RubyGems - input_sanitizer - Versions diffs - 0.1.9 → 0.4.0 - Mend

input_sanitizer 0.1.9 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

checksums.yaml +7 -0
data/.github/workflows/gempush.yml +28 -0
data/.gitignore +2 -1
data/.travis.yml +4 -8
data/CHANGELOG +96 -0
data/LICENSE +201 -22
data/README.md +22 -3
data/input_sanitizer.gemspec +10 -4
data/lib/input_sanitizer.rb +5 -2
data/lib/input_sanitizer/errors.rb +142 -0
data/lib/input_sanitizer/extended_converters.rb +5 -52
data/lib/input_sanitizer/extended_converters/comma_joined_integers_converter.rb +15 -0
data/lib/input_sanitizer/extended_converters/comma_joined_strings_converter.rb +15 -0
data/lib/input_sanitizer/extended_converters/positive_integer_converter.rb +12 -0
data/lib/input_sanitizer/extended_converters/specific_values_converter.rb +19 -0
data/lib/input_sanitizer/restricted_hash.rb +49 -8
data/lib/input_sanitizer/v1.rb +22 -0
data/lib/input_sanitizer/v1/clean_field.rb +38 -0
data/lib/input_sanitizer/{default_converters.rb → v1/default_converters.rb} +30 -13
data/lib/input_sanitizer/v1/sanitizer.rb +166 -0
data/lib/input_sanitizer/v2.rb +13 -0
data/lib/input_sanitizer/v2/clean_field.rb +36 -0
data/lib/input_sanitizer/v2/clean_payload_collection_field.rb +41 -0
data/lib/input_sanitizer/v2/clean_query_collection_field.rb +40 -0
data/lib/input_sanitizer/v2/error_collection.rb +49 -0
data/lib/input_sanitizer/v2/nested_sanitizer_factory.rb +19 -0
data/lib/input_sanitizer/v2/payload_sanitizer.rb +130 -0
data/lib/input_sanitizer/v2/payload_transform.rb +42 -0
data/lib/input_sanitizer/v2/query_sanitizer.rb +33 -0
data/lib/input_sanitizer/v2/types.rb +213 -0
data/lib/input_sanitizer/version.rb +1 -1
data/spec/extended_converters/comma_joined_integers_converter_spec.rb +18 -0
data/spec/extended_converters/comma_joined_strings_converter_spec.rb +18 -0
data/spec/extended_converters/positive_integer_converter_spec.rb +18 -0
data/spec/extended_converters/specific_values_converter_spec.rb +27 -0
data/spec/restricted_hash_spec.rb +37 -7
data/spec/sanitizer_spec.rb +129 -26
data/spec/spec_helper.rb +17 -2
data/spec/v1/default_converters_spec.rb +141 -0
data/spec/v2/converters_spec.rb +174 -0
data/spec/v2/payload_sanitizer_spec.rb +460 -0
data/spec/v2/payload_transform_spec.rb +98 -0
data/spec/v2/query_sanitizer_spec.rb +300 -0
data/v2.md +52 -0
metadata +105 -40
data/lib/input_sanitizer/sanitizer.rb +0 -152
data/spec/default_converters_spec.rb +0 -101
data/spec/extended_converters_spec.rb +0 -62

