RubyGems - input_sanitizer - Versions diffs - 0.1.10 → 0.4.1 - Mend

input_sanitizer 0.1.10 → 0.4.1

Files changed (49) hide show

checksums.yaml +7 -0
data/.github/workflows/ci.yaml +26 -0
data/.github/workflows/gempush.yml +28 -0
data/.gitignore +2 -1
data/CHANGELOG +99 -0
data/LICENSE +201 -22
data/README.md +24 -4
data/input_sanitizer.gemspec +10 -4
data/lib/input_sanitizer.rb +5 -2
data/lib/input_sanitizer/errors.rb +142 -0
data/lib/input_sanitizer/extended_converters.rb +5 -42
data/lib/input_sanitizer/extended_converters/comma_joined_integers_converter.rb +15 -0
data/lib/input_sanitizer/extended_converters/comma_joined_strings_converter.rb +15 -0
data/lib/input_sanitizer/extended_converters/positive_integer_converter.rb +12 -0
data/lib/input_sanitizer/extended_converters/specific_values_converter.rb +19 -0
data/lib/input_sanitizer/restricted_hash.rb +49 -8
data/lib/input_sanitizer/v1.rb +22 -0
data/lib/input_sanitizer/v1/clean_field.rb +38 -0
data/lib/input_sanitizer/{default_converters.rb → v1/default_converters.rb} +20 -13
data/lib/input_sanitizer/v1/sanitizer.rb +166 -0
data/lib/input_sanitizer/v2.rb +13 -0
data/lib/input_sanitizer/v2/clean_field.rb +36 -0
data/lib/input_sanitizer/v2/clean_payload_collection_field.rb +41 -0
data/lib/input_sanitizer/v2/clean_query_collection_field.rb +40 -0
data/lib/input_sanitizer/v2/error_collection.rb +49 -0
data/lib/input_sanitizer/v2/nested_sanitizer_factory.rb +19 -0
data/lib/input_sanitizer/v2/payload_sanitizer.rb +130 -0
data/lib/input_sanitizer/v2/payload_transform.rb +42 -0
data/lib/input_sanitizer/v2/query_sanitizer.rb +33 -0
data/lib/input_sanitizer/v2/types.rb +227 -0
data/lib/input_sanitizer/version.rb +1 -1
data/spec/extended_converters/comma_joined_integers_converter_spec.rb +18 -0
data/spec/extended_converters/comma_joined_strings_converter_spec.rb +18 -0
data/spec/extended_converters/positive_integer_converter_spec.rb +18 -0
data/spec/extended_converters/specific_values_converter_spec.rb +27 -0
data/spec/restricted_hash_spec.rb +37 -7
data/spec/sanitizer_spec.rb +129 -26
data/spec/spec_helper.rb +17 -2
data/spec/v1/default_converters_spec.rb +141 -0
data/spec/v2/converters_spec.rb +174 -0
data/spec/v2/payload_sanitizer_spec.rb +534 -0
data/spec/v2/payload_transform_spec.rb +98 -0
data/spec/v2/query_sanitizer_spec.rb +300 -0
data/v2.md +52 -0
metadata +105 -40
data/.travis.yml +0 -12
data/lib/input_sanitizer/sanitizer.rb +0 -140
data/spec/default_converters_spec.rb +0 -101
data/spec/extended_converters_spec.rb +0 -62

data/spec/v2/payload_sanitizer_spec.rb ADDED Viewed

@@ -0,0 +1,534 @@
+require 'spec_helper'
+class AddressSanitizer < InputSanitizer::V2::PayloadSanitizer
+  string :city
+  string :zip
+end
+class TagSanitizer < InputSanitizer::V2::PayloadSanitizer
+  integer :id
+  string :name
+  nested :addresses, :sanitizer => AddressSanitizer, :collection => true
+end
+class TestedPayloadSanitizer < InputSanitizer::V2::PayloadSanitizer
+  integer :array, :collection => true
+  integer :array_nil, :collection => true, :allow_nil => true
+  string :status, :allow => ['current', 'past']
+  string :status_with_empty, :allow => ['', 'current', 'past']
+  string :regexp_string, :regexp => /^#?([a-f0-9]{6}|[a-f0-9]{3})$/
+  string :utf8mb4_string, :strip_4byte_chars => true
+  string :value_restricted_utf8mb4_string, :strip_4byte_chars => true, :allow => ['test']
+  string :non_blank_utf8mb4_string, :strip_4byte_chars => true, :allow_blank => false
+  string :size_restricted_utf8mb4_string, :strip_4byte_chars => true, :minimum => 2, :maximum => 4
+  nested :address, :sanitizer => AddressSanitizer
+  nested :nullable_address, :sanitizer => AddressSanitizer, :allow_nil => true
+  nested :tags, :sanitizer => TagSanitizer, :collection => true
+  float :float_attribute, :minimum => 1, :maximum => 100
+  integer :integer_attribute, :minimum => 1, :maximum => 100
+  string :string_attribute
+  boolean :bool_attribute
+  datetime :datetime_attribute
+  date :date_attribute, :minimum => Date.new(-2015, 01, 01), :maximum => Date.new(2015, 12, 31)
