json2sql 1.0.9 → 1.0.11
- checksums.yaml +4 -4
- data/lib/json2sql/input_policy.rb +25 -16
- data/lib/json2sql/version.rb +1 -1
- metadata +1 -1
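--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b734e672123b35d6b3878a30bf9629821915140e3240eba21cd8e853ac414911
+data.tar.gz: 819e7767505a2154f0071a46ffee6640d30954e7bae623f308cb185791f2f1f3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8a0743bbb6f1e26aacf1cdf62e0e81ce19992a79b0c748225a3d563a810ef4d8278b59d068fe28ee8707bb55080130d27538dc6711a2782dc392762aefd92a32
+data.tar.gz: 90cb0a70a7443c7bd6b3f4c6f12d02298d6e6c906d399cebc02c1edf1c566dc5eef470790d7f9213ef88b266a3b11f39f53fd74eaaa1ca1f37ef8daa015331d8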
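--- a/data/lib/json2sql/input_policy.rb
+++ b/data/lib/json2sql/input_policy.rb
@@ -16,8 +16,11 @@ module Json2sql
 # nil or absent = no column restriction for that table.
 # children: nested hash of allowed/denied child tables with their own config.
 # nil or absent = no restriction on children.
+# In :deny mode: a child relation is removed only when all its
+# columns are denied (result is empty array).
 # parents: nested hash of allowed/denied parent tables with their own config.
 # nil or absent = no restriction on parents.
+# In :deny mode: same rules as children.
 # where: server-side conditions merged into "and". Forced keys overwrite
 # user-supplied values — primary IDOR guard.
 #
@@ -78,20 +81,34 @@ module Json2sql
 
 %w[children parents].each do |relation|
 
-
+if @mode == :deny
 
-
+next unless params[relation].is_a?(Hash)
 
-
+relation_configs = config[relation].is_a?(Hash) ? config[relation] : {}
 
-
+params[relation].each { |child_table, child_params| sanitize_table(child_params, relation_configs[child_table] || {}) }
+
+params[relation].reject! { |_, child_params| child_params.is_a?(Hash) && child_params["columns"].is_a?(Array) && child_params["columns"].empty? }
+
+else
+
+filter_relations(params, config, relation)
+
+next unless params[relation].is_a?(Hash)
+
+relation_configs = config[relation].is_a?(Hash) ? config[relation] : {}
+
+params[relation].each { |child_table, child_params| sanitize_table(child_params, relation_configs[child_table] || {}) }
+
+end
 end
 end
 
-# Filters children/parents relations
-#
-# In :deny mode, relations present as keys in config[relation_key] are removed.
+# Filters children/parents relations in :allow mode.
+# Only relations present as keys in config[relation_key] pass through.
 # If config[relation_key] is absent or not a Hash, relations are untouched.
+# In :deny mode, pruning is handled in sanitize_table after column filtering.
 
 def filter_relations(params, config, relation_key)
 
@@ -103,15 +120,7 @@ module Json2sql
 
 return unless relation_config.is_a?(Hash)
 
-params[relation_key] =
-
-relations.reject { |t, _| relation_config.key?(t) }
-
-else
-
-relations.select { |t, _| relation_config.key?(t) }
-
-end
+params[relation_key] = relations.select { |t, _| relation_config.key?(t) }
 end
 
 # Filters "columns" using mode (:allow or :deny).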
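Review bot: In the `:deny` branch added at new lines 84–92, a deny-listed relation is pruned only when `child_params["columns"]` is an Array that filtering left empty, so a request that omits `columns` for that relation (or sends a non-Array) keeps the relation, and a deny entry with no column list no longer blocks anything, where 1.0.9 removed every relation named in the config. How the column filter and the query builder treat a missing `columns` key is outside these hunks, so whether this widens what a caller can read should be confirmed with a test before deny configs written for 1.0.9 are relied on. A fail-closed variant of the prune would be `params[relation].reject! { |t, cp| cp.is_a?(Hash) && (cp["columns"] == [] || (relation_configs.key?(t) && !cp["columns"].is_a?(Array))) }`. The header comment should also state that denying a whole relation now requires listing every one of its columns, and that a column added to the table later would presumably reopen the relation. The method containing the `%w[children parents]` loop starts above the hunk.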
data/lib/json2sql/version.rb
CHANGED