rails--rails/activerecord/lib/active_record/sanitization.rb

# frozen_string_literal: true

module ActiveRecord
  module Sanitization
    extend ActiveSupport::Concern

    module ClassMethods
      private

        # Accepts an array or string of SQL conditions and sanitizes
        # them into a valid SQL fragment for a WHERE clause.
        #
        #   sanitize_sql_for_conditions(["name=? and group_id=?", "foo'bar", 4])
        #   # => "name='foo''bar' and group_id=4"
        #
        #   sanitize_sql_for_conditions(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
        #   # => "name='foo''bar' and group_id='4'"
        #
        #   sanitize_sql_for_conditions(["name='%s' and group_id='%s'", "foo'bar", 4])
        #   # => "name='foo''bar' and group_id='4'"
        #
        #   sanitize_sql_for_conditions("name='foo''bar' and group_id='4'")
        #   # => "name='foo''bar' and group_id='4'"
        def sanitize_sql_for_conditions(condition) # :doc:
          return nil if condition.blank?

          case condition
          when Array; sanitize_sql_array(condition)
          else        condition
          end
        end
        alias :sanitize_sql :sanitize_sql_for_conditions

        # Accepts an array, hash, or string of SQL conditions and sanitizes
        # them into a valid SQL fragment for a SET clause.
        #
        #   sanitize_sql_for_assignment(["name=? and group_id=?", nil, 4])
        #   # => "name=NULL and group_id=4"
        #
        #   sanitize_sql_for_assignment(["name=:name and group_id=:group_id", name: nil, group_id: 4])
        #   # => "name=NULL and group_id=4"
        #
        #   Post.send(:sanitize_sql_for_assignment, { name: nil, group_id: 4 })
        #   # => "`posts`.`name` = NULL, `posts`.`group_id` = 4"
        #
        #   sanitize_sql_for_assignment("name=NULL and group_id='4'")
        #   # => "name=NULL and group_id='4'"
        def sanitize_sql_for_assignment(assignments, default_table_name = table_name) # :doc:
          case assignments
          when Array; sanitize_sql_array(assignments)
          when Hash;  sanitize_sql_hash_for_assignment(assignments, default_table_name)
          else        assignments
          end
        end

        # Accepts an array, or string of SQL conditions and sanitizes
        # them into a valid SQL fragment for an ORDER clause.
        #
        #   sanitize_sql_for_order(["field(id, ?)", [1,3,2]])
        #   # => "field(id, 1,3,2)"
        #
        #   sanitize_sql_for_order("id ASC")
        #   # => "id ASC"
        def sanitize_sql_for_order(condition) # :doc:
          if condition.is_a?(Array) && condition.first.to_s.include?("?")
            # Ensure we aren't dealing with a subclass of String that might
            # override methods we use (eg. Arel::Nodes::SqlLiteral).
            if condition.first.kind_of?(String) && !condition.first.instance_of?(String)
              condition = [String.new(condition.first), *condition[1..-1]]
            end

            sanitize_sql_array(condition)
          else
            condition
          end
        end

        # Accepts a hash of SQL conditions and replaces those attributes
        # that correspond to a {#composed_of}[rdoc-ref:Aggregations::ClassMethods#composed_of]
        # relationship with their expanded aggregate attribute values.
        #
        # Given:
        #
        #   class Person < ActiveRecord::Base
        #     composed_of :address, class_name: "Address",
        #       mapping: [%w(address_street street), %w(address_city city)]
        #   end
        #
        # Then:
        #
        #   { address: Address.new("813 abc st.", "chicago") }
        #   # => { address_street: "813 abc st.", address_city: "chicago" }
        def expand_hash_conditions_for_aggregates(attrs) # :doc:
          expanded_attrs = {}
          attrs.each do |attr, value|
            if aggregation = reflect_on_aggregation(attr.to_sym)
              mapping = aggregation.mapping
              mapping.each do |field_attr, aggregate_attr|
                if mapping.size == 1 && !value.respond_to?(aggregate_attr)
                  expanded_attrs[field_attr] = value
                else
                  expanded_attrs[field_attr] = value.send(aggregate_attr)
                end
              end
            else
              expanded_attrs[attr] = value
            end
          end
          expanded_attrs
        end

        # Sanitizes a hash of attribute/value pairs into SQL conditions for a SET clause.
        #
        #   sanitize_sql_hash_for_assignment({ status: nil, group_id: 1 }, "posts")
        #   # => "`posts`.`status` = NULL, `posts`.`group_id` = 1"
        def sanitize_sql_hash_for_assignment(attrs, table) # :doc:
          c = connection
          attrs.map do |attr, value|
            value = type_for_attribute(attr.to_s).serialize(value)
            "#{c.quote_table_name_for_assignment(table, attr)} = #{c.quote(value)}"
          end.join(", ")
        end

        # Sanitizes a +string+ so that it is safe to use within an SQL
        # LIKE statement. This method uses +escape_character+ to escape all occurrences of "\", "_" and "%".
        #
        #   sanitize_sql_like("100%")
        #   # => "100\\%"
        #
        #   sanitize_sql_like("snake_cased_string")
        #   # => "snake\\_cased\\_string"
        #
        #   sanitize_sql_like("100%", "!")
        #   # => "100!%"
        #
        #   sanitize_sql_like("snake_cased_string", "!")
        #   # => "snake!_cased!_string"
        def sanitize_sql_like(string, escape_character = "\\") # :doc:
          pattern = Regexp.union(escape_character, "%", "_")
          string.gsub(pattern) { |x| [escape_character, x].join }
        end

        # Accepts an array of conditions. The array has each value
        # sanitized and interpolated into the SQL statement.
        #
        #   sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])
        #   # => "name='foo''bar' and group_id=4"
        #
        #   sanitize_sql_array(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
        #   # => "name='foo''bar' and group_id=4"
        #
        #   sanitize_sql_array(["name='%s' and group_id='%s'", "foo'bar", 4])
        #   # => "name='foo''bar' and group_id='4'"
        def sanitize_sql_array(ary) # :doc:
          statement, *values = ary
          if values.first.is_a?(Hash) && /:\w+/.match?(statement)
            replace_named_bind_variables(statement, values.first)
          elsif statement.include?("?")
            replace_bind_variables(statement, values)
          elsif statement.blank?
            statement
          else
            statement % values.collect { |value| connection.quote_string(value.to_s) }
          end
        end

        def replace_bind_variables(statement, values)
          raise_if_bind_arity_mismatch(statement, statement.count("?"), values.size)
          bound = values.dup
          c = connection
          statement.gsub(/\?/) do
            replace_bind_variable(bound.shift, c)
          end
        end

        def replace_bind_variable(value, c = connection)
          if ActiveRecord::Relation === value
            value.to_sql
          else
            quote_bound_value(value, c)
          end
        end

        def replace_named_bind_variables(statement, bind_vars)
          statement.gsub(/(:?):([a-zA-Z]\w*)/) do |match|
            if $1 == ":" # skip postgresql casts
              match # return the whole match
            elsif bind_vars.include?(match = $2.to_sym)
              replace_bind_variable(bind_vars[match])
            else
              raise PreparedStatementInvalid, "missing value for :#{match} in #{statement}"
            end
          end
        end

        def quote_bound_value(value, c = connection)
          if value.respond_to?(:map) && !value.acts_like?(:string)
            if value.respond_to?(:empty?) && value.empty?
              c.quote(nil)
            else
              value.map { |v| c.quote(v) }.join(",")
            end
          else
            c.quote(value)
          end
        end

        def raise_if_bind_arity_mismatch(statement, expected, provided)
          unless expected == provided
            raise PreparedStatementInvalid, "wrong number of bind variables (#{provided} for #{expected}) in: #{statement}"
          end
        end
    end
  end
end
Use frozen-string-literal in ActiveRecord 2017-07-09 13:41:28 -04:00			`# frozen_string_literal: true`

Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`module ActiveRecord`
			`module Sanitization`
			`extend ActiveSupport::Concern`

			`module ClassMethods`
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`private`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00
Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Accepts an array or string of SQL conditions and sanitizes`
			`# them into a valid SQL fragment for a WHERE clause.`
			`#`
			`# sanitize_sql_for_conditions(["name=? and group_id=?", "foo'bar", 4])`
			`# # => "name='foo''bar' and group_id=4"`
			`#`
			`# sanitize_sql_for_conditions(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])`
			`# # => "name='foo''bar' and group_id='4'"`
			`#`
			`# sanitize_sql_for_conditions(["name='%s' and group_id='%s'", "foo'bar", 4])`
			`# # => "name='foo''bar' and group_id='4'"`
			`#`
			`# sanitize_sql_for_conditions("name='foo''bar' and group_id='4'")`
			`# # => "name='foo''bar' and group_id='4'"`
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def sanitize_sql_for_conditions(condition) # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`return nil if condition.blank?`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`case condition`
			`when Array; sanitize_sql_array(condition)`
			`else condition`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`
Deprecate `sanitize_conditions`. Use `sanitize_sql` instead Because `sanitize_conditions` protected method is only used in one place. 2016-07-31 00:11:30 -04:00			`alias :sanitize_sql :sanitize_sql_for_conditions`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00
Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Accepts an array, hash, or string of SQL conditions and sanitizes`
			`# them into a valid SQL fragment for a SET clause.`
			`#`
			`# sanitize_sql_for_assignment(["name=? and group_id=?", nil, 4])`
			`# # => "name=NULL and group_id=4"`
			`#`
			`# sanitize_sql_for_assignment(["name=:name and group_id=:group_id", name: nil, group_id: 4])`
			`# # => "name=NULL and group_id=4"`
			`#`
			`# Post.send(:sanitize_sql_for_assignment, { name: nil, group_id: 4 })`
			# # => "`posts`.`name` = NULL, `posts`.`group_id` = 4"
			`#`
			`# sanitize_sql_for_assignment("name=NULL and group_id='4'")`
			`# # => "name=NULL and group_id='4'"`
`self.` is not needed when calling its own instance method Actually, private methods cannot be called with `self.`, so it's not just redundant, it's a bad habit in Ruby 2017-01-05 03:20:57 -05:00			`def sanitize_sql_for_assignment(assignments, default_table_name = table_name) # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`case assignments`
			`when Array; sanitize_sql_array(assignments)`
			`when Hash; sanitize_sql_hash_for_assignment(assignments, default_table_name)`
			`else assignments`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`

Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Accepts an array, or string of SQL conditions and sanitizes`
			`# them into a valid SQL fragment for an ORDER clause.`
			`#`
			`# sanitize_sql_for_order(["field(id, ?)", [1,3,2]])`
			`# # => "field(id, 1,3,2)"`
			`#`
			`# sanitize_sql_for_order("id ASC")`
			`# # => "id ASC"`
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def sanitize_sql_for_order(condition) # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`if condition.is_a?(Array) && condition.first.to_s.include?("?")`
deal with Array arguments to #order 2017-10-12 13:48:48 -04:00			`# Ensure we aren't dealing with a subclass of String that might`
			`# override methods we use (eg. Arel::Nodes::SqlLiteral).`
			`if condition.first.kind_of?(String) && !condition.first.instance_of?(String)`
			`condition = [String.new(condition.first), *condition[1..-1]]`
			`end`

normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`sanitize_sql_array(condition)`
			`else`
			`condition`
			`end`
Define `sanitize_sql_for_order` for AR and use it inside `preprocess_order_args` This commit follows up of 6a6dbb4c51fb0c58ba1a810eaa552774167b758a. 2015-10-30 21:04:38 -04:00			`end`

Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Accepts a hash of SQL conditions and replaces those attributes`
			`# that correspond to a {#composed_of}[rdoc-ref:Aggregations::ClassMethods#composed_of]`
			`# relationship with their expanded aggregate attribute values.`
			`#`
			`# Given:`
			`#`
			`# class Person < ActiveRecord::Base`
			`# composed_of :address, class_name: "Address",`
			`# mapping: [%w(address_street street), %w(address_city city)]`
			`# end`
			`#`
			`# Then:`
			`#`
			`# { address: Address.new("813 abc st.", "chicago") }`
			`# # => { address_street: "813 abc st.", address_city: "chicago" }`
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def expand_hash_conditions_for_aggregates(attrs) # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`expanded_attrs = {}`
			`attrs.each do \|attr, value\|`
			`if aggregation = reflect_on_aggregation(attr.to_sym)`
			`mapping = aggregation.mapping`
			`mapping.each do \|field_attr, aggregate_attr\|`
			`if mapping.size == 1 && !value.respond_to?(aggregate_attr)`
			`expanded_attrs[field_attr] = value`
			`else`
			`expanded_attrs[field_attr] = value.send(aggregate_attr)`
			`end`
Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`end`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`else`
			`expanded_attrs[attr] = value`
Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`end`
			`end`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`expanded_attrs`
Revert "Removing composed_of from ActiveRecord." This reverts commit 14fc8b34521f8354a17e50cd11fa3f809e423592. Reason: we need to discuss a better path from this removal. Conflicts: activerecord/lib/active_record/reflection.rb activerecord/test/cases/base_test.rb activerecord/test/models/developer.rb 2012-07-27 17:21:29 -04:00			`end`

Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Sanitizes a hash of attribute/value pairs into SQL conditions for a SET clause.`
			`#`
			`# sanitize_sql_hash_for_assignment({ status: nil, group_id: 1 }, "posts")`
			# # => "`posts`.`status` = NULL, `posts`.`group_id` = 1"
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def sanitize_sql_hash_for_assignment(attrs, table) # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`c = connection`
			`attrs.map do \|attr, value\|`
			`value = type_for_attribute(attr.to_s).serialize(value)`
			`"#{c.quote_table_name_for_assignment(table, attr)} = #{c.quote(value)}"`
			`end.join(", ")`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00
Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Sanitizes a +string+ so that it is safe to use within an SQL`
			`# LIKE statement. This method uses +escape_character+ to escape all occurrences of "\", "_" and "%".`
			`#`
			`# sanitize_sql_like("100%")`
			`# # => "100\\%"`
			`#`
			`# sanitize_sql_like("snake_cased_string")`
			`# # => "snake\\_cased\\_string"`
			`#`
			`# sanitize_sql_like("100%", "!")`
			`# # => "100!%"`
			`#`
			`# sanitize_sql_like("snake_cased_string", "!")`
			`# # => "snake!_cased!_string"`
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def sanitize_sql_like(string, escape_character = "\\") # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`pattern = Regexp.union(escape_character, "%", "_")`
			`string.gsub(pattern) { \|x\| [escape_character, x].join }`
			`end`
SQL Like escaping helper method. [Rob Gilson & Yves Senn] Closes #14222. This is a follow up to #6104 This does not have the backwards compatibility issues brought up in implementation to break. 2014-02-27 13:34:21 -05:00
Fix broken comments indentation caused by rubocop auto-correct [ci skip] All indentation was normalized by rubocop auto-correct at 80e66cc4d90bf8c15d1a5f6e3152e90147f00772. But comments was still kept absolute position. This commit aligns comments with method definitions for consistency. 2016-09-14 04:57:52 -04:00			`# Accepts an array of conditions. The array has each value`
			`# sanitized and interpolated into the SQL statement.`
			`#`
			`# sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])`
			`# # => "name='foo''bar' and group_id=4"`
			`#`
			`# sanitize_sql_array(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])`
			`# # => "name='foo''bar' and group_id=4"`
			`#`
			`# sanitize_sql_array(["name='%s' and group_id='%s'", "foo'bar", 4])`
			`# # => "name='foo''bar' and group_id='4'"`
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def sanitize_sql_array(ary) # :doc:`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`statement, *values = ary`
			`if values.first.is_a?(Hash) && /:\w+/.match?(statement)`
			`replace_named_bind_variables(statement, values.first)`
			`elsif statement.include?("?")`
			`replace_bind_variables(statement, values)`
			`elsif statement.blank?`
			`statement`
			`else`
			`statement % values.collect { \|value\| connection.quote_string(value.to_s) }`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`

Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def replace_bind_variables(statement, values)`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`raise_if_bind_arity_mismatch(statement, statement.count("?"), values.size)`
			`bound = values.dup`
			`c = connection`
			`statement.gsub(/\?/) do`
			`replace_bind_variable(bound.shift, c)`
			`end`
Generate subquery for Relation passed as array condition for where Instead of executing 2 queries for fetching records filtered by array condition with Relation, added generation of subquery to current query. This behaviour will be consistent when passes Relation as hash condition to where Closes: #12415 2013-10-12 07:38:37 -04:00			`end`

Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def replace_bind_variable(value, c = connection)`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`if ActiveRecord::Relation === value`
			`value.to_sql`
			`else`
			`quote_bound_value(value, c)`
			`end`
Generate subquery for Relation passed as array condition for where Instead of executing 2 queries for fetching records filtered by array condition with Relation, added generation of subquery to current query. This behaviour will be consistent when passes Relation as hash condition to where Closes: #12415 2013-10-12 07:38:37 -04:00			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00
Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def replace_named_bind_variables(statement, bind_vars)`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`statement.gsub(/(:?):([a-zA-Z]\w*)/) do \|match\|`
			`if $1 == ":" # skip postgresql casts`
			`match # return the whole match`
			`elsif bind_vars.include?(match = $2.to_sym)`
			`replace_bind_variable(bind_vars[match])`
			`else`
			`raise PreparedStatementInvalid, "missing value for :#{match} in #{statement}"`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`
			`end`

Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def quote_bound_value(value, c = connection)`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`if value.respond_to?(:map) && !value.acts_like?(:string)`
			`if value.respond_to?(:empty?) && value.empty?`
			`c.quote(nil)`
			`else`
			`value.map { \|v\| c.quote(v) }.join(",")`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`else`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`c.quote(value)`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`
			`end`

Privatize unneededly protected methods in Active Record 2016-12-23 01:51:11 -05:00			`def raise_if_bind_arity_mismatch(statement, expected, provided)`
normalizes indentation and whitespace across the project 2016-08-06 13:55:02 -04:00			`unless expected == provided`
			`raise PreparedStatementInvalid, "wrong number of bind variables (#{provided} for #{expected}) in: #{statement}"`
			`end`
Split out most of the AR::Base code into separate modules :cake: 2011-12-15 15:07:41 -05:00			`end`
			`end`
			`end`
			`end`