cuttable 0.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: eca8816c553f13ebb75009db4f04443d1cf8fe1a7c2a25baae41db357c020636
+  data.tar.gz: 55772b3d1f4b14f79727bc3058066622d14592c43cd1da55fb89869e979427ad
+SHA512:
+  metadata.gz: e86c01b707ea3d5028e70c79a32757bfa632f0d87608e4aa539de86c73b23489f3b616dceeb63134706e16d1282b9fb05f01dfc17a6b68b5e91413173c981cc3
+  data.tar.gz: 4c64d472984dae32d0e80cc95448463b7e2f81a2def9a92854bd8ab7f4379066dd6cecf1e62311996a34e5fceebfe387ad3db300b5586d2cf1a61bab65a689ee

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+gem 'activerecord'
+gem 'activesupport'
+gem 'sqlite3'

data/Gemfile.lock

@@ -0,0 +1,34 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (5.1.4)
+      activesupport (= 5.1.4)
+    activerecord (5.1.4)
+      activemodel (= 5.1.4)
+      activesupport (= 5.1.4)
+      arel (~> 8.0)
+    activesupport (5.1.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (8.0.0)
+    concurrent-ruby (1.0.5)
+    i18n (0.9.1)
+      concurrent-ruby (~> 1.0)
+    minitest (5.10.3)
+    sqlite3 (1.3.13)
+    thread_safe (0.3.6)
+    tzinfo (1.2.4)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord
+  activesupport
+  sqlite3
+
+BUNDLED WITH
+   1.16.1

data/README.md

@@ -0,0 +1,2 @@
+# cuttable
+Escape SQL injection when you order with params

data/cuttable.gemspec

@@ -0,0 +1,12 @@
+Gem::Specification.new do |s|
+  s.name        = 'cuttable'
+  s.version     = '0.0.4'
+  s.date        = '2018-01-11'
+  s.summary     = 'Escape SQL injection when you order with params'
+  s.description = 'Provides method to prevent blind SQL injection'
+  s.authors     = ['Floorplanner']
+  s.email       = 'aidan@floorplanner.com'
+  s.files       = `git ls-files`.split("\n")
+  s.homepage    = 'http://github.com/rudkovskyi/cuttable'
+  s.license     = 'MIT'
+end

data/lib/cuttable.rb

@@ -0,0 +1,18 @@
+module Cuttable
+  extend ActiveSupport::Concern
+  module ClassMethods
+    def sanitize_order(sql)
+      return order(@@default_order) if sql.to_s.empty?
+      values = (sql || 'id desc').downcase.strip.split(/ |, /)
+      sort_by = values.slice!(-1)
+      return order(@@default_order) unless %w[asc desc].include?(sort_by) &&
+                                    (values - column_names).empty?
+      query = values.join(', ') + " #{sort_by}"
+      order(query)
+    end
+
+    def default_order(query)
+      @@default_order = query
+    end
+  end
+end

data/test/test_cuttable_sqlite3.rb

@@ -0,0 +1,65 @@
+require 'rubygems'
+require 'sqlite3'
+require 'active_record'
+require './lib/cuttable'
+require 'byebug'
+require 'minitest/autorun'
+
+ActiveRecord::Base.logger = Logger.new(STDERR)
+
+ActiveRecord::Base.establish_connection(
+  adapter: 'sqlite3',
+  database: ':memory:'
+)
+
+ActiveRecord::Schema.define do
+  create_table :users do |table|
+    table.integer :postcode
+  end
+end
+
+class User < ActiveRecord::Base
+  include Cuttable
+  default_order 'id desc'
+end
+
+class TestCuttableSqlite < MiniTest::Unit::TestCase
+  def setup
+    5.times do |i|
+      User.create(postcode: i)
+    end
+  end
+
+  def test_nil
+    assert_equal(User.last.id, User.sanitize_order(nil).first.id)
+  end
+
+  def test_multiple_columns
+    sql = "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY postcode, id desc"
+    assert_equal(sql, User.sanitize_order('postcode, id DESC').to_sql)
+  end
+
+  def test_single_column
+    assert_equal(default_sql_query, User.sanitize_order('id DESC').to_sql)
+  end
+
+  def test_blind_sql_injection
+    assert_equal(default_sql_query, User.sanitize_order('id, (select sleep(2000) from dual where database() like database())#').to_sql)
+  end
+
+  def test_cuts_off_other_than_the_real_column
+    assert_equal(default_sql_query, User.sanitize_order('id, something desc').to_sql)
+  end
+
+  def test_sets_default_value_for_sort_by
+    assert_equal(default_sql_query, User.sanitize_order('id, something').to_sql)
+  end
+
+  def default_sql_query
+    "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY id desc"
+  end
+
+  def teardown
+    User.delete_all
+  end
+end

metadata

@@ -0,0 +1,50 @@
+--- !ruby/object:Gem::Specification
+name: cuttable
+version: !ruby/object:Gem::Version
+  version: 0.0.4
+platform: ruby
+authors:
+- Floorplanner
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-01-11 00:00:00.000000000 Z
+dependencies: []
+description: Provides method to prevent blind SQL injection
+email: aidan@floorplanner.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- cuttable.gems
+- cuttable.gemspec
+- lib/cuttable.rb
+- test/test_cuttable_sqlite3.rb
+homepage: http://github.com/rudkovskyi/cuttable
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.3
+signing_key: 
+specification_version: 4
+summary: Escape SQL injection when you order with params
+test_files: []