+  url :website
+  string :limited_collection, :collection => { :minimum => 1, :maximum => 2 }, :minimum => 2, :maximum => 12
+  string :allow_collection, :collection => true, :allow => ['yes', 'no']
+end
+class BlankValuesPayloadSanitizer < InputSanitizer::V2::PayloadSanitizer
+  string :required_string, :required => true
+  datetime :non_nil_datetime, :allow_nil => false
+  url :non_blank_url, :allow_blank => false
+end
+class CustomConverterWithProvidedValue < InputSanitizer::V2::PayloadSanitizer
+  integer :from
+  custom :to, :provide => :from, :converter => lambda { |value, options|
+    InputSanitizer::V2::Types::IntegerCheck.new.call(value)
+    raise InputSanitizer::ValueError.new(value, options[:provided][:from], nil) if options[:provided][:from] > value
+    value
+  }
+end
+describe InputSanitizer::V2::PayloadSanitizer do
+  let(:sanitizer) { TestedPayloadSanitizer.new(@params) }
+  let(:cleaned) { sanitizer.cleaned }
+  describe "collections" do
+    it "is invalid if collection is not an array" do
+      @params = { :array => {} }
+      sanitizer.should_not be_valid
+    end
+    it "is valid if collection is an array" do
+      @params = { :array => [] }
+      sanitizer.should be_valid
+    end
+    it "is valid if collection is an nil and allow_nil is passed" do
+      @params = { :array_nil => nil }
+      sanitizer.should be_valid
+    end
+    it "is invalid if there are too few elements" do
+      @params = { :limited_collection => [] }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if there are too many elements" do
+      @params = { :limited_collection => ['bear', 'bear', 'bear'] }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when there are just enough elements" do
+      @params = { :limited_collection => ['goldilocks'] }
+      sanitizer.should be_valid
+    end
+    it "is invalid when any of the elements are too long" do
+      @params = { :limited_collection => ['more_than_the_limit'] }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when any of the elements are too short" do
+      @params = { :limited_collection => ['a'] }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when given disallowed value in a collection" do
+      @params = { :allow_collection => ['yes', 'no', 'whoa'] }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when given allowed values in a collection" do
+      @params = { :allow_collection => ['yes', 'no'] }
+      sanitizer.should be_valid
+    end
+  end
+  describe "allow option" do
+    it "is valid when given an allowed string" do
+      @params = { :status => 'past' }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an empty string" do
+      @params = { :status => '' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/status')
+    end
+    it "is valid when given an allowed empty string" do
+      @params = { :status_with_empty => '' }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given a disallowed string" do
+      @params = { :status => 'current bad string' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/status')
+    end
+  end
+  describe "minimum and maximum options" do
+    it "is invalid if integer is lower than the minimum" do
+      @params = { :integer_attribute => 0 }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if integer is greater than the maximum" do
+      @params = { :integer_attribute => 101 }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when integer is within given range" do
+      @params = { :limited_collection => ['goldilocks'] }
+      sanitizer.should be_valid
+    end
+    it "is invalid if float is lower than the minimum" do
+      @params = { :float_attribute => 0.0 }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if float is greater than the maximum" do
+      @params = { :float_attribute => 101.0 }
+      sanitizer.should_not be_valid
+    end
+  end
+  describe "strip_4byte_chars option" do
+    it "is valid when given a string with 4-byte chars" do
+      @params = { :utf8mb4_string => "test \u{1F435} value" }
+      sanitizer.should be_valid
