search_cop 1.0.9 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: ec8667b85e0e2df63ebb83e3d4af5319e52483b9
-  data.tar.gz: 0a1fd1d2c76c9395ac50adc9e1139dbc58ea2cd5
+SHA256:
+  metadata.gz: 07623ce75206a9b6b4455141697c09782649b05f1073ec27c965a7a4fdf2862a
+  data.tar.gz: 5adef700f6a6514d0d1de0b1f17958d03ecacc0a0f83df57de5aff480bc96da5
 SHA512:
-  metadata.gz: ca9b2397fb9bd9b7e3b339f001c58b36c42be50f5a9314094735f6633bb75cb26a91b9e08120a10750653ae5067a82eda96d2a562cff31b92ea3aaa390487c51
-  data.tar.gz: 6479e2365da9aa3ae8c9a9f6587c6f00a0f0c7d2546d05438dc4738eb810b5eed9a0d5ff432b91a1a9757486d99f795e86f556d55e379a4ce240ed21d89714de
+  metadata.gz: fbe73b6ec59b87263d9bfd7d4740618deab1dd7d4867dcb39a864e75db8614f08beed34518477791dd3d66f10ee8461a1282a3d81d35ee17b2a7de26d8c995cf
+  data.tar.gz: c131ea06253e994bc5550570708cc5dc973b5392ca208020de08c3384153492c0bc9820438fc0d32c596ec46f27c9982b445d98b80363a89764b6461a4a35706

data/.github/workflows/test.yml

@@ -0,0 +1,50 @@
+name: test
+on: [push, pull_request]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.6", "2.7", "3.0", "3.1"]
+        rails: ["rails5", "rails6", "rails7"]
+        database: ["sqlite", "postgres", "mysql"]
+        exclude:
+          - ruby: "3.0"
+            rails: "rails5"
+          - ruby: "3.1"
+            rails: "rails5"
+          - ruby: "2.6"
+            rails: "rails7"
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_USER: search_cop
+          POSTGRES_PASSWORD: secret
+          POSTGRES_DB: search_cop
+        ports:
+          - 5432:5432
+      mysql:
+        image: mysql
+        env:
+          MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
+          MYSQL_ROOT_PASSWORD: ""
+          MYSQL_DATABASE: search_cop
+        ports:
+          - 3306:3306
+    steps:
+      - uses: actions/checkout@v1
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: test
+        env:
+          DATABASE: ${{ matrix.database }}
+        run: |
+          gem install bundler
+          bundle config set --local gemfile "gemfiles/${{ matrix.rails }}.gemfile"
+          bundle config set --local path "../vendor/bundle"
+          bundle install
+          bundle exec rake test
+          bundle exec rubocop

data/.rubocop.yml

@@ -0,0 +1,134 @@
+AllCops:
+  NewCops: enable
+
+Gemspec/RequireMFA:
+  Enabled: false
+
+Style/FetchEnvVar:
+  Enabled: false
+
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
+Style/CaseLikeIf:
+  Enabled: false
+
+Style/RedundantArgument:
+  Enabled: false
+
+Lint/EmptyBlock:
+  Enabled: false
+
+Layout/EmptyLineBetweenDefs:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Lint/RedundantRequireStatement:
+  Enabled: false
+
+Layout/ArgumentAlignment:
+  EnforcedStyle: with_fixed_indentation
+
+Layout/FirstArrayElementIndentation:
+  EnforcedStyle: consistent
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+
+Style/SpecialGlobalVars:
+  EnforcedStyle: use_english_names
+
+Security/Eval:
+  Enabled: false
+
+Style/WordArray:
+  EnforcedStyle: brackets
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/TrivialAccessors:
+  Enabled: false
+
+Style/Alias:
+  Enabled: false
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
+
+Metrics/ClassLength:
+  Enabled: false
+
+Naming/MethodParameterName:
+  Enabled: false
+
+Style/SymbolArray:
+  EnforcedStyle: brackets
+
+Layout/RescueEnsureAlignment:
+  Enabled: false
+
+Layout/LineLength:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/ModuleLength:
+  Enabled: false
+
+Style/ZeroLengthPredicate:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/BlockNesting:
+  Enabled: false
+
+Style/NumericPredicate:
+  Enabled: false
+
+Naming/AccessorMethodName:
+  Enabled: false
+
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/Documentation:
+  Enabled: false
+
+Naming/ConstantName:
+  Enabled: false
+
+Style/MutableConstant:
+  Enabled: false
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+Layout/ParameterAlignment:
+  EnforcedStyle: with_fixed_indentation
+
+Lint/UnusedMethodArgument:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/RedundantBegin:
+  Enabled: false

