praxis 2.0.pre.12 → 2.0.pre.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cf4b54b686373509e0920a93d482e29f4c198491f88d382b6ff429e5128d6574
-  data.tar.gz: '08b2d7342069e8584676e03c828e144b99eb9282b193113b987d8060cb143cfd'
+  metadata.gz: c4be08481cbad0604fdb8e45dfc66aec895478a0b7578544b773af7fa6f3863f
+  data.tar.gz: 122625c252f5d9a2166e8958408bedf7ac5aee13500488e44c453ddeff3fbcc8
 SHA512:
-  metadata.gz: ef7cd7fe985d4af76cf7ec6459e58990b8dbc6f3c4fac5c26ce04d56e23a3d743a0f4bb776f4d5c913224e031567e9993ad52e611e4258ee853cdf86b3099255
-  data.tar.gz: f4fe45f97c9bc26aa513a24ee358b04dc114af0e7f4849071f699c0c22df460253452dd54e9bcb510fc4f977aa9104774f70c882f46b8aa937404e79814d6f3d
+  metadata.gz: 6472e4ef1f9ad601ed5c13774a336b93d52356a3a0bccb3a3707953658918a79457d314ceca1ce676a15f51c10bcebb4556388c95ba3aeca2cbec40625b13734
+  data.tar.gz: d8a4bad9469579530974d3c61d61fd7441b4e9d48d2ecb90ac81d4951cda0293428f750011e406e755103abb162b4fb1c60b87a584fe77da74c68dafaa997ecd

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## next
 
+## 2.0.pre.13
+
+* Fix filters parser regression, which would incorrectly decode url-encoded values
+
 ## 2.0.pre.12
 
 * Rebuilt API filters to support a much richer syntax. One can now use ANDs and ORs (with ANDs having order precedence), as well as group them with parenthesis. The same individual filter operands are supported. For example: 'email=*@gmail.com&(friends.first_name=Joe*,Patty|friends.last_name=Smith)

data/lib/praxis/extensions/attribute_filtering/filtering_params.rb

@@ -160,7 +160,8 @@ module Praxis
           return filters if filters.is_a?(native_type)
           return new if filters.nil? || filters.blank?
 
-          parsed = Parser.new.parse(CGI.unescape(filters))
+          parsed = Parser.new.parse(filters)
+          
           tree = ConditionGroup.load(parsed)
 
           rr = tree.flattened_conditions

data/lib/praxis/extensions/attribute_filtering/filters_parser.rb

@@ -24,9 +24,9 @@ module Praxis
               @values = if values.empty?
                 ""
               elsif values.size == 1
-                values.first[:value].to_s
+                CGI.unescape(values.first[:value].to_s)
               else
-                values.map{|e| e[:value].to_s}
+                values.map{|e| CGI.unescape(e[:value].to_s)}
               end
             else # No values for the operand
               @name = triad[:name].to_sym
@@ -36,7 +36,7 @@ module Praxis
               else
                 # Value operand without value? => convert it to empty string
                 raise "Interesting, didn't know this could happen. Oops!" if triad[:value].is_a?(Array) && !triad[:value].empty?
-                @values = (triad[:value] == []) ? '' : triad[:value].to_s # TODO: could this be an array (or it always comes the other if)
+                @values = (triad[:value] == []) ? '' : CGI.unescape(triad[:value].to_s) # TODO: could this be an array (or it always comes the other if)
               end
             end
           end

data/lib/praxis/version.rb

@@ -1,3 +1,3 @@
 module Praxis
-  VERSION = '2.0.pre.12'
+  VERSION = '2.0.pre.13'
 end

data/spec/praxis/extensions/attribute_filtering/filtering_params_spec.rb

@@ -7,15 +7,30 @@ describe Praxis::Extensions::AttributeFiltering::FilteringParams do
   context '.load' do
     subject { described_class.load(filters_string) }
 
-    it 'unescapes the URL encoded string' do
-        str = CGI.escape("one=fun!,Times,3&two>*|three<^%$#!st_uff")
+    context 'unescapes the URL encoded values' do
+      it 'for single values' do
+          str = "one=#{CGI.escape('*')}&two>#{CGI.escape('^%$#!st_uff')}|three<normal"
+          parsed = [
+            { name: :one, op: '=', value: '*'},
+            { name: :two, op: '>', value: '^%$#!st_uff'},
+            { name: :three, op: '<', value: 'normal'},
+          ]
+          expect(described_class.load(str).parsed_array.map{|i| i.slice(:name,:op,:value)}).to eq(parsed)
+      end
+      it 'each of the multi-values' do
+        escaped_one = [
+          CGI.escape('fun!'),
+          CGI.escape('Times'),
+          CGI.escape('~!@#$%^&*()_+-={}|[]\:";\'<>?,./`')
+        ].join(',')
+        str = "one=#{escaped_one}&two>normal"
         parsed = [
-          { name: :one, op: '=', value: ["fun!","Times","3"]},
-          { name: :two, op: '>', value: "*"},
-          { name: :three, op: '<', value: "^%$#!st_uff"},
+          { name: :one, op: '=', value: ['fun!','Times','~!@#$%^&*()_+-={}|[]\:";\'<>?,./`']},
+          { name: :two, op: '>', value: 'normal'},
         ]
         expect(described_class.load(str).parsed_array.map{|i| i.slice(:name,:op,:value)}).to eq(parsed)
     end
+    end
     context 'parses for operator' do
       described_class::VALUE_OPERATORS.each do |op|
         it "#{op}" do

data/spec/praxis/extensions/attribute_filtering/filters_parser_spec.rb

@@ -118,14 +118,23 @@ describe Praxis::Extensions::AttributeFiltering::FilteringParams::Parser do
         'cOrN.00copia.of_thinGs.42_here=1' => 'cOrN.00copia.of_thinGs.42_here=1',
       }
     end
-    context 'supports everything (except &|(),) for values' do
+    context 'supports everything (except &|(),) for values (even without encoding..not allowed, but just to ensure the parser does not bomb)' do
       it_behaves_like 'round-trip-properly', {
         'v=1123' => 'v=1123',
         'v=*foo*' => 'v=*foo*',
         'v=*^%$#@!foo' => 'v=*^%$#@!foo',
-        'v=_-+=\{}"?:><' => 'v=_-+=\{}"?:><',
-        'v=_-+=\{}"?:><,another_value!' => 'v=[_-+=\{}"?:><,another_value!]',
+        'v=_-=\{}"?:><' => 'v=_-=\{}"?:><',
+        'v=_-=\{}"?:><,another_value!' => 'v=[_-=\{}"?:><,another_value!]',
       }
     end
+    context 'properly handles url-encoded values' do
+      it_behaves_like 'round-trip-properly', {
+        "v=#{CGI.escape('1123')}" => 'v=1123',
+        "v=#{CGI.escape('*foo*')}" => 'v=*foo*',
+        "v=#{CGI.escape('*^%$#@!foo')}" => 'v=*^%$#@!foo',
+        "v=#{CGI.escape('~!@#$%^&*()_+-={}|[]\:";\'<>?,./`')}" => 'v=~!@#$%^&*()_+-={}|[]\:";\'<>?,./`',
+        "v=#{CGI.escape('_-+=\{}"?:><')},#{CGI.escape('another_value!')}" => 'v=[_-+=\{}"?:><,another_value!]',
+      }
+    end 
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: praxis
 version: !ruby/object:Gem::Version
-  version: 2.0.pre.12
+  version: 2.0.pre.13
 platform: ruby
 authors:
 - Josep M. Blanquer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-23 00:00:00.000000000 Z
+date: 2021-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack