blazer 2.2.2 → 2.2.7

data/app/controllers/blazer/base_controller.rb

@@ -86,8 +86,22 @@ module Blazer
         [smart_var, error]
       end
 
-      def variable_params
-        params.except(:controller, :action, :id, :host, :query, :dashboard, :query_id, :query_ids, :table_names, :authenticity_token, :utf8, :_method, :commit, :statement, :data_source, :name, :fork_query_id, :blazer, :run_id).permit!
+      # don't pass to url helpers
+      #
+      # some are dangerous when passed as symbols
+      # root_url({host: "evilsite.com"})
+      #
+      # certain ones (like host) only affect *_url and not *_path
+      #
+      # when permitted parameters are passed in Rails 6,
+      # they appear to be added as GET parameters
+      # root_url(params.permit(:host))
+      UNPERMITTED_KEYS = [:controller, :action, :id, :host, :query, :dashboard, :query_id, :query_ids, :table_names, :authenticity_token, :utf8, :_method, :commit, :statement, :data_source, :name, :fork_query_id, :blazer, :run_id, :script_name, :original_script_name]
+
+      # remove unpermitted keys from both params and permitted keys for better sleep
+      def variable_params(resource)
+        permitted_keys = resource.variables - UNPERMITTED_KEYS.map(&:to_s)
+        params.except(*UNPERMITTED_KEYS).slice(*permitted_keys).permit!
       end
       helper_method :variable_params
 

data/app/controllers/blazer/dashboards_controller.rb

@@ -21,8 +21,11 @@ module Blazer
 
     def show
       @queries = @dashboard.dashboard_queries.order(:position).preload(:query).map(&:query)
+      @statements = []
       @queries.each do |query|
-        process_vars(query.statement, query.data_source)
+        statement = query.statement.dup
+        process_vars(statement, query.data_source)
+        @statements << statement
       end
       @bind_vars ||= []
 
@@ -43,7 +46,7 @@ module Blazer
 
     def update
       if update_dashboard(@dashboard)
-        redirect_to dashboard_path(@dashboard, variable_params)
+        redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
       else
         render_errors @dashboard
       end
@@ -62,7 +65,7 @@ module Blazer
         Blazer.transform_statement.call(data_source, statement) if Blazer.transform_statement
         data_source.clear_cache(statement)
       end
-      redirect_to dashboard_path(@dashboard, variable_params)
+      redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
     end
 
     private

data/app/controllers/blazer/queries_controller.rb

@@ -45,7 +45,7 @@ module Blazer
       @query.creator = blazer_user if @query.respond_to?(:creator)
 
       if @query.save
-        redirect_to query_path(@query, variable_params)
+        redirect_to query_path(@query, variable_params(@query))
       else
         render_errors @query
       end
@@ -156,7 +156,7 @@ module Blazer
       process_vars(@statement, @query.data_source)
       Blazer.transform_statement.call(data_source, @statement) if Blazer.transform_statement
       data_source.clear_cache(@statement)
-      redirect_to query_path(@query, variable_params)
+      redirect_to query_path(@query, variable_params(@query))
     end
 
     def update
@@ -168,7 +168,7 @@ module Blazer
         @query.errors.add(:base, "Sorry, permission denied")
       end
       if @query.errors.empty? && @query.update(query_params)
-        redirect_to query_path(@query, variable_params)
+        redirect_to query_path(@query, variable_params(@query))
       else
         render_errors @query
       end
@@ -176,7 +176,7 @@ module Blazer
 
     def destroy
       @query.destroy if @query.editable?(blazer_user)
-      redirect_to root_url
+      redirect_to root_path
     end
 
