jsonapi_parameters 1.1.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ad28494a05c8bc7f45b3b4408989aa44c311741fbefea777bd9fedb91bba464
-  data.tar.gz: 57180a59200f87667ebfdc57c1063e1855ce16777c80e4d8562780bfbbd96bfa
+  metadata.gz: 414c6d7e91cd71641096a2fc6dcb6d7055f9154cab1db06be6dbb188fddb3c6a
+  data.tar.gz: 483e0f4576c935632ca3cdbe48b10050d232dbb67e202a4db0fca2d4f0004721
 SHA512:
-  metadata.gz: 166f3aed4fe6f74806fdad8f17bb924812d4678f8fc2ca55d16cfdff7c2497a43d4c9331280b128b74ac1051ccb6022e16880daae409fb93a402134196c34937
-  data.tar.gz: 8556b0aaed3936f78999f7fe7a0438ce1c66af2c7f2d78e499a7ba53c00ff6d60c9c83b949a4096b88a79ddf248bfa0cba89559923fa4f73ce720caf1f49ffec
+  metadata.gz: 5a90b5d5a44fcbe5ee66e13308ab190e73a7a84409727c6c7530d66d5105baf4754987d634b71ebe4f7674d3b491e95a7ed8bb8e5fd399f4a638cb2bb272f087
+  data.tar.gz: 89d0c3dc2b6b100c53f1c446b80d9bd8acfc5e9db33587330c5fd57c362d9c92d8b9866f5c2afb95aa86233bb5c40ce72c61baac6cafa2b40d53df37d39dc47d

data/README.md

@@ -4,6 +4,7 @@ Simple [JSON:API](https://jsonapi.org/) compliant parameters translator.
 [![Gem Version](https://badge.fury.io/rb/jsonapi_parameters.svg)](https://badge.fury.io/rb/jsonapi_parameters)
 [![Maintainability](https://api.codeclimate.com/v1/badges/84fd5b548eea8d7e18af/maintainability)](https://codeclimate.com/github/visualitypl/jsonapi_parameters/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/84fd5b548eea8d7e18af/test_coverage)](https://codeclimate.com/github/visualitypl/jsonapi_parameters/test_coverage)
+[![CircleCI](https://circleci.com/gh/visualitypl/jsonapi_parameters.svg?style=svg)](https://circleci.com/gh/visualitypl/jsonapi_parameters)
 
 [Documentation](https://github.com/visualitypl/jsonapi_parameters/wiki)
 
@@ -92,13 +93,63 @@ translator.jsonapify(params)
 
 As [stated in the JSON:API specification](https://jsonapi.org/#mime-types) correct mime type for JSON:API input should be [`application/vnd.api+json`](http://www.iana.org/assignments/media-types/application/vnd.api+json). 
 
-This gems intention is to make input consumption as easy as possible. Hence, it [registers this mime type for you](lib/jsonapi_parameters/core_ext/action_dispatch/http/mime_type.rb). 
+This gem's intention is to make input consumption as easy as possible. Hence, it [registers this mime type for you](lib/jsonapi_parameters/core_ext/action_dispatch/http/mime_type.rb).
+
+## Stack limit
+
+In theory, any payload may consist of infinite amount of relationships (and so each relationship may have its own, included, infinite amount of nested relationships).
+Because of that, it is a potential vector of attack. 
+
+For this reason we have introduced a default limit of stack levels that JsonApi::Parameters will go down through while parsing the payloads. 
+
+This default limit is 3, and can be overwritten by specifying the custom limit.
+
+#### Ruby
+```ruby
+class Translator
+    include JsonApi::Parameters
+end
+
+translator = Translator.new
+
+translator.jsonapify(custom_stack_limit: 4)
+
+# OR
+ 
+translator.stack_limit = 4
+translator.jsonapify.(...)
+``` 
+
+#### Rails
+```ruby
+def create_params
+    params.from_jsonapi(custom_stack_limit: 4).require(:user).permit(
+        entities_attributes: { subentities_attributes: { ... } }
+    )
+end
+
+# OR
+ 
+def create_params
+    params.stack_level = 4
+
+    params.from_jsonapi.require(:user).permit(entities_attributes: { subentities_attributes: { ... } })
+ensure
+    params.reset_stack_limit!
+end
+```
 
 ## Customization
 
 If you need custom relationship handling (for instance, if you have a relationship named `scissors` that is plural, but it actually is a single entity), you can use Handlers to define appropriate behaviour.
 
