jsonapi_parameters 2.1.1 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5de39e34dba3594c8bf020543481daa14945aff005cc537068b6a6eb49c9c219
-  data.tar.gz: 941dea9a1145a4efd538795eb3280a5000c767b00b86be97353a320f5074042d
+  metadata.gz: 8bcf0cd62169a18d8f485540f7fe27e85d2ed8278121fe19309d149b5c59141a
+  data.tar.gz: eef89bf8b7061bf21add79bd09ce3b164c6b0d91e0d8db2898de99e231ab7d36
 SHA512:
-  metadata.gz: 8a0e1b627dc18c7aa8ccfcdee552a0cdef0ef767661f638e612ea03f020ae265a0402409bf440d5e9d2ce48448926f4e1cfd416d69760521203dd5c16de23cc4
-  data.tar.gz: fcc264b264836ce8925979fa053965a9b6ccdcc0b813040fe30b0ece91653f1390b94a7d546ab16060824043b33eb257a2ed9c3214e7fbe9fd0076319ab8a320
+  metadata.gz: fbb1868c672869c4e0b561012dba89ed444271bef9246be22df68b564e397e21d1058860ce5416748c5a662f960bbe5c424db56882e2163bc8ae6516861de00e
+  data.tar.gz: '0940555db68b3b48522dbb33d6f035334ff8b149731b71b597df5e148b0d0d900141dd5213202c76eac4a406b2721c273773a401d90ae94caf44ae90b7a0c34c'

data/README.md

@@ -93,7 +93,53 @@ translator.jsonapify(params)
 
 As [stated in the JSON:API specification](https://jsonapi.org/#mime-types) correct mime type for JSON:API input should be [`application/vnd.api+json`](http://www.iana.org/assignments/media-types/application/vnd.api+json). 
 
-This gems intention is to make input consumption as easy as possible. Hence, it [registers this mime type for you](lib/jsonapi_parameters/core_ext/action_dispatch/http/mime_type.rb). 
+This gem's intention is to make input consumption as easy as possible. Hence, it [registers this mime type for you](lib/jsonapi_parameters/core_ext/action_dispatch/http/mime_type.rb).
+
+## Stack limit
+
+In theory, any payload may consist of infinite amount of relationships (and so each relationship may have its own, included, infinite amount of nested relationships).
+Because of that, it is a potential vector of attack. 
+
+For this reason we have introduced a default limit of stack levels that JsonApi::Parameters will go down through while parsing the payloads. 
+
+This default limit is 3, and can be overwritten by specifying the custom limit.
+
+#### Ruby
+``` 
+class Translator
+    include JsonApi::Parameters
+end
+
+translator = Translator.new
+
+translator.jsonapify(custom_stack_limit: 4)
+
+# OR
+ 
+translator.stack_limit = 4
+translator.jsonapify.(...)
+``` 
+
+#### Rails
+```
+# config/initializers/jsonapi_parameters.rb
+
+def create_params
+    params.from_jsonapi(custom_stack_limit: 4).require(:user).permit(
+        entities_attributes: { subentities_attributes: { ... } }
+    )
+end
+
+# OR
+ 
+def create_params
+    params.stack_level = 4
+
+    params.from_jsonapi.require(:user).permit(entities_attributes: { subentities_attributes: { ... } })
+ensure
+    params.reset_stack_limit!
+end
+```
 
 ## Customization
 

data/lib/jsonapi_parameters.rb

@@ -2,6 +2,5 @@ require 'jsonapi_parameters/parameters'
 require 'jsonapi_parameters/handlers'
 require 'jsonapi_parameters/translator'
 require 'jsonapi_parameters/core_ext'
+require 'jsonapi_parameters/stack_limit'
 require 'jsonapi_parameters/version'
-
-require 'active_support/inflector'

data/lib/jsonapi_parameters/core_ext/action_controller/parameters.rb

@@ -9,7 +9,7 @@ class ActionController::Parameters
     from_jsonapi(*args)
   end
 