data/CHANGELOG.md

@@ -1,14 +1,36 @@
 
 # Changelog
 
+Version 1.2.1:
+
+* Fix use of `table_name` to work with inherited models
+* Fix linter, add ruby 3 and rails 7 to ci pipeline
+
+Version 1.2.0:
+
+* Added support for disabling the right wildcard
+* Fixed escaping of wildcard chars (`_`, `%`)
+
+Version 1.1.0:
+
+* Adds customizable default operator to concatenate conditions (#49)
+* Make the postgis adapter use the postgres extensions
+
+Version 1.0.9:
+
+* Use `[:blank:]` instead of `\s` for space (#46)
+* Updated `SearchCop::Visitors::Visitor` to check the connection's `adapter_name` when extending. (#47)
+* Fix for negative numeric values
+* allow searching for relative dates, like hours, days, weeks, months or years ago
+
 Version 1.0.8:
 
 * No longer add search scope methods globally #34
 
 Version 1.0.7:
 
-* Bugfix regarding NOT queries in fulltext mode #32
-* Safely handle NULL values for match queries
+* Bugfix regarding `NOT` queries in fulltext mode #32
+* Safely handle `NULL` values for match queries
 * Added coalesce option
 
 Version 1.0.6:
@@ -46,7 +68,7 @@ Version 1.0.0:
 
 Version 0.0.5:
 
-* Supporting :default => false
+* Supporting `:default => false`
 * Datetime/Date greater operator fix
 * Use reflection to find associated models
 * Providing reflection
@@ -55,16 +77,16 @@ Version 0.0.4:
 
 * Fixed date attributes
 * Fail softly for mixed datatype attributes
-* Support custom table, class and alias names via attr_searchable_alias
+* Support custom table, class and alias names via `attr_searchable_alias`
 
 Version 0.0.3:
 
-* belongs_to association fixes
+* `belongs_to` association fixes
 
 Version 0.0.2:
 
 * Arel abstraction layer added
-* count() queries resulting in "Cannot visit AttrSearchableGrammar::Nodes..." fixed
+* `count()` queries resulting in "Cannot visit AttrSearchableGrammar::Nodes..." fixed
 * Better error messages
-* Model#unsafe_search added
+* `Model#unsafe_search` added
 

data/Gemfile

@@ -1,23 +1,10 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in search_cop.gemspec
 gemspec
 
-platforms :jruby do
-  gem 'activerecord-jdbcmysql-adapter'
-  gem 'activerecord-jdbcsqlite3-adapter'
-  gem 'activerecord-jdbcpostgresql-adapter'
-end
-
 platforms :ruby do
-  gem 'sqlite3'
-  gem 'mysql2'
-  gem 'pg'
+  gem "mysql2"
+  gem "pg"
+  gem "sqlite3"
 end
-
-platforms :rbx do
-  gem 'racc'
-  gem 'rubysl', '~> 2.0'
-  gem 'psych'
-end
-

