input_sanitizer 0.2.2 → 0.3.33

data/lib/input_sanitizer/v1.rb

@@ -0,0 +1,22 @@
+module InputSanitizer::V1
+end
+
+dir = File.dirname(__FILE__)
+require File.join(dir, 'errors')
+require File.join(dir, 'restricted_hash')
+require File.join(dir, 'v1', 'default_converters')
+require File.join(dir, 'v1', 'clean_field')
+require File.join(dir, 'v1', 'sanitizer')
+require File.join(dir, 'extended_converters')
+
+# Backward compatibility
+module InputSanitizer
+  Sanitizer = V1::Sanitizer
+
+  IntegerConverter = V1::IntegerConverter
+  StringConverter = V1::StringConverter
+  DateConverter = V1::DateConverter
+  TimeConverter = V1::TimeConverter
+  BooleanConverter = V1::BooleanConverter
+  AllowNil = V1::AllowNil
+end

data/lib/input_sanitizer/v2/clean_field.rb

@@ -0,0 +1,36 @@
+class InputSanitizer::V2::CleanField < MethodStruct.new(:data, :has_key, :default, :collection, :type, :converter, :options)
+  def call
+    if has_key
+      convert
+    elsif default
+      converter.call(default, options)
+    elsif options[:required]
+      raise InputSanitizer::ValueMissingError
+    else
+      raise InputSanitizer::OptionalValueOmitted
+    end
+  end
+
+  private
+  def convert
+    if collection
+      collection_clean.call(
+        :data => data,
+        :collection => collection,
+        :converter => converter,
+        :options => options
+      )
+    else
+      converter.call(data, options)
+    end
+  end
+
+  def collection_clean
+    case type
+    when :payload
+      InputSanitizer::V2::CleanPayloadCollectionField
+    when :query
+      InputSanitizer::V2::CleanQueryCollectionField
+    end
+  end
+end

data/lib/input_sanitizer/v2/clean_payload_collection_field.rb

@@ -0,0 +1,41 @@
+class InputSanitizer::V2::CleanPayloadCollectionField < MethodStruct.new(:data, :converter, :collection, :options)
+  def call
+    return nil if options[:allow_nil] && data == nil
+
+    validate_type
+    validate_size
+
+    result, errors = [], {}
+
+    data.each_with_index do |value, idx|
+      begin
+        result << converter.call(value, options)
+      rescue InputSanitizer::ValidationError => e
+        errors[idx] = e
+      end
+    end
+
+    if errors.any?
+      raise InputSanitizer::CollectionError.new(errors)
+    else
+      result
+    end
+  end
+
+  private
+  def validate_type
+    unless data.respond_to?(:to_ary)
+      raise InputSanitizer::TypeMismatchError.new(data, :array)
+    end
+  end
+
+  def validate_size
+    if collection.respond_to?(:fetch)
+      if collection[:minimum] && data.length < collection[:minimum]
+        raise InputSanitizer::CollectionLengthError.new(data.length, collection[:minimum], collection[:maximum])
+      elsif collection[:maximum] && data.length > collection[:maximum]
+        raise InputSanitizer::CollectionLengthError.new(data.length, collection[:minimum], collection[:maximum])
+      end
+    end
+  end
+end

data/lib/input_sanitizer/v2/clean_query_collection_field.rb

@@ -0,0 +1,40 @@
+class InputSanitizer::V2::CleanQueryCollectionField < MethodStruct.new(:data, :converter, :collection, :options)
+  def call
+    validate_type
+    validate_size
+
+    result, errors = [], {}
+    items.each_with_index do |value, idx|
+      begin
+        result << converter.call(value, options)
+      rescue InputSanitizer::ValidationError => e
+        errors[idx] = e
+      end
+    end
+
+    if errors.any?
+      raise InputSanitizer::CollectionError.new(errors)
+    else
+      result
+    end
+  end
+
+  private
+  def items
+    @items ||= data.to_s.split(',')
+  end
+
+  def validate_type
+    InputSanitizer::V2::Types::StringCheck.new.call(data)
+  end
+
+  def validate_size
+    if collection.respond_to?(:fetch)
+      if collection[:minimum] && items.length < collection[:minimum]
+        raise InputSanitizer::CollectionLengthError.new(items.length, collection[:minimum], collection[:maximum])
+      elsif collection[:maximum] && items.length > collection[:maximum]
+        raise InputSanitizer::CollectionLengthError.new(items.length, collection[:minimum], collection[:maximum])
+      end
+    end
+  end
+end