-Read more at [Relationship Handlers]()
+Read more at [Relationship Handlers](https://github.com/visualitypl/jsonapi_parameters/wiki/Relationship-handlers).
+
+## Team
+
+Project started by [Jasiek Matusz](https://github.com/Marahin).
+
+Currently, jsonapi_parameters is maintained by Visuality's [Open Source Commitee](https://www.visuality.pl/open-source).
 
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/lib/jsonapi_parameters.rb

@@ -2,6 +2,5 @@ require 'jsonapi_parameters/parameters'
 require 'jsonapi_parameters/handlers'
 require 'jsonapi_parameters/translator'
 require 'jsonapi_parameters/core_ext'
+require 'jsonapi_parameters/stack_limit'
 require 'jsonapi_parameters/version'
-
-require 'active_support/inflector'

data/lib/jsonapi_parameters/core_ext/action_controller/parameters.rb

@@ -9,7 +9,7 @@ class ActionController::Parameters
     from_jsonapi(*args)
   end
 
-  def from_jsonapi(naming_convention = :snake)
-    @from_jsonapi ||= self.class.new jsonapify(self, naming_convention: naming_convention)
+  def from_jsonapi(naming_convention = :snake, custom_stack_limit: stack_limit)
+    @from_jsonapi ||= self.class.new jsonapify(self, naming_convention: naming_convention, custom_stack_limit: custom_stack_limit)
   end
 end

data/lib/jsonapi_parameters/default_handlers/base_handler.rb

@@ -5,6 +5,10 @@ module JsonApi
         class BaseHandler
           attr_reader :relationship_key, :relationship_value, :included
 
+          def self.call(key, val, included)
+            new(key, val, included).handle
+          end
+
           def initialize(relationship_key, relationship_value, included)
             @relationship_key = relationship_key
             @relationship_value = relationship_value

data/lib/jsonapi_parameters/default_handlers/nil_relation_handler.rb

@@ -1,3 +1,5 @@
+require 'active_support/inflector'
+
 require_relative './base_handler'
 
 module JsonApi

data/lib/jsonapi_parameters/default_handlers/to_many_relation_handler.rb

@@ -1,3 +1,5 @@
+require 'active_support/inflector'
+
 module JsonApi
   module Parameters
     module Handlers
@@ -34,8 +36,9 @@ module JsonApi
               @with_inclusion &= !included_object.empty?
 
               if with_inclusion
-                included_object.delete(:type)
-                included_object[:attributes].merge(id: related_id)
+                { **(included_object[:attributes] || {}), id: related_id }.tap do |body|
+                  body[:relationships] = included_object[:relationships] if included_object.key?(:relationships) # Pass nested relationships
+                end
               else
                 relationship.dig(:id)
               end

data/lib/jsonapi_parameters/default_handlers/to_one_relation_handler.rb

@@ -1,3 +1,5 @@
+require 'active_support/inflector'
+
 module JsonApi
   module Parameters
     module Handlers
@@ -15,8 +17,10 @@ module JsonApi
 
             return ["#{singularize(relationship_key)}_id".to_sym, related_id] if included_object.empty?
 
