RubyGems - input_sanitizer - Versions diffs - 0.1.10 → 0.4.1 - Mend

input_sanitizer 0.1.10 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

checksums.yaml +7 -0
data/.github/workflows/ci.yaml +26 -0
data/.github/workflows/gempush.yml +28 -0
data/.gitignore +2 -1
data/CHANGELOG +99 -0
data/LICENSE +201 -22
data/README.md +24 -4
data/input_sanitizer.gemspec +10 -4
data/lib/input_sanitizer.rb +5 -2
data/lib/input_sanitizer/errors.rb +142 -0
data/lib/input_sanitizer/extended_converters.rb +5 -42
data/lib/input_sanitizer/extended_converters/comma_joined_integers_converter.rb +15 -0
data/lib/input_sanitizer/extended_converters/comma_joined_strings_converter.rb +15 -0
data/lib/input_sanitizer/extended_converters/positive_integer_converter.rb +12 -0
data/lib/input_sanitizer/extended_converters/specific_values_converter.rb +19 -0
data/lib/input_sanitizer/restricted_hash.rb +49 -8
data/lib/input_sanitizer/v1.rb +22 -0
data/lib/input_sanitizer/v1/clean_field.rb +38 -0
data/lib/input_sanitizer/{default_converters.rb → v1/default_converters.rb} +20 -13
data/lib/input_sanitizer/v1/sanitizer.rb +166 -0
data/lib/input_sanitizer/v2.rb +13 -0
data/lib/input_sanitizer/v2/clean_field.rb +36 -0
data/lib/input_sanitizer/v2/clean_payload_collection_field.rb +41 -0
data/lib/input_sanitizer/v2/clean_query_collection_field.rb +40 -0
data/lib/input_sanitizer/v2/error_collection.rb +49 -0
data/lib/input_sanitizer/v2/nested_sanitizer_factory.rb +19 -0
data/lib/input_sanitizer/v2/payload_sanitizer.rb +130 -0
data/lib/input_sanitizer/v2/payload_transform.rb +42 -0
data/lib/input_sanitizer/v2/query_sanitizer.rb +33 -0
data/lib/input_sanitizer/v2/types.rb +227 -0
data/lib/input_sanitizer/version.rb +1 -1
data/spec/extended_converters/comma_joined_integers_converter_spec.rb +18 -0
data/spec/extended_converters/comma_joined_strings_converter_spec.rb +18 -0
data/spec/extended_converters/positive_integer_converter_spec.rb +18 -0
data/spec/extended_converters/specific_values_converter_spec.rb +27 -0
data/spec/restricted_hash_spec.rb +37 -7
data/spec/sanitizer_spec.rb +129 -26
data/spec/spec_helper.rb +17 -2
data/spec/v1/default_converters_spec.rb +141 -0
data/spec/v2/converters_spec.rb +174 -0
data/spec/v2/payload_sanitizer_spec.rb +534 -0
data/spec/v2/payload_transform_spec.rb +98 -0
data/spec/v2/query_sanitizer_spec.rb +300 -0
data/v2.md +52 -0
metadata +105 -40
data/.travis.yml +0 -12
data/lib/input_sanitizer/sanitizer.rb +0 -140
data/spec/default_converters_spec.rb +0 -101
data/spec/extended_converters_spec.rb +0 -62

data/spec/v2/payload_sanitizer_spec.rb ADDED Viewed

@@ -0,0 +1,534 @@
+require 'spec_helper'
+class AddressSanitizer < InputSanitizer::V2::PayloadSanitizer
+  string :city
+  string :zip
+end
+class TagSanitizer < InputSanitizer::V2::PayloadSanitizer
+  integer :id
+  string :name
+  nested :addresses, :sanitizer => AddressSanitizer, :collection => true
+end
+class TestedPayloadSanitizer < InputSanitizer::V2::PayloadSanitizer
+  integer :array, :collection => true
+  integer :array_nil, :collection => true, :allow_nil => true
+  string :status, :allow => ['current', 'past']
+  string :status_with_empty, :allow => ['', 'current', 'past']
+  string :regexp_string, :regexp => /^#?([a-f0-9]{6}|[a-f0-9]{3})$/
+  string :utf8mb4_string, :strip_4byte_chars => true
+  string :value_restricted_utf8mb4_string, :strip_4byte_chars => true, :allow => ['test']
+  string :non_blank_utf8mb4_string, :strip_4byte_chars => true, :allow_blank => false
+  string :size_restricted_utf8mb4_string, :strip_4byte_chars => true, :minimum => 2, :maximum => 4
+  nested :address, :sanitizer => AddressSanitizer
+  nested :nullable_address, :sanitizer => AddressSanitizer, :allow_nil => true
+  nested :tags, :sanitizer => TagSanitizer, :collection => true
+  float :float_attribute, :minimum => 1, :maximum => 100
+  integer :integer_attribute, :minimum => 1, :maximum => 100
+  string :string_attribute
+  boolean :bool_attribute
+  datetime :datetime_attribute
+  date :date_attribute, :minimum => Date.new(-2015, 01, 01), :maximum => Date.new(2015, 12, 31)
+  url :website
+  string :limited_collection, :collection => { :minimum => 1, :maximum => 2 }, :minimum => 2, :maximum => 12
+  string :allow_collection, :collection => true, :allow => ['yes', 'no']
+end
+class BlankValuesPayloadSanitizer < InputSanitizer::V2::PayloadSanitizer
+  string :required_string, :required => true
+  datetime :non_nil_datetime, :allow_nil => false
+  url :non_blank_url, :allow_blank => false
+end
+class CustomConverterWithProvidedValue < InputSanitizer::V2::PayloadSanitizer
+  integer :from
+  custom :to, :provide => :from, :converter => lambda { |value, options|
+    InputSanitizer::V2::Types::IntegerCheck.new.call(value)
+    raise InputSanitizer::ValueError.new(value, options[:provided][:from], nil) if options[:provided][:from] > value
+    value
+  }
+end
+describe InputSanitizer::V2::PayloadSanitizer do
+  let(:sanitizer) { TestedPayloadSanitizer.new(@params) }
+  let(:cleaned) { sanitizer.cleaned }
+  describe "collections" do