data/README.md

@@ -1,8 +1,7 @@
 # SearchCop
 
-[![Build Status](https://secure.travis-ci.org/mrkamel/search_cop.png?branch=master)](http://travis-ci.org/mrkamel/search_cop)
+[![Build Status](https://github.com/mrkamel/search_cop/workflows/test/badge.svg?branch=master)](https://github.com/mrkamel/search_cop/actions?query=workflow%3Atest)
 [![Code Climate](https://codeclimate.com/github/mrkamel/search_cop.png)](https://codeclimate.com/github/mrkamel/search_cop)
-[![Dependency Status](https://gemnasium.com/mrkamel/search_cop.png?travis)](https://gemnasium.com/mrkamel/search_cop)
 [![Gem Version](https://badge.fury.io/rb/search_cop.svg)](http://badge.fury.io/rb/search_cop)
 
 ![search_cop](https://raw.githubusercontent.com/mrkamel/search_cop_logo/master/search_cop.png)
@@ -118,6 +117,24 @@ or post-process the search results in every possible way:
 Book.where(available: true).search("Harry Potter").order("books.id desc").paginate(page: params[:page])
 ```
 
+## Security
+
+When you pass a query string to SearchCop, it gets parsed, analyzed and mapped
+to finally build up an SQL query. To be more precise, when SearchCop parses the
+query, it creates objects (nodes), which represent the query expressions (And-,
+Or-, Not-, String-, Date-, etc Nodes). To build the SQL query, SearchCop uses
+the concept of visitors like e.g. used in
+[Arel](https://github.com/rails/arel), such that, for every node there must be
+a [visitor](https://github.com/mrkamel/search_cop/blob/master/lib/search_cop/visitors/visitor.rb),
+which transforms the node to SQL. When there is no visitor, an exception is
+raised when the query builder tries to "visit" the node. The visitors are
+responsible for sanitizing the user supplied input. This is primilarly done via
+quoting (string-, table-name-, column-quoting, etc). SearchCop is using the
+methods provided by the ActiveRecord connection adapter for sanitizing/quoting
+to prevent SQL injection. While we can never be 100% safe from security issues,
+SearchCop takes security issues seriously. Please report responsibly via
+security at flakks dot com in case you find any security related issues.
+
 ## Fulltext index capabilities
 
 By default, i.e. if you don't tell SearchCop about your fulltext indices,
@@ -283,7 +300,7 @@ For more details about PostgreSQL fulltext indices visit
 
 In case you expose non-fulltext attributes to search queries (price, stock,
 etc.), the respective queries, like `Book.search("stock > 0")`, will profit
-from from the usual non-fulltext indices. Thus, you should add a usual index on
+from the usual non-fulltext indices. Thus, you should add a usual index on
 every column you expose to search queries plus a fulltext index for every
 fulltext attribute.
 
@@ -312,6 +329,51 @@ User.search("admin")
 # ... WHERE users.username LIKE 'admin%'
 ```
 
+Similarly, you can disable the right wildcard as well:
+
+```ruby
+search_scope :search do
+  attributes :username
+
+  options :username, right_wildcard: false
+end
+```
+
+## Default operator
+
+When you define multiple fields on a search scope, SearcCop will use
+by default the AND operator to concatenate the conditions, e.g:
+
+```ruby
+class User < ActiveRecord::Base
+  include SearchCop
+
+  search_scope :search do
+    attributes :username, :fullname
+  end
+
+  # ...
+end
+```
+
+So a search like `User.search("something")` will generate a query
+with the following conditions:
+
+```sql
+... WHERE username LIKE '%something%' AND fullname LIKE '%something%'
+```
+
+However, there are cases where using AND as the default operator is not desired,
+so SearchCop allows you to override it and use OR as the default operator instead.
+A query like `User.search("something", default_operator: :or)` will
+generate the query using OR to concatenate the conditions
+
+```sql
+... WHERE username LIKE '%something%' OR fullname LIKE '%something%'
+```
+
+Finally, please note that you can apply it to fulltext indices/queries as well.
+
 ## Associations
 
 If you specify searchable attributes from another model, like
@@ -454,6 +516,10 @@ SearchCop also provides the ability to define custom operators by defining a
 search. This is useful when you want to use database operators that are not
 supported by SearchCop.
 