data/lib/input_sanitizer/v2/error_collection.rb

@@ -0,0 +1,49 @@
+class InputSanitizer::V2::ErrorCollection
+  include Enumerable
+
+  attr_reader :error_codes, :messages
+
+  def initialize(errors)
+    @error_codes = {}
+    @messages = {}
+    @error_details = {}
+
+    errors.each do |error|
+      (@error_codes[error.field] ||= []) << error.code
+      (@messages[error.field] ||= []) << error.message
+      error_value_hash = { :value => error.value }
+      (@error_details[error.field] ||= []) << error_value_hash
+    end
+  end
+
+  def [](attribute)
+    @error_codes[attribute]
+  end
+
+  def each
+    @error_codes.each_key do |attribute|
+      self[attribute].each { |error| yield attribute, error }
+    end
+  end
+
+  def size
+    @error_codes.size
+  end
+  alias_method :length, :size
+  alias_method :count, :size
+
+  def empty?
+    @error_codes.empty?
+  end
+
+  def add(attribute, code = :invalid, options = {})
+    (@error_codes[attribute] ||= []) << code
+    (@messages[attribute] ||= []) << options.delete(:messages)
+    (@error_details[attribute] ||= []) << options
+  end
+
+  def to_hash
+    messages.dup
+  end
+  alias_method :full_messages, :to_hash
+end

data/lib/input_sanitizer/v2/nested_sanitizer_factory.rb

@@ -0,0 +1,19 @@
+class InputSanitizer::V2::NestedSanitizerFactory
+  class NilAllowed
+    def cleaned
+      nil
+    end
+
+    def valid?
+      true
+    end
+  end
+
+  def self.for(nested_sanitizer_klass, value, options)
+    if value.nil? && options[:allow_nil] && !options[:collection]
+      NilAllowed.new
+    else
+      nested_sanitizer_klass.new(value, options)
+    end
+  end
+end

data/lib/input_sanitizer/v2/payload_sanitizer.rb

@@ -0,0 +1,130 @@
+class InputSanitizer::V2::PayloadSanitizer < InputSanitizer::Sanitizer
+  attr_reader :validation_context
+
+  def initialize(data, validation_context = {})
+    super data
+
+    self.validation_context = validation_context || {}
+  end
+
+  def validation_context=(context)
+    raise ArgumentError, "validation_context must be a Hash" unless context && context.is_a?(Hash)
+    @validation_context = context
+  end
+
+  def error_collection
+    @error_collection ||= InputSanitizer::V2::ErrorCollection.new(errors)
+  end
+
+  def self.converters
+    {
+      :integer => InputSanitizer::V2::Types::IntegerCheck.new,
+      :float => InputSanitizer::V2::Types::FloatCheck.new,
+      :string => InputSanitizer::V2::Types::StringCheck.new,
+      :boolean => InputSanitizer::V2::Types::BooleanCheck.new,
+      :datetime => InputSanitizer::V2::Types::DatetimeCheck.new,
+      :date => InputSanitizer::V2::Types::DatetimeCheck.new(:check_date => true),
+      :url => InputSanitizer::V2::Types::URLCheck.new,
+    }
+  end
+  initialize_types_dsl
+
+  def self.nested(*keys)
+    options = keys.pop
+    sanitizer = options.delete(:sanitizer)
+    keys.push(options)
+    raise "You did not define a sanitizer for nested value" if sanitizer == nil
+    converter = lambda { |value, converter_options|
+      instance = InputSanitizer::V2::NestedSanitizerFactory.for(sanitizer, value, converter_options)
+      raise InputSanitizer::NestedError.new(instance.errors) unless instance.valid?
+      instance.cleaned
+    }
+
+    keys << {} unless keys.last.is_a?(Hash)
+    keys.last[:nested] = true
+
+    self.set_keys_to_converter(keys, converter)
+  end
+
+  private
+  def perform_clean
+    super
+    @data.reject { |key, _| self.class.fields.keys.include?(key) }.each { |key, _| @errors << InputSanitizer::ExtraneousParamError.new("/#{key}") }
+  end
+
+  def prepare_options!(options)
+    return options if @validation_context.empty?
+    context = @validation_context.dup
+    context_provided_values = context.delete(:provided)
+
+    intersection = options.keys & context.keys
+
+    unless intersection.empty?
+      message = "validation context and converter options have the same keys: #{intersection}. " \
+        "In order to proceed please fix the configuration. " \
+        "In the meantime aborting ..."
+      raise RuntimeError, message
+    end
+
+    if context_provided_values
+      options[:provided] ||= {}
+      options[:provided] = options[:provided].merge(context_provided_values)
+    end
+
+    options.merge(context)
+  end
+
+  def clean_field(field, hash)
+    options = hash[:options].clone
+    collection = options.delete(:collection)
+    default = options.delete(:default)
+    has_key = @data.has_key?(field)
+    value = @data[field]
+    is_nested = options.delete(:nested)
+
+    provide = options.delete(:provide)
+    provided = Array(provide).inject({}) { |memo, value| memo[value] = @data[value]; memo }
+    options[:provided] = provided
+
+    if is_nested && has_key
+      if collection
+        raise InputSanitizer::TypeMismatchError.new(value, "array") unless value.is_a?(Array)
+      elsif !options[:allow_nil] || (options[:allow_nil] && !value.nil?)
+        raise InputSanitizer::TypeMismatchError.new(value, "hash") unless value.is_a?(Hash)
+      end
+    end
+
+    @cleaned[field] = InputSanitizer::V2::CleanField.call(
+      :data => value,
+      :has_key => has_key,
+      :default => default,
+      :collection => collection,
+      :type => sanitizer_type,
+      :converter => hash[:converter],
+      :options => prepare_options!(options)
+    )
+  rescue InputSanitizer::OptionalValueOmitted
+  rescue InputSanitizer::ValidationError => error
+    @errors += handle_error(field, error)
+  end
+
+  def handle_error(field, error)
+    case error
+    when InputSanitizer::CollectionError
+      error.collection_errors.map do |index, error|
+        handle_error("#{field}/#{index}", error)
+      end
+    when InputSanitizer::NestedError
+      error.nested_errors.map do |error|
+        handle_error("#{field}#{error.field}", error)
+      end
+    else
+      error.field = "/#{field}"
+      Array(error)
+    end.flatten
+  end
+
+  def sanitizer_type
+    :payload
+  end
+end

data/lib/input_sanitizer/v2/payload_transform.rb

@@ -0,0 +1,42 @@
+require 'active_support/core_ext/hash/indifferent_access'
+
+class InputSanitizer::V2::PayloadTransform
+  attr_reader :original_payload, :context
+
+  def self.call(original_payload, context = {})
+    new(original_payload, context).call
+  end
+
+  def initialize(original_payload, context = {})
+    fail "#{self.class} is missing #transform method" unless respond_to?(:transform)
+    @original_payload, @context = original_payload, context
+  end
+
+  def call
+    transform
+    payload
+  end
+
+  private
+  def rename(from, to)
+    if has?(from)
+      data = payload.delete(from)
+      payload[to] = data
+    end
+  end
+
+  def merge_in(field, options = {})
+    if source = payload.delete(field)
+      source = options[:using].call(source) if options[:using]
+      payload.merge!(source)
+    end
+  end
+
+  def has?(key)
+    payload.has_key?(key)
+  end
+
+  def payload
+    @payload ||= original_payload.with_indifferent_access
+  end
+end

data/lib/input_sanitizer/v2/query_sanitizer.rb

@@ -0,0 +1,33 @@
+class InputSanitizer::V2::QuerySanitizer < InputSanitizer::V2::PayloadSanitizer
+  def self.converters
+    {
+      :integer => InputSanitizer::V2::Types::CoercingIntegerCheck.new,
+      :float => InputSanitizer::V2::Types::CoercingFloatCheck.new,
+      :string => InputSanitizer::V2::Types::StringCheck.new,
+      :boolean => InputSanitizer::V2::Types::CoercingBooleanCheck.new,
+      :datetime => InputSanitizer::V2::Types::DatetimeCheck.new,
+      :date => InputSanitizer::V2::Types::DatetimeCheck.new(:check_date => true),
+      :url => InputSanitizer::V2::Types::URLCheck.new,
+    }
+  end
+  initialize_types_dsl
+
+  def self.sort_by(allowed_values, options = {})
+    set_keys_to_converter([:sort_by, { :allow => allowed_values }.merge(options)], InputSanitizer::V2::Types::SortByCheck.new)
+  end
+
+  # allow underscore cache buster by default
+  string :_
+
+  private
+  def perform_clean
+    super
+    @errors.each do |error|
+      error.field = error.field[1..-1] if error.field.start_with?('/')
+    end
+  end
+
+  def sanitizer_type
+    :query
+  end
+end

data/lib/input_sanitizer/v2/types.rb

@@ -0,0 +1,213 @@
+require 'active_support/core_ext/object/blank'
+
+module InputSanitizer::V2::Types
+  class IntegerCheck
+    def call(value, options = {})
+      if value == nil && (options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil
+        value
+      else
+        Integer(value).tap do |integer|
+          raise InputSanitizer::TypeMismatchError.new(value, :integer) unless integer == value
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && integer < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && integer > options[:maximum]
+        end
+      end
+    rescue ArgumentError, TypeError
+      raise InputSanitizer::TypeMismatchError.new(value, :integer)
+    end
+  end
+
+  class CoercingIntegerCheck
+    def call(value, options = {})
+      if value == nil || value == 'null'
+        if options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true
+          raise InputSanitizer::BlankValueError
+        else
+          nil
+        end
+      else
+        Integer(value).tap do |integer|
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && integer < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && integer > options[:maximum]
+        end
+      end
+    rescue ArgumentError
+      raise InputSanitizer::TypeMismatchError.new(value, :integer)
+    end
+  end
+
+  class FloatCheck
+    def call(value, options = {})
+      if value == nil && (options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil
+        value
+      else
+        Float(value).tap do |float|
+          raise InputSanitizer::TypeMismatchError.new(value, :float) unless float == value
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && float < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && float > options[:maximum]
+        end
+      end
+    rescue ArgumentError, TypeError
+      raise InputSanitizer::TypeMismatchError.new(value, :float)
+    end
+  end
+
+  class CoercingFloatCheck
+    def call(value, options = {})
+      if value == nil || value == 'null'
+        if options[:allow_nil] == false || options[:allow_blank] == false || options[:required] == true
+          raise InputSanitizer::BlankValueError
+        else
+          nil
+        end
+      else
+        Float(value).tap do |float|
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && float < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && float > options[:maximum]
+        end
+      end
+    rescue ArgumentError
+      raise InputSanitizer::TypeMismatchError.new(value, :float)
+    end
+  end
+
+  class StringCheck
+    def call(value, options = {})
+      if options[:allow] && !options[:allow].include?(value)
+        raise InputSanitizer::ValueNotAllowedError.new(value)
+      elsif value.blank? && (options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif options[:regexp] && options[:regexp].match(value).nil?
+        raise InputSanitizer::RegexpMismatchError.new
+      elsif value == nil && options[:allow_nil] == false
+        raise InputSanitizer::BlankValueError
+      elsif value.blank?
+        value
+      else
+        value.to_s.tap do |string|
+          raise InputSanitizer::TypeMismatchError.new(value, :string) unless string == value
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && string.length < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && string.length > options[:maximum]
+        end
+      end
+    end
+  end
+
+  class BooleanCheck
+    def call(value, options = {})
+      if value == nil
+        raise InputSanitizer::BlankValueError
+      elsif [true, false].include?(value)
+        value
+      else
+        raise InputSanitizer::TypeMismatchError.new(value, :boolean)
+      end
+    end
+  end
+
+  class CoercingBooleanCheck
+    def call(value, options = {})
+      if [true, 'true'].include?(value)
+        true
+      elsif [false, 'false'].include?(value)
+        false
+      else
+        raise InputSanitizer::TypeMismatchError.new(value, :boolean)
+      end
+    end
+  end
+
+  class DatetimeCheck
+    def initialize(options = {})
+      @check_date = options && options[:check_date]
+      @klass = @check_date ? Date : DateTime
+    end
+
+    def call(value, options = {})
+      raise InputSanitizer::TypeMismatchError.new(value, @check_date ? :date : :datetime) unless value == nil || value.is_a?(String)
+
+      if value.blank? && (options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil && options[:allow_nil] == false
+        raise InputSanitizer::BlankValueError
+      elsif value.blank?
+        value
+      else
+        @klass.parse(value).tap do |datetime|
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:minimum] && datetime < options[:minimum]
+          raise InputSanitizer::ValueError.new(value, options[:minimum], options[:maximum]) if options[:maximum] && datetime > options[:maximum]
+        end
+      end
+    rescue ArgumentError, TypeError
+      raise InputSanitizer::TypeMismatchError.new(value, @check_date ? :date : :datetime)
+    end
+  end
+
+  class URLCheck
+    def call(value, options = {})
+      if value.blank? && (options[:allow_blank] == false || options[:required] == true)
+        raise InputSanitizer::BlankValueError
+      elsif value == nil && options[:allow_nil] == false
+        raise InputSanitizer::BlankValueError
+      elsif value.blank?
+        value
+      else
+        unless /\A#{URI.regexp(%w(http https)).to_s}\z/.match(value)
+          raise InputSanitizer::TypeMismatchError.new(value, :url)
+        end
+        value
+      end
+    end
+  end
+
+  class SortByCheck
+    def call(value, options = {})
+      check_options!(options)
+
+      key, direction = split(value)
+      direction = 'asc' if direction.blank?
+
+      # special case when fallback takes care of separator sanitization e.g. custom fields
+      if options[:fallback] && !allowed_directions.include?(direction)
+        direction = 'asc'
+        key = value
+      end
+
+      unless valid?(key, direction, options)
+        raise InputSanitizer::ValueNotAllowedError.new(value)
+      end
+
+      [key, direction]
+    end
+
+  private
+    def valid?(key, direction, options)
+      allowed_keys = options[:allow]
+      fallback = options[:fallback]
+
+      allowed_directions.include?(direction) &&
+        ((allowed_keys && allowed_keys.include?(key)) ||
+          (fallback && fallback.call(key, direction, options)))
+    end
+
+    def split(value)
+      head, _, tail = value.to_s.rpartition(':')
+      head.empty? ? [tail, head] : [head, tail]
+    end
+
+    def check_options!(options)
+      fallback = options[:fallback]
+      if fallback && !fallback.respond_to?(:call)
+        raise ArgumentError, ":fallback option must respond to method :call (proc, lambda etc)"
+      end
+    end
+
+    def allowed_directions
+      ['asc', 'desc']
+    end
+  end
+end