dotted_hash 0.8 → 0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 442525c1060bd5bbfcbd29eab42eacd400bcd21a
-  data.tar.gz: 64330ffcb55a2db31f48dad429ecc329bd086a74
+  metadata.gz: 13450c3abde2a7100248385cefbafd3a41260c76
+  data.tar.gz: 21ccd452b4ca350acecbf2209dcdc8723ccac4ac
 SHA512:
-  metadata.gz: eb8fdb956dcbfc3b5687e50250554a037ea9228803e4068bb20d174d3704e511eab959aa986f00c4b4fc6937c54bcfa77a777fc96601541e4ba8ec1b1e1dc8a7
-  data.tar.gz: 37d877e03ad53c404f82b5d5f7fe0fdb432ad8d7d4da174bb37a86a70a05c567d3a34d7c0d73dc6018906051f4745c2e8c37aa2dad6abf89bd4d61e8a7461b76
+  metadata.gz: 163655b8c528a56443d47af75813d1e15aca9617154707bcff3ce6262f95ec78d32a6372cc8c5c7a8c9d5a54031360e6ae2126f046c1ab461490d411bb7fcfba
+  data.tar.gz: 5889f79bf47c38db461b32ef119662ba7695cef4c0d016073d472dfd1fd1dfbc150c4e9d85ced5abf41d084ebd7e54f6a9811efad578b1bf8996f2585de8dc7d

data/.gitignore

@@ -1 +1,2 @@
 Gemfile.lock
+pkg/

data/README.md

@@ -2,7 +2,7 @@
 
 Recursive OpenStruct-like or Hash-like object. Uses ActiveModel.
 
-Based on *Tire::Result::Item* with addition of writing attributes.
+Based on *Tire::Result::Item* with addition of writing attributes and security limits.
 
 ## Installation
 
@@ -70,8 +70,48 @@ recursively (also creates sub-DottedHashes if they don't exist)
     > d.class
     => Cannon
 
+## Set security for structure
+
+- *MAX_DEPTH* for maximal depth of whole tree (keys_depth+1), counted from 0.
+While it is not completely bulletproof, because depth can be set to wrong number if careless, it is enough in most of the time.
+
+- *MAX_ATTRS* to specify maximum count of attributes. Use integer for limit to all levels or use hash like this
+
+    MAX_ATTRS = {1 => 20, 2 => 5, default: 10}
+
+for limits to be applied to certain levels. *Default* is optional, if not present - limit is not set.
+
+- *MAX_SIZE* to limit structure size. Size is computed from JSON representation of *DottedHash*.
+Note that some objects may have much bigger representation in memory than in JSON.
+
+
+## JSON
+
+Because security uses JSON representation of DottedHash, use library like *Oj* or *Yajl* when under heavy load.
+
+DottedHash uses *ActiveSupport* which uses *MultiJson*...
+
+Which backend is used?
+
+    > MultiJson.adapter
+
+or
+
+    > ActiveSupport::JSON.backend
+
+Set backend
+
+    > MultiJson.adapter = :oj
+
+or
+
+    > ActiveSupport::JSON.backend = :yajl
+
+
+
 See source and tests for some more details.
 
+
 ## Contributing
 
 1. Fork it
@@ -86,4 +126,4 @@ Original project: [https://github.com/karmi/tire](https://github.com/karmi/tire)
 
 Author of modificated version: *Ivan Stana*
 
-License: *MIT*
+License: *MIT*

data/dotted_hash.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.version       = DottedHash::VERSION
   spec.authors       = ["Ivan Stana"]
   spec.email         = ["stiipa@centrum.sk"]
-  spec.description   = %q{Recursive OpenStruct-like or Hash-like object. Based on Tire::Result::Item with addition of writing attributes.}
+  spec.description   = %q{Recursive OpenStruct-like or Hash-like object. Based on Tire::Result::Item with addition of writing attributes and security limits.}
   spec.summary       = %q{Recursive OpenStruct-like object.}
   spec.homepage      = "http://github.com/istana/dotted_hash"
   spec.license       = "MIT"

data/lib/dotted_hash/version.rb

@@ -1,3 +1,3 @@
 class DottedHash
-  VERSION = "0.8"
+  VERSION = "0.9"
 end

data/lib/dotted_hash.rb

@@ -9,12 +9,32 @@ class DottedHash
 	extend  ActiveModel::Naming
 	include ActiveModel::Conversion
 	#include ActiveModel::Model
+
+	## Basic security
+
+	# Maximum depth of whole tree, not keys (keys depth+1)
+	# Counted from 0
+	# Not fully bulletproof, depth may be set to wrong number if careless
+	MAX_DEPTH = 10
+
+	# Maximum count of attributes
+	# Use hash like this to specify each level
+	# MAX_ATTRS = {1 => 20, 2 => 5, default: 10}
+	MAX_ATTRS = 10
+
+	# Maximum size of document, counted from JSON result of document
+	# It is not bulletproof, but if using simple structures, it is enough
+	# Other structures may have much bigger representation in memory than in JSON
+	MAX_SIZE = 16384
+
 	# Create new instance, recursively converting all Hashes to Item
 	# and leaving everything else alone.
 	#
-	# TODO: track depth
-	def initialize(args={})
+	def initialize(args={}, level=0)
 		raise ArgumentError, "Please pass a Hash-like object" unless args.respond_to?(:each_pair)
+		raise RuntimeError, "Maximal depth reached" if level > MAX_DEPTH
+
+		@depth = level
 		@attributes = {}
 		args.each_pair do |key, value|
 			assign_value(key, value)
@@ -22,12 +42,26 @@ class DottedHash
 	end
 
 	def assign_value(key, value)
+		max_attrs = if MAX_ATTRS.is_a?(Fixnum)
+									MAX_ATTRS
+								elsif MAX_ATTRS.respond_to?(:[])
+									MAX_ATTRS[@depth] || MAX_ATTRS[:default]
+								end
+
+		if max_attrs
+			attrs = @attributes.size + (@attributes.include?(key.to_sym) ? 0 : 1)
+			raise RuntimeError, "Maximum number of attributes reached" if attrs > max_attrs
+		end
+
+		raise RuntimeError, "Maximal size of document reached" if self.to_json.size+value.to_json.size > MAX_SIZE
+
 		if value.is_a?(Array)
-			@attributes[key.to_sym] = value.map { |item| @attributes[key.to_sym] = item.is_a?(Hash) ? DottedHash.new(item.to_hash) : item }
+			@attributes[key.to_sym] = value.map { |item| @attributes[key.to_sym] = item.is_a?(Hash) ? DottedHash.new(item.to_hash, @depth+1) : item }
 		else
-			@attributes[key.to_sym] = value.is_a?(Hash) ? DottedHash.new(value.to_hash) : value
+			@attributes[key.to_sym] = value.is_a?(Hash) ? DottedHash.new(value.to_hash, @depth+1) : value
 		end
 	end
+
 	private :assign_value
 
 	# Delegate method to a key in underlying hash, if present, otherwise return +nil+.
@@ -57,13 +91,13 @@ class DottedHash
 		if keys.size > 1
 			key = keys.shift.to_sym
 
-			if !self.send(key)
-				self.send("#{key}=", DottedHash.new)
+			if !@attributes[key]
+				assign_value(key, DottedHash.new({}, @depth+1))
 			end
-			sub = self.send(key)
+			sub = @attributes[key]
 			sub.send(:recursive_assign, keys.join('.'), value)
 		elsif keys.size == 1
-			self.send("#{keys.shift}=", value)
+			assign_value(keys.shift, value)
 		end
 	end
 

data/test/dotted_hash_spec.rb

@@ -17,7 +17,7 @@ describe DottedHash do
 			expect{ DottedHash.new(id: 1) }.not_to raise_error
 			DottedHash.new(id: 1).should_be_instance_of :N
 			expect(DottedHash.new(id: 1)).to be_instance_of(DottedHash)
-			
+
 			expect do
 				class AlmostHash < Hash; end
 				DottedHash.new(AlmostHash.new(id: 1))
@@ -191,6 +191,77 @@ describe DottedHash do
 			end
 		end
 
+		context "Security" do
+			describe "MAX_DEPTH" do
+				it "has good depth" do
+					hash = {}
+					ptr = hash
+					for i in (0..DottedHash::MAX_DEPTH-1) do
+						ptr.merge!({i.to_s => {}})
+						ptr = ptr[i.to_s]
+					end
+
+					expect{ DottedHash.new(hash) }.not_to raise_error
+				end
+
+				it "is too deep" do
+					hash = {}
+					ptr = hash
+					for i in (0..DottedHash::MAX_DEPTH) do
+						ptr.merge!({i.to_s => {}})
+						ptr = ptr[i.to_s]
+					end
+
+					expect{ DottedHash.new(hash)}.to raise_error(RuntimeError, /depth/)
+				end
+			end
+
+			describe "MAX_ATTRS" do
+				context "Integer value" do
+					it "is in limit" do
+						stub_const("DottedHash::MAX_ATTRS", 3)
+						expect{ DottedHash.new(a: 1, b: 2, c: 3) }.not_to raise_error
+					end
+
+					it "is not in limit" do
+						stub_const("DottedHash::MAX_ATTRS", 3)
+						expect{ DottedHash.new(a: 1, b: 2, c: 3, d: 4) }.to raise_error(RuntimeError, /attribu/)
+					end
+				end
+
+				context "Depths specified" do
+					it "is set with key 'default'" do
+						stub_const("DottedHash::MAX_ATTRS", {1 => 3, default: 2})
+
+						expect{ DottedHash.new(a: 1, b: 2) }.not_to raise_error
+						expect{ DottedHash.new(a: 1, b: 2, c: 3) }.to raise_error(RuntimeError, /attribu/)
+
+						expect{ DottedHash.new(a: 1, b: {one: 1, two: 2, three: 3}) }.not_to raise_error
+						expect{ DottedHash.new(a: 1, b: {one: 1, two: 2, three: 3, four: 4}) }.to raise_error(RuntimeError, /attribu/)
+					end
+
+					it "is not set with key 'default'" do
+						stub_const("DottedHash::MAX_ATTRS", {0 => 3})
+
+						expect{ DottedHash.new(a: 1, b: 2, c: 3) }.not_to raise_error
+						expect{ DottedHash.new(a: 1, b: 2, c: 3, d: 4) }.to raise_error(RuntimeError, /attribu/)
+
+						expect{ DottedHash.new(a: 1, b: 2, c: {one: 1, two: 2, three: 3, four: 4, five: 5}) }.not_to raise_error
+						expect{ DottedHash.new(a: 1, b: 2, c: 3, d: {one: 1, two: 2, three: 3, four: 4, five: 5}) }.to raise_error(RuntimeError, /attribu/)
+					end
+				end
+			end
+
+			it "tests MAX_SIZE" do
+				stub_const("DottedHash::MAX_SIZE", 10)
+
+				expect{ DottedHash.new(a: "short") }.not_to raise_error
+				expect{ DottedHash.new(a: "najnevypocitavatelnejsi") }.to raise_error(/size/) 
+				expect{ DottedHash.new(a: "short", b: "short") }.to raise_error(/size/)
+				expect{ DottedHash.new(a: {b: "x", c: {d: "xxx"}}) }.to raise_error(/size/)
+			end
+		end
+
 	end
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dotted_hash
 version: !ruby/object:Gem::Version
-  version: '0.8'
+  version: '0.9'
 platform: ruby
 authors:
 - Ivan Stana
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-01 00:00:00.000000000 Z
+date: 2013-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -95,7 +95,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.13'
 description: Recursive OpenStruct-like or Hash-like object. Based on Tire::Result::Item
-  with addition of writing attributes.
+  with addition of writing attributes and security limits.
 email:
 - stiipa@centrum.sk
 executables: []