restful_query 0.4.0 → 0.5.0

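--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 6f782db244df437f5e1653556e54f629a2e7b1b6
-data.tar.gz: eb3fd20c0dde5cee15037b3b8ef220257d6e6329
+metadata.gz: 25b42eb97b49dbc1d08d730ad29113a888033813
+data.tar.gz: 11d809dc510245c2932677df4115d077f6d8c2a7
 SHA512:
-metadata.gz: 62fde767dcb820a0539c1e163fcf59b628e8c94a63b4f0c177d5f2165d85411b82bfe5d4a4730c53fcc1e85146663e087c8aea349e6d581ea8bae13efdd56e58
-data.tar.gz: fcca5416bbba463353a99f87fe7af42b567f933da4ea2d61a0b1458e92e6124052fde6b8ae93367c245858454c96e6d21a7062070790c7e464175be702b0ba61
+metadata.gz: 8bbe7feccab43431afd22e87a04b89c2c6d223ebe16804ff3389228be9f9ef5b78a11a4788a1d3b407000d4e56cb304e02ce6df7929f60710f3f2bdfde1fd074
+data.tar.gz: f37c120c774a0d580944f1a04c9dd604e2919d8745073c9fc5679b4a8dc833c76d789a2b54be692efa8a24481ef8f64643cc8bcbd06b4f59b0319d48bc7d624d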
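--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+- 1.9.3
+- 2.0.0
+- 2.1
+- 2.2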
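--- a/History.txt
+++ b/History.txt
@@ -1,3 +1,7 @@
+== 0.5.0 2015-10-07
+
+* Security Release: Fix for improperly escaped columns, could cause potential SQL injection attack depending on what params were being passed to restful query
+
 == 0.3.5 2011-08-15
 
 * Too quick to release the last one. Fixed now.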
@@ -5,7 +5,7 @@ require "active_support"
5
5
  require "chronic"
6
6
 
7
7
  module RestfulQuery
8
- VERSION = "0.4.0"
8
+ VERSION = "0.5.0"
9
9
 
10
10
  class Error < RuntimeError; end
11
11
  end
@@ -2,7 +2,7 @@ module RestfulQuery
2
2
  class InvalidOperator < Error; end;
3
3
 
4
4
  class Condition
5
- attr_reader :column, :value, :operator, :options
5
+ attr_reader :value, :operator, :options
6
6
 
7
7
  OPERATOR_MAPPING = {
8
8
  'lt' => '<',
@@ -80,6 +80,10 @@ module RestfulQuery
80
80
  def to_condition_array
81
81
  ["#{column} #{operator} #{placeholder}", value]
82
82
  end
83
+
84
+ def column
85
+ ActiveRecord::Base.connection.quote_column_name(@column)
86
+ end
83
87
 
84
88
  def placeholder
85
89
  if ['IN', 'NOT IN'].include?(operator)
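Review bot: `column` now reaches for `ActiveRecord::Base.connection` from the core `Condition` class, so building a condition string requires ActiveRecord to be loaded and connected even in a Sequel-only application, and the public `column` reader changes meaning from the raw name to a quoted identifier for every caller. Quoting belongs on the SQL-building path rather than on the accessor: keep `column` returning the raw name and interpolate a separate `quoted_column` in `to_condition_array`, e.g. `def quoted_column; ActiveRecord::Base.connection.quote_column_name(@column); end` and `["#{quoted_column} #{operator} #{placeholder}", value]`, so the adapter extensions only have to override `quoted_column`. Note also that `quote_column_name` treats its whole argument as one identifier, so a qualified `table.column` name — if the parser's column mapping admits one, which is not visible here — would be quoted as a single identifier and break the query. The `Condition` class begins in the earlier hunk and `placeholder` continues past this one.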
@@ -8,6 +8,12 @@ module RestfulQuery
8
8
  end
9
9
 
10
10
  end
11
+
12
+ class Condition
13
+ def column
14
+ DB.quote_identifier(@column)
15
+ end
16
+ end
11
17
  end
12
18
 
13
19
  module Sequel
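Review bot: the re-opened `Condition#column` quotes through a top-level `DB` constant that the gem itself never defines; it is an application-side Sequel convention, so an app that names its connection differently, or holds several, gets a `NameError` at query time instead of a quoted identifier. Prefer a database the library can reach on its own, for example `::Sequel::Model.db.quote_identifier(@column)` (the model-level default connection), or have the caller pass the `Sequel::Database` in. Because this re-opens `Condition` and replaces the `column` defined in the core class, requiring both the ActiveRecord and Sequel extensions leaves whichever file was loaded last deciding how every condition is quoted. The enclosing `module RestfulQuery` and the `Sequel` module that follows both start and end outside this hunk.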
@@ -2,16 +2,16 @@
2
2
  # DO NOT EDIT THIS FILE DIRECTLY
3
3
  # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
4
4
  # -*- encoding: utf-8 -*-
5
- # stub: restful_query 0.4.0 ruby lib
5
+ # stub: restful_query 0.5.0 ruby lib
6
6
 
7
7
  Gem::Specification.new do |s|
8
8
  s.name = "restful_query"
9
- s.version = "0.4.0"
9
+ s.version = "0.5.0"
10
10
 
11
11
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
12
12
  s.require_paths = ["lib"]
13
13
  s.authors = ["Aaron Quint"]
14
- s.date = "2015-02-27"
14
+ s.date = "2015-10-07"
15
15
  s.description = "RestfulQuery provides a simple interface in front of a complex parser to parse specially formatted query hashes into complex SQL queries. It includes ActiveRecord and Sequel extensions."
16
16
  s.email = "aaron@quirkey.com"
17
17
  s.extra_rdoc_files = [
@@ -19,6 +19,7 @@ Gem::Specification.new do |s|
19
19
  "README.rdoc"
20
20
  ]
21
21
  s.files = [
22
+ ".travis.yml",
22
23
  "Appraisals",
23
24
  "Gemfile",
24
25
  "History.txt",
@@ -43,7 +44,7 @@ Gem::Specification.new do |s|
43
44
  ]
44
45
  s.homepage = "https://github.com/quirkey/restful_query"
45
46
  s.licenses = ["MIT"]
46
- s.rubygems_version = "2.2.2"
47
+ s.rubygems_version = "2.4.5"
47
48
  s.summary = "Simple ActiveRecord and Sequel queries from a RESTful and safe interface"
48
49
 
49
50
  if s.respond_to? :specification_version then
@@ -11,7 +11,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
11
11
  end
12
12
 
13
13
  should "save column" do
14
- assert_equal 'created_at', @condition.column
14
+ assert_equal "'created_at'", @condition.column
15
15
  end
16
16
 
17
17
  should "save value" do
@@ -104,7 +104,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
104
104
  end
105
105
 
106
106
  should "include parens in placeholder" do
107
- assert_equal ["year IN (?)", ['1995', '2005', '2006']], @condition.to_condition_array
107
+ assert_equal ["'year' IN (?)", ['1995', '2005', '2006']], @condition.to_condition_array
108
108
  end
109
109
 
110
110
  context "when the value is already an array" do
@@ -150,7 +150,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
150
150
  end
151
151
 
152
152
  should "translate operator to LIKE" do
153
- assert_equal("title LIKE ?", @to_condition_array[0])
153
+ assert_equal("'title' LIKE ?", @to_condition_array[0])
154
154
  end
155
155
 
156
156
  end
@@ -165,7 +165,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
165
165
  end
166
166
 
167
167
  should "have conditional string first" do
168
- assert_equal 'title < ?', @to_condition[0]
168
+ assert_equal "'title' < ?", @to_condition[0]
169
169
  end
170
170
 
171
171
  should "have value as [1]" do
@@ -175,7 +175,17 @@ class RestfulQuery::ConditionTest < Minitest::Test
175
175
 
176
176
  context "to_hash" do
177
177
  should "return hash like params" do
178
- assert_equal({'title' => {'lt' => 'Bossman'}}, @condition.to_hash)
178
+ assert_equal({"'title'" => {'lt' => 'Bossman'}}, @condition.to_hash)
179
+ end
180
+ end
181
+
182
+ context "invalid Condition" do
183
+ setup do
184
+ @condition = RestfulQuery::Condition.new('title\'invalid', 'Bossman', 'lt')
185
+ end
186
+
187
+ should "escape column name" do
188
+ assert_equal("'title''invalid' < ?", @condition.to_condition_array[0])
179
189
  end
180
190
  end
181
191
  end
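Review bot: the `to_hash` expectation `assert_equal({"'title'" => {'lt' => 'Bossman'}}, @condition.to_hash)` now pins the quoted identifier as the hash key, which contradicts the test's own description "return hash like params": a params-shaped hash keyed by `'title'` is what a caller would feed back into the parser, and a key such as `"'title'"` will not round-trip. The new expectation reads as if `to_hash` (not visible in this diff) builds its key from the quoted `column`; it should use the raw `@column`, and the assertion should stay `assert_equal({'title' => {'lt' => 'Bossman'}}, @condition.to_hash)`. The added "escape column name" test only exercises the `PGAdapter` stub from the test helper, so it shows that the stub escapes a quote, not that a real adapter does.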
@@ -19,11 +19,21 @@ unless defined?(ActiveRecord)
19
19
 
20
20
  def named_scope(name, options = {})
21
21
  end
22
+
23
+ def connection
24
+ PGAdapter.new
25
+ end
22
26
  end
23
27
  self.pluralize_table_names = true
24
28
 
25
29
  include RestfulQuery::CanQuery
26
30
  end
31
+
32
+ class PGAdapter
33
+ def quote_column_name(column_name)
34
+ "'" + column_name.to_s.gsub(/'/, "''") + "'"
35
+ end
36
+ end
27
37
  end
28
38
  end
29
39
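Review bot: `PGAdapter#quote_column_name` wraps the name in single quotes and doubles embedded single quotes, which is string-literal quoting rather than identifier quoting — ActiveRecord's PostgreSQL adapter wraps identifiers in double quotes and doubles an embedded `"`. Every new expectation in the condition and parser tests (`"'created_at'"`, `"'section_id'"`, the `[a-z_']` character class) encodes the stub's format, so the suite passes while asserting SQL a real adapter would never produce and never covers the `"` character that real quoting has to escape. Make the stub mirror the real adapter, `'"' + column_name.to_s.gsub('"', '""') + '"'`, and move the expectations to double-quoted identifiers. The `unless defined?(ActiveRecord)` block and the fake model class enclosing these lines begin outside the hunk.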
 
@@ -163,7 +163,7 @@ class RestfulQuery::ParserTest < Minitest::Test
163
163
 
164
164
  should "map condition column" do
165
165
  assert @parser.conditions_for('section')
166
- assert_equal 'section_id', @parser.conditions_for('section').first.column
166
+ assert_equal "'section_id'", @parser.conditions_for('section').first.column
167
167
  end
168
168
 
169
169
  should "map sort column" do
@@ -329,7 +329,7 @@ class RestfulQuery::ParserTest < Minitest::Test
329
329
  assert @conditions.is_a?(Array)
330
330
  @conditions.each do |condition|
331
331
  assert condition.is_a?(RestfulQuery::Condition)
332
- assert_equal 'created_at', condition.column
332
+ assert_equal "'created_at'", condition.column
333
333
  end
334
334
  end
335
335
 
@@ -349,7 +349,7 @@ class RestfulQuery::ParserTest < Minitest::Test
349
349
  end
350
350
 
351
351
  should "include operators for all querys" do
352
- assert_match(/(([a-z_]) (\<|\>|\=|\<\=|\>\=) \? AND)+/,@conditions[0])
352
+ assert_match(/(([a-z_']) (\<|\>|\=|\<\=|\>\=) \? AND)+/,@conditions[0])
353
353
  end
354
354
 
355
355
  should "join query hash with AND" do
@@ -368,7 +368,7 @@ class RestfulQuery::ParserTest < Minitest::Test
368
368
  end
369
369
 
370
370
  should "join query hash with OR" do
371
- assert_match(/(([a-z_]) (\<|\>|\=|\<\=|\>\=) \? OR)+/,@conditions[0])
371
+ assert_match(/(([a-z_']) (\<|\>|\=|\<\=|\>\=) \? OR)+/,@conditions[0])
372
372
  end
373
373
  end
374
374
 
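--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: restful_query
 version: !ruby/object:Gem::Version
-version: 0.4.0
+version: 0.5.0
 platform: ruby
 authors:
 - Aaron Quint
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-02-27 00:00:00.000000000 Z
+date: 2015-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -110,6 +110,7 @@ extra_rdoc_files:
 - LICENSE
 - README.rdoc
 files:
+- ".travis.yml"
 - Appraisals
 - Gemfile
 - History.txt
@@ -151,7 +152,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: Simple ActiveRecord and Sequel queries from a RESTful and safe interface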