+Please note, when using generators, you are responsible for sanitizing/quoting
+the values (see example below). Otherwise your generator will allow SQL
+injection. Thus, please only use generators if you know what you're doing.
+
 For example, if you wanted to perform a `LIKE` query where a book title starts
 with a string, you can define the search scope like so:
 

data/Rakefile

@@ -6,4 +6,3 @@ Rake::TestTask.new(:test) do |t|
   t.pattern = "test/**/*_test.rb"
   t.verbose = true
 end
-

data/docker-compose.yml

@@ -0,0 +1,18 @@
+
+version: '2' 
+services:
+  mysql:
+    image: percona:5.7
+    environment:
+      - MYSQL_ALLOW_EMPTY_PASSWORD=yes
+      - MYSQL_ROOT_PASSWORD=
+    ports:
+      - 3306:3306
+  postgres:
+    image: postgres:9.6.6
+    environment:
+      POSTGRES_DB: search_cop
+      POSTGRES_USER: search_cop
+      POSTGRES_PASSWORD: secret
+    ports:
+      - 5432:5432

data/gemfiles/rails5.gemfile

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 5.1"
+
+platforms :ruby do
+  gem "mysql2"
+  gem "pg"
+  gem "sqlite3"
+end
+
+gemspec path: "../"

data/gemfiles/rails6.gemfile

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 6.0"
+
+platforms :ruby do
+  gem "mysql2"
+  gem "pg"
+  gem "sqlite3"
+end
+
+gemspec path: "../"

data/gemfiles/rails7.gemfile

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 7.0"
+
+platforms :ruby do
+  gem "mysql2"
+  gem "pg"
+  gem "sqlite3"
+end
+
+gemspec path: "../"

data/lib/search_cop/grammar_parser.rb

@@ -1,8 +1,7 @@
-
 require "search_cop_grammar"
 require "treetop"
 
-Treetop.load File.expand_path("../../search_cop_grammar.treetop", __FILE__)
+Treetop.load File.expand_path("../search_cop_grammar.treetop", __dir__)
 
 module SearchCop
   class GrammarParser
@@ -12,11 +11,11 @@ module SearchCop
       @query_info = query_info
     end
 
-    def parse(string)
+    def parse(string, query_options)
       node = SearchCopGrammarParser.new.parse(string) || raise(ParseError)
       node.query_info = query_info
+      node.query_options = query_options
       node.evaluate
     end
   end
 end
-

data/lib/search_cop/hash_parser.rb

@@ -1,4 +1,3 @@
-
 class SearchCop::HashParser
   attr_reader :query_info
 
@@ -6,23 +5,25 @@ class SearchCop::HashParser
     @query_info = query_info
   end
 
-  def parse(hash)
+  def parse(hash, query_options = {})
+    default_operator = SearchCop::Helpers.sanitize_default_operator(query_options)
+
     res = hash.collect do |key, value|
       case key
-        when :and
-          value.collect { |val| parse val }.inject(:and)
-        when :or
-          value.collect { |val| parse val }.inject(:or)
-        when :not
-          parse(value).not
-        when :query
-          SearchCop::Parser.parse value, query_info
-        else
-          parse_attribute key, value
+      when :and
+        value.collect { |val| parse val }.inject(:and)
+      when :or
+        value.collect { |val| parse val }.inject(:or)
+      when :not
+        parse(value).not
+      when :query
+        SearchCop::Parser.parse(value, query_info)
+      else
+        parse_attribute(key, value)
       end
     end
 
-    res.inject :and
+    res.inject(default_operator)
   end
 
   private
@@ -33,14 +34,15 @@ class SearchCop::HashParser
     if value.is_a?(Hash)
       raise(SearchCop::ParseError, "Unknown operator #{value.keys.first}") unless collection.valid_operator?(value.keys.first)
 