+    it "is invalid if collection is not an array" do
+      @params = { :array => {} }
+      sanitizer.should_not be_valid
+    end
+    it "is valid if collection is an array" do
+      @params = { :array => [] }
+      sanitizer.should be_valid
+    end
+    it "is valid if collection is an nil and allow_nil is passed" do
+      @params = { :array_nil => nil }
+      sanitizer.should be_valid
+    end
+    it "is invalid if there are too few elements" do
+      @params = { :limited_collection => [] }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if there are too many elements" do
+      @params = { :limited_collection => ['bear', 'bear', 'bear'] }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when there are just enough elements" do
+      @params = { :limited_collection => ['goldilocks'] }
+      sanitizer.should be_valid
+    end
+    it "is invalid when any of the elements are too long" do
+      @params = { :limited_collection => ['more_than_the_limit'] }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when any of the elements are too short" do
+      @params = { :limited_collection => ['a'] }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when given disallowed value in a collection" do
+      @params = { :allow_collection => ['yes', 'no', 'whoa'] }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when given allowed values in a collection" do
+      @params = { :allow_collection => ['yes', 'no'] }
+      sanitizer.should be_valid
+    end
+  end
+  describe "allow option" do
+    it "is valid when given an allowed string" do
+      @params = { :status => 'past' }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an empty string" do
+      @params = { :status => '' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/status')
+    end
+    it "is valid when given an allowed empty string" do
+      @params = { :status_with_empty => '' }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given a disallowed string" do
+      @params = { :status => 'current bad string' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/status')
+    end
+  end
+  describe "minimum and maximum options" do
+    it "is invalid if integer is lower than the minimum" do
+      @params = { :integer_attribute => 0 }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if integer is greater than the maximum" do
+      @params = { :integer_attribute => 101 }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when integer is within given range" do
+      @params = { :limited_collection => ['goldilocks'] }
+      sanitizer.should be_valid
+    end
+    it "is invalid if float is lower than the minimum" do
+      @params = { :float_attribute => 0.0 }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if float is greater than the maximum" do
+      @params = { :float_attribute => 101.0 }
+      sanitizer.should_not be_valid
+    end
+  end
+  describe "strip_4byte_chars option" do
+    it "is valid when given a string with 4-byte chars" do
+      @params = { :utf8mb4_string => "test \u{1F435} value" }
+      sanitizer.should be_valid
+    end
+    it "returns sanitized string without 4-byte chars" do
+      @params = { :utf8mb4_string => "test\u{1F435}" }
+      sanitizer[:utf8mb4_string].should eq "test"
+    end
+    it "properly handles string with 4-byte char at the beginning" do
+      @params = { :utf8mb4_string => "\u{1F435} 4-byte char at the beginning" }
+      sanitizer[:utf8mb4_string].should eq ' 4-byte char at the beginning'
+    end
+    it "properly handles string with 4-byte char in the middle" do
+      @params = { :utf8mb4_string => "4-byte char\u{1F435} in the middle" }
+      sanitizer[:utf8mb4_string].should eq '4-byte char in the middle'
+    end
+    it "properly handles string with 4-byte char at the end" do
+      @params = { :utf8mb4_string => "4-byte char at the end \u{1F435}" }
+      sanitizer[:utf8mb4_string].should eq '4-byte char at the end '
+    end
+    it "does not strip 3-byte chars" do
+      @params = { :utf8mb4_string => "Test \u{270A}" }
+      sanitizer[:utf8mb4_string].should eq "Test \u{270A}"
+    end
+    describe "when used with other options" do
+      describe "allow" do
+        it "is valid when string matches any value in allowlist before stripping 4-byte chars" do
+          @params = { :value_restricted_utf8mb4_string => "test" }
+          sanitizer.should be_valid
+        end
+        it "is invalid when string doesn't match any value in allowlist before stripping 4-byte chars" do
+          @params = { :value_restricted_utf8mb4_string => "test\u{1F435}" }
+          sanitizer.should_not be_valid
+        end
+      end
+      describe "allow_blank=false" do
+        it "is invalid when string is already blank before stripping 4-byte chars" do
+          @params = { :non_blank_utf8mb4_string => " " }
+          sanitizer.should_not be_valid
+        end
+        it "is invalid when string becomes blank as a result of stripping 4-byte chars" do
+          @params = { :non_blank_utf8mb4_string => " \u{1F435} " }
