cuttable 0.0.4
- checksums.yaml +7 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +34 -0
- data/README.md +2 -0
- data/cuttable.gems +0 -0
- data/cuttable.gemspec +12 -0
- data/lib/cuttable.rb +18 -0
- data/test/test_cuttable_sqlite3.rb +65 -0
- metadata +50 -0
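--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: eca8816c553f13ebb75009db4f04443d1cf8fe1a7c2a25baae41db357c020636
+data.tar.gz: 55772b3d1f4b14f79727bc3058066622d14592c43cd1da55fb89869e979427ad
+SHA512:
+metadata.gz: e86c01b707ea3d5028e70c79a32757bfa632f0d87608e4aa539de86c73b23489f3b616dceeb63134706e16d1282b9fb05f01dfc17a6b68b5e91413173c981cc3
+data.tar.gz: 4c64d472984dae32d0e80cc95448463b7e2f81a2def9a92854bd8ab7f4379066dd6cecf1e62311996a34e5fceebfe387ad3db300b5586d2cf1a61bab65a689ee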
data/Gemfile
ADDED
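--- /dev/null
+++ b/data/Gemfile.lock
@@ -0,0 +1,34 @@
+GEM
+remote: https://rubygems.org/
+specs:
+activemodel (5.1.4)
+activesupport (= 5.1.4)
+activerecord (5.1.4)
+activemodel (= 5.1.4)
+activesupport (= 5.1.4)
+arel (~> 8.0)
+activesupport (5.1.4)
+concurrent-ruby (~> 1.0, >= 1.0.2)
+i18n (~> 0.7)
+minitest (~> 5.1)
+tzinfo (~> 1.1)
+arel (8.0.0)
+concurrent-ruby (1.0.5)
+i18n (0.9.1)
+concurrent-ruby (~> 1.0)
+minitest (5.10.3)
+sqlite3 (1.3.13)
+thread_safe (0.3.6)
+tzinfo (1.2.4)
+thread_safe (~> 0.1)
+
+PLATFORMS
+ruby
+
+DEPENDENCIES
+activerecord
+activesupport
+sqlite3
+
+BUNDLED WITH
+1.16.1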
data/README.md
ADDED
data/cuttable.gems
ADDED
File without changes
|
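--- /dev/null
+++ b/data/cuttable.gemspec
@@ -0,0 +1,12 @@
+Gem::Specification.new do |s|
+s.name = 'cuttable'
+s.version = '0.0.4'
+s.date = '2018-01-11'
+s.summary = 'Escape SQL injection when you order with params'
+s.description = 'Provides method to prevent blind SQL injection'
+s.authors = ['Floorplanner']
+s.email = 'aidan@floorplanner.com'
+s.files = `git ls-files`.split("\n")
+s.homepage = 'http://github.com/rudkovskyi/cuttable'
+s.license = 'MIT'
+end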
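Review bot: The gemspec declares no runtime dependency although lib/cuttable.rb references `ActiveSupport::Concern`, `order` and `column_names` (the shipped metadata shows `dependencies: []`), so a consumer that installs `cuttable` on its own gets an uninitialized-constant error at require time instead of a resolved dependency; add `s.add_runtime_dependency 'activerecord', '~> 5.1'` after line 3 (the lockfile resolves 5.1.4; widen the constraint if older Rails is meant to be supported). `s.files = \`git ls-files\`.split("\n")` on line 9 shells out to git whenever the spec is evaluated, which yields an empty file list outside a git checkout, and it packages test/ and Gemfile.lock into the gem as the metadata's files list confirms; a static glob such as `s.files = Dir['lib/**/*.rb'] + %w[README.md]` avoids both.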
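--- /dev/null
+++ b/data/lib/cuttable.rb
@@ -0,0 +1,18 @@
+module Cuttable
+extend ActiveSupport::Concern
+module ClassMethods
+def sanitize_order(sql)
+return order(@@default_order) if sql.to_s.empty?
+values = (sql || 'id desc').downcase.strip.split(/ |, /)
+sort_by = values.slice!(-1)
+return order(@@default_order) unless %w[asc desc].include?(sort_by) &&
+(values - column_names).empty?
+query = values.join(', ') + " #{sort_by}"
+order(query)
+end
+
+def default_order(query)
+@@default_order = query
+end
+end
+end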
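Review bot: `@@default_order` on lines 5, 8 and 15 is a class variable, and class variables resolve against the lexically enclosing `Cuttable::ClassMethods`, so every model that includes the concern shares a single default and the last `default_order` call wins for all of them, while a model that never calls it raises NameError (uninitialized class variable) from `sanitize_order` instead of falling back. Line 6 also calls `.downcase` on the raw argument after line 5 only tested `sql.to_s.empty?`, so a non-String value that request params can carry (an Array from `?order[]=…`) raises NoMethodError; normalising with `sql.to_s` first keeps the allow-list and turns such input into the default order, which also makes the `|| 'id desc'` fallback on line 6 (already unreachable after line 5) disappear. The allow-list itself is sound — every column must match `column_names` exactly and the direction is restricted to asc/desc — the one residual being that the columns are interpolated unquoted on line 10, so a column whose name is a reserved word would break the statement; `connection.quote_column_name` covers that, at the cost of updating the expected SQL in the tests. The rewrite below uses a class-instance variable, which is per model; note that an STI subclass would then need its own `default_order` call or a fallback to its superclass.
```ruby
def sanitize_order(sql)
  # to_s first: request params may deliver an Array/Hash, which would raise on #downcase
  values = sql.to_s.downcase.strip.split(/ |, /)
  sort_by = values.slice!(-1)
  return order(@default_order) unless %w[asc desc].include?(sort_by) &&
    (values - column_names).empty?
  # quote so a reserved-word column name cannot break the statement
  order(values.map { |c| connection.quote_column_name(c) }.join(', ') + " #{sort_by}")
end

def default_order(query)
  # class-instance variable: self is the including model, so each model keeps its own default
  @default_order = query
end
```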
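--- /dev/null
+++ b/data/test/test_cuttable_sqlite3.rb
@@ -0,0 +1,65 @@
+require 'rubygems'
+require 'sqlite3'
+require 'active_record'
+require './lib/cuttable'
+require 'byebug'
+require 'minitest/autorun'
+
+ActiveRecord::Base.logger = Logger.new(STDERR)
+
+ActiveRecord::Base.establish_connection(
+adapter: 'sqlite3',
+database: ':memory:'
+)
+
+ActiveRecord::Schema.define do
+create_table :users do |table|
+table.integer :postcode
+end
+end
+
+class User < ActiveRecord::Base
+include Cuttable
+default_order 'id desc'
+end
+
+class TestCuttableSqlite < MiniTest::Unit::TestCase
+def setup
+5.times do |i|
+User.create(postcode: i)
+end
+end
+
+def test_nil
+assert_equal(User.last.id, User.sanitize_order(nil).first.id)
+end
+
+def test_multiple_columns
+sql = "SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY postcode, id desc"
+assert_equal(sql, User.sanitize_order('postcode, id DESC').to_sql)
+end
+
+def test_single_column
+assert_equal(default_sql_query, User.sanitize_order('id DESC').to_sql)
+end
+
+def test_blind_sql_injection
+assert_equal(default_sql_query, User.sanitize_order('id, (select sleep(2000) from dual where database() like database())#').to_sql)
+end
+
+def test_cuts_off_other_than_the_real_column
+assert_equal(default_sql_query, User.sanitize_order('id, something desc').to_sql)
+end
+
+def test_sets_default_value_for_sort_by
+assert_equal(default_sql_query, User.sanitize_order('id, something').to_sql)
+end
+
+def default_sql_query
+"SELECT \"#{User.table_name}\".* FROM \"#{User.table_name}\" ORDER BY id desc"
+end
+
+def teardown
+User.delete_all
+end
+end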
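Review bot: `require 'byebug'` on line 5 pulls in a debugger that is absent from Gemfile.lock (its specs and DEPENDENCIES list only activerecord, activesupport, sqlite3 and their transitive gems), so the suite fails at load on a clean bundle; drop the line or add byebug to the Gemfile's test group and re-lock. The cases also leave two behaviours untested that matter for the sanitizer's safety claim: a non-String argument such as `User.sanitize_order(['id desc'])`, which is what `params[:order]` yields for `?order[]=…`, and a second model with its own `default_order`, which is what would expose the default being shared through the concern's class variable in lib/cuttable.rb. `MiniTest::Unit::TestCase` on line 26 appears to be the pre-Minitest-5 spelling; with the locked minitest 5.10.3, `Minitest::Test` is the current base class.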
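--- /dev/null
+++ b/metadata
@@ -0,0 +1,50 @@
+--- !ruby/object:Gem::Specification
+name: cuttable
+version: !ruby/object:Gem::Version
+version: 0.0.4
+platform: ruby
+authors:
+- Floorplanner
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-01-11 00:00:00.000000000 Z
+dependencies: []
+description: Provides method to prevent blind SQL injection
+email: aidan@floorplanner.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- cuttable.gems
+- cuttable.gemspec
+- lib/cuttable.rb
+- test/test_cuttable_sqlite3.rb
+homepage: http://github.com/rudkovskyi/cuttable
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.7.3
+signing_key:
+specification_version: 4
+summary: Escape SQL injection when you order with params
+test_files: []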