json2sql 1.0.10 → 1.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb3184ddebd15d9412944f3e518524bbb0ae82b37dfcc925acb4c907e1244c3a
-  data.tar.gz: 0575b7e23355d4c08954cdf08a8da924bb8fccf67cd77086bb191c10b35a5780
+  metadata.gz: 3a1ea5e0f95c4a548b1bb9360e2adb5a4b5356992016d76b4babc16acb0d85c9
+  data.tar.gz: '01873a86ae29993fd7b5e9902506b074333294207fa8ef6b4b8d122272bad4b6'
 SHA512:
-  metadata.gz: 3501e46e1a5f0d10abe56a545f965e6c501864e436064f1cbe69e7e3573e35d177ae41b379df5e90ca77baf8d9ca19ea2b3843d21bdbc22b8e5bd21aab86f125
-  data.tar.gz: 5df88c1b1c985fc920baea0717746e7348c6040ec2d3ef8309a0f52dbb3c72a8f2cdc4e1e520e347bcceb6001ee59206680f90f7663522d0ba40b718ef82a8d7
+  metadata.gz: 01d567792598296fbeaa37e25a215a33a911fabcf8c847818a3f6c1dba59c9a9ef792ccd387f4728bbf2616a3135ff6a6246a637376e9b3940414c8127160ce6
+  data.tar.gz: 0263df1d2046c256341c926b9dfece8bdedc9722e603153df64c7175884acf76bd66fe24f9de360177dcb97639444c6b32539d2eaec52cc91761d229ba426f23

data/lib/json2sql/{input_policy.rb → query_policy.rb}

@@ -6,7 +6,9 @@ module Json2sql
   #   mode:   :allow (default) — only tables listed in `tables:` are accessible.
   #                              Tables absent from `tables:` are blocked entirely.
   #                              Empty `tables:` = no restriction.
-  #           :deny            — all tables pass; only listed columns are stripped.
+  #           :deny            — all tables pass. After column filtering, tables
+  #                              with no remaining accessible columns are removed.
+  #                              Same rule applies to children and parents.
   #   tables: Per-table configuration Hash (recursive):
   #     { table_name => { columns: [...],
   #                       children: { child_table => { columns: [...], ... } },
@@ -16,8 +18,8 @@ module Json2sql
   #               nil or absent = no column restriction for that table.
   #     children: nested hash of allowed/denied child tables with their own config.
   #               nil or absent = no restriction on children.
-  #               In :deny mode: use empty hash {} to deny the relation entirely;
-  #               a non-empty config applies column/where filtering without blocking.
+  #               In :deny mode: a child relation is removed only when all its
+  #               columns are denied (result is empty array).
   #     parents:  nested hash of allowed/denied parent tables with their own config.
   #               nil or absent = no restriction on parents.
   #               In :deny mode: same rules as children.
@@ -25,7 +27,7 @@ module Json2sql
   #               user-supplied values — primary IDOR guard.
   #
   # Usage:
-  #   policy = Json2sql::InputPolicy.new(
+  #   policy = Json2sql::QueryPolicy.new(
   #     mode:   :allow,
   #     tables: {
   #       orders: {
@@ -39,7 +41,7 @@ module Json2sql
   #   safe_input = policy.apply(raw_params)
   #   sql = Json2sql::SelectRunner.build(safe_input)
 
-  class InputPolicy
+  class QueryPolicy
 
     def initialize(mode: :allow, tables: {})
 
@@ -54,27 +56,24 @@ module Json2sql
     def apply(input)
 
       input = Json2sql.normalize(input)
+      
+      filter_tables(input, @tables)
 
-      input = filter_tables(input)
+      input.each { |table, params| sanitize_table(params, @tables[table]) }
 
-      input.each { |table, params| sanitize_table(params, @tables[table] || {}) }
+      input.reject! { |_, params| empty_columns?(params) }
 
       input
     end
 
     private
 
-    def filter_tables(input)
-
-      return input if @mode == :deny || @tables.empty?
-
-      input.select { |table, _| @tables.key?(table) }
-    end
-
     def sanitize_table(params, config)
 
       return unless params.is_a?(Hash)
 
