arsi 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 96250290ae58d2100a2c289b457c91606ff9838e
+  data.tar.gz: ae74117e3ce3ae1dd1aa1a3b01a940969bf90e4e
+SHA512:
+  metadata.gz: 9823fe65e3ccdda88e3eeaad33e2abe8ac2990af40e88339e15430b75ab0f2784c651e5e36b1c892dd323982b833ff3970e07f44187a7c4b43692d8ba6aebb5c
+  data.tar.gz: cc2326555d8bac5e1af14d03ab8052acd30b41a9532c4d73d400305e04dda7280147e5860a94405f320a4e4750cb9e355aadf26758b54daa0f300cb3c6fcefa6

data/README.md

@@ -0,0 +1,52 @@
+# ARSI - ActiveRecord SQL Inspector
+
+[![Build Status](https://magnum.travis-ci.com/zendesk/arsi.svg?token=MsU5XFxeU3atFLQoVGDv&branch=master)](https://magnum.travis-ci.com/zendesk/arsi)
+
+Block sql statements that are not scoped by id in `.update_all` and `.delete_all`.
+
+ID Columns:
+
+- *_id
+- id
+- guid
+- uuid
+- uid
+
+Operators:
+
+- =
+- <>
+- IN
+- IS
+
+Triggers the `Arsi.violation_callback` with SQL and relation object.By default raise `Arsi::UnscopedSQL`.
+
+## Disabling
+
+via `.without_arsi`
+
+```ruby
+User.where(active: false).without_arsi.delete_all # I know what I'm doing...
+
+```
+
+via `ARSI.disable`
+
+```ruby
+class ApplicationController < ActionController::Base
+  around_filter :without_arsi
+  def without_arsi(&block)
+    Arsi.disable(&block)
+  end
+end
+
+Arsi.disable do
+  User.update_all name: "Pete" # will be ignored
+end
+```
+
+
+## Limitations
+
+ - MySQL
+ - uses regexs on SQL, false negatives with specially crafted SQL statements can occur

data/lib/arsi.rb

@@ -0,0 +1,68 @@
+require 'arsi/arel_tree_manager'
+require 'arsi/mysql2_adapter'
+require 'arsi/relation'
+require 'arsi/table'
+require 'active_record'
+require 'active_record/connection_adapters/mysql2_adapter'
+
+module Arsi
+  class UnscopedSQL < StandardError; end
+  Arel::TreeManager.send(:include, ArelTreeManager)
+  ActiveRecord::ConnectionAdapters::Mysql2Adapter.send(:prepend, Mysql2Adapter)
+  ActiveRecord::Relation.send(:prepend, Relation)
+  ActiveRecord::Querying.delegate(:without_arsi, :to => :relation)
+  Arel::Table.send(:prepend, Table) if ActiveRecord::VERSION::MAJOR >= 4
+
+  @enabled = true
+
+  ID_MATCH = "(gu|uu|u)?id"
+  SCOPEABLE_REGEX = /(^|_)#{ID_MATCH}$/i               # http://rubular.com/r/hPVpG9jyoC
+  SQL_MATCHER = /[\s_`(]#{ID_MATCH}`?\s+(=|<>|IN|IS)/i # http://rubular.com/r/7xuhnBiOgs
+  DEFAULT_CALLBACK = lambda do |sql, relation|
+    raise UnscopedSQL, "Missing ID in the where sql:\n#{sql}\nAdd id or use without_arsi"
+  end
+
+  class << self
+    attr_accessor :violation_callback
+
+    def sql_check!(sql, relation)
+      return if !@enabled || relation.try(:without_arsi?)
+      return if sql =~ SQL_MATCHER
+      report_violation(sql, relation)
+    end
+
+    def arel_check!(arel, relation)
+      sql = arel.respond_to?(:ast) ? arel.where_sql : arel.to_s
+      sql_check!(sql, relation)
+    end
+
+    def disable!
+      @enabled = false
+    end
+
+    def enable!
+      @enabled = true
+    end
+
+    def disable(&block)
+      run_with_arsi(false, &block)
+    end
+
+    def enable(&block)
+      run_with_arsi(true, &block)
+    end
+
+    private
+
+    def run_with_arsi(with_arsi)
+      previous, @enabled = @enabled, with_arsi
+      yield
+    ensure
+      @enabled = previous
+    end
+
+    def report_violation(sql, relation)
+      (violation_callback || DEFAULT_CALLBACK).call(sql, relation)
+    end
+  end
+end

