RubyGems - json2sql - Versions diffs - 1.0.6 → 1.0.8 - Mend

json2sql 1.0.6 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/json2sql/input_policy.rb +122 -0
data/lib/json2sql/insert_model.rb +22 -10
data/lib/json2sql/update_model.rb +18 -6
data/lib/json2sql/version.rb +1 -1
data/lib/json2sql.rb +1 -0
metadata +4 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d0e99fbd9cb204b8c8ab64c96c810433474f649cdd80af3b5c6e8f38c8f4f57f
-  data.tar.gz: 3a9ab7dfbee2f9b7509b320edd460b2d8ca177552bfccfac7b10164366628f1a
+  metadata.gz: 20cb67d29822ef620acb57a06b9f5cb04c9e01139a83e264567fb595d6e02d1b
+  data.tar.gz: 6dbbf3faaa752c434a71a9f1a34d8fc4ca11aac7f104e7e7752d93b66357c902
 SHA512:
-  metadata.gz: de83391fec39ab3b474f4af3a360e0c842e2945c12fcee347507963b397c97b3b9157387758f1a07e9f5bb33e6e7ea675e5fb9f40c9365383c19776fc1c280fd
-  data.tar.gz: e6a6a70bbde21691e4ae1c1991ef4dabeaa4c0596f20a97a71886cf232aeb0b1484aaa2fe3016257d520f8d0aa6e4366a3e90deec85d9671f79d9c9ddcb4c6c9
+  metadata.gz: 2117b66124364adedd912a28667416e2e09da573e050dde88f2c94eab66ceb0ec25ccec36d8c88a7f7e7e81332b42bf897f4ed9bc12ed60c2540a2c06ad17159
+  data.tar.gz: 96d7046e9c69b7dd66a4c6dbdd1b190dc805c230d450db60c6d3b8f4b634f0e5aac6995080e26a5e1d880ad15fa9b08e08828ee0b6141ba6102fb78502bbe846

data/lib/json2sql/input_policy.rb ADDED Viewed

@@ -0,0 +1,122 @@
+module Json2sql
+  # Sanitizes a query input Hash before passing it to any Runner.
+  #
+  # Parameters:
+  #   mode:   :allow (default) — only tables listed in `tables:` are accessible.
+  #                              Tables absent from `tables:` are blocked entirely.
+  #                              Empty `tables:` = no restriction.
+  #           :deny            — all tables pass; only listed columns are stripped.
+  #   tables: Per-table configuration Hash:
+  #     { table_name => { columns: [...], where: { "and" => { col => val } } } }
+  #     columns: column list — filtered by `mode` (allowed or denied).
+  #              nil or absent = no column restriction for that table.
+  #     where:   server-side conditions merged into "and". Forced keys overwrite
+  #              user-supplied values — primary IDOR guard.
+  #
+  # Usage:
+  #   policy = Json2sql::InputPolicy.new(
+  #     mode:   :allow,
+  #     tables: {
+  #       orders: { columns: %w[id total status], where: { "and" => { "user_id" => 42 } } },
+  #       users:  { columns: %w[id name email] }
+  #     }
+  #   )
+  #   safe_input = policy.apply(raw_params)
+  #   sql = Json2sql::SelectRunner.build(safe_input)
+  class InputPolicy
+    def initialize(mode: :allow, tables: {})
+      @mode = mode
+      @tables = Json2sql.normalize(tables)
+    end
+    # Returns a sanitized copy of input ready to pass to any Runner.
+    # Runners remain unmodified — they receive only the clean Hash.
+    def apply(input)
+      input = Json2sql.normalize(input)
+      input = filter_tables(input)
+      input.each { |table, params| sanitize_table(params, table) }
+      input
+    end
+    private
+    def filter_tables(input)
+      return input if @mode == :deny || @tables.empty?
+      input.select { |table, _| @tables.key?(table) }
+    end
+    def sanitize_table(params, table)
+      return unless params.is_a?(Hash)
+      filter_columns(params, table)
+      inject_where(params, table)
+      %w[children parents].each do |relation|
+        next unless params[relation].is_a?(Hash)
+        params[relation].each { |child_table, child_params| sanitize_table(child_params, child_table) }
+      end
+    end
+    # Filters "columns" using mode (:allow or :deny).
+    # Handles Array (SELECT) and Hash (INSERT/UPDATE) column formats.
+    # Hash entries (function columns) always pass through in :allow mode.
+    # If no column list is defined for the table, columns are untouched.
+    def filter_columns(params, table)
+      columns = params["columns"]
+      return unless columns.is_a?(Array) || columns.is_a?(Hash)
+      list = @tables.dig(table, "columns")
+      return unless list.is_a?(Array)
+      params["columns"] = if @mode == :deny
+        columns.is_a?(Array) \
+          ? columns.reject { |c| list.include?(c) } \
+          : columns.reject { |k, _| list.include?(k) }
+      else
+        columns.is_a?(Array) \
+          ? columns.select { |c| c.is_a?(Hash) || list.include?(c) } \
+          : columns.select { |k, _| list.include?(k) }
+      end
+    end
+    # Merges forced "and" conditions into params["and"].
+    # Forced keys overwrite user-supplied values for the same column,
+    # preventing IDOR (e.g. attacker cannot override user_id).
+    def inject_where(params, table)
+      forced_and = @tables.dig(table, "where", "and")
+      return unless forced_and.is_a?(Hash)
+      params["and"] ||= {}
+      params["and"].merge!(forced_and)
+    end
+  end
+end

data/lib/json2sql/insert_model.rb CHANGED Viewed

@@ -8,6 +8,8 @@ module Json2sql
   # Values:
   #   Integer / Float → inserted as raw numbers
   #   String          → wrapped in single quotes with SQL escaping
+  #
+  # Auto-injected when absent: created_at and updated_at → NOW()
   class InsertModel
@@ -20,28 +22,41 @@ module Json2sql
     def build(params)
+      columns = params["columns"]
+      return unless columns.is_a?(Hash)
+      columns = build_timestamps(columns)
       @sql << "INSERT INTO "
       @sql << Sanitizer.keyword_wrap(@table)
       @sql << " ("
-      build_columns(params)
+      build_columns(columns)
       @sql << ") VALUES ("
-      build_values(params)
+      build_values(columns)
       @sql << ")"
     end
     private
-    def build_columns(params)
+    def build_timestamps(columns)
-      columns = params["columns"]
+      timestamps = {}
-      return unless columns.is_a?(Hash)
+      timestamps["created_at"] = :now unless columns.key?("created_at")
+      timestamps["updated_at"] = :now unless columns.key?("updated_at")
+      timestamps.empty? ? columns : columns.merge(timestamps)
+    end
+    def build_columns(columns)
       separator = false
@@ -55,11 +70,7 @@ module Json2sql
       end
     end
-    def build_values(params)
-      columns  = params["columns"]
-      return unless columns.is_a?(Hash)
+    def build_values(columns)
       separator = false
@@ -73,6 +84,7 @@ module Json2sql
         when Float   then @sql << value.to_s
         when Integer then @sql << value.to_s
         when String  then @sql << Sanitizer.value_wrap(value)
+        when :now    then @sql << "NOW()"
         end
       end
     end

data/lib/json2sql/update_model.rb CHANGED Viewed

@@ -8,6 +8,8 @@ module Json2sql
   #   "or"      => { ... }                  – WHERE conditions (OR)
   #
   # Value types follow the same rules as InsertModel.
+  #
+  # Auto-injected when absent: updated_at → NOW()
   class UpdateModel
@@ -22,31 +24,40 @@ module Json2sql
     def build(params)
+      columns = params["columns"]
+      return unless columns.is_a?(Hash)
+      columns = build_timestamp(columns)
       @sql << "UPDATE "
       @sql << Sanitizer.keyword_wrap(@table)
       @sql << " SET "
-      build_columns(params)
+      build_columns(columns)
       WhereModel.new(@sql, @table, @relation).build(params)
     end
     private
-    def build_columns(params)
+    def build_timestamp(columns)
-      columns   = params["columns"]
+      return columns if columns.key?("updated_at")
-      return unless columns.is_a?(Hash)
+      columns.merge("updated_at" => :now)
+    end
+    def build_columns(columns)
       separator = false
       columns.each do |key, value|
         @sql << ", " if separator
         separator = true
         column = key.to_s
@@ -61,6 +72,7 @@ module Json2sql
         when Float   then @sql << value.to_s
         when Integer then @sql << value.to_s
         when String  then @sql << Sanitizer.value_wrap(value)
+        when :now    then @sql << "NOW()"
         end
       end
     end

data/lib/json2sql/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Json2sql
-  VERSION = "1.0.6"
+  VERSION = "1.0.8"
 end

data/lib/json2sql.rb CHANGED Viewed

@@ -10,6 +10,7 @@ require_relative "json2sql/update_model"
 require_relative "json2sql/update_runner"
 require_relative "json2sql/delete_model"
 require_relative "json2sql/delete_runner"
+require_relative "json2sql/input_policy"
 # Json2sql — SQL builder that generates MySQL/MariaDB query strings from
 # plain Ruby Hashes (or parsed JSON).

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: json2sql
 version: !ruby/object:Gem::Version
-  version: 1.0.6
+  version: 1.0.8
 platform: ruby
 authors:
 - Tiago da Silva
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-03 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -50,6 +49,7 @@ files:
 - lib/json2sql.rb
 - lib/json2sql/delete_model.rb
 - lib/json2sql/delete_runner.rb
+- lib/json2sql/input_policy.rb
 - lib/json2sql/insert_model.rb
 - lib/json2sql/insert_runner.rb
 - lib/json2sql/sanitizer.rb
@@ -66,7 +66,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/tyagoy/json2sql
   source_code_uri: https://github.com/tyagoy/json2sql
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -81,8 +80,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Translates Ruby Hashes (or parsed JSON) into MySQL/MariaDB query strings.
 test_files: []