+    end
+    it "returns sanitized string without 4-byte chars" do
+      @params = { :utf8mb4_string => "test\u{1F435}" }
+      sanitizer[:utf8mb4_string].should eq "test"
+    end
+    it "properly handles string with 4-byte char at the beginning" do
+      @params = { :utf8mb4_string => "\u{1F435} 4-byte char at the beginning" }
+      sanitizer[:utf8mb4_string].should eq ' 4-byte char at the beginning'
+    end
+    it "properly handles string with 4-byte char in the middle" do
+      @params = { :utf8mb4_string => "4-byte char\u{1F435} in the middle" }
+      sanitizer[:utf8mb4_string].should eq '4-byte char in the middle'
+    end
+    it "properly handles string with 4-byte char at the end" do
+      @params = { :utf8mb4_string => "4-byte char at the end \u{1F435}" }
+      sanitizer[:utf8mb4_string].should eq '4-byte char at the end '
+    end
+    it "does not strip 3-byte chars" do
+      @params = { :utf8mb4_string => "Test \u{270A}" }
+      sanitizer[:utf8mb4_string].should eq "Test \u{270A}"
+    end
+    describe "when used with other options" do
+      describe "allow" do
+        it "is valid when string matches any value in allowlist before stripping 4-byte chars" do
+          @params = { :value_restricted_utf8mb4_string => "test" }
+          sanitizer.should be_valid
+        end
+        it "is invalid when string doesn't match any value in allowlist before stripping 4-byte chars" do
+          @params = { :value_restricted_utf8mb4_string => "test\u{1F435}" }
+          sanitizer.should_not be_valid
+        end
+      end
+      describe "allow_blank=false" do
+        it "is invalid when string is already blank before stripping 4-byte chars" do
+          @params = { :non_blank_utf8mb4_string => " " }
+          sanitizer.should_not be_valid
+        end
+        it "is invalid when string becomes blank as a result of stripping 4-byte chars" do
+          @params = { :non_blank_utf8mb4_string => " \u{1F435} " }
+          sanitizer.should_not be_valid
+        end
+      end
+      describe "minimum and maximum" do
+        it "is invalid when string is already too long before stripping 4-byte chars" do
+          @params = { :size_restricted_utf8mb4_string => "1234\u{1F435}" }
+          sanitizer.should_not be_valid
+        end
+        it "is invalid when string becomes too short as a result of stripping 4-byte chars" do
+          @params = { :size_restricted_utf8mb4_string => "1\u{1F435}" }
+          sanitizer.should_not be_valid
+        end
+      end
+    end
+  end
+  describe "strict param checking" do
+    it "is invalid when given extra params" do
+      @params = { :extra => 'test', :extra2 => 1 }
+      sanitizer.should_not be_valid
+      sanitizer.errors.count.should eq(2)
+    end
+    it "is invalid when given extra params in a nested sanitizer" do
+      @params = { :address => { :extra => 0 }, :tags => [ { :extra2 => 1 } ] }
+      sanitizer.should_not be_valid
+      sanitizer.errors.map(&:field).should contain_exactly('/address/extra', '/tags/0/extra2')
+    end
+  end
+  describe "converters with provided values" do
+    let(:sanitizer) { CustomConverterWithProvidedValue.new(@params) }
+    it "is valid when converter passes check with provided value" do
+      @params = {from: 1, to: 3}
+      sanitizer.should be_valid
+    end
+    it "is invalid when converter does not pass check with provided value" do
+      @params = {from: 3, to: 1}
+      sanitizer.should_not be_valid
+    end
+  end
+  describe "strict type checking" do
+    it "is invalid when given string instead of integer" do
+      @params = { :integer_attribute => '1' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/integer_attribute')
+    end
+    it "is valid when given an integer" do
+      @params = { :integer_attribute => 50 }
+      sanitizer.should be_valid
+      sanitizer[:integer_attribute].should eq(50)
+    end
+    it "is invalid when given a float" do
+      @params = { :integer_attribute => 50.99 }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when given nil for an integer" do
