input_sanitizer 0.1.10 → 0.4.1

data/lib/input_sanitizer/v2/payload_transform.rb

@@ -0,0 +1,42 @@
+require 'active_support/core_ext/hash/indifferent_access'
+
+class InputSanitizer::V2::PayloadTransform
+  attr_reader :original_payload, :context
+
+  def self.call(original_payload, context = {})
+    new(original_payload, context).call
+  end
+
+  def initialize(original_payload, context = {})
+    fail "#{self.class} is missing #transform method" unless respond_to?(:transform)
+    @original_payload, @context = original_payload, context
+  end
+
+  def call
+    transform
+    payload
+  end
+
+  private
+  def rename(from, to)
+    if has?(from)
+      data = payload.delete(from)
+      payload[to] = data
+    end
+  end
+
+  def merge_in(field, options = {})
+    if source = payload.delete(field)
+      source = options[:using].call(source) if options[:using]
+      payload.merge!(source)
+    end
+  end
+
+  def has?(key)
+    payload.has_key?(key)
+  end
+
+  def payload
+    @payload ||= original_payload.with_indifferent_access
+  end
+end

data/lib/input_sanitizer/v2/query_sanitizer.rb

@@ -0,0 +1,33 @@
+class InputSanitizer::V2::QuerySanitizer < InputSanitizer::V2::PayloadSanitizer
+  def self.converters
+    {
+      :integer => InputSanitizer::V2::Types::CoercingIntegerCheck.new,
+      :float => InputSanitizer::V2::Types::CoercingFloatCheck.new,
+      :string => InputSanitizer::V2::Types::StringCheck.new,
+      :boolean => InputSanitizer::V2::Types::CoercingBooleanCheck.new,
+      :datetime => InputSanitizer::V2::Types::DatetimeCheck.new,
+      :date => InputSanitizer::V2::Types::DatetimeCheck.new(:check_date => true),
+      :url => InputSanitizer::V2::Types::URLCheck.new,
+    }
+  end
+  initialize_types_dsl
+
+  def self.sort_by(allowed_values, options = {})
+    set_keys_to_converter([:sort_by, { :allow => allowed_values }.merge(options)], InputSanitizer::V2::Types::SortByCheck.new)
+  end
+
+  # allow underscore cache buster by default
+  string :_
+
+  private
+  def perform_clean
+    super
+    @errors.each do |error|
+      error.field = error.field[1..-1] if error.field.start_with?('/')
+    end
+  end
+
+  def sanitizer_type
+    :query
+  end
+end