     def tables
@@ -249,7 +249,9 @@ module Blazer
                 r[lat_index] && r[lon_index]
               end.map do |r|
                 {
-                  title: r.each_with_index.map{ |v, i| i == lat_index || i == lon_index ? nil : "<strong>#{@columns[i]}:</strong> #{v}" }.compact.join("<br />").truncate(140),
+                  # Mapbox.js does sanitization with https://github.com/mapbox/sanitize-caja
+                  # but we should do it here as well
+                  title: r.each_with_index.map { |v, i| i == lat_index || i == lon_index ? nil : "<strong>#{ERB::Util.html_escape(@columns[i])}:</strong> #{ERB::Util.html_escape(v)}" }.compact.join("<br />").truncate(140),
                   latitude: r[lat_index],
                   longitude: r[lon_index]
                 }

data/app/mailers/blazer/slack_notifier.rb

@@ -60,6 +60,9 @@ module Blazer
       ActionController::Base.helpers.pluralize(*args)
     end
 
+    # checks shouldn't have variables, but in any case,
+    # avoid passing variable params to url helpers
+    # (known unsafe parameters are removed, but still not ideal)
     def self.query_url(id)
       Blazer::Engine.routes.url_helpers.query_url(id, ActionMailer::Base.default_url_options)
     end

data/app/models/blazer/dashboard.rb

@@ -6,6 +6,10 @@ module Blazer
 
     validates :name, presence: true
 
+    def variables
+      queries.flat_map { |q| q.variables }.uniq
+    end
+
     def to_param
       [id, name.gsub("'", "").parameterize].join("-")
     end

data/app/views/blazer/_variables.html.erb

@@ -42,6 +42,7 @@
               singleDatePicker: true,
               locale: {format: format},
               autoUpdateInput: false,
+              autoApply: true,
               startDate: input.val().length > 0 ? moment.tz(input.val(), timeZone) : now
             })
             // hack to start with empty date
@@ -95,7 +96,8 @@
             },
             startDate: dateStr(29),
             endDate: dateStr(),
-            opens: "right"
+            opens: "right",
+            alwaysShowCalendars: true
           },
           function(start, end) {
             setTimeInputs(start, end)

data/app/views/blazer/check_mailer/failing_checks.html.erb

@@ -1,5 +1,6 @@
 <ul>
   <% @checks.each do |check| %>
+    <%# check queries shouldn't have variables, but in any case, don't pass them to url helpers %>
     <li><%= link_to check.query.name, query_url(check.query_id) %> <%= check.state %></li>
   <% end %>
 </ul>

data/app/views/blazer/check_mailer/state_change.html.erb

@@ -2,6 +2,7 @@
   <head>
   </head>
   <body style="font-family: 'Helvetica Neue', Arial, Helvetica; font-size: 14px; color: #333;">
+    <%# check queries shouldn't have variables, but in any case, don't pass them to url helpers %>
     <p><%= link_to "View", query_url(@check.query_id) %></p>
     <% if @error %>
       <p><%= @error %></p>

data/app/views/blazer/dashboards/_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_for @dashboard, url: (@dashboard.persisted? ? dashboard_path(@dashboard, variable_params) : dashboards_path(variable_params)), html: {id: "app", class: "small-form"} do |f| %>
+<%= form_for @dashboard, url: (@dashboard.persisted? ? dashboard_path(@dashboard, variable_params(@dashboard)) : dashboards_path(variable_params(@dashboard))), html: {id: "app", class: "small-form"} do |f| %>
   <% if @dashboard.errors.any? %>
     <div class="alert alert-danger"><%= @dashboard.errors.full_messages.first %></div>
   <% end %>

data/app/views/blazer/dashboards/show.html.erb

@@ -10,7 +10,7 @@
         </h3>
       </div>
       <div class="col-sm-3 text-right">
-        <%= link_to "Edit", edit_dashboard_path(@dashboard, variable_params), class: "btn btn-info" %>
+        <%= link_to "Edit", edit_dashboard_path(@dashboard, variable_params(@dashboard)), class: "btn btn-info" %>
       </div>
     </div>
   </div>
@@ -21,7 +21,7 @@
 <% if @data_sources.any? { |ds| ds.cache_mode != "off" } %>
   <p class="text-muted" style="float: right;">
     Some queries may be cached
-    <%= link_to "Refresh", refresh_dashboard_path(@dashboard, variable_params), method: :post %>
+    <%= link_to "Refresh", refresh_dashboard_path(@dashboard, variable_params(@dashboard)), method: :post %>
   </p>
 <% end %>
 
