restful_query 0.4.0 → 0.5.0

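--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 6f782db244df437f5e1653556e54f629a2e7b1b6
- data.tar.gz: eb3fd20c0dde5cee15037b3b8ef220257d6e6329
+ metadata.gz: 25b42eb97b49dbc1d08d730ad29113a888033813
+ data.tar.gz: 11d809dc510245c2932677df4115d077f6d8c2a7
  SHA512:
- metadata.gz: 62fde767dcb820a0539c1e163fcf59b628e8c94a63b4f0c177d5f2165d85411b82bfe5d4a4730c53fcc1e85146663e087c8aea349e6d581ea8bae13efdd56e58
- data.tar.gz: fcca5416bbba463353a99f87fe7af42b567f933da4ea2d61a0b1458e92e6124052fde6b8ae93367c245858454c96e6d21a7062070790c7e464175be702b0ba61
+ metadata.gz: 8bbe7feccab43431afd22e87a04b89c2c6d223ebe16804ff3389228be9f9ef5b78a11a4788a1d3b407000d4e56cb304e02ce6df7929f60710f3f2bdfde1fd074
+ data.tar.gz: f37c120c774a0d580944f1a04c9dd604e2919d8745073c9fc5679b4a8dc833c76d789a2b54be692efa8a24481ef8f64643cc8bcbd06b4f59b0319d48bc7d624d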
@@ -0,0 +1,6 @@
1
+ language: ruby
2
+ rvm:
3
+ - 1.9.3
4
+ - 2.0.0
5
+ - 2.1
6
+ - 2.2
@@ -1,3 +1,7 @@
1
+ == 0.5.0 2015-10-07
2
+
3
+ * Security Release: Fix for improperly escaped columns, could cause potential SQL injection attack depending on what params were being passed to restful query
4
+
1
5
  == 0.3.5 2011-08-15
2
6
 
3
7
  * Too quick to release the last one. Fixed now.
@@ -5,7 +5,7 @@ require "active_support"
5
5
  require "chronic"
6
6
 
7
7
  module RestfulQuery
8
- VERSION = "0.4.0"
8
+ VERSION = "0.5.0"
9
9
 
10
10
  class Error < RuntimeError; end
11
11
  end
@@ -2,7 +2,7 @@ module RestfulQuery
2
2
  class InvalidOperator < Error; end;
3
3
 
4
4
  class Condition
5
- attr_reader :column, :value, :operator, :options
5
+ attr_reader :value, :operator, :options
6
6
 
7
7
  OPERATOR_MAPPING = {
8
8
  'lt' => '<',
@@ -80,6 +80,10 @@ module RestfulQuery
80
80
  def to_condition_array
81
81
  ["#{column} #{operator} #{placeholder}", value]
82
82
  end
83
+
84
+ def column
85
+ ActiveRecord::Base.connection.quote_column_name(@column)
86
+ end
83
87
 
84
88
  def placeholder
85
89
  if ['IN', 'NOT IN'].include?(operator)
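Review bot: The `column` method added at line 84 calls `ActiveRecord::Base.connection.quote_column_name(@column)` unconditionally from the gem's core `Condition` class, so a process that loaded only the Sequel side of the gem raises a NameError on `ActiveRecord` the first time `column` (and therefore `to_condition_array`) runs, unless an extension has already redefined the method. With `attr_reader :column` gone, every reader of the column now receives the SQL-quoted form, and the updated condition test at line 178 shows `to_hash` emitting `"'title'"` as its key, so the hash no longer round-trips as params. I would keep `column` as the raw attribute, quote only where the SQL fragment is assembled, e.g. `["#{quoted_column} #{operator} #{placeholder}", value]` with a small `quoted_column` method that delegates to the adapter, and let the extensions override `quoted_column` instead. The `Condition` class starts and ends outside this hunk.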
@@ -8,6 +8,12 @@ module RestfulQuery
8
8
  end
9
9
 
10
10
  end
11
+
12
+ class Condition
13
+ def column
14
+ DB.quote_identifier(@column)
15
+ end
16
+ end
11
17
  end
12
18
 
13
19
  module Sequel
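Review bot: `DB.quote_identifier(@column)` at line 14 depends on a top-level `DB` constant that the gem never defines; it is only a naming convention in Sequel applications, and because this reopening sits inside `module RestfulQuery` the reference would also be captured by any `RestfulQuery::DB`. Since no model instance is in scope here, `::Sequel::Model.db.quote_identifier(@column)` ties the quoting to the database Sequel actually configured rather than to an app-level global; the leading `::` matters because the `module Sequel` at line 19 would otherwise shadow the gem's namespace inside this file. Note too that this reopening and the core `Condition` class (the hunk adding `ActiveRecord::Base.connection.quote_column_name`) both define `Condition#column`, so when both extensions are required the last `require` wins silently. The enclosing module definitions start before this hunk.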
@@ -2,16 +2,16 @@
2
2
  # DO NOT EDIT THIS FILE DIRECTLY
3
3
  # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
4
4
  # -*- encoding: utf-8 -*-
5
- # stub: restful_query 0.4.0 ruby lib
5
+ # stub: restful_query 0.5.0 ruby lib
6
6
 
7
7
  Gem::Specification.new do |s|
8
8
  s.name = "restful_query"
9
- s.version = "0.4.0"
9
+ s.version = "0.5.0"
10
10
 
11
11
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
12
12
  s.require_paths = ["lib"]
13
13
  s.authors = ["Aaron Quint"]
14
- s.date = "2015-02-27"
14
+ s.date = "2015-10-07"
15
15
  s.description = "RestfulQuery provides a simple interface in front of a complex parser to parse specially formatted query hashes into complex SQL queries. It includes ActiveRecord and Sequel extensions."
16
16
  s.email = "aaron@quirkey.com"
17
17
  s.extra_rdoc_files = [
@@ -19,6 +19,7 @@ Gem::Specification.new do |s|
19
19
  "README.rdoc"
20
20
  ]
21
21
  s.files = [
22
+ ".travis.yml",
22
23
  "Appraisals",
23
24
  "Gemfile",
24
25
  "History.txt",
@@ -43,7 +44,7 @@ Gem::Specification.new do |s|
43
44
  ]
44
45
  s.homepage = "https://github.com/quirkey/restful_query"
45
46
  s.licenses = ["MIT"]
46
- s.rubygems_version = "2.2.2"
47
+ s.rubygems_version = "2.4.5"
47
48
  s.summary = "Simple ActiveRecord and Sequel queries from a RESTful and safe interface"
48
49
 
49
50
  if s.respond_to? :specification_version then
@@ -11,7 +11,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
11
11
  end
12
12
 
13
13
  should "save column" do
14
- assert_equal 'created_at', @condition.column
14
+ assert_equal "'created_at'", @condition.column
15
15
  end
16
16
 
17
17
  should "save value" do
@@ -104,7 +104,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
104
104
  end
105
105
 
106
106
  should "include parens in placeholder" do
107
- assert_equal ["year IN (?)", ['1995', '2005', '2006']], @condition.to_condition_array
107
+ assert_equal ["'year' IN (?)", ['1995', '2005', '2006']], @condition.to_condition_array
108
108
  end
109
109
 
110
110
  context "when the value is already an array" do
@@ -150,7 +150,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
150
150
  end
151
151
 
152
152
  should "translate operator to LIKE" do
153
- assert_equal("title LIKE ?", @to_condition_array[0])
153
+ assert_equal("'title' LIKE ?", @to_condition_array[0])
154
154
  end
155
155
 
156
156
  end
@@ -165,7 +165,7 @@ class RestfulQuery::ConditionTest < Minitest::Test
165
165
  end
166
166
 
167
167
  should "have conditional string first" do
168
- assert_equal 'title < ?', @to_condition[0]
168
+ assert_equal "'title' < ?", @to_condition[0]
169
169
  end
170
170
 
171
171
  should "have value as [1]" do
@@ -175,7 +175,17 @@ class RestfulQuery::ConditionTest < Minitest::Test
175
175
 
176
176
  context "to_hash" do
177
177
  should "return hash like params" do
178
- assert_equal({'title' => {'lt' => 'Bossman'}}, @condition.to_hash)
178
+ assert_equal({"'title'" => {'lt' => 'Bossman'}}, @condition.to_hash)
179
+ end
180
+ end
181
+
182
+ context "invalid Condition" do
183
+ setup do
184
+ @condition = RestfulQuery::Condition.new('title\'invalid', 'Bossman', 'lt')
185
+ end
186
+
187
+ should "escape column name" do
188
+ assert_equal("'title''invalid' < ?", @condition.to_condition_array[0])
179
189
  end
180
190
  end
181
191
  end
@@ -19,11 +19,21 @@ unless defined?(ActiveRecord)
19
19
 
20
20
  def named_scope(name, options = {})
21
21
  end
22
+
23
+ def connection
24
+ PGAdapter.new
25
+ end
22
26
  end
23
27
  self.pluralize_table_names = true
24
28
 
25
29
  include RestfulQuery::CanQuery
26
30
  end
31
+
32
+ class PGAdapter
33
+ def quote_column_name(column_name)
34
+ "'" + column_name.to_s.gsub(/'/, "''") + "'"
35
+ end
36
+ end
27
37
  end
28
38
  end
29
39
 
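Review bot: The `PGAdapter#quote_column_name` stub at lines 32–36 wraps the name in single quotes and doubles embedded `'`, which is how a SQL string literal is quoted, not an identifier; ActiveRecord's PostgreSQL adapter quotes column names with double quotes. Every assertion rewritten to the `"'created_at'"` form in the condition and parser test hunks (lines 14, 107, 153, 168, 178 and 188 of the condition test, 166 and 332 of the parser test) therefore pins the stub's output, and the suite cannot tell identifier quoting apart from literal quoting — `'title' < ?` compares a constant with the bound value on a real adapter, yet it is exactly what these expectations accept. Making the stub mimic identifier quoting, `'"' + column_name.to_s.gsub('"', '""') + '"'`, and adjusting the expectations to match would keep the new escape test meaningful. The `unless defined?(ActiveRecord)` block this stub lives in starts outside the hunk.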
@@ -163,7 +163,7 @@ class RestfulQuery::ParserTest < Minitest::Test
163
163
 
164
164
  should "map condition column" do
165
165
  assert @parser.conditions_for('section')
166
- assert_equal 'section_id', @parser.conditions_for('section').first.column
166
+ assert_equal "'section_id'", @parser.conditions_for('section').first.column
167
167
  end
168
168
 
169
169
  should "map sort column" do
@@ -329,7 +329,7 @@ class RestfulQuery::ParserTest < Minitest::Test
329
329
  assert @conditions.is_a?(Array)
330
330
  @conditions.each do |condition|
331
331
  assert condition.is_a?(RestfulQuery::Condition)
332
- assert_equal 'created_at', condition.column
332
+ assert_equal "'created_at'", condition.column
333
333
  end
334
334
  end
335
335
 
@@ -349,7 +349,7 @@ class RestfulQuery::ParserTest < Minitest::Test
349
349
  end
350
350
 
351
351
  should "include operators for all querys" do
352
- assert_match(/(([a-z_]) (\<|\>|\=|\<\=|\>\=) \? AND)+/,@conditions[0])
352
+ assert_match(/(([a-z_']) (\<|\>|\=|\<\=|\>\=) \? AND)+/,@conditions[0])
353
353
  end
354
354
 
355
355
  should "join query hash with AND" do
@@ -368,7 +368,7 @@ class RestfulQuery::ParserTest < Minitest::Test
368
368
  end
369
369
 
370
370
  should "join query hash with OR" do
371
- assert_match(/(([a-z_]) (\<|\>|\=|\<\=|\>\=) \? OR)+/,@conditions[0])
371
+ assert_match(/(([a-z_']) (\<|\>|\=|\<\=|\>\=) \? OR)+/,@conditions[0])
372
372
  end
373
373
  end
374
374
 
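--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: restful_query
  version: !ruby/object:Gem::Version
- version: 0.4.0
+ version: 0.5.0
  platform: ruby
  authors:
  - Aaron Quint
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-02-27 00:00:00.000000000 Z
+ date: 2015-10-07 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -110,6 +110,7 @@ extra_rdoc_files:
  - LICENSE
  - README.rdoc
  files:
+ - ".travis.yml"
  - Appraisals
  - Gemfile
  - History.txt
@@ -151,7 +152,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.2.2
+ rubygems_version: 2.4.5
  signing_key:
  specification_version: 4
  summary: Simple ActiveRecord and Sequel queries from a RESTful and safe interface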