+      @params = { :integer_attribute => nil }
+      sanitizer.should be_valid
+      sanitizer[:integer_attribute].should be_nil
+    end
+    it "is invalid when given string instead of float" do
+      @params = { :float_attribute => '1' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/float_attribute')
+    end
+    it "is valid when given a float" do
+      @params = { :float_attribute => 50.0 }
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should eq(50.0)
+    end
+    it "is valid when given nil for a float" do
+      @params = { :float_attribute => nil }
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should be_nil
+    end
+    it "is valid when given string is matching regexp" do
+      @params = { :regexp_string => "#8bd635" }
+      sanitizer.should be_valid
+      sanitizer[:regexp_string].should eq('#8bd635')
+    end
+    it "is invalid when given string is not matching regexp" do
+      @params = { :regexp_string => "not a hex value" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/regexp_string')
+    end
+    it "is invalid when given integer instead of string" do
+      @params = { :string_attribute => 0 }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/string_attribute')
+    end
+    it "is invalid when given float instead of string" do
+      @params = { :string_attribute => 3.1415 }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/string_attribute')
+    end
+    it "is valid when given a string" do
+      @params = { :string_attribute => '#@!#%#$@#ad' }
+      sanitizer.should be_valid
+      sanitizer[:string_attribute].should eq('#@!#%#$@#ad')
+    end
+    it "is invalid when given 'yes' as a bool" do
+      @params = { :bool_attribute => 'yes' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/bool_attribute')
+    end
+    it "is valid when given true as a bool" do
+      @params = { :bool_attribute => true }
+      sanitizer.should be_valid
+    end
+    it "is valid when given false as a bool" do
+      @params = { :bool_attribute => false }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an incorrect datetime" do
+      @params = { :datetime_attribute => "2014-08-2716:32:56Z" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/datetime_attribute')
+    end
+    it "is valid when given a correct datetime" do
+      @params = { :datetime_attribute => "2014-08-27T16:32:56Z" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a 'forever' timestamp" do
+      @params = { :datetime_attribute => "9999-12-31T00:00:00Z" }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an incorrect date" do
+      @params = { :date_attribute => "invalid" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('/date_attribute')
+    end
+    it "is valid when given a correct date" do
+      @params = { :date_attribute => "2015-08-27" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a correct negative date" do
+      @params = { :date_attribute => "-2014-08-27" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a correct URL" do
+      @params = { :website => "https://google.com" }
+      sanitizer.should be_valid
+      sanitizer[:website].should eq("https://google.com")
+    end
+    it "is invalid when given an invalid URL" do
+      @params = { :website => "ht:/google.com" }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when given an invalid URL that contains a valid URL" do
+      @params = { :website => "watwat http://google.com wat" }
+      sanitizer.should_not be_valid
+    end
+    describe "blank and required values" do
+      let(:sanitizer) { BlankValuesPayloadSanitizer.new(@params) }
+      let(:defaults) { { :required_string => 'zz' } }
+      it "is invalid if required string is missing" do
+        @params = {}
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::ValueMissingError)
+        sanitizer.errors[0].field.should eq('/required_string')
+      end
+      it "is invalid if required string is nil" do
+        @params = { :required_string => nil }