+      return unless config.is_a?(Hash)
+
       filter_columns(params, config)
 
       inject_where(params, config)
@@ -85,39 +84,51 @@ module Json2sql
 
         next unless params[relation].is_a?(Hash)
 
-        relation_configs = config[relation].is_a?(Hash) ? config[relation] : {}
+        tables = config[relation].is_a?(Hash) ? config[relation] : {}
+
+        params[relation].each { |table, params| sanitize_table(params, tables[table]) }
+
+        params[relation].reject! { |_, params| empty_columns?(params) }
 
-        params[relation].each { |child_table, child_params| sanitize_table(child_params, relation_configs[child_table] || {}) }
       end
     end
 
-    # Filters children/parents relations using mode.
-    # In :allow mode, only relations present as keys in config[relation_key] pass.
-    # In :deny mode:
-    #   - relation config is nil or {} → relation is denied entirely.
-    #   - relation config is a non-empty Hash  → relation passes; sub-config is
-    #     applied recursively (column filtering, where injection, etc.).
-    # If config[relation_key] is absent or not a Hash, relations are untouched.
+    def empty_columns?(params)
+
+      params.is_a?(Hash) && params["columns"].is_a?(Array) && params["columns"].empty?
+    end
+
+    def filter_tables(params, config)
+
+      return if @mode == :deny
+
+      return unless params.is_a?(Hash)
 
-    def filter_relations(params, config, relation_key)
+      tables = config.is_a?(Hash) ? config : {}
 
-      relations = params[relation_key]
+      return if tables.empty?
 
-      return unless relations.is_a?(Hash)
+      params.select! { |table, _| tables.key?(table) }
+    end
+    
+    # Filters children/parents relations in :allow mode.
+    # Only relations present as keys in config[relation] pass through.
+    # If config[relation] is absent or not a Hash, relations are untouched.
+    # No-op in :deny mode.
 
-      relation_config = config[relation_key]
+    def filter_relations(params, config, relation)
 
-      return unless relation_config.is_a?(Hash)
+      return if @mode == :deny
 
-      params[relation_key] = if @mode == :deny
+      param_tables = params[relation]
 
-        relations.reject { |t, _| relation_config.key?(t) && (relation_config[t].nil? || (relation_config[t].is_a?(Hash) && relation_config[t].empty?)) }
+      return unless param_tables.is_a?(Hash)
 
-      else
+      config_tables = config[relation]
 
-        relations.select { |t, _| relation_config.key?(t) }
+      return unless config_tables.is_a?(Hash)
 
-      end
+      params[relation] = param_tables.select { |table, _| config_tables.key?(table) }
     end
 
     # Filters "columns" using mode (:allow or :deny).

data/lib/json2sql/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Json2sql
-  VERSION = "1.0.10"
+  VERSION = "1.0.12"
 end

data/lib/json2sql.rb

@@ -10,7 +10,7 @@ require_relative "json2sql/update_model"
 require_relative "json2sql/update_runner"
 require_relative "json2sql/delete_model"
 require_relative "json2sql/delete_runner"
-require_relative "json2sql/input_policy"
+require_relative "json2sql/query_policy"
 
 # Json2sql — SQL builder that generates MySQL/MariaDB query strings from
 # plain Ruby Hashes (or parsed JSON).

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json2sql
 version: !ruby/object:Gem::Version
-  version: 1.0.10
+  version: 1.0.12
 platform: ruby
 authors:
 - Tiago da Silva
@@ -49,9 +49,9 @@ files:
 - lib/json2sql.rb
 - lib/json2sql/delete_model.rb
 - lib/json2sql/delete_runner.rb
-- lib/json2sql/input_policy.rb
 - lib/json2sql/insert_model.rb
 - lib/json2sql/insert_runner.rb
+- lib/json2sql/query_policy.rb
 - lib/json2sql/sanitizer.rb
 - lib/json2sql/select_model.rb
 - lib/json2sql/select_runner.rb