RubyGems - sql-maker - Versions diffs - 0.0.3 → 0.0.4 - Mend

sql-maker 0.0.3 → 0.0.4

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32d150cb48d1dafd939ac1562fc6e7a31195172d
-  data.tar.gz: 749f497d5f5a1f5d38a1f1855e575725b862bf9a
+  metadata.gz: df6b66323d8c864915eacfa06aecea6273e58c46
+  data.tar.gz: 307efe4066f6b8ab303fe749ea80ae8022737325
 SHA512:
-  metadata.gz: a474871843140b6871e998e583bfe4222a89dc43db85f4a121379438eaf80bb648a36749166f91da4fffa69e8eff9d103f278a39860bf78960eb06e7916c2405
-  data.tar.gz: 994cf90b1c734b301f7fb4c09bdedfe55a8c00bb5ec38530874be625c3f939d7f94c33cea071dae1b6062868d6e4dbcf21decd932978f86c10b8456e1ea517a3
+  metadata.gz: 26c0a612e3bb5a35709ba269a2e775a10923cc0f628ff333d9226a2183947cc7bf034bd24b974271078150eb84fa18a6b29b9f48a4b194048d7628db1c0eac39
+  data.tar.gz: aadebe81d0678883500fc8dae3f2a66b7e799e7cebf23ef2a58f70e5f2be1de80dfb2cef5c850230f540c5d2a2fa3bd9bca4afc24762fa5d5e33667dbd3787dd

data/CHANGELOG.md CHANGED

@@ -1,3 +1,9 @@
+## 0.0.4 (2014/09/14)
+Fixes:
+* Fixed strict mode for insert/update (thanks to memememomo)
 ## 0.0.3 (2014/06/21)
 Fixes:

data/README.md CHANGED

@@ -42,6 +42,44 @@ builder.add_select(sql_raw('COUNT(*)')).add_from('books').as_sql
 Please see the [doc](./doc) directory.
+## The JSON SQL Injection Vulnerability
+Both perl and ruby verion of SQL::Maker has a JSON SQL Injection Vulnerability if not used in `strict` mode.
+Therefore, I strongly recommend to use SQL::Maker in `strict` mode.
+You can turn on the `strict` mode by passing `:strict => true` as:
+```ruby
+SQL::Maker.new(...., :strict => true)
+SQL::Maker::Select.new(...., :strict => true)
+```
+In strict mode, array or hash conditions are not accepted anymore. A sample usage snippet is shown in below:
+```ruby
+require 'sql-maker'
+include SQL::Maker::Helper # adds SQL::QueryMaker functions such as sql_le, etc
+builder = SQL::Maker::Select.new(:strict => true)
+builder.select('user', ['*'], {:name => json['name']})
+#=> SELECT * FROM `user` WHERE `name` = ?
+builder.select('user', ['*'], {:name => ['foo', 'bar']})
+#=> SQL::Maker::Error! Will not generate SELECT * FROM `name` IN (?, ?) any more
+builder.select('user', ['*'], {:name => sql_in(['foo', 'bar'])})
+#=> SELECT * FROM `user` WHERE `name` IN (?, ?)
+builder.select('fruit', ['*'], {:price => sql_le(json['max_price'])})
+#=> SELECT * FROM `fruit` WHERE `price` <= ?
+```
+See following articles for more details (perl version)
+* http://blog.kazuhooku.com/2014/07/the-json-sql-injection-vulnerability.html (English)
+* http://developers.mobage.jp/blog/2014/7/3/jsonsql-injection (Japanese)
 ## ChangeLog
 See [CHANGELOG.md](CHANGELOG.md) for details.