-      if generator = collection.generator_for(value.keys.first)
-        collection.generator generator, value.values.first
+      generator = collection.generator_for(value.keys.first)
+
+      if generator
+        collection.generator(generator, value.values.first)
       else
-        collection.send value.keys.first, value.values.first.to_s
+        collection.send(value.keys.first, value.values.first.to_s)
       end
     else
-      collection.send :matches, value.to_s
+      collection.send(:matches, value.to_s)
     end
   end
 end
-

data/lib/search_cop/helpers.rb

@@ -0,0 +1,15 @@
+module SearchCop
+  module Helpers
+    def self.sanitize_default_operator(query_options)
+      return "and" unless query_options.key?(:default_operator)
+
+      default_operator = query_options[:default_operator].to_s.downcase
+
+      unless ["and", "or"].include?(default_operator)
+        raise(SearchCop::UnknownDefaultOperator, "Unknown default operator value #{default_operator}")
+      end
+
+      default_operator
+    end
+  end
+end

data/lib/search_cop/query_builder.rb

@@ -1,19 +1,18 @@
-
 module SearchCop
   class QueryBuilder
     attr_accessor :query_info, :scope, :sql
 
-    def initialize(model, query, scope)
+    def initialize(model, query, scope, query_options)
       self.scope = scope
       self.query_info = QueryInfo.new(model, scope)
 
-      arel = SearchCop::Parser.parse(query, query_info).optimize!
+      arel = SearchCop::Parser.parse(query, query_info, query_options).optimize!
 
       self.sql = SearchCop::Visitors::Visitor.new(model.connection).visit(arel)
     end
 
     def associations
-      all_associations - [query_info.model.name.tableize.to_sym]
+      all_associations - [query_info.model.table_name.to_sym]
     end
 
     private
@@ -32,4 +31,3 @@ module SearchCop
     end
   end
 end
-

data/lib/search_cop/query_info.rb

@@ -1,4 +1,3 @@
-
 module SearchCop
   class QueryInfo
     attr_accessor :model, :scope, :references
@@ -10,4 +9,3 @@ module SearchCop
     end
   end
 end
-

data/lib/search_cop/search_scope.rb

@@ -1,4 +1,3 @@
-
 module SearchCop
   class Reflection
     attr_accessor :attributes, :options, :aliases, :scope, :generators
@@ -11,11 +10,11 @@ module SearchCop
     end
 
     def default_attributes
-      keys = options.select { |key, value| value[:default] == true }.keys
+      keys = options.select { |_key, value| value[:default] == true }.keys
       keys = attributes.keys.reject { |key| options[key] && options[key][:default] == false } if keys.empty?
       keys = keys.to_set
 
-      attributes.select { |key, value| keys.include? key }
+      attributes.select { |key, _value| keys.include? key }
     end
   end
 
@@ -64,4 +63,3 @@ module SearchCop
     end
   end
 end
-

data/lib/search_cop/version.rb

@@ -1,3 +1,3 @@
 module SearchCop
-  VERSION = "1.0.9"
+  VERSION = "1.2.1"
 end

data/lib/search_cop/visitors/mysql.rb

@@ -1,7 +1,8 @@
-
 module SearchCop
   module Visitors
     module Mysql
+      # rubocop:disable Naming/MethodName
+
       class FulltextQuery < Visitor
         def visit_SearchCopGrammar_Nodes_MatchesFulltextNot(node)
           node.right.split(/[\s+'"<>()~-]+/).collect { |word| "-#{word}" }.join(" ")
@@ -38,6 +39,7 @@ module SearchCop
         "MATCH(#{visit node.collection}) AGAINST(#{visit FulltextQuery.new(connection).visit(node.node)} IN BOOLEAN MODE)"
       end
     end
+
+    # rubocop:enable Naming/MethodName
   end
 end
-