json2sql 1.0.9 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/lib/json2sql/input_policy.rb +8 -2
  3. data/lib/json2sql/version.rb +1 -1
  4. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: acb969a8408adbf24bf7794bcc4a6b057c90c0e53d8b57041f01e9b19bc073cc
4
- data.tar.gz: 961326ecdf490e74c444acc01adbe5edca42b1c1d91b2c68f6fe68a47be14a57
3
+ metadata.gz: eb3184ddebd15d9412944f3e518524bbb0ae82b37dfcc925acb4c907e1244c3a
4
+ data.tar.gz: 0575b7e23355d4c08954cdf08a8da924bb8fccf67cd77086bb191c10b35a5780
5
5
  SHA512:
6
- metadata.gz: a7c7d34b754e4d8b823610837dc4dfb165cb34e315cbf46b965b9f25ef7292ce5b1424375f0bc4ae397c55493ca518a5b285606914364e6feed878f0d90f17d8
7
- data.tar.gz: 8cbee6aa534d976a64f2d4b233abc37421940cd8da6a6e1f2c2204ce9a1cc07f400286c697b520e3aa22f49ed8746f683cffc66ca2c2dfa957746d20bd64901e
6
+ metadata.gz: 3501e46e1a5f0d10abe56a545f965e6c501864e436064f1cbe69e7e3573e35d177ae41b379df5e90ca77baf8d9ca19ea2b3843d21bdbc22b8e5bd21aab86f125
7
+ data.tar.gz: 5df88c1b1c985fc920baea0717746e7348c6040ec2d3ef8309a0f52dbb3c72a8f2cdc4e1e520e347bcceb6001ee59206680f90f7663522d0ba40b718ef82a8d7
data/lib/json2sql/input_policy.rb CHANGED
@@ -16,8 +16,11 @@ module Json2sql
16
16
  # nil or absent = no column restriction for that table.
17
17
  # children: nested hash of allowed/denied child tables with their own config.
18
18
  # nil or absent = no restriction on children.
19
+ # In :deny mode: use empty hash {} to deny the relation entirely;
20
+ # a non-empty config applies column/where filtering without blocking.
19
21
  # parents: nested hash of allowed/denied parent tables with their own config.
20
22
  # nil or absent = no restriction on parents.
23
+ # In :deny mode: same rules as children.
21
24
  # where: server-side conditions merged into "and". Forced keys overwrite
22
25
  # user-supplied values — primary IDOR guard.
23
26
  #
@@ -90,7 +93,10 @@ module Json2sql
90
93
 
91
94
  # Filters children/parents relations using mode.
92
95
  # In :allow mode, only relations present as keys in config[relation_key] pass.
93
- # In :deny mode, relations present as keys in config[relation_key] are removed.
96
+ # In :deny mode:
97
+ # - relation config is nil or {} → relation is denied entirely.
98
+ # - relation config is a non-empty Hash → relation passes; sub-config is
99
+ # applied recursively (column filtering, where injection, etc.).
94
100
  # If config[relation_key] is absent or not a Hash, relations are untouched.
95
101
 
96
102
  def filter_relations(params, config, relation_key)
@@ -105,7 +111,7 @@ module Json2sql
105
111
 
106
112
  params[relation_key] = if @mode == :deny
107
113
 
108
- relations.reject { |t, _| relation_config.key?(t) }
114
+ relations.reject { |t, _| relation_config.key?(t) && (relation_config[t].nil? || (relation_config[t].is_a?(Hash) && relation_config[t].empty?)) }
109
115
 
110
116
  else
111
117
 
data/lib/json2sql/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Json2sql
4
- VERSION = "1.0.9"
4
+ VERSION = "1.0.10"
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: json2sql
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.9
4
+ version: 1.0.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tiago da Silva