data/Rakefile CHANGED

@@ -3,7 +3,7 @@ require "bundler/gem_tasks"
 require 'rspec/core'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec) do |spec|
-  spec.pattern = FileList['spec/**/*_spec.rb']
+  spec.pattern = 'spec/**{,/*/**}/*_spec.rb'
 end
 task :default => :spec

data/doc/README.md CHANGED

@@ -5,4 +5,4 @@
 * [sql/maker/condition.md](./sql/maker/condition.md)
 * [sql/maker/helper.md](./sql/maker/helper.md)
 * [sql/maker/select_set.md](./sql/maker/select_set.md)
-* [sql/queyr_maker.md](./sql/maker.md)
+* [sql/query_maker.md](./sql/query_maker.md)

data/lib/sql/maker.rb CHANGED

@@ -84,11 +84,12 @@ class SQL::Maker
         columns += [val.as_sql(nil, Proc.new {|e| self._quote(e) })]
         bind_columns += val.bind
       else
-        croak("cannot pass in an unblessed ref as an argument in strict mode") if self.strict
-        if val.is_a?(Hash)
-          # builder.insert(:foo => { :created_on => ["NOW()"] })
-          columns += [val]
-        elsif val.is_a?(Array)
+        if val.is_a?(Array) && self.strict
+          croak("cannot pass in an unblessed ref as an argument in strict mode")
+        end
+        if val.is_a?(Array)
+          # builder.insert( :foo => { :created_on => ["NOW()"] })
           # builder.insert( :foo => [ 'UNIX_TIMESTAMP(?)', '2011-04-12 00:34:12' ] )
           stmt, sub_bind = [val.first, val[1..-1]]
           columns += [stmt]
@@ -181,14 +182,13 @@ class SQL::Maker
         columns += ["#{quoted_col} = " + val.as_sql(nil, Proc.new {|label| self._quote(label) })]
         bind_columns += val.bind
       else
-        if self.strict
+        if val.is_a?(Array) && self.strict
           croak("cannot pass in an unblessed ref as an argument in strict mode")
-          if val.is_a?(Hash)
-            # builder.update(:foo => { :created_on => \"NOW()" })
-            # columns += ["quoted_col = " + $val
-          end
-        elsif val.is_a?(Array)
-          # builder.update( :foo => \[ 'VALUES(foo) + ?', 10 ] )
+        end
+        if val.is_a?(Array)
+          # builder.update( :foo => [ 'NOW()' ] )
+          # builder.update( :foo => [ 'VALUES(foo) + ?', 10 ] )
           stmt, sub_bind = [val.first, val[1..-1]]
           columns += ["#{quoted_col} = " + stmt]
           bind_columns += sub_bind

data/lib/sql/maker/condition.rb CHANGED

@@ -44,7 +44,7 @@ class SQL::Maker::Condition
     if val.is_a?(SQL::QueryMaker)
       return [val.as_sql(col, self.method(:_quote)), val.bind]
     elsif self.strict
-      croak("can pass only SQL::QueryMaker as an argument in strict mode")
+      croak("Condition#add: can pass only SQL::QueryMaker object as an argument in strict mode")
     end
     if val.is_a?(Array)
@@ -57,18 +57,17 @@ class SQL::Maker::Condition
       end
     elsif val.is_a?(Hash)
       op, v = val.each.first
-      op = op.upcase.to_s
+      op = op.to_s.upcase
       if ( op == 'AND' || op == 'OR' ) && v.is_a?(Array)
-        # {'foo'=>[{'>' => 'bar'},{'<' => 'baz'}]} => (`foo` > ?) OR (`foo` < ?)
+        # {'foo'=>{'or' => [{'>' => 'bar'},{'<' => 'baz'}]}} => (`foo` > ?) OR (`foo` < ?)
         return self._make_or_term(col, op, v)
       elsif ( op == 'IN' || op == 'NOT IN' )
+        # {'foo'=>{'in' => ['bar','baz']}} => `foo` IN (?, ?)
         return self._make_in_term(col, op, v)
       elsif ( op == 'BETWEEN' ) && v.is_a?(Array)
-        croak("USAGE: make_term(foo => {BETWEEN => [a, b]})") if v.size != 2
+        croak("USAGE: add(foo => {BETWEEN => [a, b]})") if v.size != 2
         return [self._quote(col) + " BETWEEN ? AND ?", v]
       else
-        # make_term(foo => { '<' => \"DATE_SUB(NOW(), INTERVAL 3 DAY)"}) => 'foo < DATE_SUB(NOW(), INTERVAL 3 DAY)'
-        # return [self._quote(col) + " op " + v, []]
         # make_term(foo => { '<' => 3 }) => foo < 3
         return [self._quote(col) + " #{op} ?", [v]]
       end

