RubyGems - json2sql - Versions diffs - 1.0.8 → 1.0.9 - Mend

json2sql 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/json2sql/input_policy.rb +60 -23
data/lib/json2sql/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 20cb67d29822ef620acb57a06b9f5cb04c9e01139a83e264567fb595d6e02d1b
-  data.tar.gz: 6dbbf3faaa752c434a71a9f1a34d8fc4ca11aac7f104e7e7752d93b66357c902
+  metadata.gz: acb969a8408adbf24bf7794bcc4a6b057c90c0e53d8b57041f01e9b19bc073cc
+  data.tar.gz: 961326ecdf490e74c444acc01adbe5edca42b1c1d91b2c68f6fe68a47be14a57
 SHA512:
-  metadata.gz: 2117b66124364adedd912a28667416e2e09da573e050dde88f2c94eab66ceb0ec25ccec36d8c88a7f7e7e81332b42bf897f4ed9bc12ed60c2540a2c06ad17159
-  data.tar.gz: 96d7046e9c69b7dd66a4c6dbdd1b190dc805c230d450db60c6d3b8f4b634f0e5aac6995080e26a5e1d880ad15fa9b08e08828ee0b6141ba6102fb78502bbe846
+  metadata.gz: a7c7d34b754e4d8b823610837dc4dfb165cb34e315cbf46b965b9f25ef7292ce5b1424375f0bc4ae397c55493ca518a5b285606914364e6feed878f0d90f17d8
+  data.tar.gz: 8cbee6aa534d976a64f2d4b233abc37421940cd8da6a6e1f2c2204ce9a1cc07f400286c697b520e3aa22f49ed8746f683cffc66ca2c2dfa957746d20bd64901e

data/lib/json2sql/input_policy.rb CHANGED Viewed

@@ -7,19 +7,30 @@ module Json2sql
   #                              Tables absent from `tables:` are blocked entirely.
   #                              Empty `tables:` = no restriction.
   #           :deny            — all tables pass; only listed columns are stripped.
-  #   tables: Per-table configuration Hash:
-  #     { table_name => { columns: [...], where: { "and" => { col => val } } } }
-  #     columns: column list — filtered by `mode` (allowed or denied).
-  #              nil or absent = no column restriction for that table.
-  #     where:   server-side conditions merged into "and". Forced keys overwrite
-  #              user-supplied values — primary IDOR guard.
+  #   tables: Per-table configuration Hash (recursive):
+  #     { table_name => { columns: [...],
+  #                       children: { child_table => { columns: [...], ... } },
+  #                       parents:  { parent_table => { columns: [...], ... } },
+  #                       where: { "and" => { col => val } } } }
+  #     columns:  column list — filtered by `mode` (allowed or denied).
+  #               nil or absent = no column restriction for that table.
+  #     children: nested hash of allowed/denied child tables with their own config.
+  #               nil or absent = no restriction on children.
+  #     parents:  nested hash of allowed/denied parent tables with their own config.
+  #               nil or absent = no restriction on parents.
+  #     where:    server-side conditions merged into "and". Forced keys overwrite
+  #               user-supplied values — primary IDOR guard.
   #
   # Usage:
   #   policy = Json2sql::InputPolicy.new(
   #     mode:   :allow,
   #     tables: {
-  #       orders: { columns: %w[id total status], where: { "and" => { "user_id" => 42 } } },
-  #       users:  { columns: %w[id name email] }
+  #       orders: {
+  #         columns:  %w[id total status],
+  #         children: { order_items: { columns: %w[id price] } },
+  #         parents:  { users: { columns: %w[id name] } },
+  #         where:    { "and" => { "user_id" => 42 } }
+  #       }
   #     }
   #   )
   #   safe_input = policy.apply(raw_params)
@@ -43,7 +54,7 @@ module Json2sql
       input = filter_tables(input)
-      input.each { |table, params| sanitize_table(params, table) }
+      input.each { |table, params| sanitize_table(params, @tables[table] || {}) }
       input
     end
@@ -57,19 +68,49 @@ module Json2sql
       input.select { |table, _| @tables.key?(table) }
     end
-    def sanitize_table(params, table)
+    def sanitize_table(params, config)
       return unless params.is_a?(Hash)
-      filter_columns(params, table)
+      filter_columns(params, config)
-      inject_where(params, table)
+      inject_where(params, config)
       %w[children parents].each do |relation|
+        filter_relations(params, config, relation)
         next unless params[relation].is_a?(Hash)
-        params[relation].each { |child_table, child_params| sanitize_table(child_params, child_table) }
+        relation_configs = config[relation].is_a?(Hash) ? config[relation] : {}
+        params[relation].each { |child_table, child_params| sanitize_table(child_params, relation_configs[child_table] || {}) }
+      end
+    end
+    # Filters children/parents relations using mode.
+    # In :allow mode, only relations present as keys in config[relation_key] pass.
+    # In :deny mode, relations present as keys in config[relation_key] are removed.
+    # If config[relation_key] is absent or not a Hash, relations are untouched.
+    def filter_relations(params, config, relation_key)
+      relations = params[relation_key]
+      return unless relations.is_a?(Hash)
+      relation_config = config[relation_key]
+      return unless relation_config.is_a?(Hash)
+      params[relation_key] = if @mode == :deny
+        relations.reject { |t, _| relation_config.key?(t) }
+      else
+        relations.select { |t, _| relation_config.key?(t) }
       end
     end
@@ -78,27 +119,23 @@ module Json2sql
     # Hash entries (function columns) always pass through in :allow mode.
     # If no column list is defined for the table, columns are untouched.
-    def filter_columns(params, table)
+    def filter_columns(params, config)
       columns = params["columns"]
       return unless columns.is_a?(Array) || columns.is_a?(Hash)
-      list = @tables.dig(table, "columns")
+      list = config["columns"]
       return unless list.is_a?(Array)
       params["columns"] = if @mode == :deny
-        columns.is_a?(Array) \
-          ? columns.reject { |c| list.include?(c) } \
-          : columns.reject { |k, _| list.include?(k) }
+        columns.is_a?(Array) ? columns.reject { |c| list.include?(c) } : columns.reject { |k, _| list.include?(k) }
       else
-        columns.is_a?(Array) \
-          ? columns.select { |c| c.is_a?(Hash) || list.include?(c) } \
-          : columns.select { |k, _| list.include?(k) }
+        columns.is_a?(Array) ? columns.select { |c| c.is_a?(Hash) || list.include?(c) } : columns.select { |k, _| list.include?(k) }
       end
     end
@@ -107,9 +144,9 @@ module Json2sql
     # Forced keys overwrite user-supplied values for the same column,
     # preventing IDOR (e.g. attacker cannot override user_id).
-    def inject_where(params, table)
+    def inject_where(params, config)
-      forced_and = @tables.dig(table, "where", "and")
+      forced_and = config.dig("where", "and")
       return unless forced_and.is_a?(Hash)

data/lib/json2sql/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Json2sql
-  VERSION = "1.0.8"
+  VERSION = "1.0.9"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json2sql
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.0.9
 platform: ruby
 authors:
 - Tiago da Silva