merge_params 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3c1c70a888ac373aa3469a2f5c9363f40b201fdd
+  data.tar.gz: 465b22de3bebaef210a4ee8a5e94de389f38a099
+SHA512:
+  metadata.gz: e63a767704dd575d3376bff60cc895b182b43c88f8c549394b7dbeec777964d040b83a57dd8eee5326e6c534978859a70d44eac3bf4bca2fdcf234f711f6b80c
+  data.tar.gz: 3e57322d8275102875e4f313ad240dba635302f4fabb9d601d1c26d92fa59845f2039f7448e05819dd6ff01424b3af6dbfceba58790b3bebc514bf9a7ab24e20

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+Gemfile.lock

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.17.1

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in merge_params.gemspec
+gemspec

data/License

@@ -0,0 +1,18 @@
+Copyright (c) 2018 Tyler Rick
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/Readme.md

@@ -0,0 +1,84 @@
+# MergeParams
+
+## Why do we need it?
+
+Have you ever wanted to take the current route and change just one parameter in the route to
+generate a new route?
+
+For example, maybe you've tried to do something like this:
+
+```ruby
+  redirect_to url_for(params.merge(thing_id: thing.id));
+```
+
+or this:
+
+```ruby
+  link_to 'Download as CSV', params.merge(format: :csv)
+```
+
+If you have tried that, and you are on Rails 5.0 or later, then you have probably run into this
+error:
+
+  Attempting to generate a URL from non-sanitized request parameters! An attacker can
+  inject malicious data into the generated URL, such as changing the host.  Whitelist and sanitize
+  passed parameters to be secure.
+
+(See also: https://github.com/rails/rails/issues/26289)
+
+## How do I use it?
+
+Anywhere you would be tempted to do `params.merge(hash)`, just replace with `merge_params(hash)` or `merge_url_for(hash)`. For example:
+
+```ruby
+  link_to 'Download as CSV', merge_params(format: :csv)
+```
+
+```ruby
+  redirect_to merge_url_for(thing_id: thing.id);
+```
+
+## Is it guaranteed to be safe?
+
+No. While a best effort has been made to ensure unsafe params are not used to generate a URL, we may
+have overlooked something. Please review the code and the tests (coming soon) and open an issue if
+you find any security holes in this approach.
+
+## Other helpers
+
+Unlike `url_for_merge`, which tries to generate a route from the given params, sometimes you just
+want to add the given params to the "end" of the URL as part of the query string:
+
+```ruby
+add_params(key: 'value')
+# => "/current_path?key=value
+
+add_params({key: 'value'}, '/other_url')
+# => "/other_url?key=value
+```
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'merge_params'
+```
+
+Add this line to your `ApplicationController` (or whichever controller you want to have the
+helpers):
+
+```ruby
+  include MergeParams::Helpers
+```
+
+The helpers will be also be added with `helper_method` so that they are available for use in view
+templates as well.
+
+## Similar projects
+
+- [uri_query_merger](https://libraries.io/github/jordanmaguire/uri_query_merger)
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/TylerRick/merge_params.

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "merge_params"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/merge_params.rb

@@ -0,0 +1,8 @@
+require 'active_support'
+
+require 'merge_params/version'
+require 'merge_params/helpers'
+
+module MergeParams
+  autoload :Helpers, 'merge_params/helpers'
+end

data/lib/merge_params/helpers.rb

@@ -0,0 +1,97 @@
+require 'uri'
+
+module MergeParams::Helpers
+  extend ActiveSupport::Concern
+
+  # request.parameters but with symbolized keys.
+  def request_params
+    request.parameters.symbolize_keys
+  end
+
+  # request.parameters (which also includes POST params) but with only those keys that would
+  # normally be passed in a query string (without :controller, :action, :format) and with symbolized
+  # keys.
+  def query_params_from_request_params
+    request.parameters.symbolize_keys.
+      except(*request.path_parameters.symbolize_keys.keys)
+  end
+
+  # Returns a hash of params from the query string (https://en.wikipedia.org/wiki/Query_string),
+  # with symbolized keys.
+  def query_params
+    request.query_parameters.symbolize_keys
+  end
+
+  # Params that can safely be passed to url_for to build a route. (Used by merge_url_for.)
+  #
+  # We exclude RESERVED_OPTIONS such as :host because such options should only come from your app
+  # code. Allowing :host to be set via query params, for example, means a bad actor could cause
+  # links that go to a different site entirely:
+  #
+  # # Request for /things?host=somehackingsite.ru
+  # url_for(params) => "http://somehackingsite.ru/things"
+  #
+  # Similarly, the :controller and :action keys of `params` *never* come from the query string, but
+  # from `path_parameters`. (TODO: So why not just use params.except(...)?)
+  #
+  # TODO: Why not allow :format from params? To force people to use .:format? But doesn't that also
+  # come through as params?
+  #
+  # (And we don't even need to pass the path_parameters on to url_for because url_for already
+  # includes those (from :_recall)
+  #
+  def params_for_url_for
+    params.to_unsafe_h.symbolize_keys.except(
+      *ActionDispatch::Routing::RouteSet::RESERVED_OPTIONS,
+      :controller,
+      :action,
+      :format
+    )
+  end
+
+  # Safely merges the given params with the params from the current request
+  def merge_params(new_params = {})
+    params_for_url_for.merge(new_params)
+  end
+
+  # Safely merges the given params with the params from the current request, then generates a route
+  # from the merged params.
+  def merge_url_for(new_params = {})
+    url = url_for(merge_params(new_params))
+
+    # Now pass along in the *query string* any params that we couldn't pass to url_for because they
+    # were reserved options.
+    query_params_already_added = parse_nested_query(URI(url).query || '')
+    query_params_to_add = query_params.except(*query_params_already_added.keys)
+    add_params(query_params_to_add, url)
+  end
+
+  # Adds params to the query string
+  # (Unlike url_for_merge, which tries to generate a route from the params.)
+  # TODO: Should URL be first like https://libraries.io/github/jordanmaguire/uri_query_merger ?
+  #   UriQueryMerger.new("http://www.google.com?other=1", {jordan: "rules"}).merge
+  # Can we make it work that way when a URL is supplied buth otherwise let the params be the first
+  # and only argument (to optimize for that more common use case)?
+  def add_params(params = {}, url = request.fullpath)
+    uri = URI(url)
+    params    = parse_nested_query(uri.query || '').merge(params)
+    uri.query = Rack::Utils.build_nested_query(params)
+    uri.to_s
+  end
+
+  included do
+    helper_method(
+      :request_params,
+      :params_for_url_for,
+      :merge_params,
+      :merge_url_for,
+      :add_params
+    ) if respond_to?(:helper_method)
+  end
+
+private
+
+  def parse_nested_query(query)
+    Rack::Utils.parse_nested_query(query || '').symbolize_keys
+  end
+end

data/lib/merge_params/version.rb

@@ -0,0 +1,5 @@
+module MergeParams
+  def self.version
+    "0.1.0"
+  end
+end

data/merge_params.gemspec

@@ -0,0 +1,36 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "merge_params/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "merge_params"
+  spec.version       = MergeParams.version
+  spec.authors       = ["Tyler Rick"]
+  spec.email         = ["tyler@tylerrick.com"]
+  spec.license       = "MIT"
+
+  spec.summary       = %q{Safely merge params for use with url_for or for the query string}
+  spec.description   = spec.summary
+  spec.homepage      = "http://github.com/TylerRick/merge_params"
+
+  spec.metadata["homepage_uri"]    = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "TODO: Put your gem's Changelog.md URL here."
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 2.3.0"
+  spec.add_dependency "activesupport", [">= 4.2", "< 5.3"]
+  spec.add_dependency "actionpack", [">= 4.2", "< 5.3"]
+
+  spec.add_development_dependency "bundler", "~> 1.17"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

metadata

@@ -0,0 +1,142 @@
+--- !ruby/object:Gem::Specification
+name: merge_params
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tyler Rick
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-11-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.3'
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.3'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Safely merge params for use with url_for or for the query string
+email:
+- tyler@tylerrick.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- License
+- Rakefile
+- Readme.md
+- bin/console
+- bin/setup
+- lib/merge_params.rb
+- lib/merge_params/helpers.rb
+- lib/merge_params/version.rb
+- merge_params.gemspec
+homepage: http://github.com/TylerRick/merge_params
+licenses:
+- MIT
+metadata:
+  homepage_uri: http://github.com/TylerRick/merge_params
+  source_code_uri: http://github.com/TylerRick/merge_params
+  changelog_uri: 'TODO: Put your gem''s Changelog.md URL here.'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Safely merge params for use with url_for or for the query string
+test_files: []