blazer 2.2.2 → 2.2.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of blazer might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +1 -1
- data/app/controllers/blazer/base_controller.rb +16 -2
- data/app/controllers/blazer/dashboards_controller.rb +2 -2
- data/app/controllers/blazer/queries_controller.rb +4 -4
- data/app/mailers/blazer/slack_notifier.rb +3 -0
- data/app/models/blazer/dashboard.rb +4 -0
- data/app/views/blazer/check_mailer/failing_checks.html.erb +1 -0
- data/app/views/blazer/check_mailer/state_change.html.erb +1 -0
- data/app/views/blazer/dashboards/_form.html.erb +1 -1
- data/app/views/blazer/dashboards/show.html.erb +3 -3
- data/app/views/blazer/queries/_form.html.erb +2 -2
- data/app/views/blazer/queries/run.html.erb +2 -2
- data/app/views/blazer/queries/show.html.erb +3 -3
- data/lib/blazer/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e7335b71aeda44ad8482d8950a5539c1fbf1175d5b754be3efa3ebbe03fce736
|
|
4
|
+
data.tar.gz: 80bc04aecc1050cdbd35a37b9d1c52dc26aa3090ca329021859003853cce1af9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0c17945167d21ecf91b67074483678e856ff2fd875bd9b9e5c18b828f1b83e4bf4de253877c0a98e3c97e8bd9d2272372afb5363b55740d9a0b83c3deed141ed
|
|
7
|
+
data.tar.gz: d5690c90d76ac3a947e17e86b3c6da998ac986ea36bc63b1840dd6a0a92ce937539946563b696dfdd72ae903dd3a01974c7da76027c4dad9e34159f2b82990fd
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -86,8 +86,22 @@ module Blazer
|
|
|
86
86
|
[smart_var, error]
|
|
87
87
|
end
|
|
88
88
|
|
|
89
|
-
|
|
90
|
-
|
|
89
|
+
# don't pass to url helpers
|
|
90
|
+
#
|
|
91
|
+
# some are dangerous when passed as symbols
|
|
92
|
+
# root_url({host: "evilsite.com"})
|
|
93
|
+
#
|
|
94
|
+
# certain ones (like host) only affect *_url and not *_path
|
|
95
|
+
#
|
|
96
|
+
# when permitted parameters are passed in Rails 6,
|
|
97
|
+
# they appear to be added as GET parameters
|
|
98
|
+
# root_url(params.permit(:host))
|
|
99
|
+
BLACKLISTED_KEYS = [:controller, :action, :id, :host, :query, :dashboard, :query_id, :query_ids, :table_names, :authenticity_token, :utf8, :_method, :commit, :statement, :data_source, :name, :fork_query_id, :blazer, :run_id, :script_name, :original_script_name]
|
|
100
|
+
|
|
101
|
+
# remove blacklisted keys from both params and permitted keys for better sleep
|
|
102
|
+
def variable_params(resource)
|
|
103
|
+
permitted_keys = resource.variables - BLACKLISTED_KEYS.map(&:to_s)
|
|
104
|
+
params.except(*BLACKLISTED_KEYS).permit(*permitted_keys)
|
|
91
105
|
end
|
|
92
106
|
helper_method :variable_params
|
|
93
107
|
|
|
@@ -43,7 +43,7 @@ module Blazer
|
|
|
43
43
|
|
|
44
44
|
def update
|
|
45
45
|
if update_dashboard(@dashboard)
|
|
46
|
-
redirect_to dashboard_path(@dashboard, variable_params)
|
|
46
|
+
redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
|
|
47
47
|
else
|
|
48
48
|
render_errors @dashboard
|
|
49
49
|
end
|
|
@@ -62,7 +62,7 @@ module Blazer
|
|
|
62
62
|
Blazer.transform_statement.call(data_source, statement) if Blazer.transform_statement
|
|
63
63
|
data_source.clear_cache(statement)
|
|
64
64
|
end
|
|
65
|
-
redirect_to dashboard_path(@dashboard, variable_params)
|
|
65
|
+
redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
private
|
|
@@ -45,7 +45,7 @@ module Blazer
|
|
|
45
45
|
@query.creator = blazer_user if @query.respond_to?(:creator)
|
|
46
46
|
|
|
47
47
|
if @query.save
|
|
48
|
-
redirect_to query_path(@query, variable_params)
|
|
48
|
+
redirect_to query_path(@query, variable_params(@query))
|
|
49
49
|
else
|
|
50
50
|
render_errors @query
|
|
51
51
|
end
|
|
@@ -156,7 +156,7 @@ module Blazer
|
|
|
156
156
|