data/spec/maker/strict_spec.rb CHANGED

@@ -2,6 +2,8 @@ require_relative '../spec_helper'
 require 'sql/maker'
 describe 'SQL::Maker' do
+  include SQL::Maker::Helper
   let(:maker) do
     SQL::Maker.new(
       :driver => 'SQLite',
@@ -13,6 +15,7 @@ describe 'SQL::Maker' do
   it "maker.new_condition" do
     expect { maker.new_condition.add(:foo => [1]) }.to raise_error(SQL::Maker::Error)
+    expect { maker.new_condition.add(:foo => {'!=' => ''}) }.to raise_error(SQL::Maker::Error)
   end
   it "select.new_condition" do
@@ -25,21 +28,37 @@ describe 'SQL::Maker' do
     expect { maker.select("user", ['*'], { :name => ["John", "Tom" ]}) }.to raise_error(SQL::Maker::Error)
   end
-  it "maker.insert" do
-    expect { maker.insert(
-      :user, { :name => "John", :created_on => "datetime(now)" }
-    ) }.to raise_error(SQL::Maker::Error)
+  context "maker.insert" do
+    it "raise error by strict mode" do
+      expect { maker.insert(
+          :user, { :name => "John", :created_on => ["datetime(now)"] }
+      ) }.to raise_error(SQL::Maker::Error)
+    end
+    it "using term" do
+      sql, binds = maker.insert(:user, { :name => "John", :created_on => sql_raw("datetime(now)") })
+      expect(sql).to be == %Q{INSERT INTO "user"\n("name", "created_on")\nVALUES (?, datetime(now))}
+      expect(binds.join(',')).to be == 'John'
+    end
   end
   it "maker.delete" do
     expect { maker.delete(:user, { :name => ["John", "Tom"]}) }.to raise_error(SQL::Maker::Error)
   end
-  it "maker.update where" do
-    expect { maker.update(:user, {:name => "John"}, { :user_id => [1, 2] }) }.to raise_error(SQL::Maker::Error)
+  context "maker.update where" do
+    it "raise error by strict mode" do
+      expect { maker.update(:user, {:name => "John"}, { :user_id => [1, 2] }) }.to raise_error(SQL::Maker::Error)
+    end
+    it "using term" do
+      sql, binds = maker.update(:user, {:name => "John"}, { :user_id => sql_in([1, 2]) })
+      expect(sql).to be == %Q{UPDATE "user" SET "name" = ? WHERE ("user_id" IN (?,?))}
+      expect(binds.join(',')).to be == 'John,1,2'
+    end
   end
   it "maker.update set" do
-    expect { maker.update(:user, {:name => "select *"}) }.to raise_error(SQL::Maker::Error)
+    expect { sql, bind = maker.update(:user, {:name => ["select *"]}) }.to raise_error(SQL::Maker::Error)
   end
 end

data/sql-maker.gemspec CHANGED

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 Gem::Specification.new do |spec|
   spec.name          = "sql-maker"
-  spec.version       = "0.0.3"
+  spec.version       = "0.0.4"
   spec.authors       = ["Naotoshi Seo"]
   spec.email         = ["sonots@gmail.com"]
   spec.summary       = %q{SQL Builder for Ruby}

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sql-maker
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Naotoshi Seo
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-06-21 00:00:00.000000000 Z
+date: 2014-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler