cuttable 0.0.4

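--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: eca8816c553f13ebb75009db4f04443d1cf8fe1a7c2a25baae41db357c020636
+  data.tar.gz: 55772b3d1f4b14f79727bc3058066622d14592c43cd1da55fb89869e979427ad
+SHA512:
+  metadata.gz: e86c01b707ea3d5028e70c79a32757bfa632f0d87608e4aa539de86c73b23489f3b616dceeb63134706e16d1282b9fb05f01dfc17a6b68b5e91413173c981cc3
+  data.tar.gz: 4c64d472984dae32d0e80cc95448463b7e2f81a2def9a92854bd8ab7f4379066dd6cecf1e62311996a34e5fceebfe387ad3db300b5586d2cf1a61bab65a689ee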
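--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+gem 'activerecord'
+gem 'activesupport'
+gem 'sqlite3'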
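--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -0,0 +1,34 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (5.1.4)
+      activesupport (= 5.1.4)
+    activerecord (5.1.4)
+      activemodel (= 5.1.4)
+      activesupport (= 5.1.4)
+      arel (~> 8.0)
+    activesupport (5.1.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (8.0.0)
+    concurrent-ruby (1.0.5)
+    i18n (0.9.1)
+      concurrent-ruby (~> 1.0)
+    minitest (5.10.3)
+    sqlite3 (1.3.13)
+    thread_safe (0.3.6)
+    tzinfo (1.2.4)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord
+  activesupport
+  sqlite3
+
+BUNDLED WITH
+   1.16.1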
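--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,2 @@
+# cuttable
+Escape SQL injection when you order with params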
data/cuttable.gems ADDED
File without changes
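--- a/data/cuttable.gemspec
+++ b/data/cuttable.gemspec
@@ -0,0 +1,12 @@
+Gem::Specification.new do |s|
+  s.name = 'cuttable'
+  s.version = '0.0.4'
+  s.date = '2018-01-11'
+  s.summary = 'Escape SQL injection when you order with params'
+  s.description = 'Provides method to prevent blind SQL injection'
+  s.authors = ['Floorplanner']
+  s.email = 'aidan@floorplanner.com'
+  s.files = `git ls-files`.split("\n")
+  s.homepage = 'http://github.com/rudkovskyi/cuttable'
+  s.license = 'MIT'
+end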
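Review bot: The gemspec declares no runtime dependencies, yet `lib/cuttable.rb` extends `ActiveSupport::Concern` and calls ActiveRecord's `order` and `column_names`, so the installed gem fails with `NameError` at require time in any app that does not already load those gems (the generated `metadata` section confirms `dependencies: []`). Add `s.add_runtime_dependency 'activerecord'` and `s.add_runtime_dependency 'activesupport'` next to the other attributes; the `Gemfile` only serves local development and is never consulted by gem consumers. The library file itself also has no `require 'active_support/concern'`, so it depends on the host having loaded it first.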
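--- a/data/lib/cuttable.rb
+++ b/data/lib/cuttable.rb
@@ -0,0 +1,18 @@
+module Cuttable
+  extend ActiveSupport::Concern
+  module ClassMethods
+    def sanitize_order(sql)
+      return order(@@default_order) if sql.to_s.empty?
+      values = (sql || 'id desc').downcase.strip.split(/ |, /)
+      sort_by = values.slice!(-1)
+      return order(@@default_order) unless %w[asc desc].include?(sort_by) &&
+        (values - column_names).empty?
+      query = values.join(', ') + " #{sort_by}"
+      order(query)
+    end
+
+    def default_order(query)
+      @@default_order = query
+    end
+  end
+end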
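Review bot: `@@default_order` on lines 5, 8 and 15 is a class variable resolved lexically to `Cuttable::ClassMethods`, so every model that includes `Cuttable` shares one default order — the last `default_order` call wins for all of them — and `sanitize_order` raises `NameError` (uninitialized class variable) if no model has set it yet. Because `ClassMethods` is extended onto each including class, a plain `@default_order` on those three lines gives each model its own value, and a reader that falls back to a documented default would make the unset case explicit. The allow-listing against `column_names` is the effective defence here, but the fallback guard misses two inputs: a bare direction such as `'desc'` leaves `values` empty and yields `order(" desc")`, which is invalid SQL, and a non-String value (an Array or Hash from `params`) passes the `sql.to_s.empty?` check on line 5 but then fails on `.downcase` on line 6. Parse from `sql.to_s` and widen the guard: `return order(@default_order) if values.empty? || !%w[asc desc].include?(sort_by) || (values - column_names).any?`. The `(sql || 'id desc')` on line 6 is dead code, since line 5 already returns for nil and empty input.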
@@ -0,0 +1,65 @@
1
+ require 'rubygems'
2
+ require 'sqlite3'
3
+ require 'active_record'
4
+ require './lib/cuttable'
5
+ require 'byebug'
6
+ require 'minitest/autorun'
7
+
8
+ ActiveRecord::Base.logger = Logger.new(STDERR)
9
+
10
+ ActiveRecord::Base.establish_connection(
11
+ adapter: 'sqlite3',
12
+ database: ':memory:'
13
+ )
14
+
15
+ ActiveRecord::Schema.define do
16
+ create_table :users do |table|
17
+ table.integer :postcode
18
+ end
19
+ end
20
+
21
+ class User < ActiveRecord::Base
22
+ include Cuttable
23
+ default_order 'id desc'
24
+ end
25
+
26
+ class TestCuttableSqlite < MiniTest::Unit::TestCase
27
+ def setup
28
+ 5.times do |i|
29
+ User.create(postcode: i)
30
+ end
31
+ end
32
+
33
+ def test_nil
34
+ assert_equal(User.last.id, User.sanitize_order(nil).first.id)
35
+ end
36
+
37
+ def test_multiple_columns
38
+ sql = "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY postcode, id desc"
39
+ assert_equal(sql, User.sanitize_order('postcode, id DESC').to_sql)
40
+ end
41
+
42
+ def test_single_column
43
+ assert_equal(default_sql_query, User.sanitize_order('id DESC').to_sql)
44
+ end
45
+
46
+ def test_blind_sql_injection
47
+ assert_equal(default_sql_query, User.sanitize_order('id, (select sleep(2000) from dual where database() like database())#').to_sql)
48
+ end
49
+
50
+ def test_cuts_off_other_than_the_real_column
51
+ assert_equal(default_sql_query, User.sanitize_order('id, something desc').to_sql)
52
+ end
53
+
54
+ def test_sets_default_value_for_sort_by
55
+ assert_equal(default_sql_query, User.sanitize_order('id, something').to_sql)
56
+ end
57
+
58
+ def default_sql_query
59
+ "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY id desc"
60
+ end
61
+
62
+ def teardown
63
+ User.delete_all
64
+ end
65
+ end
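Review bot: `require 'byebug'` on line 5 pulls in a gem that is in neither the Gemfile (which lists only activerecord, activesupport and sqlite3) nor the gemspec, so the suite fails with `LoadError` on a clean checkout; drop the line or move byebug into a development group. `MiniTest::Unit::TestCase` on line 26 is the pre-5.x name that the minitest 5.10.3 resolved by the lockfile keeps only as a deprecated compatibility alias; `class TestCuttableSqlite < Minitest::Test` is the current form. `test_blind_sql_injection` usefully pins that an unrecognised expression falls back to the default order, but note it only works because `default_order 'id desc'` is set on `User` earlier in this file. This hunk's file header is not shown on the page; the metadata section lists `test/test_cuttable_sqlite3.rb`, which is presumably this file.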
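--- a/metadata
+++ b/metadata
@@ -0,0 +1,50 @@
+--- !ruby/object:Gem::Specification
+name: cuttable
+version: !ruby/object:Gem::Version
+  version: 0.0.4
+platform: ruby
+authors:
+- Floorplanner
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-01-11 00:00:00.000000000 Z
+dependencies: []
+description: Provides method to prevent blind SQL injection
+email: aidan@floorplanner.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- cuttable.gems
+- cuttable.gemspec
+- lib/cuttable.rb
+- test/test_cuttable_sqlite3.rb
+homepage: http://github.com/rudkovskyi/cuttable
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.7.3
+signing_key:
+specification_version: 4
+summary: Escape SQL injection when you order with params
+test_files: []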