process_vars(@statement, @query.data_source)
|
|
157
157
|
Blazer.transform_statement.call(data_source, @statement) if Blazer.transform_statement
|
|
158
158
|
data_source.clear_cache(@statement)
|
|
159
|
-
redirect_to query_path(@query, variable_params)
|
|
159
|
+
redirect_to query_path(@query, variable_params(@query))
|
|
160
160
|
end
|
|
161
161
|
|
|
162
162
|
def update
|
|
@@ -168,7 +168,7 @@ module Blazer
|
|
|
168
168
|
@query.errors.add(:base, "Sorry, permission denied")
|
|
169
169
|
end
|
|
170
170
|
if @query.errors.empty? && @query.update(query_params)
|
|
171
|
-
redirect_to query_path(@query, variable_params)
|
|
171
|
+
redirect_to query_path(@query, variable_params(@query))
|
|
172
172
|
else
|
|
173
173
|
render_errors @query
|
|
174
174
|
end
|
|
@@ -176,7 +176,7 @@ module Blazer
|
|
|
176
176
|
|
|
177
177
|
def destroy
|
|
178
178
|
@query.destroy if @query.editable?(blazer_user)
|
|
179
|
-
redirect_to
|
|
179
|
+
redirect_to root_path
|
|
180
180
|
end
|
|
181
181
|
|
|
182
182
|
def tables
|
|
@@ -60,6 +60,9 @@ module Blazer
|
|
|
60
60
|
ActionController::Base.helpers.pluralize(*args)
|
|
61
61
|
end
|
|
62
62
|
|
|
63
|
+
# checks shouldn't have variables, but in any case,
|
|
64
|
+
# avoid passing variable params to url helpers
|
|
65
|
+
# (known unsafe parameters are removed, but blacklist isn't ideal)
|
|
63
66
|
def self.query_url(id)
|
|
64
67
|
Blazer::Engine.routes.url_helpers.query_url(id, ActionMailer::Base.default_url_options)
|
|
65
68
|
end
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
<head>
|
|
3
3
|
</head>
|
|
4
4
|
<body style="font-family: 'Helvetica Neue', Arial, Helvetica; font-size: 14px; color: #333;">
|
|
5
|
+
<%# check queries shouldn't have variables, but in any case, don't pass them to url helpers %>
|
|
5
6
|
<p><%= link_to "View", query_url(@check.query_id) %></p>
|
|
6
7
|
<% if @error %>
|
|
7
8
|
<p><%= @error %></p>
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
<%= form_for @dashboard, url: (@dashboard.persisted? ? dashboard_path(@dashboard, variable_params) : dashboards_path(variable_params)), html: {id: "app", class: "small-form"} do |f| %>
|
|
1
|
+
<%= form_for @dashboard, url: (@dashboard.persisted? ? dashboard_path(@dashboard, variable_params(@dashboard)) : dashboards_path(variable_params(@dashboard))), html: {id: "app", class: "small-form"} do |f| %>
|
|
2
2
|
<% if @dashboard.errors.any? %>
|
|
3
3
|
<div class="alert alert-danger"><%= @dashboard.errors.full_messages.first %></div>
|
|
4
4
|
<% end %>
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
</h3>
|
|
11
11
|
</div>
|
|
12
12
|
<div class="col-sm-3 text-right">
|
|
13
|
-
<%= link_to "Edit", edit_dashboard_path(@dashboard, variable_params), class: "btn btn-info" %>
|
|
13
|
+
<%= link_to "Edit", edit_dashboard_path(@dashboard, variable_params(@dashboard)), class: "btn btn-info" %>
|
|
14
14
|
</div>
|
|
15
15
|
</div>
|
|
16
16
|
</div>
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
<% if @data_sources.any? { |ds| ds.cache_mode != "off" } %>
|
|
22
22
|
<p class="text-muted" style="float: right;">
|
|
23
23
|
Some queries may be cached
|
|
24
|
-
<%= link_to "Refresh", refresh_dashboard_path(@dashboard, variable_params), method: :post %>
|
|
24
|
+
<%= link_to "Refresh", refresh_dashboard_path(@dashboard, variable_params(@dashboard)), method: :post %>
|
|
25
25
|
</p>
|
|
26
26
|
<% end %>
|
|
27
27
|
|
|
@@ -33,7 +33,7 @@
|
|
|
33
33
|
|
|
34
34
|
<% @queries.each_with_index do |query, i| %>
|
|
35
35
|
<div class="chart-container">
|
|
36
|
-
<h4><%= link_to query.friendly_name, query_path(query, variable_params), target: "_blank" %></h4>