+          sanitizer.should_not be_valid
+        end
+      end
+      describe "minimum and maximum" do
+        it "is invalid when string is already too long before stripping 4-byte chars" do
+          @params = { :size_restricted_utf8mb4_string => "1234\u{1F435}" }
+          sanitizer.should_not be_valid
+        end
+        it "is invalid when string becomes too short as a result of stripping 4-byte chars" do
+          @params = { :size_restricted_utf8mb4_string => "1\u{1F435}" }
+          sanitizer.should_not be_valid
+        end
+      end
+    end
+  end
+  describe "strict param checking" do
+    it "is invalid when given extra params" do
+      @params = { :extra => 'test', :extra2 => 1 }
+      sanitizer.should_not be_valid
+      sanitizer.errors.count.should eq(2)
+    end
+    it "is invalid when given extra params in a nested sanitizer" do
+      @params = { :address => { :extra => 0 }, :tags => [ { :extra2 => 1 } ] }
+      sanitizer.should_not be_valid
+      sanitizer.errors.map(&:field).should contain_exactly('/address/extra', '/tags/0/extra2')
+    end
+  end
+  describe "converters with provided values" do
+    let(:sanitizer) { CustomConverterWithProvidedValue.new(@params) }
+    it "is valid when converter passes check with provided value" do
+      @params = {from: 1, to: 3}
+      sanitizer.should be_valid
+    end
+    it "is invalid when converter does not pass check with provided value" do
+      @params = {from: 3, to: 1}
+      sanitizer.should_not be_valid
+    end
+  end
+  describe "strict type checking" do
+    it "is invalid when given string instead of integer" do
+      @params = { :integer_attribute => '1' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/integer_attribute')
+    end
+    it "is valid when given an integer" do
+      @params = { :integer_attribute => 50 }
+      sanitizer.should be_valid
+      sanitizer[:integer_attribute].should eq(50)
+    end
+    it "is invalid when given a float" do
+      @params = { :integer_attribute => 50.99 }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when given nil for an integer" do
+      @params = { :integer_attribute => nil }
+      sanitizer.should be_valid
+      sanitizer[:integer_attribute].should be_nil
+    end
+    it "is invalid when given string instead of float" do
+      @params = { :float_attribute => '1' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/float_attribute')
+    end
+    it "is valid when given a float" do
+      @params = { :float_attribute => 50.0 }
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should eq(50.0)
+    end
+    it "is valid when given nil for a float" do
+      @params = { :float_attribute => nil }
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should be_nil
+    end
+    it "is valid when given string is matching regexp" do
+      @params = { :regexp_string => "#8bd635" }
+      sanitizer.should be_valid
+      sanitizer[:regexp_string].should eq('#8bd635')
+    end
+    it "is invalid when given string is not matching regexp" do
+      @params = { :regexp_string => "not a hex value" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/regexp_string')
+    end
+    it "is invalid when given integer instead of string" do
+      @params = { :string_attribute => 0 }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/string_attribute')
+    end
+    it "is invalid when given float instead of string" do
+      @params = { :string_attribute => 3.1415 }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/string_attribute')
+    end
+    it "is valid when given a string" do
+      @params = { :string_attribute => '#@!#%#$@#ad' }
+      sanitizer.should be_valid
+      sanitizer[:string_attribute].should eq('#@!#%#$@#ad')
+    end
+    it "is invalid when given 'yes' as a bool" do
+      @params = { :bool_attribute => 'yes' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/bool_attribute')
+    end
+    it "is valid when given true as a bool" do
+      @params = { :bool_attribute => true }
+      sanitizer.should be_valid
+    end
+    it "is valid when given false as a bool" do
+      @params = { :bool_attribute => false }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an incorrect datetime" do
+      @params = { :datetime_attribute => "2014-08-2716:32:56Z" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/datetime_attribute')
+    end
+    it "is valid when given a correct datetime" do
+      @params = { :datetime_attribute => "2014-08-27T16:32:56Z" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a 'forever' timestamp" do
+      @params = { :datetime_attribute => "9999-12-31T00:00:00Z" }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an incorrect date" do
+      @params = { :date_attribute => "invalid" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/date_attribute')
+    end
+    it "is valid when given a correct date" do
+      @params = { :date_attribute => "2015-08-27" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a correct negative date" do
