json2sql 1.0.7 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44981099a9e736eea37fae8938dbc885a7cf366a394ca46e884ff6abf14ab9a4
-  data.tar.gz: bb1ebf19a636bf8e28be4d6720afa8e0d90a4f5310625c5b70beaddb7f9276df
+  metadata.gz: acb969a8408adbf24bf7794bcc4a6b057c90c0e53d8b57041f01e9b19bc073cc
+  data.tar.gz: 961326ecdf490e74c444acc01adbe5edca42b1c1d91b2c68f6fe68a47be14a57
 SHA512:
-  metadata.gz: 01f29fa62d0d3a6e3d3f5f1fc3eded2a07db8b6500d3e2f8b72f4e5d37d96360ed719f3d9e01be88516eb8cf42297a39b97fee6ddff62eeaae48a190dfb7dee4
-  data.tar.gz: 184b5d2e228ae4786d84d53f7eb26090bdbc2a539dced777bdb9bf5c2d0aeb95e1335922c7dd2530b8eb7a54421c2b3d779f49ffb1b053cf44a53e8f1cad7584
+  metadata.gz: a7c7d34b754e4d8b823610837dc4dfb165cb34e315cbf46b965b9f25ef7292ce5b1424375f0bc4ae397c55493ca518a5b285606914364e6feed878f0d90f17d8
+  data.tar.gz: 8cbee6aa534d976a64f2d4b233abc37421940cd8da6a6e1f2c2204ce9a1cc07f400286c697b520e3aa22f49ed8746f683cffc66ca2c2dfa957746d20bd64901e