|
|
36
|
+
<h4><%= link_to query.friendly_name, query_path(query, variable_params(query)), target: "_blank" %></h4>
|
|
37
37
|
<div id="chart-<%= i %>" class="chart">
|
|
38
38
|
<p class="text-muted">Loading...</p>
|
|
39
39
|
</div>
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
<% end %>
|
|
4
4
|
|
|
5
5
|
<div id="app" v-cloak>
|
|
6
|
-
<%= form_for @query, url: (@query.persisted? ? query_path(@query, variable_params) : queries_path(variable_params)), html: {autocomplete: "off"} do |f| %>
|
|
6
|
+
<%= form_for @query, url: (@query.persisted? ? query_path(@query, variable_params(@query)) : queries_path(variable_params(@query))), html: {autocomplete: "off"} do |f| %>
|
|
7
7
|
<div class="row">
|
|
8
8
|
<div id="statement-box" class="col-xs-8">
|
|
9
9
|
<div class= "form-group">
|
|
@@ -67,7 +67,7 @@
|
|
|
67
67
|
</div>
|
|
68
68
|
|
|
69
69
|
<script>
|
|
70
|
-
<%= blazer_js_var "params", variable_params %>
|
|
70
|
+
<%= blazer_js_var "params", variable_params(@query) %>
|
|
71
71
|
<%= blazer_js_var "previewStatement", Hash[Blazer.data_sources.map { |k, v| [k, (v.preview_statement rescue "")] }] %>
|
|
72
72
|
|
|
73
73
|
var app = new Vue({
|
|
@@ -20,7 +20,7 @@
|
|
|
20
20
|
<% end %>
|
|
21
21
|
|
|
22
22
|
<% if @query && params[:query_id] %>
|
|
23
|
-
<%= link_to "Refresh", refresh_query_path(@query, variable_params), method: :post %>
|
|
23
|
+
<%= link_to "Refresh", refresh_query_path(@query, variable_params(@query)), method: :post %>
|
|
24
24
|
<% end %>
|
|
25
25
|
</p>
|
|
26
26
|
<% end %>
|
|
@@ -36,7 +36,7 @@
|
|
|
36
36
|
|
|
37
37
|
<% if @query && @result.forecastable? && !params[:forecast] %>
|
|
38
38
|
·
|
|
39
|
-
<%= link_to "Forecast", query_path(@query, {forecast: "t"}.merge(variable_params)) %>
|
|
39
|
+
<%= link_to "Forecast", query_path(@query, {forecast: "t"}.merge(variable_params(@query))) %>
|
|
40
40
|
<% end %>
|
|
41
41
|
</p>
|
|
42
42
|
<% end %>
|
|
@@ -10,8 +10,8 @@
|
|
|
10
10
|
</h3>
|
|
11
11
|
</div>
|
|
12
12
|
<div class="col-sm-3 text-right">
|
|
13
|
-
<%= link_to "Edit", edit_query_path(@query, variable_params), class: "btn btn-default", disabled: !@query.editable?(blazer_user) %>
|
|
14
|
-
<%= link_to "Fork", new_query_path(variable_params.merge(fork_query_id: @query.id, data_source: @query.data_source, name: @query.name)), class: "btn btn-info" %>
|
|
13
|
+
<%= link_to "Edit", edit_query_path(@query, variable_params(@query)), class: "btn btn-default", disabled: !@query.editable?(blazer_user) %>
|
|
14
|
+
<%= link_to "Fork", new_query_path(variable_params(@query).merge(fork_query_id: @query.id, data_source: @query.data_source, name: @query.name)), class: "btn btn-info" %>
|
|
15
15
|
|
|
16
16
|
<% if !@error && @success %>
|
|
17
17
|
<%= button_to "Download", run_queries_path(query_id: @query.id, format: "csv", forecast: params[:forecast]), params: {statement: @statement}, class: "btn btn-primary" %>
|
|
@@ -56,7 +56,7 @@
|
|
|
56
56
|
$("#results").addClass("query-error").html(message)
|
|
57
57
|
}
|
|
58
58
|
|
|
59
|
-
<%= blazer_js_var "data", variable_params.merge(statement: @statement, query_id: @query.id, data_source: @query.data_source) %>
|
|
59
|
+
<%= blazer_js_var "data", variable_params(@query).merge(statement: @statement, query_id: @query.id, data_source: @query.data_source) %>
|
|
60
60
|
|
|
61
61
|
runQuery(data, showRun, showError)
|
|
62
62
|
</script>
|
data/lib/blazer/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: blazer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Kane
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-05-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|