@@ -33,13 +33,13 @@
 
 <% @queries.each_with_index do |query, i| %>
   <div class="chart-container">
-    <h4><%= link_to query.friendly_name, query_path(query, variable_params), target: "_blank" %></h4>
+    <h4><%= link_to query.friendly_name, query_path(query, variable_params(query)), target: "_blank" %></h4>
     <div id="chart-<%= i %>" class="chart">
       <p class="text-muted">Loading...</p>
     </div>
   </div>
   <script>
-    <%= blazer_js_var "data", {statement: query.statement, query_id: query.id, data_source: query.data_source, only_chart: true} %>
+    <%= blazer_js_var "data", {statement: @statements[i], query_id: query.id, data_source: query.data_source, only_chart: true} %>
 
     runQuery(data, function (data) {
       $("#chart-<%= i %>").html(data)

data/app/views/blazer/queries/_form.html.erb

@@ -3,7 +3,7 @@
 <% end %>
 
 <div id="app" v-cloak>
-  <%= form_for @query, url: (@query.persisted? ? query_path(@query, variable_params) : queries_path(variable_params)), html: {autocomplete: "off"} do |f| %>
+  <%= form_for @query, url: (@query.persisted? ? query_path(@query, variable_params(@query)) : queries_path(variable_params(@query))), html: {autocomplete: "off"} do |f| %>
     <div class="row">
       <div id="statement-box" class="col-xs-8">
         <div class= "form-group">
@@ -67,7 +67,7 @@
 </div>
 
 <script>
-  <%= blazer_js_var "params", variable_params %>
+  <%= blazer_js_var "params", variable_params(@query) %>
   <%= blazer_js_var "previewStatement", Hash[Blazer.data_sources.map { |k, v| [k, (v.preview_statement rescue "")] }] %>
 
   var app = new Vue({

data/app/views/blazer/queries/run.html.erb

@@ -20,7 +20,7 @@
         <% end %>
 
         <% if @query && params[:query_id] %>
-          <%= link_to "Refresh", refresh_query_path(@query, variable_params), method: :post %>
+          <%= link_to "Refresh", refresh_query_path(@query, variable_params(@query)), method: :post %>
         <% end %>
       </p>
     <% end %>
@@ -36,7 +36,7 @@
 
