Merge branch 'api' into production

Ábner Silva de Oliveira
2 parents a1038fbb 16147043
Showing 2 changed files with 54 additions and 3 deletions Show diff stats
lib/noosfero/api/helpers.rb
test/unit/api/helpers_test.rb
@@ -160,8 +160,27 @@ require &#39;grape&#39;
         conditions
       end
-      def make_order_with_parameters(params)
-        params[:order] || "created_at DESC"
+      # changing make_order_with_parameters to avoid sql injection
+      def make_order_with_parameters(object, method, params)
+        order = "created_at DESC"
+        unless params[:order].blank?
+          if params[:order].include? '\'' or params[:order].include? '"'
+            order = "created_at DESC"
+          elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+            order = 'RANDOM()'
+          else
+            field_name, direction = params[:order].split(' ')
+            assoc = object.class.reflect_on_association(method.to_sym)
+            if !field_name.blank? and assoc
+              if assoc.klass.attribute_names.include? field_name
+                if direction.present? and ['ASC','DESC'].include? direction.upcase
+                  order = "#{field_name} #{direction.upcase}"
+                end
+              end
+            end
+          end
+        end
+        return order
       end
       def by_reference(scope, params)
@@ -176,7 +195,7 @@ require &#39;grape&#39;
       def select_filtered_collection_of(object, method, params)
         conditions = make_conditions_with_parameter(params)
-        order = make_order_with_parameters(params)
+        order = make_order_with_parameters(object,method,params)
         objects = object.send(method)
         objects = by_reference(objects, params)
@@ -161,6 +161,38 @@ class APIHelpersTest &lt; ActiveSupport::TestCase
     assert_nil make_conditions_with_parameter[:type]
   end
+  #test_should_make_order_with_parameters_return_order_if attribute_is_found_at_object_association
+  should 'make_order_with_parameters return order if attribute is found at object association' do
+    environment = Environment.new
+    params = {:order => "name ASC"}
+    assert_equal "name ASC", make_order_with_parameters(environment, "articles", params)
+  end
+
+  # test added to check for eventual sql injection vunerabillity
+  #test_should_make_order_with_parameters_return_default_order_if_attributes_not_exists
+  should 'make_order_with_parameters return default order if attributes not exists' do
+    environment = Environment.new
+    params = {:order => "CRAZY_FIELD ASC"} # quote used to check sql injection vunerabillity
+    assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return default order if sql injection detected' do
+    environment = Environment.new
+    params = {:order => "name' ASC"} # quote used to check sql injection vunerabillity
+    assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return RANDOM() if random is passed' do
+    environment = Environment.new
+    params = {:order => "random"} # quote used to check sql injection vunerabillity
+    assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
+  end
+
+  should 'make_order_with_parameters return RANDOM() if random function is passed' do
+    environment = Environment.new
+    params = {:order => "random()"} # quote used to check sql injection vunerabillity
+    assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
+  end
   should 'render not_found if endpoint is unavailable' do
     Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true)
	@@ -160,8 +160,27 @@ require 'grape'		@@ -160,8 +160,27 @@ require 'grape'
160	conditions	160	conditions
161	end	161	end
162		162
163	- def make_order_with_parameters(params)
164	- params[:order] \|\| "created_at DESC"	163	+ # changing make_order_with_parameters to avoid sql injection
		164	+ def make_order_with_parameters(object, method, params)
		165	+ order = "created_at DESC"
		166	+ unless params[:order].blank?
		167	+ if params[:order].include? '\'' or params[:order].include? '"'
		168	+ order = "created_at DESC"
		169	+ elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
		170	+ order = 'RANDOM()'
		171	+ else
		172	+ field_name, direction = params[:order].split(' ')
		173	+ assoc = object.class.reflect_on_association(method.to_sym)
		174	+ if !field_name.blank? and assoc
		175	+ if assoc.klass.attribute_names.include? field_name
		176	+ if direction.present? and ['ASC','DESC'].include? direction.upcase
		177	+ order = "#{field_name} #{direction.upcase}"
		178	+ end
		179	+ end
		180	+ end
		181	+ end
		182	+ end
		183	+ return order
165	end	184	end
166		185
167	def by_reference(scope, params)	186	def by_reference(scope, params)
	@@ -176,7 +195,7 @@ require 'grape'		@@ -176,7 +195,7 @@ require 'grape'
176		195
177	def select_filtered_collection_of(object, method, params)	196	def select_filtered_collection_of(object, method, params)
178	conditions = make_conditions_with_parameter(params)	197	conditions = make_conditions_with_parameter(params)
179	- order = make_order_with_parameters(params)	198	+ order = make_order_with_parameters(object,method,params)
180		199
181	objects = object.send(method)	200	objects = object.send(method)
182	objects = by_reference(objects, params)	201	objects = by_reference(objects, params)
	@@ -161,6 +161,38 @@ class APIHelpersTest < ActiveSupport::TestCase		@@ -161,6 +161,38 @@ class APIHelpersTest < ActiveSupport::TestCase
161	assert_nil make_conditions_with_parameter[:type]	161	assert_nil make_conditions_with_parameter[:type]
162	end	162	end
163		163
		164	+ #test_should_make_order_with_parameters_return_order_if attribute_is_found_at_object_association
		165	+ should 'make_order_with_parameters return order if attribute is found at object association' do
		166	+ environment = Environment.new
		167	+ params = {:order => "name ASC"}
		168	+ assert_equal "name ASC", make_order_with_parameters(environment, "articles", params)
		169	+ end
		170	+
		171	+ # test added to check for eventual sql injection vunerabillity
		172	+ #test_should_make_order_with_parameters_return_default_order_if_attributes_not_exists
		173	+ should 'make_order_with_parameters return default order if attributes not exists' do
		174	+ environment = Environment.new
		175	+ params = {:order => "CRAZY_FIELD ASC"} # quote used to check sql injection vunerabillity
		176	+ assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
		177	+ end
		178	+
		179	+ should 'make_order_with_parameters return default order if sql injection detected' do
		180	+ environment = Environment.new
		181	+ params = {:order => "name' ASC"} # quote used to check sql injection vunerabillity
		182	+ assert_equal "created_at DESC", make_order_with_parameters(environment, "articles", params)
		183	+ end
		184	+
		185	+ should 'make_order_with_parameters return RANDOM() if random is passed' do
		186	+ environment = Environment.new
		187	+ params = {:order => "random"} # quote used to check sql injection vunerabillity
		188	+ assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
		189	+ end
		190	+
		191	+ should 'make_order_with_parameters return RANDOM() if random function is passed' do
		192	+ environment = Environment.new
		193	+ params = {:order => "random()"} # quote used to check sql injection vunerabillity
		194	+ assert_equal "RANDOM()", make_order_with_parameters(environment, "articles", params)
		195	+ end
164		196
165	should 'render not_found if endpoint is unavailable' do	197	should 'render not_found if endpoint is unavailable' do
166	Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true)	198	Noosfero::API::API.stubs(:endpoint_unavailable?).returns(true)