data/lib/json2sql/input_policy.rb

@@ -0,0 +1,159 @@
+module Json2sql
+
+  # Sanitizes a query input Hash before passing it to any Runner.
+  #
+  # Parameters:
+  #   mode:   :allow (default) — only tables listed in `tables:` are accessible.
+  #                              Tables absent from `tables:` are blocked entirely.
+  #                              Empty `tables:` = no restriction.
+  #           :deny            — all tables pass; only listed columns are stripped.
+  #   tables: Per-table configuration Hash (recursive):
+  #     { table_name => { columns: [...],
+  #                       children: { child_table => { columns: [...], ... } },
+  #                       parents:  { parent_table => { columns: [...], ... } },
+  #                       where: { "and" => { col => val } } } }
+  #     columns:  column list — filtered by `mode` (allowed or denied).
+  #               nil or absent = no column restriction for that table.
+  #     children: nested hash of allowed/denied child tables with their own config.
+  #               nil or absent = no restriction on children.
+  #     parents:  nested hash of allowed/denied parent tables with their own config.
+  #               nil or absent = no restriction on parents.
+  #     where:    server-side conditions merged into "and". Forced keys overwrite
+  #               user-supplied values — primary IDOR guard.
+  #
+  # Usage:
+  #   policy = Json2sql::InputPolicy.new(
+  #     mode:   :allow,
+  #     tables: {
+  #       orders: {
+  #         columns:  %w[id total status],
+  #         children: { order_items: { columns: %w[id price] } },
+  #         parents:  { users: { columns: %w[id name] } },
+  #         where:    { "and" => { "user_id" => 42 } }
+  #       }
+  #     }
+  #   )
+  #   safe_input = policy.apply(raw_params)
+  #   sql = Json2sql::SelectRunner.build(safe_input)
+
+  class InputPolicy
+
+    def initialize(mode: :allow, tables: {})
+
+      @mode = mode
+
+      @tables = Json2sql.normalize(tables)
+    end
+
+    # Returns a sanitized copy of input ready to pass to any Runner.
+    # Runners remain unmodified — they receive only the clean Hash.
+
+    def apply(input)
+
+      input = Json2sql.normalize(input)
+
+      input = filter_tables(input)
+
+      input.each { |table, params| sanitize_table(params, @tables[table] || {}) }
+
+      input
+    end
+
+    private
+
+    def filter_tables(input)
+
+      return input if @mode == :deny || @tables.empty?
+
+      input.select { |table, _| @tables.key?(table) }
+    end
+
+    def sanitize_table(params, config)
+
+      return unless params.is_a?(Hash)
+
+      filter_columns(params, config)
+
+      inject_where(params, config)
+
+      %w[children parents].each do |relation|
+
+        filter_relations(params, config, relation)
+
+        next unless params[relation].is_a?(Hash)
+
+        relation_configs = config[relation].is_a?(Hash) ? config[relation] : {}
+
+        params[relation].each { |child_table, child_params| sanitize_table(child_params, relation_configs[child_table] || {}) }
+      end
+    end
+
+    # Filters children/parents relations using mode.
+    # In :allow mode, only relations present as keys in config[relation_key] pass.
+    # In :deny mode, relations present as keys in config[relation_key] are removed.
+    # If config[relation_key] is absent or not a Hash, relations are untouched.
+
+    def filter_relations(params, config, relation_key)
+
+      relations = params[relation_key]
+
+      return unless relations.is_a?(Hash)
+
+      relation_config = config[relation_key]
+
+      return unless relation_config.is_a?(Hash)
+
+      params[relation_key] = if @mode == :deny
+
+        relations.reject { |t, _| relation_config.key?(t) }
+
+      else
+
+        relations.select { |t, _| relation_config.key?(t) }
+
+      end
+    end
+
+    # Filters "columns" using mode (:allow or :deny).
+    # Handles Array (SELECT) and Hash (INSERT/UPDATE) column formats.
+    # Hash entries (function columns) always pass through in :allow mode.
+    # If no column list is defined for the table, columns are untouched.
+
+    def filter_columns(params, config)
+
+      columns = params["columns"]
+
+      return unless columns.is_a?(Array) || columns.is_a?(Hash)
+
+      list = config["columns"]
+
+      return unless list.is_a?(Array)
+
+      params["columns"] = if @mode == :deny
+
+        columns.is_a?(Array) ? columns.reject { |c| list.include?(c) } : columns.reject { |k, _| list.include?(k) }
+
+      else
+
+        columns.is_a?(Array) ? columns.select { |c| c.is_a?(Hash) || list.include?(c) } : columns.select { |k, _| list.include?(k) }
+
+      end
+    end
+
+    # Merges forced "and" conditions into params["and"].
+    # Forced keys overwrite user-supplied values for the same column,
+    # preventing IDOR (e.g. attacker cannot override user_id).
+
+    def inject_where(params, config)
+
+      forced_and = config.dig("where", "and")
+
+      return unless forced_and.is_a?(Hash)
+
+      params["and"] ||= {}
+
+      params["and"].merge!(forced_and)
+    end
+
+  end
+end

data/lib/json2sql/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Json2sql
-  VERSION = "1.0.7"
+  VERSION = "1.0.9"
 end

data/lib/json2sql.rb

@@ -10,6 +10,7 @@ require_relative "json2sql/update_model"
 require_relative "json2sql/update_runner"
 require_relative "json2sql/delete_model"
 require_relative "json2sql/delete_runner"
+require_relative "json2sql/input_policy"
 
 # Json2sql — SQL builder that generates MySQL/MariaDB query strings from
 # plain Ruby Hashes (or parsed JSON).

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: json2sql
 version: !ruby/object:Gem::Version
-  version: 1.0.7
+  version: 1.0.9
 platform: ruby
 authors:
 - Tiago da Silva
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-03 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -50,6 +49,7 @@ files:
 - lib/json2sql.rb
 - lib/json2sql/delete_model.rb
 - lib/json2sql/delete_runner.rb
+- lib/json2sql/input_policy.rb
 - lib/json2sql/insert_model.rb
 - lib/json2sql/insert_runner.rb
 - lib/json2sql/sanitizer.rb
@@ -66,7 +66,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/tyagoy/json2sql
   source_code_uri: https://github.com/tyagoy/json2sql
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -81,8 +80,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Translates Ruby Hashes (or parsed JSON) into MySQL/MariaDB query strings.
 test_files: []