apicasso 0.7.0 → 0.7.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/apicasso/crud_controller.rb +2 -2
- data/app/controllers/concerns/sql_security.rb +11 -6
- data/lib/apicasso/version.rb +1 -1
- data/spec/dummy/log/test.log +0 -0
- data/spec/requests/batch_spec.rb +1 -0
- data/spec/requests/plurarized/requests_with_plurarize_spec.rb +1 -1
- data/spec/requests/singularized/requests_spec.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 810b5957d80a9681e838d2e7efcc9d02ff0bc4c91ed0ad6156f58517aac54139
|
|
4
|
+
data.tar.gz: 34a5aeb6ede33634cf03155ab61ed849e39d12e09be73cc3594b6226f554d144
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a94dee1047d8ddd8d5af90d6232de8d56e6724aeb2fc156fc7e4479e99251a9fbf54618812f5147cb832ee40b3a006add80b47ceeb2937f9c82cce0d167504b3
|
|
7
|
+
data.tar.gz: 83ecc747872fcf84f21835ad586b8140a6b7898bda2ae988792d1382c77b7a49fc255f0a765e7b2712ed55da1428d50ed4701f637021b9674de821ce1fa3358b
|
|
@@ -31,8 +31,8 @@ module SqlSecurity
|
|
|
31
31
|
].freeze
|
|
32
32
|
|
|
33
33
|
# Check if request is a SQL injection
|
|
34
|
-
def sql_injection(klass)
|
|
35
|
-
apicasso_parameters.each do |name, value|
|
|
34
|
+
def sql_injection(klass, hash = nil)
|
|
35
|
+
apicasso_parameters(hash).each do |name, value|
|
|
36
36
|
next unless Array.wrap(klass).any? do |klass|
|
|
37
37
|
!safe_parameter?(klass, name, value)
|
|
38
38
|
end
|
|
@@ -47,8 +47,13 @@ module SqlSecurity
|
|
|
47
47
|
def safe_parameter?(klass, name, value)
|
|
48
48
|
if name.to_sym == :group
|
|
49
49
|
group_sql_safe?(klass, value)
|
|
50
|
-
elsif
|
|
51
|
-
|
|
50
|
+
elsif name.to_sym == :batch
|
|
51
|
+
value.each do |name, val|
|
|
52
|
+
parameters_sql_safe?(klass.name.singularize.constantize, name)
|
|
53
|
+
Array.wrap(value).each do |inner_val|
|
|
54
|
+
sql_injection(klass, inner_val)
|
|
55
|
+
end
|
|
56
|
+
end
|
|
52
57
|
else
|
|
53
58
|
parameters_sql_safe?(klass, value)
|
|
54
59
|
end
|
|
@@ -120,7 +125,7 @@ module SqlSecurity
|
|
|
120
125
|
|
|
121
126
|
# Parameters used on the APIcasso that should be checked against
|
|
122
127
|
# security measures
|
|
123
|
-
def apicasso_parameters
|
|
124
|
-
params.to_unsafe_h.slice(:group, :resource, :nested, :sort, :include, :
|
|
128
|
+
def apicasso_parameters(hash = nil)
|
|
129
|
+
(hash || params.to_unsafe_h).slice(:group, :resource, :nested, :sort, :include, :batch)
|
|
125
130
|
end
|
|
126
131
|
end
|
data/lib/apicasso/version.rb
CHANGED
data/spec/dummy/log/test.log
CHANGED
|
Binary file
|
data/spec/requests/batch_spec.rb
CHANGED
|
@@ -13,6 +13,7 @@ RSpec.describe 'Batch requests', type: :request do
|
|
|
13
13
|
@used_model = create(:used_model)
|
|
14
14
|
@another_used_model = create(:used_model)
|
|
15
15
|
while @another_used_model.send(@attribute) == @used_model.send(@attribute)
|
|
16
|
+
@attribute = UsedModel.column_names.sample
|
|
16
17
|
@another_used_model = create(:used_model)
|
|
17
18
|
end
|
|
18
19
|
post '/api/v1/ql/', params: { used_models: { "#{@attribute}_eq": @used_model.send(@attribute) } }.to_json, headers: access_token
|
|
@@ -100,7 +100,7 @@ RSpec.describe 'Used Model requests', type: :request do
|
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
it 'returns all records sorted queried' do
|
|
103
|
-
used_model_sorted = UsedModel.order(:
|
|
103
|
+
used_model_sorted = UsedModel.unscope(:order).order(brand: :asc, model: :asc).map(&:id)
|
|
104
104
|
entries = JSON.parse(response.body)['entries'].map { |model| model['id'] }
|
|
105
105
|
expect(entries).to eq(used_model_sorted)
|
|
106
106
|
end
|
|
@@ -100,7 +100,7 @@ RSpec.describe 'Used Model requests', type: :request do
|
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
it 'returns all records sorted queried' do
|
|
103
|
-
used_model_sorted = UsedModel.order(:
|
|
103
|
+
used_model_sorted = UsedModel.unscope(:order).order(brand: :asc, model: :asc).map(&:id)
|
|
104
104
|
entries = JSON.parse(response.body)['entries'].map { |model| model['id'] }
|
|
105
105
|
expect(entries).to eq(used_model_sorted)
|
|
106
106
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: apicasso
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.7.
|
|
4
|
+
version: 0.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Fernando Bellincanta
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-04-
|
|
11
|
+
date: 2019-04-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -168,16 +168,16 @@ dependencies:
|
|
|
168
168
|
name: rails
|
|
169
169
|
requirement: !ruby/object:Gem::Requirement
|
|
170
170
|
requirements:
|
|
171
|
-
- - "
|
|
171
|
+
- - ">"
|
|
172
172
|
- !ruby/object:Gem::Version
|
|
173
|
-
version: '5
|
|
173
|
+
version: '5'
|
|
174
174
|
type: :runtime
|
|
175
175
|
prerelease: false
|
|
176
176
|
version_requirements: !ruby/object:Gem::Requirement
|
|
177
177
|
requirements:
|
|
178
|
-
- - "
|
|
178
|
+
- - ">"
|
|
179
179
|
- !ruby/object:Gem::Version
|
|
180
|
-
version: '5
|
|
180
|
+
version: '5'
|
|
181
181
|
- !ruby/object:Gem::Dependency
|
|
182
182
|
name: ransack
|
|
183
183
|
requirement: !ruby/object:Gem::Requirement
|