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/required_string')
+      end
+      it "is invalid if required string is blank" do
+        @params = { :required_string => ' ' }
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/required_string')
+      end
+      it "is invalid if non-nil datetime is null" do
+        @params = defaults.merge({ :non_nil_datetime => nil })
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/non_nil_datetime')
+      end
+      it "is valid if non-nil datetime is blank" do
+        @params = defaults.merge({ :non_nil_datetime => '' })
+        sanitizer.should be_valid
+      end
+      it "is invalid if non-blank url is nil" do
+        @params = defaults.merge({ :non_blank_url => nil })
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/non_blank_url')
+      end
+      it "is invalid if non-blank url is blank" do
+        @params = defaults.merge({ :non_blank_url => '' })
+        sanitizer.should_not be_valid
+        sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError)
+        sanitizer.errors[0].field.should eq('/non_blank_url')
+      end
+    end
+    describe "nested checking" do
+      describe "simple array" do
+        it "returns JSON pointer for invalid fields" do
+          @params = { :array => [1, 'z', '3', 4] }
+          sanitizer.errors.length.should eq(2)
+          sanitizer.errors.map(&:field).should contain_exactly('/array/1', '/array/2')
+        end
+      end
+      describe "nested object" do
+        it "returns an error when given a nil for a nested value" do
+          @params = { :address => nil }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given a string for a nested value" do
+          @params = { :address => 'nope' }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given an array for a nested value" do
+          @params = { :address => ['a'] }
+          sanitizer.should_not be_valid
+        end
+        it "returns JSON pointer for invalid fields" do
+          @params = { :address => { :city => 0, :zip => 1 } }
+          sanitizer.errors.length.should eq(2)
+          sanitizer.errors.map(&:field).should contain_exactly('/address/city', '/address/zip')
+        end
+        it "allows nil with `allow_nil` flag" do
+          @params = { :nullable_address => nil }
+          sanitizer.should be_valid
+          sanitizer.cleaned.fetch(:nullable_address).should eq(nil)
+        end
+      end
+      describe "array of nested objects" do
+        it "returns an error when given a nil for a collection" do
+          @params = { :tags => nil }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given a string for a collection" do
+          @params = { :tags => 'nope' }
+          sanitizer.should_not be_valid
+        end
+        it "returns an error when given a hash for a collection" do
+          @params = { :tags => { :a => 1 } }
+          sanitizer.should_not be_valid
+        end
+        it "returns JSON pointer for invalid fields" do
+          @params = { :tags => [ { :id => 'n', :name => 1 }, { :id => 10, :name => 2 } ] }
+          sanitizer.errors.length.should eq(3)
+          sanitizer.errors.map(&:field).should contain_exactly(
+            '/tags/0/id',
+            '/tags/0/name',
+            '/tags/1/name'
+          )
+        end
+      end
+      describe "array of nested objects that have array of nested objects" do
+        it "returns JSON pointer for invalid fields" do
+          @params = { :tags => [
+            { :id => 'n', :addresses => [ { :city => 0 }, { :city => 1 } ] },
+            { :name => 2, :addresses => [ { :city => 3 } ] },
+          ] }
+          sanitizer.errors.length.should eq(5)
+          sanitizer.errors.map(&:field).should contain_exactly(
+            '/tags/0/id',
+            '/tags/0/addresses/0/city',
+            '/tags/0/addresses/1/city',
+            '/tags/1/name',
+            '/tags/1/addresses/0/city'
+          )
+          ec = sanitizer.error_collection
+          ec.length.should eq(5)
+        end
+      end
+    end
+  end
+end