Commit 161470432e1753dfc561ebb4189624967a1e4cd7
1 parent
b6d92d25
Exists in
theme-brasil-digital-from-staging
and in
9 other branches
added random as a possible value for make_order_with_parameters
Showing
2 changed files
with
23 additions
and
6 deletions
Show diff stats
lib/noosfero/api/helpers.rb
| @@ -164,12 +164,18 @@ require 'grape' | @@ -164,12 +164,18 @@ require 'grape' | ||
| 164 | def make_order_with_parameters(object, method, params) | 164 | def make_order_with_parameters(object, method, params) |
| 165 | order = "created_at DESC" | 165 | order = "created_at DESC" |
| 166 | unless params[:order].blank? | 166 | unless params[:order].blank? |
| 167 | - field_name, direction = params[:order].split(' ') | ||
| 168 | - assoc = object.class.reflect_on_association(method.to_sym) | ||
| 169 | - if !field_name.blank? and assoc | ||
| 170 | - if assoc.klass.attribute_names.include? field_name | ||
| 171 | - if direction.present? and ['ASC','DESC'].include? direction.upcase | ||
| 172 | - order = "#{field_name} #{direction.upcase}" | 167 | + if params[:order].include? '\'' or params[:order].include? '"' |
| 168 | + order = "created_at DESC" | ||
| 169 | + elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase | ||
| 170 | + order = 'RANDOM()' | ||
| 171 | + else | ||
| 172 | + field_name, direction = params[:order].split(' ') | ||
| 173 | + assoc = object.class.reflect_on_association(method.to_sym) | ||
| 174 | + if !field_name.blank? and assoc | ||
| 175 | + if assoc.klass.attribute_names.include? field_name | ||
| 176 | + if direction.present? and ['ASC','DESC'].include? direction.upcase | ||
| 177 | + order = "#{field_name} #{direction.upcase}" | ||
| 178 | + end | ||
| 173 | end | 179 | end |
| 174 | end | 180 | end |
| 175 | end | 181 | end |
test/unit/api/helpers_test.rb
| @@ -182,6 +182,17 @@ class APIHelpersTest < ActiveSupport::TestCase | @@ -182,6 +182,17 @@ class APIHelpersTest < ActiveSupport::TestCase | ||
| 182 | assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params) | 182 | assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params) |
| 183 | end | 183 | end |
| 184 | 184 | ||
| 185 | + should 'make_order_with_parameters return RANDOM() if random is passed' do | ||
| 186 | + environment = Environment.new | ||
| 187 | + params = {:order => "random"} # quote used to check sql injection vunerabillity | ||
| 188 | + assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params) | ||
| 189 | + end | ||
| 190 | + | ||
| 191 | + should 'make_order_with_parameters return RANDOM() if random function is passed' do | ||
| 192 | + environment = Environment.new | ||
| 193 | + params = {:order => "random()"} # quote used to check sql injection vunerabillity | ||
| 194 | + assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params) | ||
| 195 | + end | ||
| 185 | 196 | ||
| 186 | should 'render not_found if endpoint is unavailable' do | 197 | should 'render not_found if endpoint is unavailable' do |
| 187 | Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true) | 198 | Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true) |