-            included_object.delete(:type)
-            included_object = included_object[:attributes].merge(id: related_id)
+            included_object = { **(included_object[:attributes] || {}), id: related_id }.tap do |body|
+              body[:relationships] = included_object[:relationships] if included_object.key?(:relationships) # Pass nested relationships
+            end
+
             ["#{singularize(relationship_key)}_attributes".to_sym, included_object]
           end
         end

data/lib/jsonapi_parameters/handlers.rb

@@ -8,9 +8,9 @@ module JsonApi
       include DefaultHandlers
 
       DEFAULT_HANDLER_SET = {
-        to_many: ->(k, v, included) { ToManyRelationHandler.new(k, v, included).handle },
-        to_one: ->(k, v, included) { ToOneRelationHandler.new(k, v, included).handle },
-        nil: ->(k, v, included) { NilRelationHandler.new(k, v, included).handle }
+        to_many: ToManyRelationHandler,
+        to_one: ToOneRelationHandler,
+        nil: NilRelationHandler
       }.freeze
 
       module_function
@@ -29,7 +29,7 @@ module JsonApi
         resource_handlers[resource_key.to_sym] = handler_key.to_sym
       end
 
-      def reset_handlers!
+      def reset_handlers
         @handlers = DEFAULT_HANDLER_SET.dup
         @resource_handlers = {}
       end

data/lib/jsonapi_parameters/stack_limit.rb

@@ -0,0 +1,45 @@
+module JsonApi
+  module Parameters
+    LIMIT = 3
+
+    class StackLevelTooDeepError < StandardError
+    end
+
+    def stack_limit=(val)
+      @stack_limit = val
+    end
+
+    def stack_limit
+      @stack_limit || LIMIT
+    end
+
+    def reset_stack_limit
+      @stack_limit = LIMIT
+    end
+
+    private
+
+    def initialize_stack(custom_stack_limit)
+      @current_stack_level = 0
+      @stack_limit = custom_stack_limit
+    end
+
+    def increment_stack_level!
+      @current_stack_level += 1
+
+      raise StackLevelTooDeepError.new(stack_exception_message) if @current_stack_level > stack_limit
+    end
+
+    def decrement_stack_level
+      @current_stack_level -= 1
+    end
+
+    def reset_stack_level
+      @current_stack_level = 0
+    end
+
+    def stack_exception_message
+      "Stack level of nested payload is too deep: #{@current_stack_level}/#{stack_limit}. Please see the documentation on how to overwrite the limit."
+    end
+  end
+end

data/lib/jsonapi_parameters/translator.rb

@@ -3,7 +3,9 @@ require 'active_support/inflector'
 module JsonApi::Parameters
   include ActiveSupport::Inflector
 
-  def jsonapify(params, naming_convention: :snake)
+  def jsonapify(params, naming_convention: :snake, custom_stack_limit: stack_limit)
+    initialize_stack(custom_stack_limit)
+
     jsonapi_translate(params, naming_convention: naming_convention)
   end
 
@@ -15,7 +17,9 @@ module JsonApi::Parameters
     return params if params.nil? || params.empty?
 
     @jsonapi_unsafe_hash = if naming_convention != :snake || JsonApi::Parameters.ensure_underscore_translation
-                             params.deep_transform_keys { |key| key.to_s.underscore.to_sym }
+                             params = params.deep_transform_keys { |key| key.to_s.underscore.to_sym }
+                             params[:data][:type] = params[:data][:type].underscore if params.dig(:data, :type)
+                             params
                            else
                              params.deep_symbolize_keys
                            end
@@ -36,27 +40,11 @@ module JsonApi::Parameters
   def jsonapi_main_body
     jsonapi_unsafe_params.tap do |param|
       jsonapi_relationships.each do |relationship_key, relationship_value|
-        relationship_value = relationship_value[:data]
-        handler_args = [relationship_key, relationship_value, jsonapi_included]
-        handler = if Handlers.resource_handlers.key?(relationship_key)
-                    Handlers.handlers[Handlers.resource_handlers[relationship_key]]
-                  else
-                    case relationship_value
-                    when Array
-                      Handlers.handlers[:to_many]
-                    when Hash
-                      Handlers.handlers[:to_one]
-                    when nil
-                      Handlers.handlers[:nil]
-                    else
-                      raise NotImplementedError.new('relationship resource linkage has to be a type of Array, Hash or nil')
-                    end
-                  end
-
-        key, val = handler.call(*handler_args)
-        param[key] = val
+        param = handle_relationships(param, relationship_key, relationship_value)
       end
     end
+  ensure
+    reset_stack_level
   end
 
