search_cop 1.0.6 → 1.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8cb7e91b305057b2ea3df0c96643f8cd2cc726583f2362db9d576ef128826a75
+  data.tar.gz: 419ee38ec698795d478f7749486e63b533c9cc497057aa820b5627b343cbdeb4
+SHA512:
+  metadata.gz: 19b765a13b9a21a5b798b60618253729b4a8c1279babe47644d5c030b93b09c87706138ab11cd5bfd9daee757d8d04bff95fc1bc3ce50c5f6f7399aaaabc09d1
+  data.tar.gz: a65e72e3d6e5500b986bb312c45dbbd00432419b344765c71387432dd127efd5eb463cd42f71c3e405913a66b8d45201b9d909b9e66da17bf28f11ea3b7aa5c8

data/.github/workflows/test.yml

@@ -0,0 +1,42 @@
+name: test
+on: [push, pull_request]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: ["2.5", "2.6", "2.7"]
+        rails: ["rails5", "rails6"]
+        database: ["sqlite", "postgres", "mysql"]
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_USER: search_cop
+          POSTGRES_PASSWORD: secret
+          POSTGRES_DB: search_cop
+        ports:
+          - 5432:5432
+      mysql:
+        image: mysql
+        env:
+          MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
+          MYSQL_ROOT_PASSWORD: ""
+          MYSQL_DATABASE: search_cop
+        ports:
+          - 3306:3306
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: test
+        env:
+          DATABASE: ${{ matrix.database }}
+        run: |
+          gem install bundler
+          bundle config set --local gemfile "gemfiles/${{ matrix.rails }}.gemfile"
+          bundle config set --local path "../vendor/bundle"
+          bundle install
+          bundle exec rake test
+          bundle exec rubocop

data/.rubocop.yml

@@ -0,0 +1,128 @@
+AllCops:
+  NewCops: enable
+
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
+Style/CaseLikeIf:
+  Enabled: false
+
+Style/RedundantArgument:
+  Enabled: false
+
+Lint/EmptyBlock:
+  Enabled: false
+
+Layout/EmptyLineBetweenDefs:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Lint/RedundantRequireStatement:
+  Enabled: false
+
+Layout/ArgumentAlignment:
+  EnforcedStyle: with_fixed_indentation
+
+Layout/FirstArrayElementIndentation:
+  EnforcedStyle: consistent
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+
+Style/SpecialGlobalVars:
+  EnforcedStyle: use_english_names
+
+Security/Eval:
+  Enabled: false
+
+Style/WordArray:
+  EnforcedStyle: brackets
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/TrivialAccessors:
+  Enabled: false
+
+Style/Alias:
+  Enabled: false
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
+
+Metrics/ClassLength:
+  Enabled: false
+
+Naming/MethodParameterName:
+  Enabled: false
+
+Style/SymbolArray:
+  EnforcedStyle: brackets
+
+Layout/RescueEnsureAlignment:
+  Enabled: false
+
+Layout/LineLength:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/ModuleLength:
+  Enabled: false
+
+Style/ZeroLengthPredicate:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/BlockNesting:
+  Enabled: false
+
+Style/NumericPredicate:
+  Enabled: false
+
+Naming/AccessorMethodName:
+  Enabled: false
+
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/Documentation:
+  Enabled: false
+
+Naming/ConstantName:
+  Enabled: false
+
+Style/MutableConstant:
+  Enabled: false
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+Layout/ParameterAlignment:
+  EnforcedStyle: with_fixed_indentation
+
+Lint/UnusedMethodArgument:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/RedundantBegin:
+  Enabled: false

data/CHANGELOG.md

@@ -1,6 +1,37 @@
 
 # Changelog
 
+Version 1.2.0:
+
+* Added support for disabling the right wildcard
+* Fixed escaping of wildcard chars (`_`, `%`)
+
+Version 1.1.0:
+
+* Adds customizable default operator to concatenate conditions (#49)
+* Make the postgis adapter use the postgres extensions
+
+Version 1.0.9:
+
+* Use `[:blank:]` instead of `\s` for space (#46)
+* Updated `SearchCop::Visitors::Visitor` to check the connection's `adapter_name` when extending. (#47)
+* Fix for negative numeric values
+* allow searching for relative dates, like hours, days, weeks, months or years ago
+
+Version 1.0.8:
+
+* No longer add search scope methods globally #34
+
+Version 1.0.7:
+
+* Bugfix regarding `NOT` queries in fulltext mode #32
+* Safely handle `NULL` values for match queries
+* Added coalesce option
+
+Version 1.0.6:
+
+* Fixes a bug regarding date overflows in PostgreSQL
+
 Version 1.0.5:
 
 * Fixes a bug regarding quotation
@@ -32,7 +63,7 @@ Version 1.0.0:
 
