From 161470432e1753dfc561ebb4189624967a1e4cd7 Mon Sep 17 00:00:00 2001
From: Ábner Silva de Oliveira
Date: Mon, 27 Jul 2015 12:13:13 -0300
Subject: [PATCH] added random as a possible value for make_order_with_parameters

---
 lib/noosfero/api/helpers.rb | 18 ++++++++++++------
 test/unit/api/helpers_test.rb | 11 +++++++++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb
index 9ca00ca..1cbca3a 100644
--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -164,12 +164,18 @@ require 'grape'
   def make_order_with_parameters(object, method, params)
     order = "created_at DESC"
     unless params[:order].blank?
-      field_name, direction = params[:order].split(' ')
-      assoc = object.class.reflect_on_association(method.to_sym)
-      if !field_name.blank? and assoc
-        if assoc.klass.attribute_names.include? field_name
-          if direction.present? and ['ASC','DESC'].include? direction.upcase
-            order = "#{field_name} #{direction.upcase}"
+      if params[:order].include? '\'' or params[:order].include? '"'
+        order = "created_at DESC"
+      elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+        order = 'RANDOM()'
+      else
+        field_name, direction = params[:order].split(' ')
+        assoc = object.class.reflect_on_association(method.to_sym)
+        if !field_name.blank? and assoc
+          if assoc.klass.attribute_names.include? field_name
+            if direction.present? and ['ASC','DESC'].include? direction.upcase
+              order = "#{field_name} #{direction.upcase}"
+            end
           end
         end
       end
diff --git a/test/unit/api/helpers_test.rb b/test/unit/api/helpers_test.rb
index a567ce9..35c9456 100644
--- a/test/unit/api/helpers_test.rb
+++ b/test/unit/api/helpers_test.rb
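Review bot: The new `elsif` calls `params[:order].upcase` on whatever the request sent, so a non-String value that survives `blank?` (for example an Array produced by an `order[]=` query parameter) raises NoMethodError and turns a malformed request into a 500 instead of falling back to the default ordering; coerce once at the top of the `unless` body with `order_param = params[:order].to_s` and use `order_param` in the `include?`, `upcase` and `split` calls. The quote blacklist on the first added line is not what keeps this safe — the `attribute_names` and `['ASC','DESC']` whitelists below it are — so a comment such as `# field and direction are whitelisted below; this only short-circuits obviously malformed input` would stop a future reader from treating the blacklist as the defence. `RANDOM()` is the PostgreSQL spelling; if the project is ever run on another adapter this literal would need an adapter-specific form, which I cannot tell from the hunk. make_order_with_parameters continues outside the hunk (the `end` of the `unless`, the method's own `end` and its return value are not shown).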
@@ -182,6 +182,17 @@ class APIHelpersTest < ActiveSupport::TestCase
     assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
   end
 
+  should 'make_order_with_parameters return RANDOM() if random is passed' do
+    environment = Environment.new
+    params = {:order => "random"} # quote used to check sql injection vunerabillity
+    assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return RANDOM() if random function is passed' do
+    environment = Environment.new
+    params = {:order => "random()"} # quote used to check sql injection vunerabillity
+    assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
+  end
 
   should 'render not_found if endpoint is unavailable' do
     Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true)
-- 
libgit2 0.21.2
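Review bot: The comment `# quote used to check sql injection vunerabillity` on both added `params =` lines appears to be copied from the preceding test and is wrong here — neither "random" nor "random()" contains a quote, and the spelling is off; replace it with `# matched case-insensitively: the helper upcases before comparing` or drop it. The two cases only cover the happy path; a negative case asserting that an input such as "random() DESC" or a quoted value still yields "created_at DESC" would pin the fall-through behaviour that keeps free-form input out of the ORDER BY clause. Both added `should` blocks are complete within the hunk.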