apicasso 0.6.0 → 0.6.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/apicasso/apidocs_controller.rb +1 -1
- data/app/controllers/apicasso/application_controller.rb +0 -13
- data/app/controllers/apicasso/crud_controller.rb +13 -0
- data/lib/apicasso/version.rb +1 -1
- data/spec/dummy/log/test.log +2050 -0
- data/spec/requests/plurarized/bad_requests_with_plurarize_spec.rb +51 -0
- data/spec/requests/plurarized/requests_with_plurarize_spec.rb +337 -0
- data/spec/requests/{bad_requests_spec.rb → singularized/bad_requests_spec.rb} +0 -0
- data/spec/requests/{requests_spec.rb → singularized/requests_spec.rb} +13 -22
- data/spec/token/token_spec.rb +18 -0
- metadata +12 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9f97d82fa4adce27dc1554104e77c6b6feef8b18278ff7d0b4976ab50b3d41b5
|
|
4
|
+
data.tar.gz: dc5780ab2577de9344c1c108101184c38f58ac6a1c85213eae437287f9aadc92
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b0fe68e61a194f736b710fc8ed39194520f2e8d515937886f085fa4eb4c50ca96d699001d894db8c2e8df039611b18cec7faa3900040c7b99dec61a250890615
|
|
7
|
+
data.tar.gz: b8a454334bbf8825563d2f1c81aab99d971b1cab0d840a70dc1c99ac59579342eca245e47182f193446979f3a76e0d9d745dabcb3bd67617bb019ba3c8f5cb47
|
|
@@ -4,7 +4,7 @@ module Apicasso
|
|
|
4
4
|
# Controller used to generate an application Swagger JSON, used by
|
|
5
5
|
# SwaggerUI to generate beautiful API documentation
|
|
6
6
|
class ApidocsController < Apicasso::ApplicationController
|
|
7
|
-
skip_before_action :restrict_access
|
|
7
|
+
skip_before_action :restrict_access, :klasses_allowed, :set_root_resource
|
|
8
8
|
|
|
9
9
|
include Swagger::Blocks
|
|
10
10
|
# Default application settings for documentation generation.
|
|
@@ -7,9 +7,7 @@ module Apicasso
|
|
|
7
7
|
class ApplicationController < ActionController::API
|
|
8
8
|
include ActionController::HttpAuthentication::Token::ControllerMethods
|
|
9
9
|
prepend_before_action :restrict_access
|
|
10
|
-
prepend_before_action :klasses_allowed
|
|
11
10
|
before_action :set_root_resource
|
|
12
|
-
before_action :bad_request?
|
|
13
11
|
after_action :register_api_request
|
|
14
12
|
|
|
15
13
|
include SqlSecurity
|
|
@@ -162,11 +160,6 @@ module Apicasso
|
|
|
162
160
|
uri.to_s
|
|
163
161
|
end
|
|
164
162
|
|
|
165
|
-
# Check for a bad request to be more secure
|
|
166
|
-
def klasses_allowed
|
|
167
|
-
raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless descendants_included?
|
|
168
|
-
end
|
|
169
|
-
|
|
170
163
|
# Check if it's a descendant model allowed
|
|
171
164
|
def descendants_included?
|
|
172
165
|
DESCENDANTS_UNDERSCORED.include?(param_attribute.to_s.underscore)
|
|
@@ -188,11 +181,5 @@ module Apicasso
|
|
|
188
181
|
authorize! opts[:action], opts[:resource] if opts[:resource].present?
|
|
189
182
|
authorize! opts[:action], opts[:object] if opts[:object].present?
|
|
190
183
|
end
|
|
191
|
-
|
|
192
|
-
# Check for SQL injection before requests and
|
|
193
|
-
# raise a exception when find
|
|
194
|
-
def bad_request?
|
|
195
|
-
raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless sql_injection(resource)
|
|
196
|
-
end
|
|
197
184
|
end
|
|
198
185
|
end
|
|
@@ -3,6 +3,8 @@
|
|
|
3
3
|
module Apicasso
|
|
4
4
|
# Controller to consume read-only data to be used on client's frontend
|
|
5
5
|
class CrudController < Apicasso::ApplicationController
|
|
6
|
+
prepend_before_action :klasses_allowed
|
|
7
|
+
before_action :bad_request?
|
|
6
8
|
before_action :set_object, except: %i[index create schema]
|
|
7
9
|
before_action :set_nested_resource, only: %i[nested_index]
|
|
8
10
|
before_action :set_records, only: %i[index]
|
|
@@ -224,5 +226,16 @@ module Apicasso
|
|
|
224
226
|
end
|
|
225
227
|
end.compact
|
|
226
228
|
end
|
|
229
|
+
|
|
230
|
+
# Check for SQL injection before requests and
|
|
231
|
+
# raise a exception when find
|
|
232
|
+
def bad_request?
|
|
233
|
+
raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless sql_injection(resource)
|
|
234
|
+
end
|
|
235
|
+
|
|
236
|
+
# Check for a bad request to be more secure
|
|
237
|
+
def klasses_allowed
|
|
238
|
+
raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless descendants_included?
|
|
239
|
+
end
|
|
227
240
|
end
|
|
228
241
|
end
|
data/lib/apicasso/version.rb
CHANGED