cuttable 0.0.4
- checksums.yaml +7 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +34 -0
- data/README.md +2 -0
- data/cuttable.gems +0 -0
- data/cuttable.gemspec +12 -0
- data/lib/cuttable.rb +18 -0
- data/test/test_cuttable_sqlite3.rb +65 -0
- metadata +50 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: eca8816c553f13ebb75009db4f04443d1cf8fe1a7c2a25baae41db357c020636
|
4
|
+
data.tar.gz: 55772b3d1f4b14f79727bc3058066622d14592c43cd1da55fb89869e979427ad
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: e86c01b707ea3d5028e70c79a32757bfa632f0d87608e4aa539de86c73b23489f3b616dceeb63134706e16d1282b9fb05f01dfc17a6b68b5e91413173c981cc3
|
7
|
+
data.tar.gz: 4c64d472984dae32d0e80cc95448463b7e2f81a2def9a92854bd8ab7f4379066dd6cecf1e62311996a34e5fceebfe387ad3db300b5586d2cf1a61bab65a689ee
|
data/Gemfile
ADDED
data/Gemfile.lock
ADDED
@@ -0,0 +1,34 @@
|
|
1
|
+
GEM
|
2
|
+
remote: https://rubygems.org/
|
3
|
+
specs:
|
4
|
+
activemodel (5.1.4)
|
5
|
+
activesupport (= 5.1.4)
|
6
|
+
activerecord (5.1.4)
|
7
|
+
activemodel (= 5.1.4)
|
8
|
+
activesupport (= 5.1.4)
|
9
|
+
arel (~> 8.0)
|
10
|
+
activesupport (5.1.4)
|
11
|
+
concurrent-ruby (~> 1.0, >= 1.0.2)
|
12
|
+
i18n (~> 0.7)
|
13
|
+
minitest (~> 5.1)
|
14
|
+
tzinfo (~> 1.1)
|
15
|
+
arel (8.0.0)
|
16
|
+
concurrent-ruby (1.0.5)
|
17
|
+
i18n (0.9.1)
|
18
|
+
concurrent-ruby (~> 1.0)
|
19
|
+
minitest (5.10.3)
|
20
|
+
sqlite3 (1.3.13)
|
21
|
+
thread_safe (0.3.6)
|
22
|
+
tzinfo (1.2.4)
|
23
|
+
thread_safe (~> 0.1)
|
24
|
+
|
25
|
+
PLATFORMS
|
26
|
+
ruby
|
27
|
+
|
28
|
+
DEPENDENCIES
|
29
|
+
activerecord
|
30
|
+
activesupport
|
31
|
+
sqlite3
|
32
|
+
|
33
|
+
BUNDLED WITH
|
34
|
+
1.16.1
|
data/README.md
ADDED
data/cuttable.gems
ADDED
File without changes
|
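--- a/data/cuttable.gemspec
+++ b/data/cuttable.gemspec
@@ -0,0 +1,12 @@
+Gem::Specification.new do |s|
+  s.name = 'cuttable'
+  s.version = '0.0.4'
+  s.date = '2018-01-11'
+  s.summary = 'Escape SQL injection when you order with params'
+  s.description = 'Provides method to prevent blind SQL injection'
+  s.authors = ['Floorplanner']
+  s.email = 'aidan@floorplanner.com'
+  s.files = `git ls-files`.split("\n")
+  s.homepage = 'http://github.com/rudkovskyi/cuttable'
+  s.license = 'MIT'
+end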
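Review bot: The gemspec declares no runtime dependency at all (the released metadata below shows `dependencies: []`), yet lib/cuttable.rb relies on `ActiveSupport::Concern`, `order` and `column_names`, so a plain `gem install cuttable` produces a gem that cannot be loaded unless ActiveRecord happens to be installed already; add `s.add_runtime_dependency 'activerecord'` (the lockfile resolves 5.1.4, which I take to be the version it was exercised against, so a `'>= 5.1'` floor seems reasonable). `s.files = \`git ls-files\`` on line 9 also packages Gemfile.lock and the test file into the gem, as the metadata `files:` list confirms; restricting it to `lib/**/*.rb` plus README and license keeps the installed artefact to what is needed. The homepage on line 10 is `http://`; prefer `https://`.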
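--- a/data/lib/cuttable.rb
+++ b/data/lib/cuttable.rb
@@ -0,0 +1,18 @@
+module Cuttable
+  extend ActiveSupport::Concern
+  module ClassMethods
+    def sanitize_order(sql)
+      return order(@@default_order) if sql.to_s.empty?
+      values = (sql || 'id desc').downcase.strip.split(/ |, /)
+      sort_by = values.slice!(-1)
+      return order(@@default_order) unless %w[asc desc].include?(sort_by) &&
+        (values - column_names).empty?
+      query = values.join(', ') + " #{sort_by}"
+      order(query)
+    end
+
+    def default_order(query)
+      @@default_order = query
+    end
+  end
+end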
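Review bot: `sort_by = values.slice!(-1)` on line 7 leaves `values` empty when the caller passes only a direction, e.g. `sanitize_order('desc')`; the guard on lines 8–9 then passes because `[] - column_names` is empty, and line 11 runs `order(' desc')`, which the database rejects instead of the method falling back to the default — add `return order(@@default_order) if values.empty?` directly after the `slice!`. The `(sql || 'id desc')` fallback on line 6 is unreachable after the `sql.to_s.empty?` guard on line 5 and can be dropped. `@@default_order` is a class variable of `Cuttable::ClassMethods`, so every model including the concern shares one value and calling `default_order` on a second model presumably overwrites the first's; a class-level instance variable set via `self.default_order` would keep them separate, and it would also avoid the uninitialized-class-variable error if `default_order` was never called. The injection guard itself looks sound: every token that reaches `order` is either an entry of `column_names` or `asc`/`desc`, and the unquoted column names come from the schema rather than the request.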
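--- a/data/test/test_cuttable_sqlite3.rb
+++ b/data/test/test_cuttable_sqlite3.rb
@@ -0,0 +1,65 @@
+require 'rubygems'
+require 'sqlite3'
+require 'active_record'
+require './lib/cuttable'
+require 'byebug'
+require 'minitest/autorun'
+
+ActiveRecord::Base.logger = Logger.new(STDERR)
+
+ActiveRecord::Base.establish_connection(
+  adapter: 'sqlite3',
+  database: ':memory:'
+)
+
+ActiveRecord::Schema.define do
+  create_table :users do |table|
+    table.integer :postcode
+  end
+end
+
+class User < ActiveRecord::Base
+  include Cuttable
+  default_order 'id desc'
+end
+
+class TestCuttableSqlite < MiniTest::Unit::TestCase
+  def setup
+    5.times do |i|
+      User.create(postcode: i)
+    end
+  end
+
+  def test_nil
+    assert_equal(User.last.id, User.sanitize_order(nil).first.id)
+  end
+
+  def test_multiple_columns
+    sql = "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY postcode, id desc"
+    assert_equal(sql, User.sanitize_order('postcode, id DESC').to_sql)
+  end
+
+  def test_single_column
+    assert_equal(default_sql_query, User.sanitize_order('id DESC').to_sql)
+  end
+
+  def test_blind_sql_injection
+    assert_equal(default_sql_query, User.sanitize_order('id, (select sleep(2000) from dual where database() like database())#').to_sql)
+  end
+
+  def test_cuts_off_other_than_the_real_column
+    assert_equal(default_sql_query, User.sanitize_order('id, something desc').to_sql)
+  end
+
+  def test_sets_default_value_for_sort_by
+    assert_equal(default_sql_query, User.sanitize_order('id, something').to_sql)
+  end
+
+  def default_sql_query
+    "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY id desc"
+  end
+
+  def teardown
+    User.delete_all
+  end
+end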
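Review bot: `require 'byebug'` on line 5 names a gem that the Gemfile.lock in this release does not contain (its DEPENDENCIES are activerecord, activesupport and sqlite3), so the suite raises LoadError on a clean checkout; remove the line or declare byebug as a development dependency. The injection cases only exercise inputs with extra tokens after a real column, and there is no case for a bare direction; `assert_equal(default_sql_query, User.sanitize_order('desc').to_sql)` would pin the intended fallback, and it fails against the implementation in this commit, which emits `order(' desc')` for that input. `MiniTest::Unit::TestCase` on line 26 is the pre-5.0 name; with minitest 5.10.3 from the lockfile the supported base class is `Minitest::Test`.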
metadata
ADDED
@@ -0,0 +1,50 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: cuttable
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.0.4
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Floorplanner
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2018-01-11 00:00:00.000000000 Z
|
12
|
+
dependencies: []
|
13
|
+
description: Provides method to prevent blind SQL injection
|
14
|
+
email: aidan@floorplanner.com
|
15
|
+
executables: []
|
16
|
+
extensions: []
|
17
|
+
extra_rdoc_files: []
|
18
|
+
files:
|
19
|
+
- Gemfile
|
20
|
+
- Gemfile.lock
|
21
|
+
- README.md
|
22
|
+
- cuttable.gems
|
23
|
+
- cuttable.gemspec
|
24
|
+
- lib/cuttable.rb
|
25
|
+
- test/test_cuttable_sqlite3.rb
|
26
|
+
homepage: http://github.com/rudkovskyi/cuttable
|
27
|
+
licenses:
|
28
|
+
- MIT
|
29
|
+
metadata: {}
|
30
|
+
post_install_message:
|
31
|
+
rdoc_options: []
|
32
|
+
require_paths:
|
33
|
+
- lib
|
34
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
35
|
+
requirements:
|
36
|
+
- - ">="
|
37
|
+
- !ruby/object:Gem::Version
|
38
|
+
version: '0'
|
39
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
40
|
+
requirements:
|
41
|
+
- - ">="
|
42
|
+
- !ruby/object:Gem::Version
|
43
|
+
version: '0'
|
44
|
+
requirements: []
|
45
|
+
rubyforge_project:
|
46
|
+
rubygems_version: 2.7.3
|
47
|
+
signing_key:
|
48
|
+
specification_version: 4
|
49
|
+
summary: Escape SQL injection when you order with params
|
50
|
+
test_files: []
|