data/lib/input_sanitizer/v2/types.rb

@@ -0,0 +1,227 @@
+require 'active_support/core_ext/object/blank'
+
+module InputSanitizer::V2::Types
+  class IntegerCheck
+    def call(value, options = {})
+      if value == nil && (options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil
+        value
+      else
+        Integer(value).tap do |integer|
+          raise InputSanitizer::TypeMismatchError.new(value, :integer) unless integer == value
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && integer < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && integer > options[:maximum]
+        end
+      end
+    rescue ArgumentError, TypeError
+      raise InputSanitizer::TypeMismatchError.new(value, :integer)
+    end
+  end
+
+  class CoercingIntegerCheck
+    def call(value, options = {})
+      if value == nil || value == 'null'
+        if options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true
+          raise InputSanitizer::BlankValueError
+        else
+          nil
+        end
+      else
+        Integer(value).tap do |integer|
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && integer < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && integer > options[:maximum]
+        end
+      end
+    rescue ArgumentError
+      raise InputSanitizer::TypeMismatchError.new(value, :integer)
+    end
+  end
+
+  class FloatCheck
+    def call(value, options = {})
+      if value == nil && (options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil
+        value
+      else
+        Float(value).tap do |float|
+          raise InputSanitizer::TypeMismatchError.new(value, :float) unless float == value
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && float < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && float > options[:maximum]
+        end
+      end
+    rescue ArgumentError, TypeError
+      raise InputSanitizer::TypeMismatchError.new(value, :float)
+    end
+  end
+
+  class CoercingFloatCheck
+    def call(value, options = {})
+      if value == nil || value == 'null'
+        if options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true
+          raise InputSanitizer::BlankValueError
+        else
+          nil
+        end
+      else
+        Float(value).tap do |float|
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && float < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && float > options[:maximum]
+        end
+      end
+    rescue ArgumentError
+      raise InputSanitizer::TypeMismatchError.new(value, :float)
+    end
+  end
+
+  class StringCheck
+    def call(value, options = {})
+      if options[:allow] && !options[:allow].include?(value)
+        raise InputSanitizer::ValueNotAllowedError.new(value)
+      elsif value.blank? && (options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif options[:regexp] && options[:regexp].match(value).nil?
+        raise InputSanitizer::RegexpMismatchError.new
+      elsif value == nil && options[:allow_nil] == false
+        raise InputSanitizer::BlankValueError
+      elsif value.blank?
+        value
+      else
+        value.to_s.tap do |string|
+          raise InputSanitizer::TypeMismatchError.new(value, :string) unless string == value
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && string.length < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && string.length > options[:maximum]
+        end
+
+        if options[:strip_4byte_chars] && !options[:already_stripped]
+          value_without_4byte_chars = strip_4byte_chars(value)
+          updated_options = options.merge(:already_stripped => true) # to prevent infinite loop
+          call(value_without_4byte_chars, updated_options) # run checks once again to ensure string is still valid after stripping 4-byte chars
+        else
+          value
+        end
+      end
+    end
+
+    private
+
+    def strip_4byte_chars(string)
+      string.each_char.with_object(String.new) { |char, output| output << char if char.bytesize < 4 }
+    end
+  end
+
+  class BooleanCheck
+    def call(value, options = {})
+      if value == nil
+        raise InputSanitizer::BlankValueError
+      elsif [true, false].include?(value)
+        value
+      else
+        raise InputSanitizer::TypeMismatchError.new(value, :boolean)
+      end
+    end
+  end
+
+  class CoercingBooleanCheck
+    def call(value, options = {})
+      if [true, 'true'].include?(value)
+        true
+      elsif [false, 'false'].include?(value)
+        false
+      else
+        raise InputSanitizer::TypeMismatchError.new(value, :boolean)
+      end
+    end
+  end
+
+  class DatetimeCheck
+    def initialize(options = {})
+      @check_date = options && options[:check_date]
+      @klass = @check_date ? Date : DateTime
+    end
+
+    def call(value, options = {})
+      raise InputSanitizer::TypeMismatchError.new(value, @check_date ? :date : :datetime) unless value == nil || value.is_a?(String)
+
+      if value.blank? && (options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil && options[:allow_nil] == false
+        raise InputSanitizer::BlankValueError
+      elsif value.blank?
+        value
+      else
+        @klass.parse(value).tap do |datetime|
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && datetime < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && datetime > options[:maximum]
+        end
+      end
+    rescue ArgumentError, TypeError
+      raise InputSanitizer::TypeMismatchError.new(value, @check_date ? :date : :datetime)
+    end
+  end
+
+  class URLCheck
+    def call(value, options = {})
+      if value.blank? && (options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil && options[:allow_nil] == false
+        raise InputSanitizer::BlankValueError
+      elsif value.blank?
+        value
+      else
+        unless /\A#{URI.regexp(%w(http https)).to_s}\z/.match(value)
+          raise InputSanitizer::TypeMismatchError.new(value, :url)
+        end
+        value
+      end
+    end
+  end
+
+  class SortByCheck
+    def call(value, options = {})
+      check_options!(options)
+
+      key, direction = split(value)
+      direction = 'asc' if direction.blank?
+
+      # special case when fallback takes care of separator sanitization e.g. custom fields
+      if options[:fallback] && !allowed_directions.include?(direction)
+        direction = 'asc'
+        key = value
+      end
+
+      unless valid?(key, direction, options)
+        raise InputSanitizer::ValueNotAllowedError.new(value)
+      end
+
+      [key, direction]
+    end
+
+  private
+    def valid?(key, direction, options)
+      allowed_keys = options[:allow]
+      fallback = options[:fallback]
+
+      allowed_directions.include?(direction) &&
+        ((allowed_keys && allowed_keys.include?(key)) ||
+          (fallback && fallback.call(key, direction, options)))
+    end
+
+    def split(value)
+      head, _, tail = value.to_s.rpartition(':')
+      head.empty? ? [tail, head] : [head, tail]
+    end
+
+    def check_options!(options)
+      fallback = options[:fallback]
+      if fallback && !fallback.respond_to?(:call)
+        raise ArgumentError, ":fallback option must respond to method :call (proc, lambda etc)"
+      end
+    end
+
+    def allowed_directions
+      ['asc', 'desc']
+    end
+  end
+end

data/lib/input_sanitizer/version.rb

@@ -1,3 +1,3 @@
 module InputSanitizer
-  VERSION = "0.1.10"
+  VERSION = "0.4.1"
 end