       <% if @query && @result.forecastable? && !params[:forecast] %>
         &middot;
-        <%= link_to "Forecast", query_path(@query, {forecast: "t"}.merge(variable_params)) %>
+        <%= link_to "Forecast", query_path(@query, {forecast: "t"}.merge(variable_params(@query))) %>
       <% end %>
     </p>
   <% end %>
@@ -80,7 +80,8 @@
         <%= blazer_js_var "mapboxAccessToken", Blazer.mapbox_access_token %>
         <%= blazer_js_var "markers", @markers %>
         L.mapbox.accessToken = mapboxAccessToken;
-        var map = L.mapbox.map('map', 'mapbox.streets');
+        var map = L.mapbox.map('map')
+          .addLayer(L.mapbox.styleLayer('mapbox://styles/mapbox/streets-v11'));
         var featureLayer = L.mapbox.featureLayer().addTo(map);
         var geojson = [];
         for (var i = 0; i < markers.length; i++) {
@@ -106,13 +107,13 @@
       </script>
     <% elsif chart_type == "line" %>
       <% chart_data = @columns[1..-1].each_with_index.map{ |k, i| {name: blazer_series_name(k), data: @rows.map{ |r| [r[0], r[i + 1]] }, library: series_library[i]} } %>
-      <%= line_chart chart_data, chart_options %>
+      <%= line_chart chart_data, **chart_options %>
     <% elsif chart_type == "line2" %>
-      <%= line_chart @rows.group_by { |r| v = r[1]; (@boom[@columns[1]] || {})[v.to_s] || v }.each_with_index.map { |(name, v), i| {name: blazer_series_name(name), data: v.map { |v2| [v2[0], v2[2]] }, library: series_library[i]} }, chart_options %>
+      <%= line_chart @rows.group_by { |r| v = r[1]; (@boom[@columns[1]] || {})[v.to_s] || v }.each_with_index.map { |(name, v), i| {name: blazer_series_name(name), data: v.map { |v2| [v2[0], v2[2]] }, library: series_library[i]} }, **chart_options %>
     <% elsif chart_type == "pie" %>
-      <%= pie_chart @rows.map { |r| [(@boom[@columns[0]] || {})[r[0].to_s] || r[0], r[1]] }, chart_options %>
+      <%= pie_chart @rows.map { |r| [(@boom[@columns[0]] || {})[r[0].to_s] || r[0], r[1]] }, **chart_options %>
     <% elsif chart_type == "bar" %>
-      <%= column_chart (values.size - 1).times.map { |i| name = @columns[i + 1]; {name: blazer_series_name(name), data: @rows.first(20).map { |r| [(@boom[@columns[0]] || {})[r[0].to_s] || r[0], r[i + 1]] } } }, chart_options %>
+      <%= column_chart (values.size - 1).times.map { |i| name = @columns[i + 1]; {name: blazer_series_name(name), data: @rows.first(20).map { |r| [(@boom[@columns[0]] || {})[r[0].to_s] || r[0], r[i + 1]] } } }, **chart_options %>
     <% elsif chart_type == "bar2" %>
       <% first_20 = @rows.group_by { |r| r[0] }.values.first(20).flatten(1) %>
       <% labels = first_20.map { |r| r[0] }.uniq %>
@@ -122,7 +123,7 @@
           <% first_20 << [l, s, 0] unless first_20.find { |r| r[0] == l && r[1] == s } %>
         <% end %>
       <% end %>
-      <%= column_chart first_20.group_by { |r| v = r[1]; (@boom[@columns[1]] || {})[v.to_s] || v }.each_with_index.map { |(name, v), i| {name: blazer_series_name(name), data: v.sort_by { |r2| labels.index(r2[0]) }.map { |v2| v3 = v2[0]; [(@boom[@columns[0]] || {})[v3.to_s] || v3, v2[2]] }} }, chart_options %>
+      <%= column_chart first_20.group_by { |r| v = r[1]; (@boom[@columns[1]] || {})[v.to_s] || v }.each_with_index.map { |(name, v), i| {name: blazer_series_name(name), data: v.sort_by { |r2| labels.index(r2[0]) }.map { |v2| v3 = v2[0]; [(@boom[@columns[0]] || {})[v3.to_s] || v3, v2[2]] }} }, **chart_options %>
     <% elsif chart_type == "scatter" %>
       <%= scatter_chart @rows, xtitle: @columns[0], ytitle: @columns[1], **chart_options %>
     <% elsif @only_chart %>

data/app/views/blazer/queries/show.html.erb

@@ -10,8 +10,8 @@
         </h3>
       </div>
       <div class="col-sm-3 text-right">
-        <%= link_to "Edit", edit_query_path(@query, variable_params), class: "btn btn-default", disabled: !@query.editable?(blazer_user) %>
-        <%= link_to "Fork", new_query_path(variable_params.merge(fork_query_id: @query.id, data_source: @query.data_source, name: @query.name)), class: "btn btn-info" %>
+        <%= link_to "Edit", edit_query_path(@query, variable_params(@query)), class: "btn btn-default", disabled: !@query.editable?(blazer_user) %>
+        <%= link_to "Fork", new_query_path(variable_params(@query).merge(fork_query_id: @query.id, data_source: @query.data_source, name: @query.name)), class: "btn btn-info" %>
 