+      @params = { :date_attribute => "-2014-08-27" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a correct URL" do
+      @params = { :website => "https://google.com" }
+      sanitizer.should be_valid
+      sanitizer[:website].should eq("https://google.com")
+    end
+    it "is invalid when given an invalid URL" do
+      @params = { :website => "ht:/google.com" }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when given an invalid URL that contains a valid URL" do
+      @params = { :website => "watwat http://google.com wat" }
+      sanitizer.should_not be_valid
+    end
+    describe "blank and required values" do
+      let(:sanitizer) { BlankValuesPayloadSanitizer.new(@params) }
+      let(:defaults) { { :required_string => 'zz' } }
+      it "is invalid if required string is missing" do
+        @params = {}
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::ValueMissingError)
+        sanitizer.errors[0].field.should eq('/required_string')
+      end
+      it "is invalid if required string is nil" do
+        @params = { :required_string => nil }
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/required_string')
+      end
+      it "is invalid if required string is blank" do
+        @params = { :required_string => ' ' }
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/required_string')
+      end
+      it "is invalid if non-nil datetime is null" do
+        @params = defaults.merge({ :non_nil_datetime => nil })
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/non_nil_datetime')
+      end
+      it "is valid if non-nil datetime is blank" do
+        @params = defaults.merge({ :non_nil_datetime => '' })
+        sanitizer.should be_valid
+      end
+      it "is invalid if non-blank url is nil" do
+        @params = defaults.merge({ :non_blank_url => nil })
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/non_blank_url')
+      end
+      it "is invalid if non-blank url is blank" do
+        @params = defaults.merge({ :non_blank_url => '' })
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/non_blank_url')
+      end
+    end
+    describe "nested checking" do
+      describe "simple array" do
+        it "returns JSON pointer for invalid fields" do
+          @params = { :array => [1, 'z', '3', 4] }
+          sanitizer.errors.length.should eq(2)
+          sanitizer.errors.map(&:field).should contain_exactly('/array/1', '/array/2')
+        end
+      end
+      describe "nested object" do
+        it "returns an error when given a nil for a nested value" do
+          @params = { :address => nil }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given a string for a nested value" do
+          @params = { :address => 'nope' }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given an array for a nested value" do
+          @params = { :address => ['a'] }
+          sanitizer.should_not be_valid
+        end
+        it "returns JSON pointer for invalid fields" do
+          @params = { :address => { :city => 0, :zip => 1 } }
+          sanitizer.errors.length.should eq(2)
+          sanitizer.errors.map(&:field).should contain_exactly('/address/city', '/address/zip')
+        end
+        it "allows nil with `allow_nil` flag" do
+          @params = { :nullable_address => nil }
+          sanitizer.should be_valid
+          sanitizer.cleaned.fetch(:nullable_address).should eq(nil)
+        end
+      end
+      describe "array of nested objects" do
+        it "returns an error when given a nil for a collection" do
+          @params = { :tags => nil }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given a string for a collection" do
+          @params = { :tags => 'nope' }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given a hash for a collection" do
+          @params = { :tags => { :a => 1 } }
+          sanitizer.should_not be_valid
+        end
+        it "returns JSON pointer for invalid fields" do
+          @params = { :tags => [ { :id => 'n', :name => 1 }, { :id => 10, :name => 2 } ] }
+          sanitizer.errors.length.should eq(3)
+          sanitizer.errors.map(&:field).should contain_exactly(
+            '/tags/0/id',
+            '/tags/0/name',
+            '/tags/1/name'
+          )
+        end
+      end
+      describe "array of nested objects that have array of nested objects" do
+        it "returns JSON pointer for invalid fields" do
+          @params = { :tags => [
+            { :id => 'n', :addresses => [ { :city => 0 }, { :city => 1 } ] },
+            { :name => 2, :addresses => [ { :city => 3 } ] },
+          ] }
+          sanitizer.errors.length.should eq(5)
+          sanitizer.errors.map(&:field).should contain_exactly(
+            '/tags/0/id',
+            '/tags/0/addresses/0/city',
+            '/tags/0/addresses/1/city',
+            '/tags/1/name',
+            '/tags/1/addresses/0/city'
+          )
+          ec = sanitizer.error_collection
+          ec.length.should eq(5)
+        end
+      end
+    end
+  end
+end