 Version 0.0.5:
 
-* Supporting :default => false
+* Supporting `:default => false`
 * Datetime/Date greater operator fix
 * Use reflection to find associated models
 * Providing reflection
@@ -41,16 +72,16 @@ Version 0.0.4:
 
 * Fixed date attributes
 * Fail softly for mixed datatype attributes
-* Support custom table, class and alias names via attr_searchable_alias
+* Support custom table, class and alias names via `attr_searchable_alias`
 
 Version 0.0.3:
 
-* belongs_to association fixes
+* `belongs_to` association fixes
 
 Version 0.0.2:
 
 * Arel abstraction layer added
-* count() queries resulting in "Cannot visit AttrSearchableGrammar::Nodes..." fixed
+* `count()` queries resulting in "Cannot visit AttrSearchableGrammar::Nodes..." fixed
 * Better error messages
-* Model#unsafe_search added
+* `Model#unsafe_search` added
 

data/CONTRIBUTING.md

@@ -0,0 +1,18 @@
+
+# Contributing
+
+There are two ways to contribute: issues and pull requests.
+
+## Issues
+
+You are very welcome to submit a github issue in case you find a bug.
+The more detailed, the easier to reproduce. So please be verbose.
+
+## Pull Requests
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+

data/Gemfile

@@ -1,23 +1,10 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in search_cop.gemspec
 gemspec
 
-platforms :jruby do
-  gem 'activerecord-jdbcmysql-adapter'
-  gem 'activerecord-jdbcsqlite3-adapter'
-  gem 'activerecord-jdbcpostgresql-adapter'
-end
-
 platforms :ruby do
-  gem 'sqlite3'
-  gem 'mysql2'
-  gem 'pg'
+  gem "mysql2"
+  gem "pg"
+  gem "sqlite3"
 end
-
-platforms :rbx do
-  gem 'racc'
-  gem 'rubysl', '~> 2.0'
-  gem 'psych'
-end
-

data/README.md

@@ -1,8 +1,7 @@
 # SearchCop
 
-[![Build Status](https://secure.travis-ci.org/mrkamel/search_cop.png?branch=master)](http://travis-ci.org/mrkamel/search_cop)
+[![Build Status](https://github.com/mrkamel/search_cop/workflows/test/badge.svg?branch=master)](https://github.com/mrkamel/search_cop/actions?query=workflow%3Atest)
 [![Code Climate](https://codeclimate.com/github/mrkamel/search_cop.png)](https://codeclimate.com/github/mrkamel/search_cop)
-[![Dependency Status](https://gemnasium.com/mrkamel/search_cop.png?travis)](https://gemnasium.com/mrkamel/search_cop)
 [![Gem Version](https://badge.fury.io/rb/search_cop.svg)](http://badge.fury.io/rb/search_cop)
 
 ![search_cop](https://raw.githubusercontent.com/mrkamel/search_cop_logo/master/search_cop.png)
@@ -29,24 +28,17 @@ to make optimal use of them. Read more below.
 Complex hash-based queries are supported as well:
 
 ```ruby
-Book.search(:author => "Rowling", :title => "Harry Potter")
-Book.search(:or => [{:author => "Rowling"}, {:author => "Tolkien"}])
-Book.search(:and => [{:price => {:gt => 10}}, {:not => {:stock => 0}}, :or => [{:title => "Potter"}, {:author => "Rowling"}]])
-Book.search(:or => [{:query => "Rowling -Potter"}, {:query => "Tolkien -Rings"}])
+Book.search(author: "Rowling", title: "Harry Potter")
+Book.search(or: [{author: "Rowling"}, {author: "Tolkien"}])
+Book.search(and: [{price: {gt: 10}}, {not: {stock: 0}}, or: [{title: "Potter"}, {author: "Rowling"}]])
+Book.search(or: [{query: "Rowling -Potter"}, {query: "Tolkien -Rings"}])
+Book.search(title: {my_custom_sql_query: "Rowl"}})
 # ...
 ```
 
-## AttrSearchable is now SearchCop
-
-As the set of features of AttrSearchable grew and grew, it has been neccessary
-to change its DSL and name, as no `attr_searchable` method is present anymore.
-The new DSL is cleaner and more concise. Morever, the migration process is
-simple. Please take a look into the migration guide
-[MIGRATION.md](https://github.com/mrkamel/search_cop/blob/master/MIGRATION.md)
-
 ## Installation
 
-For Rails/ActiveRecord 3 (or 4), add this line to your application's Gemfile:
+Add this line to your application's Gemfile:
 
     gem 'search_cop'
 
@@ -69,8 +61,8 @@ class Book < ActiveRecord::Base
 
   search_scope :search do
     attributes :title, :description, :stock, :price, :created_at, :available
-    attributes :comment => ["comments.title", "comments.message"]
-    attributes :author => "author.name"
+    attributes comment: ["comments.title", "comments.message"]
+    attributes author: "author.name"
     # ...
   end
 
@@ -122,9 +114,27 @@ As `Book.search(...)` returns an `ActiveRecord::Relation`, you are free to pre-
 or post-process the search results in every possible way:
 
 ```ruby
-Book.where(:available => true).search("Harry Potter").order("books.id desc").paginate(:page => params[:page])
+Book.where(available: true).search("Harry Potter").order("books.id desc").paginate(page: params[:page])
 ```
 
+## Security
+
+When you pass a query string to SearchCop, it gets parsed, analyzed and mapped
+to finally build up an SQL query. To be more precise, when SearchCop parses the
+query, it creates objects (nodes), which represent the query expressions (And-,
+Or-, Not-, String-, Date-, etc Nodes). To build the SQL query, SearchCop uses
+the concept of visitors like e.g. used in
+[Arel](https://github.com/rails/arel), such that, for every node there must be
+a [visitor](https://github.com/mrkamel/search_cop/blob/master/lib/search_cop/visitors/visitor.rb),
+which transforms the node to SQL. When there is no visitor, an exception is
+raised when the query builder tries to "visit" the node. The visitors are
+responsible for sanitizing the user supplied input. This is primilarly done via
+quoting (string-, table-name-, column-quoting, etc). SearchCop is using the
+methods provided by the ActiveRecord connection adapter for sanitizing/quoting
+to prevent SQL injection. While we can never be 100% safe from security issues,
+SearchCop takes security issues seriously. Please report responsibly via
+security at flakks dot com in case you find any security related issues.
+
 ## Fulltext index capabilities
 
 By default, i.e. if you don't tell SearchCop about your fulltext indices,
@@ -172,12 +182,12 @@ search in, such that SearchCop must no longer search within all fields:
 
 ```ruby
 search_scope :search do
-  attributes :all => [:author, :title]
+  attributes all: [:author, :title]
 
-  options :all, :type => :fulltext, :default => true
+  options :all, :type => :fulltext, default: true
 
-  # Use :default => true to explicitly enable fields as default fields (whitelist approach)
-  # Use :default => false to explicitly disable fields as default fields (blacklist approach)
+  # Use default: true to explicitly enable fields as default fields (whitelist approach)
+  # Use default: false to explicitly disable fields as default fields (blacklist approach)
 end
 ```
 
@@ -255,6 +265,23 @@ Regarding compound indices for PostgreSQL, use:
 ActiveRecord::Base.connection.execute "CREATE INDEX fulltext_index_books_on_title ON books USING GIN(to_tsvector('simple', author || ' ' || title))"
 ```
 
+To handle NULL values with PostgreSQL correctly, use COALESCE both at index
+creation time and when specifying the `search_scope`:
+
+```ruby
+ActiveRecord::Base.connection.execute "CREATE INDEX fulltext_index_books_on_title ON books USING GIN(to_tsvector('simple', COALESCE(author, '') || ' ' || COALESCE(title, '')))"
+```
+
+plus:
+
+```ruby
+search_scope :search do
+  attributes :title
+
+  options :title, :type => :fulltext, coalesce: true
+end
+```
+
 To use another PostgreSQL dictionary than `simple`, you have to create the
 index accordingly and you need tell SearchCop about it, e.g.:
 
@@ -262,7 +289,7 @@ index accordingly and you need tell SearchCop about it, e.g.:
 search_scope :search do
   attributes :title
 
-  options :title, :type => :fulltext, :dictionary => "english"
+  options :title, :type => :fulltext, dictionary: "english"
 end
 ```
 
@@ -273,7 +300,7 @@ For more details about PostgreSQL fulltext indices visit
 
 In case you expose non-fulltext attributes to search queries (price, stock,
 etc.), the respective queries, like `Book.search("stock > 0")`, will profit
-from from the usual non-fulltext indices. Thus, you should add a usual index on
+from the usual non-fulltext indices. Thus, you should add a usual index on
 every column you expose to search queries plus a fulltext index for every
 fulltext attribute.
 
@@ -289,7 +316,7 @@ class User < ActiveRecord::Base
   search_scope :search do
     attributes :username
 
-    options :username, :left_wildcard => false
+    options :username, left_wildcard: false
   end
 
   # ...
@@ -302,6 +329,51 @@ User.search("admin")
 # ... WHERE users.username LIKE 'admin%'
 ```
 
+Similarly, you can disable the right wildcard as well:
+
+```ruby
+search_scope :search do
+  attributes :username
+
+  options :username, right_wildcard: false
+end
+```
+
+## Default operator
+
+When you define multiple fields on a search scope, SearcCop will use
+by default the AND operator to concatenate the conditions, e.g:
+
+```ruby
+class User < ActiveRecord::Base
+  include SearchCop
+
+  search_scope :search do
+    attributes :username, :fullname
+  end
+
+  # ...
+end
+```
+
+So a search like `User.search("something")` will generate a query
+with the following conditions:
+
+```sql
+... WHERE username LIKE '%something%' AND fullname LIKE '%something%'
+```
+
+However, there are cases where using AND as the default operator is not desired,
+so SearchCop allows you to override it and use OR as the default operator instead.
+A query like `User.search("something", default_operator: :or)` will
+generate the query using OR to concatenate the conditions
+
+```sql
+... WHERE username LIKE '%something%' OR fullname LIKE '%something%'
+```
+
+Finally, please note that you can apply it to fulltext indices/queries as well.
+
 ## Associations
 
 If you specify searchable attributes from another model, like
@@ -313,7 +385,7 @@ class Book < ActiveRecord::Base
   belongs_to :author
 
   search_scope :search do
-    attributes :author => "author.name"
+    attributes author: "author.name"
   end
 
   # ...
@@ -347,13 +419,13 @@ class Book < ActiveRecord::Base
   # ...
 
   search_scope :search do
-    attributes :similar => ["similar_books.title", "similar_books.description"]
+    attributes similar: ["similar_books.title", "similar_books.description"]
 
     scope do
       joins "left outer join books similar_books on ..."
     end
 
-    aliases :similar_books => Book # Tell SearchCop how to map SQL aliases to models
+    aliases similar_books: Book # Tell SearchCop how to map SQL aliases to models
   end
 
   # ...
@@ -370,7 +442,7 @@ class Book < ActiveRecord::Base
   has_many :users, :through => :comments
 
   search_scope :search do
-    attributes :user => "users.username"
+    attributes user: "users.username"
   end
 
   # ...
@@ -393,7 +465,7 @@ class Book < ActiveRecord::Base
   belongs_to :user
 
   search_scope :search do
-    attributes :user => ["user.username", "users_books.username"]
+    attributes user: ["user.username", "users_books.username"]
   end
 
   # ...
@@ -431,12 +503,48 @@ Query string queries support `AND/and`, `OR/or`, `:`, `=`, `!=`, `<`, `<=`,
 and `matches`, `OR` has precedence over `AND`. `NOT` can only be used as infix
 operator regarding a single attribute.
 
-Hash based queries support `:and => [...]` and `:or => [...]`, which take an array
-of `:not => {...}`, `:matches => {...}`, `:eq => {...}`, `:not_eq => {...}`,
-`:lt => {...}`, `:lteq => {...}`, `:gt => {...}`, `:gteq => {...}` and `:query => "..."`
-arguments. Moreover, `:query => "..."` makes it possible to create sub-queries.
+Hash based queries support `and: [...]` and `or: [...]`, which take an array
+of `not: {...}`, `matches: {...}`, `eq: {...}`, `not_eq: {...}`,
+`lt: {...}`, `lteq: {...}`, `gt: {...}`, `gteq: {...}` and `query: "..."`
+arguments. Moreover, `query: "..."` makes it possible to create sub-queries.
 The other rules for query string queries apply to hash based queries as well.
 
+### Custom operators (Hash based queries)
+
+SearchCop also provides the ability to define custom operators by defining a
+`generator` in `search_scope`. They can then be used with the hash based query
+search. This is useful when you want to use database operators that are not
+supported by SearchCop.
+
+Please note, when using generators, you are responsible for sanitizing/quoting
+the values (see example below). Otherwise your generator will allow SQL
+injection. Thus, please only use generators if you know what you're doing.
+
+For example, if you wanted to perform a `LIKE` query where a book title starts
+with a string, you can define the search scope like so:
+
+```ruby
+search_scope :search do
+  attributes :title
+
+  generator :starts_with do |column_name, raw_value|
+    pattern = "#{raw_value}%"
+    "#{column_name} LIKE #{quote pattern}"
+  end
+end
+```
+
+When you want to perform the search you use it like this:
+
+```ruby
+Book.search(title: { starts_with: "The Great" })
+```
+
+Security Note: The query returned from the generator will be interpolated
+directly into the query that goes to your database. This opens up a potential
+SQL Injection point in your app. If you use this feature you'll want to make
+sure the query you're returning is safe to execute.
+
 ## Mapping
 
 When searching in boolean, datetime, timestamp, etc. fields, SearchCop
@@ -521,7 +629,7 @@ class Product < ActiveRecord::Base
   search_scope :search do
     attributes :title, :description
 
-    options :title, :default => true
+    options :title, default: true
   end
 end