5'
|
|
174
174
|
type: :runtime
|
|
175
175
|
prerelease: false
|
|
176
176
|
version_requirements: !ruby/object:Gem::Requirement
|
|
177
177
|
requirements:
|
|
178
|
-
- - "
|
|
178
|
+
- - ">"
|
|
179
179
|
- !ruby/object:Gem::Version
|
|
180
|
-
version: '5
|
|
180
|
+
version: '5'
|
|
181
181
|
- !ruby/object:Gem::Dependency
|
|
182
182
|
name: ransack
|
|
183
183
|
requirement: !ruby/object:Gem::Requirement
|