   def jsonapi_unsafe_params
@@ -67,11 +55,63 @@ module JsonApi::Parameters
     end
   end
 
+  def jsonapi_relationships
+    @jsonapi_relationships ||= @jsonapi_unsafe_hash.dig(:data, :relationships) || []
+  end
+
   def jsonapi_included
     @jsonapi_included ||= @jsonapi_unsafe_hash[:included] || []
   end
 
-  def jsonapi_relationships
-    @jsonapi_relationships ||= @jsonapi_unsafe_hash.dig(:data, :relationships) || []
+  def handle_relationships(param, relationship_key, relationship_value)
+    increment_stack_level!
+
+    relationship_value = relationship_value[:data]
+    handler_args = [relationship_key, relationship_value, jsonapi_included]
+    handler = if Handlers.resource_handlers.key?(relationship_key)
+                Handlers.handlers[Handlers.resource_handlers[relationship_key]]
+              else
+                case relationship_value
+                when Array
+                  Handlers.handlers[:to_many]
+                when Hash
+                  Handlers.handlers[:to_one]
+                when nil
+                  Handlers.handlers[:nil]
+                else
+                  raise NotImplementedError.new('relationship resource linkage has to be a type of Array, Hash or nil')
+                end
+              end
+
+    key, val = handler.call(*handler_args)
+
+    param[key] = handle_nested_relationships(val)
+
+    param
+  ensure
+    decrement_stack_level
+  end
+
+  def handle_nested_relationships(val)
+    # We can only consider Hash relationships (which imply to-one relationship) and Array relationships (which imply to-many).
+    # Each type has a different handling method, though in both cases we end up passing the nested relationship recursively to handle_relationship
+    # (and yes, this may go on indefinitely, basically we're going by the relationship levels, deeper and deeper)
+    case val
+    when Array
+      relationships_with_nested_relationships = val.select { |rel| rel.is_a?(Hash) && rel.dig(:relationships) }
+      relationships_with_nested_relationships.each do |relationship_with_nested_relationship|
+        relationship_with_nested_relationship.delete(:relationships).each do |rel_key, rel_val|
+          relationship_with_nested_relationship = handle_relationships(relationship_with_nested_relationship, rel_key, rel_val)
+        end
+      end
+    when Hash
+      if val.key?(:relationships)
+        val.delete(:relationships).each do |rel_key, rel_val|
+          val = handle_relationships(val, rel_key, rel_val)
+        end
+      end
+    end
+
+    val
   end
 end

data/lib/jsonapi_parameters/version.rb

@@ -1,5 +1,5 @@
 module JsonApi
   module Parameters
-    VERSION = '1.1.0'.freeze
+    VERSION = '2.3.0'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jsonapi_parameters
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Visuality
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-06 00:00:00.000000000 Z
+date: 2021-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -45,14 +45,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: '1.11'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: '1.11'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -327,6 +327,7 @@ files:
 - lib/jsonapi_parameters/default_handlers/to_one_relation_handler.rb
 - lib/jsonapi_parameters/handlers.rb
 - lib/jsonapi_parameters/parameters.rb
+- lib/jsonapi_parameters/stack_limit.rb
 - lib/jsonapi_parameters/translator.rb
 - lib/jsonapi_parameters/version.rb
 homepage: https://github.com/visualitypl/jsonapi_parameters
@@ -341,14 +342,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.4
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Translator for JSON:API compliant parameters