         <% if !@error && @success %>
           <%= button_to "Download", run_queries_path(query_id: @query.id, format: "csv", forecast: params[:forecast]), params: {statement: @statement}, class: "btn btn-primary" %>
@@ -56,7 +56,9 @@
       $("#results").addClass("query-error").html(message)
     }
 
-    <%= blazer_js_var "data", variable_params.merge(statement: @statement, query_id: @query.id, data_source: @query.data_source) %>
+    <% data = variable_params(@query).merge(statement: @statement, query_id: @query.id, data_source: @query.data_source) %>
+    <% data.merge!(forecast: "t") if params[:forecast] %>
+    <%= blazer_js_var "data", data %>
 
     runQuery(data, showRun, showError)
   </script>

data/app/views/layouts/blazer/application.html.erb

@@ -11,8 +11,8 @@
       <%= blazer_js_var "rootPath", root_path %>
     </script>
     <% if blazer_maps? %>
-      <%= stylesheet_link_tag "https://api.mapbox.com/mapbox.js/v3.2.1/mapbox.css", integrity: "sha384-vxzdEt+wZRPNQbhChjmiaFMLWg86IGuq1NGDehJHsD2mphYkxXll/eSs16WWi6Dq", crossorigin: "anonymous" %>
-      <%= javascript_include_tag "https://api.mapbox.com/mapbox.js/v3.2.1/mapbox.js", integrity: "sha384-dRMjy8ZlKk6czEwpaK3yySKItGPpGOplDM1+osgTwGhmxeTPpjB4kmRbDr2Y7lfQ", crossorigin: "anonymous" %>
+      <%= stylesheet_link_tag "https://api.mapbox.com/mapbox.js/v3.3.1/mapbox.css", integrity: "sha384-vxzdEt+wZRPNQbhChjmiaFMLWg86IGuq1NGDehJHsD2mphYkxXll/eSs16WWi6Dq", crossorigin: "anonymous" %>
+      <%= javascript_include_tag "https://api.mapbox.com/mapbox.js/v3.3.1/mapbox.js", integrity: "sha384-CTBEiDLiZJ8gkAQ3fYGoeiRp81/ecNiBkGz11jXFALOZ6++rbnqmdo6OImkmr1MO", crossorigin: "anonymous" %>
     <% end %>
     <%= csrf_meta_tags %>
   </head>

data/lib/blazer.rb

@@ -18,6 +18,7 @@ require "blazer/adapters/cassandra_adapter"
 require "blazer/adapters/drill_adapter"
 require "blazer/adapters/druid_adapter"
 require "blazer/adapters/elasticsearch_adapter"
+require "blazer/adapters/influxdb_adapter"
 require "blazer/adapters/mongodb_adapter"
 require "blazer/adapters/neo4j_adapter"
 require "blazer/adapters/presto_adapter"
@@ -119,7 +120,7 @@ module Blazer
   def self.extract_vars(statement)
     # strip commented out lines
     # and regex {1} or {1,2}
-    statement.gsub(/\-\-.+/, "").gsub(/\/\*.+\*\//m, "").scan(/\{\w*?\}/i).map { |v| v[1...-1] }.reject { |v| /\A\d+(\,\d+)?\z/.match(v) || v.empty? }.uniq
+    statement.to_s.gsub(/\-\-.+/, "").gsub(/\/\*.+\*\//m, "").scan(/\{\w*?\}/i).map { |v| v[1...-1] }.reject { |v| /\A\d+(\,\d+)?\z/.match(v) || v.empty? }.uniq
   end
 