data/lib/arsi/arel_tree_manager.rb

@@ -0,0 +1,21 @@
+require 'arel'
+
+module Arsi
+  module ArelTreeManager
+    # This is from Arel::SelectManager which inherits from Arel::TreeManager.
+    # We need where_sql on both Arel::UpdateManager and Arel::DeleteManager so we add it to the parent class.
+    if ::Arel::VERSION.start_with?('6')
+      def where_sql
+        return if @ctx.wheres.empty?
+        viz = ::Arel::Visitors::WhereSql.new @engine.connection
+        ::Arel::Nodes::SqlLiteral.new viz.accept(@ctx, ::Arel::Collectors::SQLString.new).value
+      end
+    else
+      def where_sql
+        return if @ctx.wheres.empty?
+        viz = ::Arel::Visitors::WhereSql.new @engine.connection
+        ::Arel::Nodes::SqlLiteral.new viz.accept @ctx
+      end
+    end
+  end
+end

data/lib/arsi/mysql2_adapter.rb

@@ -0,0 +1,15 @@
+module Arsi
+  module Mysql2Adapter
+    attr_accessor :arsi_relation
+
+    def delete(arel, *)
+      Arsi.arel_check!(arel, arsi_relation)
+      super
+    end
+
+    def update(arel, *)
+      Arsi.arel_check!(arel, arsi_relation)
+      super
+    end
+  end
+end

data/lib/arsi/relation.rb

@@ -0,0 +1,46 @@
+module Arsi
+  module Relation
+    attr_accessor :without_arsi
+
+    def without_arsi
+      if block_given?
+        raise "Use without_arsi in a chain. Don't pass it a block"
+      end
+      dup.tap(&:without_arsi!)
+    end
+
+    def without_arsi!
+      @without_arsi = true
+    end
+
+    def without_arsi?
+      @without_arsi || !arsi_scopeable?
+    end
+
+    def delete_all(*)
+      with_relation_in_connection { super }
+    end
+
+    def self.prepended(base)
+      base.class_eval do
+        alias_method :update_all_without_arsi, :update_all
+        def update_all(*args)
+          with_relation_in_connection { update_all_without_arsi(*args) }
+        end
+      end
+    end
+
+    private
+
+    def arsi_scopeable?
+      table.columns.map(&:name).any? { |c| c =~ Arsi::SCOPEABLE_REGEX }
+    end
+
+    def with_relation_in_connection
+      @klass.connection.arsi_relation = self
+      yield
+    ensure
+      @klass.connection.arsi_relation = nil
+    end
+  end
+end

data/lib/arsi/table.rb

@@ -0,0 +1,5 @@
+module Arsi::Table
+  def columns
+    @columns ||= attributes_for @engine.connection.columns(@name)
+  end
+end

data/lib/arsi/version.rb

@@ -0,0 +1,3 @@
+module Arsi
+  VERSION = '0.2.0'
+end

metadata

@@ -0,0 +1,211 @@
+--- !ruby/object:Gem::Specification
+name: arsi
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Christopher Kintner
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-08-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: arel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mysql2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 3.2.15
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 3.2.15
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.3.0
+- !ruby/object:Gem::Dependency
+  name: bump
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-rg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: wwtd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Puts your SQL under a microscope
+email:
+- ckintner@zendesk.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/arsi.rb
+- lib/arsi/arel_tree_manager.rb
+- lib/arsi/mysql2_adapter.rb
+- lib/arsi/relation.rb
+- lib/arsi/table.rb
+- lib/arsi/version.rb
+homepage: https://github.com/zendesk/arsi
+licenses:
+- Apache License Version 2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: ActiveRecord SQL Inspector
+test_files: []