-  def from_jsonapi(naming_convention = :snake)
-    @from_jsonapi ||= self.class.new jsonapify(self, naming_convention: naming_convention)
+  def from_jsonapi(naming_convention = :snake, custom_stack_limit: stack_limit)
+    @from_jsonapi ||= self.class.new jsonapify(self, naming_convention: naming_convention, custom_stack_limit: custom_stack_limit)
   end
 end

data/lib/jsonapi_parameters/default_handlers/to_many_relation_handler.rb

@@ -1,3 +1,5 @@
+require 'active_support/inflector'
+
 module JsonApi
   module Parameters
     module Handlers
@@ -34,8 +36,9 @@ module JsonApi
               @with_inclusion &= !included_object.empty?
 
               if with_inclusion
-                included_object.delete(:type)
-                included_object[:attributes].merge(id: related_id)
+                { **(included_object[:attributes] || {}), id: related_id }.tap do |body|
+                  body[:relationships] = included_object[:relationships] if included_object.key?(:relationships) # Pass nested relationships
+                end
               else
                 relationship.dig(:id)
               end

data/lib/jsonapi_parameters/default_handlers/to_one_relation_handler.rb

@@ -1,3 +1,5 @@
+require 'active_support/inflector'
+
 module JsonApi
   module Parameters
     module Handlers
@@ -15,8 +17,10 @@ module JsonApi
 
             return ["#{singularize(relationship_key)}_id".to_sym, related_id] if included_object.empty?
 
-            included_object.delete(:type)
-            included_object = included_object[:attributes].merge(id: related_id)
+            included_object = { **(included_object[:attributes] || {}), id: related_id }.tap do |body|
+              body[:relationships] = included_object[:relationships] if included_object.key?(:relationships) # Pass nested relationships
+            end
+
             ["#{singularize(relationship_key)}_attributes".to_sym, included_object]
           end
         end

data/lib/jsonapi_parameters/handlers.rb

@@ -29,7 +29,7 @@ module JsonApi
         resource_handlers[resource_key.to_sym] = handler_key.to_sym
       end
 
-      def reset_handlers!
+      def reset_handlers
         @handlers = DEFAULT_HANDLER_SET.dup
         @resource_handlers = {}
       end

data/lib/jsonapi_parameters/stack_limit.rb

@@ -0,0 +1,45 @@
+module JsonApi
+  module Parameters
+    LIMIT = 3
+
+    class StackLevelTooDeepError < StandardError
+    end
+
+    def stack_limit=(val)
+      @stack_limit = val
+    end
+
+    def stack_limit
+      @stack_limit || LIMIT
+    end
+
+    def reset_stack_limit
+      @stack_limit = LIMIT
+    end
+
+    private
+
+    def initialize_stack(custom_stack_limit)
+      @current_stack_level = 0
+      @stack_limit = custom_stack_limit
+    end
+
+    def increment_stack_level!
+      @current_stack_level += 1
+
+      raise StackLevelTooDeepError.new(stack_exception_message) if @current_stack_level > stack_limit
+    end
+
+    def decrement_stack_level
+      @current_stack_level -= 1
+    end
+
+    def reset_stack_level
+      @current_stack_level = 0
+    end
+
+    def stack_exception_message
+      "Stack level of nested payload is too deep: #{@current_stack_level}/#{stack_limit}. Please see the documentation on how to overwrite the limit."
+    end
+  end
+end

data/lib/jsonapi_parameters/translator.rb

@@ -3,7 +3,9 @@ require 'active_support/inflector'
 module JsonApi::Parameters
   include ActiveSupport::Inflector
 
-  def jsonapify(params, naming_convention: :snake)
+  def jsonapify(params, naming_convention: :snake, custom_stack_limit: stack_limit)
+    initialize_stack(custom_stack_limit)
+
     jsonapi_translate(params, naming_convention: naming_convention)
   end
 
@@ -38,27 +40,11 @@ module JsonApi::Parameters
   def jsonapi_main_body
     jsonapi_unsafe_params.tap do |param|
       jsonapi_relationships.each do |relationship_key, relationship_value|
-        relationship_value = relationship_value[:data]
-        handler_args = [relationship_key, relationship_value, jsonapi_included]
-        handler = if Handlers.resource_handlers.key?(relationship_key)
-                    Handlers.handlers[Handlers.resource_handlers[relationship_key]]
-                  else
-                    case relationship_value
-                    when Array
-                      Handlers.handlers[:to_many]
-                    when Hash
-                      Handlers.handlers[:to_one]
-                    when nil
-                      Handlers.handlers[:nil]
-                    else
-                      raise NotImplementedError.new('relationship resource linkage has to be a type of Array, Hash or nil')
-                    end
-                  end
-
-        key, val = handler.call(*handler_args)
-        param[key] = val
+        param = handle_relationships(param, relationship_key, relationship_value)
       end
     end
+  ensure
+    reset_stack_level
   end
 
   def jsonapi_unsafe_params
@@ -69,11 +55,63 @@ module JsonApi::Parameters
     end
   end
 
+  def jsonapi_relationships
+    @jsonapi_relationships ||= @jsonapi_unsafe_hash.dig(:data, :relationships) || []
+  end
+
   def jsonapi_included
     @jsonapi_included ||= @jsonapi_unsafe_hash[:included] || []
   end
 
-  def jsonapi_relationships
-    @jsonapi_relationships ||= @jsonapi_unsafe_hash.dig(:data, :relationships) || []
+  def handle_relationships(param, relationship_key, relationship_value)
+    increment_stack_level!
+
+    relationship_value = relationship_value[:data]
+    handler_args = [relationship_key, relationship_value, jsonapi_included]
+    handler = if Handlers.resource_handlers.key?(relationship_key)
+                Handlers.handlers[Handlers.resource_handlers[relationship_key]]
+              else
+                case relationship_value
+                when Array
+                  Handlers.handlers[:to_many]
+                when Hash
+                  Handlers.handlers[:to_one]
+                when nil
+                  Handlers.handlers[:nil]
+                else
+                  raise NotImplementedError.new('relationship resource linkage has to be a type of Array, Hash or nil')
+                end
+              end
+
+    key, val = handler.call(*handler_args)
+
+    param[key] = handle_nested_relationships(val)
+
+    param
+  ensure
+    decrement_stack_level
+  end
+
+  def handle_nested_relationships(val)
+    # We can only consider Hash relationships (which imply to-one relationship) and Array relationships (which imply to-many).
+    # Each type has a different handling method, though in both cases we end up passing the nested relationship recursively to handle_relationship
+    # (and yes, this may go on indefinitely, basically we're going by the relationship levels, deeper and deeper)
+    case val
+    when Array
+      relationships_with_nested_relationships = val.select { |rel| rel.is_a?(Hash) && rel.dig(:relationships) }
+      relationships_with_nested_relationships.each do |relationship_with_nested_relationship|
+        relationship_with_nested_relationship.delete(:relationships).each do |rel_key, rel_val|
+          relationship_with_nested_relationship = handle_relationships(relationship_with_nested_relationship, rel_key, rel_val)
+        end
+      end
+    when Hash
+      if val.key?(:relationships)
+        val.delete(:relationships).each do |rel_key, rel_val|
+          val = handle_relationships(val, rel_key, rel_val)
+        end
+      end
+    end
+
+    val
   end
 end

data/lib/jsonapi_parameters/version.rb

@@ -1,5 +1,5 @@
 module JsonApi
   module Parameters
-    VERSION = '2.1.1'.freeze
+    VERSION = '2.2.0'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jsonapi_parameters
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.2.0
 platform: ruby
 authors:
 - Visuality
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-31 00:00:00.000000000 Z
+date: 2020-08-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -327,6 +327,7 @@ files:
 - lib/jsonapi_parameters/default_handlers/to_one_relation_handler.rb
 - lib/jsonapi_parameters/handlers.rb
 - lib/jsonapi_parameters/parameters.rb
+- lib/jsonapi_parameters/stack_limit.rb
 - lib/jsonapi_parameters/translator.rb
 - lib/jsonapi_parameters/version.rb
 homepage: https://github.com/visualitypl/jsonapi_parameters