   def self.run_checks(schedule: nil)
@@ -220,6 +221,7 @@ Blazer.register_adapter "cassandra", Blazer::Adapters::CassandraAdapter
 Blazer.register_adapter "drill", Blazer::Adapters::DrillAdapter
 Blazer.register_adapter "druid", Blazer::Adapters::DruidAdapter
 Blazer.register_adapter "elasticsearch", Blazer::Adapters::ElasticsearchAdapter
+Blazer.register_adapter "influxdb", Blazer::Adapters::InfluxdbAdapter
 Blazer.register_adapter "neo4j", Blazer::Adapters::Neo4jAdapter
 Blazer.register_adapter "presto", Blazer::Adapters::PrestoAdapter
 Blazer.register_adapter "mongodb", Blazer::Adapters::MongodbAdapter

data/lib/blazer/adapters/influxdb_adapter.rb

@@ -0,0 +1,45 @@
+module Blazer
+  module Adapters
+    class InfluxdbAdapter < BaseAdapter
+      def run_statement(statement, comment)
+        columns = []
+        rows = []
+        error = nil
+
+        begin
+          result = client.query(statement, denormalize: false).first
+          columns = result["columns"]
+          rows = result["values"]
+
+          # parse time columns
+          # current approach isn't ideal, but result doesn't include types
+          # another approach would be to check the format
+          time_index = columns.index("time")
+          if time_index
+            rows.each do |row|
+              row[time_index] = Time.parse(row[time_index]) if row[time_index]
+            end
+          end
+        rescue => e
+          error = e.message
+        end
+
+        [columns, rows, error]
+      end
+
+      def tables
+        client.list_series
+      end
+
+      def preview_statement
+        "SELECT * FROM {table} LIMIT 10"
+      end
+
+      protected
+
+      def client
+        @client ||= InfluxDB::Client.new(url: settings["url"])
+      end
+    end
+  end
+end

data/lib/blazer/result.rb

@@ -94,29 +94,10 @@ module Blazer
       case Blazer.forecasting
       when "prophet"
         require "prophet"
-
-        df =
-          Daru::DataFrame.new(
-            "ds" => @rows.map { |r| r[0] },
-            "y" => @rows.map { |r| r[1] }
-          )
-
-        # TODO determine frequency
-        freq = "D"
-
-        m = Prophet.new
-        m.fit(df)
-        future = m.make_future_dataframe(periods: count, freq: freq, include_history: false)
-        fcst = m.predict(future)
-        ds = fcst["ds"]
-        if @rows[0][0].is_a?(Date)
-          ds = ds.map { |v| v.to_date }
-        end
-        forecast = ds.zip(fcst["yhat"]).to_h
+        forecast = Prophet.forecast(@rows.to_h, count: count)
       else
         require "trend"
-
-        forecast = Trend.forecast(Hash[@rows], count: count)
+        forecast = Trend.forecast(@rows.to_h, count: count)
       end
 
       # round integers

data/lib/blazer/version.rb

@@ -1,3 +1,3 @@
 module Blazer
-  VERSION = "2.2.2"
+  VERSION = "2.2.7"
 end

data/lib/generators/blazer/templates/install.rb.tt

@@ -14,12 +14,12 @@ class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version
       t.references :query
       t.text :statement
       t.string :data_source
-      t.timestamp :created_at
+      t.datetime :created_at
     end
 
     create_table :blazer_dashboards do |t|
       t.references :creator
-      t.text :name
+      t.string :name
       t.timestamps null: false
     end
 
@@ -39,7 +39,7 @@ class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version
       t.text :slack_channels
       t.string :check_type
       t.text :message
-      t.timestamp :last_run_at
+      t.datetime :last_run_at
       t.timestamps null: false
     end
   end

data/licenses/LICENSE-ace.txt

@@ -0,0 +1,24 @@
+Copyright (c) 2010, Ajax.org B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of Ajax.org B.V. nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL AJAX.ORG B.V. BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.