data/spec/v2/payload_transform_spec.rb ADDED

@@ -0,0 +1,98 @@
+require 'spec_helper'
+class AddressTransform < InputSanitizer::V2::PayloadTransform
+  def transform
+    rename :line1, :street
+  end
+end
+class TestTransform < InputSanitizer::V2::PayloadTransform
+  def transform
+    rename :value, :scope
+    merge_in :address, :using => AddressTransform
+    if has?(:thing)
+      payload[:other_thing] = "123-#{payload.delete(:thing)}"
+    end
+    nil
+  end
+end
+class InvalidTransform < InputSanitizer::V2::PayloadTransform
+  def call
+  end
+end
+describe InputSanitizer::V2::PayloadTransform do
+  let(:payload) do
+    {
+      :name => 'wat',
+      'value' => 1234,
+      :thing => 'zzz',
+      'address' => {
+        :line1 => 'wup wup',
+        :city => 'Krakow'
+      }
+    }
+  end
+  subject { TestTransform.call(payload) }
+  it "returns the transformed payload" do
+    subject[:name].should eq('wat')
+    subject[:scope].should eq(1234)
+    subject[:other_thing].should eq('123-zzz')
+    subject[:street].should eq('wup wup')
+    subject[:city].should eq('Krakow')
+    subject[:value].should be_nil
+    subject[:line1].should be_nil
+    subject[:address].should be_nil
+  end
+  context "when attribute is not present" do
+    let(:payload) { {} }
+    it "the renamed attribute is not present either" do
+      subject.should eq({})
+    end
+  end
+  context "when attribute is nil" do
+    let(:payload) { { :value => nil } }
+    it "renames it correctly" do
+      subject.should eq({ 'scope' => nil })
+    end
+  end
+  context "when there is no data for a nested transform" do
+    let(:payload) { { :name => 'wat' } }
+    it "still successfully transforms data" do
+      subject.should eq({ 'name' => 'wat' })
+      subject[:name].should eq('wat')
+    end
+  end
+  describe "invalid use of the transform class" do
+    subject { InvalidTransform.call(payload) }
+    it "raises an error" do
+      lambda { subject }.should raise_error
+    end
+  end
+  context "when given a frozen InputSanitizer::RestrictedHash" do
+    let(:payload) do
+      InputSanitizer::RestrictedHash.new([:value]).tap do |hash|
+        hash[:value] = 1
+      end.freeze
+    end
+    it "works" do
+      subject.should eq({ 'scope' => 1 })
+    end
+  end
+end

