rails_age 0.6.1 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 053d21a51d2e91cb61ea1678d2d84c05ac4a1a84a643334c4993df9f6ca9c3c0
-  data.tar.gz: 57f945d6055d9dca60414321e3f39dd09abfdb1a8f2a3a5fec0b4c5e3e9ee656
+  metadata.gz: '01018a3efe8d4cef46fce365b6fd442882d8bf4ff51e0ad3d3bdb235db80ebb7'
+  data.tar.gz: 69a20eb39f9609c6350463d6a391b7f08887079e51e56602a6357d914571ed8f
 SHA512:
-  metadata.gz: 017c585f995749dad85f341b41a01d2f94b0cc03fac6240d63e4755e8ab0c7148969793fbe9c308f13c0ea94d35eee3fb231516eb775817a53bef003843d41e4
-  data.tar.gz: 83760cc109544589665b7297776538f48f4ac0c14273455957e714ff6d9614e1a4e8d8ba862e39b8735a5f1e5a1f9c8ca5e429f1823aee8b98e38bad3dded2de
+  metadata.gz: cc2ea56dcb102213397ca5ffc19edc095341e51307b0500d0be7bc7595cb65f64e74c6490a678703f5faf903d0396010b63b8dd33e162ed218e038a4e95e05f5
+  data.tar.gz: 30e0472fb006bf883cb57a5c7406571d4fc4715a9d6d96e792dd5d3b4998e538eab74f809b5d384072d88e77ce2d6fb143cdb6a5c20fd044fd74673edd2bb13a

data/CHANGELOG.md

@@ -22,22 +22,34 @@
   * paths support
   * select attributes support
 
+## VERSION 0.8.0 - 2024-xx-xx
+
+breaking change?: namespaces (by default) will use their own schema? (add to database.yml & schema.rb ?)
+
+- **AGE Schema override**
+
+- **Multiple AGE Schema**
+
 ## VERSION 0.7.0 - 2024-xx-xx
 
 - **Age Path** - nodes and edges combined
   * add `rails generate apache_age:path_scaffold HasJob employee_role start_node:person end_node:company`
 
-## VERSION 0.6.3 - 2024-xx-xx
-
-breaking change?: namespaces (by default) will use their own schema? (add to database.yml & schema.rb ?)
 
-- **AGE Schema override**
+## VERSION 0.6.3 - 2024-xx-xx
 
-- **multiple AGE Schema**
+- **Query Sanitize**:
+  * reject attributes not defined in model
+  * sanitize strings using: id(find) = ?, 23 & find.first_name = ?, 'John'
 
-## VERSION 0.6.2 - 2024-xx-xx
+## VERSION 0.6.2 - 2024-09-30
 
 - **Query Sanitize**
+  * hashes sanitized
+
+- **TODO**:
+  * reject attributes not defined in model
+  * sanitize strings using: id(find) = ?, 23 & find.first_name = ?, 'John'
 
 ## VERSION 0.6.1 - 2024-09-29
 

data/README.md

@@ -387,7 +387,7 @@ query =
     .execute
 ```
 
-or more generally:
+or more generally (soon - not yet tested nor santized):
 
 ```ruby
 tihen =

data/lib/apache_age/entities/class_methods.rb

@@ -25,18 +25,20 @@ module ApacheAge
 
       # Private stuff
 
+      # used? or dead code?
       def where_edge(attributes)
         where_attribs =
           attributes
-          .compact
-          .except(:end_id, :start_id, :end_node, :start_node)
-          .map { |k, v| "find.#{k} = '#{v}'" }.join(' AND ')
+            .compact
+            .except(:end_id, :start_id, :end_node, :start_node)
+            .map { |k, v| ActiveRecord::Base.sanitize_sql(["find.#{k} = ?", v]) }
+            .join(' AND ')
         where_attribs = where_attribs.empty? ? nil : where_attribs
 
         end_id = attributes[:end_id] || attributes[:end_node]&.id
         start_id = attributes[:start_id] || attributes[:start_node]&.id
-        where_end_id = end_id ? "id(end_node) = #{end_id}" : nil
-        where_start_id = start_id ? "id(start_node) = #{start_id}" : nil
+        where_end_id = end_id ? ActiveRecord::Base.sanitize_sql(["id(end_node) = ?", end_id]) : nil
+        where_start_id = start_id ? ActiveRecord::Base.sanitize_sql(["id(start_node) = ?", start_id]) : nil
 
         where_clause = [where_attribs, where_start_id, where_end_id].compact.join(' AND ')
         return nil if where_clause.empty?
@@ -115,33 +117,41 @@ module ApacheAge
 
         end_id =
           if attributes[:end_id]
-            end_id = attributes[:end_id]
+            attributes[:end_id]
           elsif attributes[:end_node].is_a?(Node)
-            end_id = attributes[:end_node]&.id
+            attributes[:end_node]&.id
           end
-        where_end_id = end_id ? "id(end_node) = #{end_id}" : nil
+        where_end_id = end_id ? ActiveRecord::Base.sanitize_sql(["id(end_node) = ?", end_id]) : nil
 
         start_id =
           if attributes[:start_id]
-            start_id = attributes[:start_id]
+            attributes[:start_id]
           elsif attributes[:start_node].is_a?(Node)
-            start_id = attributes[:start_node]&.id
+            attributes[:start_node]&.id
           end
-        where_start_id = start_id ? "id(start_node) = #{start_id}" : nil
+        where_start_id = start_id ? ActiveRecord::Base.sanitize_sql(["id(start_node) = ?", start_id]) : nil
 
         where_end_attrs =
-          attributes[:end_node].map { |k, v| "end_node.#{k} = '#{v}'" } if attributes[:end_node].is_a?(Hash)
+          if attributes[:end_node].is_a?(Hash)
+            attributes[:end_node].map { |k, v| ActiveRecord::Base.sanitize_sql(["end_node.#{k} = ?", v]) }
+          end
         where_start_attrs =
-          attributes[:start_node].map { |k, v| "start_node.#{k} = '#{v}'" } if attributes[:start_node].is_a?(Hash)
+          if attributes[:start_node].is_a?(Hash)
+            attributes[:start_node].map { |k, v| ActiveRecord::Base.sanitize_sql(["start_node.#{k} = ?", v]) }
+          end
 
         [core_clauses, where_start_id, where_end_id, where_start_attrs, where_end_attrs]
           .flatten.compact.join(' AND ')
       end
 
+
       def build_core_where_clause(attributes)
         attributes
           .compact
-          .map { |k, v| k == :id ? "id(find) = #{v}" : "find.#{k} = '#{v}'"}
+          .map do |k, v|
+            query_string = k == :id ? "id(find) = #{v}" : "find.#{k} = '#{v}'"
+            ActiveRecord::Base.sanitize_sql([query_string, v])
+          end
           .join(' AND ')
       end
     end

data/lib/apache_age/entities/common_methods.rb

@@ -57,13 +57,14 @@ module ApacheAge
       def destroy
         match_clause = (age_type == 'vertex' ? "(done:#{age_label})" : "()-[done:#{age_label}]->()")
         delete_clause = (age_type == 'vertex' ? 'DETACH DELETE done' : 'DELETE done')
+        sanitized_id = ActiveRecord::Base.sanitize_sql(["id(done) = ?", id])
         cypher_sql =
           <<-SQL
           SELECT *
           FROM cypher('#{age_graph}', $$
               MATCH #{match_clause}
-              WHERE id(done) = #{id}
-   	          #{delete_clause}
+              WHERE #{sanitized_id}
+              #{delete_clause}
               return done
           $$) as (deleted agtype);
           SQL
@@ -99,7 +100,8 @@ module ApacheAge
       def properties_to_s
         string_values =
           age_properties.each_with_object([]) do |(key, val), array|
-            array << "#{key}: '#{val}'"
+            sanitized_val = ActiveRecord::Base.sanitize_sql(["?", val])
+            array << "#{key}: #{sanitized_val}"
           end
         "{#{string_values.join(', ')}}"
       end

data/lib/apache_age/entities/edge.rb

@@ -70,12 +70,25 @@ module ApacheAge
       def create_sql
         self.start_node = start_node.save unless start_node.persisted?
         self.end_node = end_node.save unless end_node.persisted?
+
+        start_node_age_label = ActiveRecord::Base.sanitize_sql(start_node.age_label)
+        end_node_age_label = ActiveRecord::Base.sanitize_sql(end_node.age_label)
+        sanitized_start_id = ActiveRecord::Base.sanitize_sql(["?", start_node.id])
+        sanitized_end_id = ActiveRecord::Base.sanitize_sql(["?", end_node.id])
+        # cant use sanitize_sql_like because it escapes the % and _ characters
+        # label_name = ActiveRecord::Base.sanitize_sql_like(age_label)
+
+        reject_keys = %i[id start_id end_id start_node end_node]
+        sanitized_properties =
+          self.to_h.reject { |k, _v| reject_keys.include?(k) }.reject { |_k, v| v.nil? }
+            .map { |k, v| "#{k}: #{ActiveRecord::Base.sanitize_sql(["?", v])}" }
+            .join(', ')
         <<-SQL
           SELECT *
           FROM cypher('#{age_graph}', $$
-              MATCH (from_node:#{start_node.age_label}), (to_node:#{end_node.age_label})
-              WHERE id(from_node) = #{start_node.id} and id(to_node) = #{end_node.id}
-              CREATE (from_node)-[edge#{self}]->(to_node)
+              MATCH (from_node:#{start_node_age_label}), (to_node:#{end_node_age_label})
+              WHERE id(from_node) = #{sanitized_start_id} AND id(to_node) = #{sanitized_end_id}
+              CREATE (from_node)-[edge:#{age_label} {#{sanitized_properties}}]->(to_node)
               RETURN edge
           $$) as (edge agtype);
         SQL
@@ -84,14 +97,24 @@ module ApacheAge
       # So far just properties of string type with '' around them
       def update_sql
         alias_name = age_alias || age_label.downcase
-        set_caluse =
-          age_properties.map { |k, v| v ? "#{alias_name}.#{k} = '#{v}'" : "#{alias_name}.#{k} = NULL" }.join(', ')
+        set_clause =
+          age_properties.map do |k, v|
+            if v
+              sanitized_value = ActiveRecord::Base.sanitize_sql(["?", v])
+              "#{alias_name}.#{k} = #{sanitized_value}"
+            else
+              "#{alias_name}.#{k} = NULL"
+            end
+          end.join(', ')
+
+        sanitized_id = ActiveRecord::Base.sanitize_sql(["?", id])
+
         <<-SQL
           SELECT *
           FROM cypher('#{age_graph}', $$
               MATCH ()-[#{alias_name}:#{age_label}]->()
-              WHERE id(#{alias_name}) = #{id}
-              SET #{set_caluse}
+              WHERE id(#{alias_name}) = #{sanitized_id}
+              SET #{set_clause}
               RETURN #{alias_name}
           $$) as (#{age_label} agtype);
         SQL

data/lib/apache_age/entities/entity.rb

@@ -3,14 +3,20 @@ module ApacheAge
     class Entity
       class << self
         def find_by(attributes)
-          where_clause = attributes.map { |k, v| "find.#{k} = '#{v}'" }.join(' AND ')
+          where_clause =
+            attributes
+              .map do |k, v|
+                if k == :id
+                  ActiveRecord::Base.sanitize_sql(["id(find) = ?", v])
+                else
+                  ActiveRecord::Base.sanitize_sql(["find.#{k} = ?", v])
+                end
+              end
+              .join(' AND ')
           handle_find(where_clause)
         end
 
-        def find(id)
-          where_clause = "id(find) = #{id}"
-          handle_find(where_clause)
-        end
+        def find(id) = find_by(id: id)
 
         private
 
@@ -46,19 +52,24 @@ module ApacheAge
           json_data = JSON.parse(json_string)
 
           age_label = json_data['label']
-          attribs = json_data.except('label', 'properties')
-                            .merge(json_data['properties'])
-                            .symbolize_keys
+          attribs =
+            json_data
+              .except('label', 'properties')
+              .merge(json_data['properties'])
+              .symbolize_keys
 
           "#{json_data['label'].gsub('__', '::')}".constantize.new(**attribs)
         end
 
         def find_sql(match_clause, where_clause)
+          sanitized_match_clause = ActiveRecord::Base.sanitize_sql(match_clause)
+          sanitized_where_clause = where_clause # Already sanitized in `find_by` or `find`
+
           <<-SQL
             SELECT *
             FROM cypher('#{age_graph}', $$
-                MATCH #{match_clause}
-                WHERE #{where_clause}
+                MATCH #{sanitized_match_clause}
+                WHERE #{sanitized_where_clause}
                 RETURN find
             $$) as (found agtype);
           SQL

data/lib/apache_age/entities/node.rb

@@ -25,11 +25,21 @@ module ApacheAge
       # RETURN company
       # $$) as (Company agtype);
       def create_sql
+        # can't use sanitiye without a solution for '_' in the alias name & label
+        # alias_name = ActiveRecord::Base.sanitize_sql_like(age_alias || age_label.downcase)
+        # label_name = ActiveRecord::Base.sanitize_sql_like(age_label)
+
         alias_name = age_alias || age_label.downcase
-        <<-SQL
+        sanitized_properties =
+          self
+            .to_h.reject { |k, v| k == :id }.reject { |k, v| v.nil? }
+            .map { |k, v| "#{k}: #{ActiveRecord::Base.sanitize_sql(["?", v])}" }
+            .join(', ')
+
+        <<~SQL.squish
           SELECT *
           FROM cypher('#{age_graph}', $$
-              CREATE (#{alias_name}#{self})
+              CREATE (#{alias_name}:#{age_label} {#{sanitized_properties}})
           RETURN #{alias_name}
           $$) as (#{age_label} agtype);
         SQL
@@ -37,19 +47,29 @@ module ApacheAge
 
       # So far just properties of string type with '' around them
       def update_sql
-        alias_name = age_alias || age_label.downcase
-        set_caluse =
-          age_properties.map { |k, v| v ? "#{alias_name}.#{k} = '#{v}'" : "#{alias_name}.#{k} = NULL" }.join(', ')
+        alias_name = ActiveRecord::Base.sanitize_sql_like(age_alias || age_label.downcase)
+        sanitized_set_clause = age_properties.map do |k, v|
+          if v
+            sanitized_value = ActiveRecord::Base.sanitize_sql(["?", v])
+            "#{alias_name}.#{k} = #{sanitized_value}"
+          else
+            "#{alias_name}.#{k} = NULL"
+          end
+        end.join(', ')
+
+        sanitized_id = ActiveRecord::Base.sanitize_sql(["?", id])
+
         <<-SQL
           SELECT *
           FROM cypher('#{age_graph}', $$
               MATCH (#{alias_name}:#{age_label})
-              WHERE id(#{alias_name}) = #{id}
-              SET #{set_caluse}
+              WHERE id(#{alias_name}) = #{sanitized_id}
+              SET #{sanitized_set_clause}
               RETURN #{alias_name}
           $$) as (#{age_label} agtype);
         SQL
       end
+
     end
   end
 end

data/lib/apache_age/entities/query_builder.rb

@@ -41,7 +41,10 @@ module ApacheAge
         self
       end
 
-      # need to handle string inputs too: ie: "id(find) = #{id}"
+      # TODO: need to handle string inputs too: instead of: \
+      # "id(find) = #{id}" & "find.name = #{name}"
+      # we can have: "id(find) = ?", id & "find.name = ?", name
+      # ActiveRecord::Base.sanitize_sql([query_string, v])
       def where(attributes)
         return self if attributes.blank?
 
@@ -112,21 +115,23 @@ module ApacheAge
 
       private
 
+      # TODO: ensure ordering keys are present in the model
       def parse_ordering(ordering)
         if ordering.is_a?(Hash)
-          # Convert hash into "find.key direction" format and join with commas
-          ordering = ordering.map { |k, v| "find.#{k} #{v}" }.join(', ')
+          ordering =
+            ordering
+              .map { |k, v| "find.#{k} #{ActiveRecord::Base.sanitize_sql_like(v.to_s)}" }
+              .join(', ')
         elsif ordering.is_a?(Symbol)
-          # If it's a symbol, simply prepend "find."
           ordering = "find.#{ordering}"
         elsif ordering.is_a?(String)
-          # If it's a string, assume it's already in the correct format
-          ordering = ordering
+          ordering
         elsif ordering.is_a?(Array)
-          # If it's an array, process each element recursively
           ordering = ordering.map do |order|
             if order.is_a?(Hash)
-              order.map { |k, v| "find.#{k} #{v}" }.join(', ')
+              order
+                .map { |k, v| "find.#{k} #{ActiveRecord::Base.sanitize_sql_like(v.to_s)}" }
+                .join(', ')
             elsif order.is_a?(Symbol)
               "find.#{order}"
             elsif order.is_a?(String)
@@ -154,6 +159,22 @@ module ApacheAge
           $$) AS (#{return_names.join(' agtype, ')} agtype);
         SQL
       end
+      # def build_query(_extra_clause = nil)
+      #   sanitized_where_sql = where_clauses.any? ? "WHERE #{where_clauses.map { |clause| ActiveRecord::Base.sanitize_sql_like(clause) }.join(' AND ')}" : ''
+      #   sanitized_order_by = order_clause.present? ? ActiveRecord::Base.sanitize_sql_like(order_clause) : ''
+      #   sanitized_limit_clause = limit_clause.present? ? ActiveRecord::Base.sanitize_sql_like(limit_clause) : ''
+
+      #   <<-SQL.squish
+      #     SELECT *
+      #     FROM cypher('#{graph_name}', $$
+      #         MATCH #{ActiveRecord::Base.sanitize_sql_like(match_clause)}
+      #         #{sanitized_where_sql}
+      #         RETURN #{ActiveRecord::Base.sanitize_sql_like(return_clause)}
+      #         #{sanitized_order_by}
+      #         #{sanitized_limit_clause}
+      #     $$) AS (#{return_names.map { |name| "#{ActiveRecord::Base.sanitize_sql_like(name)} agtype" }.join(', ')});
+      #   SQL
+      # end
     end
   end
 end

data/lib/rails_age/version.rb

@@ -1,3 +1,3 @@
 module RailsAge
-  VERSION = '0.6.1'
+  VERSION = '0.6.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_age
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.2
 platform: ruby
 authors:
 - Bill Tihen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-29 00:00:00.000000000 Z
+date: 2024-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -119,7 +119,6 @@ files:
 - lib/apache_age/entities/node.rb
 - lib/apache_age/entities/path.rb
 - lib/apache_age/entities/query_builder.rb
-- lib/apache_age/entities/vertex.rb
 - lib/apache_age/node.rb
 - lib/apache_age/path.rb
 - lib/apache_age/types/factory.rb

data/lib/apache_age/entities/vertex.rb

@@ -1,53 +0,0 @@
-# module ApacheAge
-#   module Entities
-#     module Vertex
-#       extend ActiveSupport::Concern
-
-#       included do
-#         include ActiveModel::Model
-#         include ActiveModel::Dirty
-#         include ActiveModel::Attributes
-
-#         attribute :id, :integer
-
-#         extend ApacheAge::Entities::ClassMethods
-#         include ApacheAge::Entities::CommonMethods
-#       end
-
-#       def age_type = 'vertex'
-
-#       # AgeSchema::Nodes::Company.create(company_name: 'Bedrock Quarry')
-#       # SELECT *
-#       # FROM cypher('age_schema', $$
-#       #     CREATE (company:Company {company_name: 'Bedrock Quarry'})
-#       # RETURN company
-#       # $$) as (Company agtype);
-#       def create_sql
-#         alias_name = age_alias || age_label.downcase
-#         <<-SQL
-#           SELECT *
-#           FROM cypher('#{age_graph}', $$
-#               CREATE (#{alias_name}#{self})
-#           RETURN #{alias_name}
-#           $$) as (#{age_label} agtype);
-#         SQL
-#       end
-
-#       # So far just properties of string type with '' around them
-#       def update_sql
-#         alias_name = age_alias || age_label.downcase
-#         set_caluse =
-#           age_properties.map { |k, v| v ? "#{alias_name}.#{k} = '#{v}'" : "#{alias_name}.#{k} = NULL" }.join(', ')
-#         <<-SQL
-#           SELECT *
-#           FROM cypher('#{age_graph}', $$
-#               MATCH (#{alias_name}:#{age_label})
-#               WHERE id(#{alias_name}) = #{id}
-#               SET #{set_caluse}
-#               RETURN #{alias_name}
-#           $$) as (#{age_label} agtype);
-#         SQL
-#       end
-#     end
-#   end
-# end