data/spec/extended_converters/comma_joined_integers_converter_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+require 'input_sanitizer/extended_converters/comma_joined_integers_converter'
+
+describe InputSanitizer::CommaJoinedIntegersConverter do
+  let(:converter) { described_class.new }
+
+  it "parses to array of ids" do
+    converter.call("1,2,3,5").should eq([1, 2, 3, 5])
+  end
+
+  it "converts to array if given an integer" do
+    converter.call(7).should eq([7])
+  end
+
+  it "raises on invalid character" do
+    lambda { converter.call(":") }.should raise_error(InputSanitizer::ConversionError)
+  end
+end

data/spec/extended_converters/comma_joined_strings_converter_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+require 'input_sanitizer/extended_converters/comma_joined_strings_converter'
+
+describe InputSanitizer::CommaJoinedStringsConverter do
+  let(:converter) { described_class.new }
+
+  it "parses to array of ids" do
+    converter.call("input,Sanitizer,ROCKS").should eq(["input", "Sanitizer", "ROCKS"])
+  end
+
+  it "allows underscores" do
+    converter.call("input_sanitizer,rocks").should eq(["input_sanitizer", "rocks"])
+  end
+
+  it "raises on invalid character" do
+    lambda { converter.call(":") }.should raise_error(InputSanitizer::ConversionError)
+  end
+end

data/spec/extended_converters/positive_integer_converter_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+require 'input_sanitizer/extended_converters/positive_integer_converter'
+
+describe InputSanitizer::PositiveIntegerConverter do
+  let(:converter) { described_class.new }
+
+  it "casts string to integer" do
+    converter.call("3").should == 3
+  end
+
+  it "raises error if integer less than zero" do
+    lambda { converter.call("-3") }.should raise_error(InputSanitizer::ConversionError)
+  end
+
+  it "raises error if integer equals zero" do
+    lambda { converter.call("0") }.should raise_error(InputSanitizer::ConversionError)
+  end
+end

data/spec/extended_converters/specific_values_converter_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+require 'input_sanitizer/extended_converters/specific_values_converter'
+
+describe InputSanitizer::SpecificValuesConverter do
+  let(:converter) { described_class.new(values) }
+  let(:values) { [:a, :b] }
+
+  it "converts valid value to symbol" do
+    converter.call("b").should eq(:b)
+  end
+
+  it "raises on invalid value" do
+    lambda { converter.call("c") }.should raise_error(InputSanitizer::ConversionError)
+  end
+
+  it "raises on nil value" do
+    lambda { converter.call(nil) }.should raise_error(InputSanitizer::ConversionError)
+  end
+
+  context "when specific values are strings" do
+    let(:values) { ["a", "b"] }
+
+    it "keeps given value as string" do
+      converter.call("a").should eq("a")
+    end
+  end
+end

data/spec/restricted_hash_spec.rb

@@ -1,19 +1,49 @@
-require "spec_helper"
+require 'spec_helper'
 
 describe InputSanitizer::RestrictedHash do
-  let(:hash) { InputSanitizer::RestrictedHash.new([:a, :b]) }
-  subject { hash }
+  let(:hash) { InputSanitizer::RestrictedHash.new([:a]) }
 
-  it "does not allow bad keys" do
-    lambda{hash[:c]}.should raise_error(InputSanitizer::KeyNotAllowedError)
+  it 'does not allow bad keys' do
+    lambda{ hash[:b] }.should raise_error(InputSanitizer::KeyNotAllowedError)
   end
 
-  it "does allow correct keys" do
+  it 'does allow correct keys' do
     hash[:a].should be_nil
   end
 
-  it "returns value for correct key" do
+  it 'returns value for correct key' do
     hash[:a] = 'stuff'
     hash[:a].should == 'stuff'
   end
+
+  it 'allows to set value for a new key' do
+    hash[:b] = 'other stuff'
+    hash[:b].should == 'other stuff'
+    hash.key_allowed?(:b).should be_truthy
+  end
+
+  it 'adds new allowed keys after `transform_keys` is done' do
+    hash[:a] = 'stuff'
+    hash.transform_keys! { |key| key.to_s }
+    hash['a'].should == 'stuff'
+    hash.key_allowed?('a').should be_truthy
+  end
+
+  it 'removes previous allowed keys after `transform_keys` is done' do
+    hash[:a] = 'stuff'
+    hash.transform_keys! { |key| key.to_s }
+    lambda{ hash[:a] }.should raise_error(InputSanitizer::KeyNotAllowedError)
+  end
+
+  it 'updates allowed keys on merge!' do
+    merge_hash = { merged: '1' }
+    hash.merge!(merge_hash)
+    hash.key_allowed?(:merged).should be_truthy
+  end
+
+  it 'updates allowed keys on merge' do
+    merge_hash = { merged: '1' }
+    new_hash = hash.merge(some_key: merge_hash)
+    new_hash.key_allowed?(:some_key).should be_truthy
+  end
 end