data/spec/v2/query_sanitizer_spec.rb ADDED

@@ -0,0 +1,300 @@
+require 'spec_helper'
+class CustomFieldsSortByQueryFallback
+  def self.call(key, direction, context)
+    filterable_keys = %w(slt number)
+    _, field = key.split(':', 2)
+    filterable_keys.include?(field)
+  end
+end
+class TestedQuerySanitizer < InputSanitizer::V2::QuerySanitizer
+  string :status, :allow => ['', 'current', 'past']
+  float :float_attribute, :minimum => 1, :maximum => 100, :default => 2.7182
+  integer :integer_attribute, :minimum => 1, :maximum => 100, :default => 2
+  string :string_attribute
+  boolean :bool_attribute
+  datetime :datetime_attribute
+  url :website
+  integer :ids, :collection => true
+  string :tags, :collection => true
+  sort_by %w(name updated_at created_at), :default => 'name:asc', :fallback => CustomFieldsSortByQueryFallback
+end
+class ContextQuerySanitizer < InputSanitizer::V2::QuerySanitizer
+  sort_by %w(id created_at updated_at), :fallback => Proc.new { |key, _, context|
+    context && context[:allowed] && context[:allowed].include?(key)
+  }
+end
+class ContextForwardingSanitizer < InputSanitizer::V2::PayloadSanitizer
+  nested :nested1, :sanitizer => ContextQuerySanitizer
+end
+describe InputSanitizer::V2::QuerySanitizer do
+  let(:sanitizer) { TestedQuerySanitizer.new(@params) }
+  describe 'default value' do
+    it 'integer uses a default value if not provided in params' do
+      @params = {}
+      sanitizer.should be_valid
+      sanitizer[:integer_attribute].should eq(2)
+    end
+    it 'float uses a default value if not provided in params' do
+      @params = {}
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should eq(2.7182)
+    end
+  end
+  describe 'type strictness' do
+    it 'is valid if given an integer as a string' do
+      @params = { :integer_attribute => '22' }
+      sanitizer.should be_valid
+      sanitizer[:integer_attribute].should eq(22)
+    end
+    it 'is valid if given a float as a string' do
+      @params = { :float_attribute => '3.1415' }
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should eq(3.1415)
+    end
+    it 'is valid if given a float as a string without decimals' do
+      @params = { :float_attribute => '3' }
+      sanitizer.should be_valid
+      sanitizer[:float_attribute].should eq(3.0)
+    end
+    it 'is valid if given a "true" boolean as a string' do
+      @params = { :bool_attribute => 'true' }
+      sanitizer.should be_valid
+      sanitizer[:bool_attribute].should eq(true)
+    end
+    it 'is valid if given a "false" boolean as a string' do
+      @params = { :bool_attribute => 'false' }
+      sanitizer.should be_valid
+      sanitizer[:bool_attribute].should eq(false)
+    end
+  end
+  describe "minimum and maximum options" do
+    it "is invalid if integer is lower than the minimum" do
+      @params = { :integer_attribute => 0 }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if integer is greater than the maximum" do
+      @params = { :integer_attribute => 101 }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when integer is within given range" do
+      @params = { :integer_attribute => 2 }
+      sanitizer.should be_valid
+    end
+    it "is invalid if float is lower than the minimum" do
+      @params = { :float_attribute => 0.0 }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid if float is greater than the maximum" do
+      @params = { :float_attribute => 101.0 }
+      sanitizer.should_not be_valid
+    end
+    it "is valid when float is within given range" do
+      @params = { :float_attribute => 2.0 }
+      sanitizer.should be_valid
+    end
+  end
+  describe "allow option" do
+    it "is valid when given an allowed string" do
+      @params = { :status => 'past' }
+      sanitizer.should be_valid
+    end
+    it "is valid when given an allowed empty string" do
+      @params = { :status => '' }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given a disallowed string" do
+      @params = { :status => 'current bad string' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('status')
+    end
+  end
+  describe "strict param checking" do
+    it "is invalid when given extra params" do
+      @params = { :extra => 'test', :extra2 => 1 }
+      sanitizer.should_not be_valid
+      sanitizer.errors.count.should eq(2)
+    end
+    it "is valid when given an underscore cache buster" do
+      @params = { :_ => '1234567890' }
+      sanitizer.should be_valid
+    end
+  end
+  describe "strict type checking" do
+    it "is valid when given an integer" do
+      @params = { :integer_attribute => 50 }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a a float" do
+      @params = { :float_attribute => 3.1415 }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a string" do
+      @params = { :string_attribute => '#@!#%#$@#ad' }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given 'yes' as a bool" do
+      @params = { :bool_attribute => 'yes' }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('bool_attribute')
+    end
+    it "is valid when given true as a bool" do
+      @params = { :bool_attribute => true }
+      sanitizer.should be_valid
+    end
+    it "is valid when given false as a bool" do
+      @params = { :bool_attribute => false }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an incorrect datetime" do
+      @params = { :datetime_attribute => "2014-08-2716:32:56Z" }
+      sanitizer.should_not be_valid
+      sanitizer.errors[0].field.should eq('datetime_attribute')
+    end
+    it "is valid when given a correct datetime" do
+      @params = { :datetime_attribute => "2014-08-27T16:32:56Z" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a 'forever' timestamp" do
+      @params = { :datetime_attribute => "9999-12-31T00:00:00Z" }
+      sanitizer.should be_valid
+    end
+    it "is valid when given a correct URL" do
+      @params = { :website => "https://google.com" }
+      sanitizer.should be_valid
+    end
+    it "is invalid when given an invalid URL" do
+      @params = { :website => "ht:/google.com" }
+      sanitizer.should_not be_valid
+    end
+    it "is invalid when given an invalid URL that contains a valid URL" do
+      @params = { :website => "watwat http://google.com wat" }
+      sanitizer.should_not be_valid
+    end
+  end
+  describe "collections" do
+    it "supports comma separated integers" do
+      @params = { :ids => "1,2,3" }
+      sanitizer.should be_valid
+      sanitizer[:ids].should eq([1, 2, 3])
+    end
+    it "supports comma separated strings" do
+      @params = { :tags => "one,two,three" }
+      sanitizer.should be_valid
+      sanitizer[:tags].should eq(["one", "two", "three"])
+    end
+  end
+  describe "sort_by" do
+    it "considers default" do
+      @params = { }
+      sanitizer.should be_valid
+      sanitizer[:sort_by].should eq(["name", "asc"])
+    end
+    it "accepts correct sorting format" do
+      @params = { :sort_by => "updated_at:desc" }
+      sanitizer.should be_valid
+      sanitizer[:sort_by].should eq(["updated_at", "desc"])
+    end
+    it "assumes ascending order by default" do
+      @params = { :sort_by => "name" }
+      sanitizer.should be_valid
+      sanitizer[:sort_by].should eq(["name", "asc"])
+    end
+    it "bails to fallback" do
+      @params  = { :sort_by => 'custom_field:slt:asc' }
+      sanitizer.should be_valid
+      sanitizer[:sort_by].should eq(["custom_field:slt", "asc"])
+    end
+    [
+      ['name', true, ["name", "asc"]],
+      ['name:asc', true, ["name", "asc"]],
+      ['name:desc', true, ["name", "desc"]],
+      ['name:', true, ["name", "asc"]],
+      ['custom_field:slt', true, ['custom_field:slt', 'asc']],
+      ['custom_field:slt:', true, ['custom_field:slt', 'asc']],
+      ['custom_field:slt:asc', true, ['custom_field:slt', 'asc']],
+      ['custom_field:slt:desc', true, ['custom_field:slt', 'desc']],
+      ['unknown', false, nil],
+      ['name:invalid', false, nil],
+      ['custom_field', false, nil],
+      ['custom_field:', false, nil],
+      ['custom_field:invalid', false, nil],
+      ['custom_field:invalid:asc', false, nil],
+      ['custom_field:invalid:desc', false, nil],
+      ['custom_field2', false, nil]
+    ].each do |sort_param, valid, expectation|
+      it "sort by #{sort_param} and returns #{valid}" do
+        @params  = { :sort_by => sort_param }
+        sanitizer.valid?.should eq(valid)
+        sanitizer[:sort_by].should eq(expectation)
+      end
+    end
+  end
+  describe 'validation context' do
+    let(:sanitizer) { ContextQuerySanitizer.new(@params, @context) }
+    describe 'sort_by' do
+      it 'passes context to :fallback' do
+        @params  = { :sort_by => 'custom_field.external_id' }
+        @context = { :allowed => ['custom_field.external_id'] }
+        sanitizer.should be_valid
+        sanitizer[:sort_by].should eq(["custom_field.external_id", "asc"])
+      end
+    end
+    describe 'forwarding to nested sanitizers' do
+      it 'passes context down' do
+        params  = { :nested1 => { :sort_by => 'custom_field.external_id' } }
+        context = { :allowed => ['custom_field.external_id'] }
+        sanitizer = ContextForwardingSanitizer.new(params, context)
+        sanitizer.should be_valid
+        sanitizer[:nested1].should eq(:sort_by => ["custom_field.external_id", "asc"])
+      end
+    end
+  end
+end

data/v2.md ADDED

@@ -0,0 +1,52 @@
+# InputSanitizer::V2::PayloadSanitizer
+Usage example:
+```ruby
+class ContactPayload < InputSanitizer::V2::PayloadSanitizer
+  string :status, allow: ['', 'current', 'past']
+  integer :ids, collection: true, minimum: 1
+  string :tags, collection: { minimum: 1, maximum: 4 }
+  boolean :admin_flag
+  datetime :launch_at
+  url :website
+  nested :address, sanitizer: AddressSanitizer
+end
+class AddressSanitizer < InputSanitizer::V2::PayloadSanitizer
+  string :city
+end
+```
+# InputSanitizer::V2::QuerySanitizer
+Example:
+```ruby
+class IndexParams < InputSanitizer::V2::QuerySanitizer
+  string :name
+  integer :ids, collection: true
+  sort_by %w(name updated_at created_at)
+end
+```
+# InputSanitizer::V2::PayloadTransform
+Example:
+```ruby
+class AddressTransform < InputSanitizer::V2::PayloadTransform
+  def transform
+    rename :line1, :street
+  end
+end
+class ContactPayloadTransform < InputSanitizer::V2::PayloadTransform
+  def transform
+    rename :value, :scope
+    merge_in :address, using: AddressTransform
+    payload[:other_thing] = payload.delete(:thing) * 2
+  end
+end
+```