RubyGems - order_as_specified - Versions diffs - 1.1 → 1.2 - Mend

order_as_specified 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -1
data/README.md +36 -0
data/lib/order_as_specified/version.rb +1 -1
data/lib/order_as_specified.rb +4 -3
data/order_as_specified.gemspec +1 -1
data/spec/postgresql_spec.rb +26 -0
data/spec/shared/order_as_specified_examples.rb +50 -0
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c3348c26ab12edd7c9a4066c710b0cc914974946
-  data.tar.gz: 10b274073cfa67a6237afe207f3df7ae7141fddf
+  metadata.gz: 69bf1783284bb4738f7c5a3d189e122d3f5f00a2
+  data.tar.gz: 6c9f53fe8658d25a1d44dc9cd120d8eda8d62537
 SHA512:
-  metadata.gz: 4a8cb8f25341c51ede2a157a997c41bafe0f4c1ba2174e727f7c9f4b35ffb39f86c5d229cd614a25967eda34e731ae9704c2f372f12d77a9bda5a2261b67ea45
-  data.tar.gz: 92fce24b220e4a658da7eb7c6be5520f532935806793f2d145b190e4db7b85190d7b39bc14f4c6782e79b708ff1433c616623d760a56cd7d46f78438dd8c7a1e
+  metadata.gz: 9f971220e0601e197de6ca6d16e5275db283f9d4c895953801220c527725242dd6a6401e94d73346555b4e0c7548893403dfc6538a91d8db9baf796db6aa13fa
+  data.tar.gz: 8f9dba4933b6c521c4a7dbfdbac6c7a23e2bd374151862ee1166ef2c916ebfa2dcf1a02975f3d51ec0abff5ca27002ec7ea5eb143546480cc3c21bdf50166777

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,24 @@
+# 1.2
+This release contains an important change: `order_as_specified` is no longer
+vulnerable to SQL injection attacks. Big thanks to
+[Anthony Mangano](https://github.com/wangteji) for finding and fixing this
+issue.
+In addition, this release corrects an error in the `.gemspec`—this gem relies on
+ActiveRecord >= 4.0.1, not 4.0.0.
+# 1.1
+This release contains several minor changes:
+- Tests now run against Ruby 2.2.5 and 2.3.1 and Rails 4.2 and 5.0.
+- A code change was made to fix a Rails 5 deprecation warning.
 # 1.0
-We've hit our first major release! This release contains **no** breaking changes. The changes:
+We've hit our first major release! This release contains **no** breaking
+changes. The changes:
 - Added `:distinct_on` option. [[#3](https://github.com/panorama-ed/order_as_specified/issues/3)]
 - Improved error message for `nil` arguments. [[#8](https://github.com/panorama-ed/order_as_specified/pull/8)]

data/README.md CHANGED Viewed

@@ -80,6 +80,42 @@ TestObject.
    ]>
 ```
+We can use chaining in this way to order by multiple attributes as well:
+```ruby
+TestObject.
+  order_as_specified(language: ["es", "en"]).
+  order_as_specified(id: [4, 3, 5]).
+  order(:updated_at)
+=> #<ActiveRecord::Relation [
+  # First is language "es"...
+     #<TestObject id: 1, language: "es", updated_at: "2016-08-01 02:22:00">,
+    # Within the language, we order by :updated_at...
+     #<TestObject id: 2, language: "es", updated_at: "2016-08-01 07:29:07">,
+  # Then language "en"...
+     #<TestObject id: 9, language: "en", updated_at: "2016-08-03 04:11:26">,
+    # Within the language, we order by :updated_at...
+     #<TestObject id: 8, language: "en", updated_at: "2016-08-04 18:52:14">,
+  # Then id 4...
+     #<TestObject id: 4, language: "fr", updated_at: "2016-08-01 12:59:33">,
+  # Then id 3...
+     #<TestObject id: 3, language: "ar", updated_at: "2016-08-02 19:41:44">,
+  # Then id 5...
+     #<TestObject id: 5, language: "ar", updated_at: "2016-08-02 22:12:52">,
+  # Then we order by :updated_at...
+     #<TestObject id: 7, language: "fr", updated_at: "2016-08-02 14:27:16">,
+     #<TestObject id: 6, language: "ar", updated_at: "2016-08-03 14:26:06">,
+   ]>
+```
 We can also use this when we want to sort by an attribute in another model:
 ```ruby

data/lib/order_as_specified/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module OrderAsSpecified
-  VERSION = "1.1"
+  VERSION = "1.2"
 end

data/lib/order_as_specified.rb CHANGED Viewed

@@ -13,8 +13,8 @@ module OrderAsSpecified
     distinct_on = hash.delete(:distinct_on)
     params = extract_params(hash)
-    table = params[:table]
-    attribute = params[:attribute]
+    table = connection.quote_table_name(params[:table])
+    attribute = connection.quote_column_name(params[:attribute])
     # We have to explicitly quote for now because SQL sanitization for ORDER BY
     # queries isn't in less current versions of Rails.
@@ -22,7 +22,8 @@ module OrderAsSpecified
     conditions = params[:values].map do |value|
       raise OrderAsSpecified::Error, "Cannot order by `nil`" if value.nil?
-      "#{table}.#{attribute}='#{value}'"
+      # Sanitize each value to reduce the risk of SQL injection.
+      "#{table}.#{attribute}=#{sanitize(value)}"
     end
     scope = order(conditions.map { |cond| "#{cond} DESC" }.join(", "))

data/order_as_specified.gemspec CHANGED Viewed

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
-  spec.add_dependency "activerecord", ">= 4.0"
+  spec.add_dependency "activerecord", ">= 4.0.1"
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "codeclimate-test-reporter", "~> 0.4"

data/spec/postgresql_spec.rb CHANGED Viewed

@@ -28,5 +28,31 @@ RSpec.describe "PostgreSQL" do
     it "returns distinct objects" do
       expect(subject.length).to eq 3
     end
+    context "input safety" do
+      before(:each) { TestClass.create(field: "foo") }
+      it "sanitizes column values" do
+        # Attempt to inject code to add a 'hi' field to each record. If the SQL inputs
+        # are properly sanitized, the code will be ignored and the returned model
+        # instances will not respond to #hi. If not, the code will execute and
+        # each of the returned model instances will have a #hi method to access the
+        # new field.
+        bad_value = "foo') field, 'hi'::varchar AS hi FROM test_classes --"
+        record = TestClass.order_as_specified(distinct_on: true, field: [bad_value]).to_a.first
+        expect(record).to_not respond_to(:hi)
+      end
+      it "quotes column and table names" do
+        table = "association_test_classes"
+        quoted_table = AssociationTestClass.connection.quote_table_name(table)
+        column = "id"
+        quoted_column = AssociationTestClass.connection.quote_column_name(column)
+        sql = TestClass.order_as_specified(distinct_on: true, table => { column => ["foo"] }).to_sql
+        expect(sql).to include("DISTINCT ON (#{quoted_table}.#{quoted_column}")
+      end
+    end
   end
 end

data/spec/shared/order_as_specified_examples.rb CHANGED Viewed

@@ -30,6 +30,24 @@ RSpec.shared_examples ".order_as_specified" do
         to eq [*shuffled_object_ids, omitted_object.id]
     end
+    context "when the order is chained with other orderings" do
+      subject do
+        TestClass.
+          order_as_specified(field: shuffled_object_fields.take(3)).
+          order(:id)
+      end
+      it "returns results in the given order by multiple fields" do
+        shuffled_objects # Build these objects first.
+        omitted_object # Build an object that isn't sorted in this list.
+        expect(subject.map(&:id)).to eq [
+          *shuffled_object_ids.take(3),
+          *shuffled_object_ids.drop(3).sort,
+          omitted_object.id
+        ]
+      end
+    end
     context "when the order includes nil" do
       let(:shuffled_objects) do
         5.times.map do |i|
@@ -77,4 +95,36 @@ RSpec.shared_examples ".order_as_specified" do
         to eq [*shuffled_object_ids, omitted_object.id]
     end
   end
+  context "input safety" do
+    before(:each) do
+      2.times { |i| TestClass.create(field: "foo#{i}") }
+    end
+    it "sanitizes column values" do
+      # Verify that the result set includes two records when using good column value.
+      good_value = "foo"
+      records = TestClass.order_as_specified(field: [good_value]).to_a
+      expect(records.count).to eq(2)
+      # Attempt to inject a LIMIT clause into the query. If the SQL inputs are
+      # properly sanitized, it will be ignored and the returned result set will
+      # include two records. If not, the LIMIT clause will execute and the result
+      # set will include just one record.
+      bad_value = "' LIMIT 1 --"
+      records = TestClass.order_as_specified(field: [bad_value]).to_a
+      expect(records.count).to eq(2)
+    end
+    it "quotes column and table names" do
+      table = "association_test_classes"
+      quoted_table = AssociationTestClass.connection.quote_table_name(table)
+      column = "id"
+      quoted_column = AssociationTestClass.connection.quote_column_name(column)
+      sql = TestClass.order_as_specified(table => { column => ["foo"] }).to_sql
+      expect(sql).to include("ORDER BY #{quoted_table}.#{quoted_column}")
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: order_as_specified
 version: !ruby/object:Gem::Version
-  version: '1.1'
+  version: '1.2'
 platform: ruby
 authors:
 - Jacob Evelyn
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-07-13 00:00:00.000000000 Z
+date: 2016-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 4.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 4.0.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement