require 'spec_helper' class AddressSanitizer < InputSanitizer::V2::PayloadSanitizer string :city string :zip end class TagSanitizer < InputSanitizer::V2::PayloadSanitizer integer :id string :name nested :addresses, :sanitizer => AddressSanitizer, :collection => true end class TestedPayloadSanitizer < InputSanitizer::V2::PayloadSanitizer integer :array, :collection => true integer :array_nil, :collection => true, :allow_nil => true string :status, :allow => ['current', 'past'] string :status_with_empty, :allow => ['', 'current', 'past'] string :regexp_string, :regexp => /^#?([a-f0-9]{6}|[a-f0-9]{3})$/ string :utf8mb4_string, :strip_4byte_chars => true string :value_restricted_utf8mb4_string, :strip_4byte_chars => true, :allow => ['test'] string :non_blank_utf8mb4_string, :strip_4byte_chars => true, :allow_blank => false string :size_restricted_utf8mb4_string, :strip_4byte_chars => true, :minimum => 2, :maximum => 4 nested :address, :sanitizer => AddressSanitizer nested :nullable_address, :sanitizer => AddressSanitizer, :allow_nil => true nested :tags, :sanitizer => TagSanitizer, :collection => true float :float_attribute, :minimum => 1, :maximum => 100 integer :integer_attribute, :minimum => 1, :maximum => 100 string :string_attribute boolean :bool_attribute datetime :datetime_attribute date :date_attribute, :minimum => Date.new(-2015, 01, 01), :maximum => Date.new(2015, 12, 31) url :website string :limited_collection, :collection => { :minimum => 1, :maximum => 2 }, :minimum => 2, :maximum => 12 string :allow_collection, :collection => true, :allow => ['yes', 'no'] end class BlankValuesPayloadSanitizer < InputSanitizer::V2::PayloadSanitizer string :required_string, :required => true datetime :non_nil_datetime, :allow_nil => false url :non_blank_url, :allow_blank => false end class CustomConverterWithProvidedValue < InputSanitizer::V2::PayloadSanitizer integer :from custom :to, :provide => :from, :converter => lambda { |value, options| InputSanitizer::V2::Types::IntegerCheck.new.call(value) raise InputSanitizer::ValueError.new(value, options[:provided][:from], nil) if options[:provided][:from] > value value } end describe InputSanitizer::V2::PayloadSanitizer do let(:sanitizer) { TestedPayloadSanitizer.new(@params) } let(:cleaned) { sanitizer.cleaned } describe "collections" do it "is invalid if collection is not an array" do @params = { :array => {} } sanitizer.should_not be_valid end it "is valid if collection is an array" do @params = { :array => [] } sanitizer.should be_valid end it "is valid if collection is an nil and allow_nil is passed" do @params = { :array_nil => nil } sanitizer.should be_valid end it "is invalid if there are too few elements" do @params = { :limited_collection => [] } sanitizer.should_not be_valid end it "is invalid if there are too many elements" do @params = { :limited_collection => ['bear', 'bear', 'bear'] } sanitizer.should_not be_valid end it "is valid when there are just enough elements" do @params = { :limited_collection => ['goldilocks'] } sanitizer.should be_valid end it "is invalid when any of the elements are too long" do @params = { :limited_collection => ['more_than_the_limit'] } sanitizer.should_not be_valid end it "is invalid when any of the elements are too short" do @params = { :limited_collection => ['a'] } sanitizer.should_not be_valid end it "is invalid when given disallowed value in a collection" do @params = { :allow_collection => ['yes', 'no', 'whoa'] } sanitizer.should_not be_valid end it "is valid when given allowed values in a collection" do @params = { :allow_collection => ['yes', 'no'] } sanitizer.should be_valid end end describe "allow option" do it "is valid when given an allowed string" do @params = { :status => 'past' } sanitizer.should be_valid end it "is invalid when given an empty string" do @params = { :status => '' } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/status') end it "is valid when given an allowed empty string" do @params = { :status_with_empty => '' } sanitizer.should be_valid end it "is invalid when given a disallowed string" do @params = { :status => 'current bad string' } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/status') end end describe "minimum and maximum options" do it "is invalid if integer is lower than the minimum" do @params = { :integer_attribute => 0 } sanitizer.should_not be_valid end it "is invalid if integer is greater than the maximum" do @params = { :integer_attribute => 101 } sanitizer.should_not be_valid end it "is valid when integer is within given range" do @params = { :limited_collection => ['goldilocks'] } sanitizer.should be_valid end it "is invalid if float is lower than the minimum" do @params = { :float_attribute => 0.0 } sanitizer.should_not be_valid end it "is invalid if float is greater than the maximum" do @params = { :float_attribute => 101.0 } sanitizer.should_not be_valid end end describe "strip_4byte_chars option" do it "is valid when given a string with 4-byte chars" do @params = { :utf8mb4_string => "test \u{1F435} value" } sanitizer.should be_valid end it "returns sanitized string without 4-byte chars" do @params = { :utf8mb4_string => "test\u{1F435}" } sanitizer[:utf8mb4_string].should eq "test" end it "properly handles string with 4-byte char at the beginning" do @params = { :utf8mb4_string => "\u{1F435} 4-byte char at the beginning" } sanitizer[:utf8mb4_string].should eq ' 4-byte char at the beginning' end it "properly handles string with 4-byte char in the middle" do @params = { :utf8mb4_string => "4-byte char\u{1F435} in the middle" } sanitizer[:utf8mb4_string].should eq '4-byte char in the middle' end it "properly handles string with 4-byte char at the end" do @params = { :utf8mb4_string => "4-byte char at the end \u{1F435}" } sanitizer[:utf8mb4_string].should eq '4-byte char at the end ' end it "does not strip 3-byte chars" do @params = { :utf8mb4_string => "Test \u{270A}" } sanitizer[:utf8mb4_string].should eq "Test \u{270A}" end describe "when used with other options" do describe "allow" do it "is valid when string matches any value in allowlist before stripping 4-byte chars" do @params = { :value_restricted_utf8mb4_string => "test" } sanitizer.should be_valid end it "is invalid when string doesn't match any value in allowlist before stripping 4-byte chars" do @params = { :value_restricted_utf8mb4_string => "test\u{1F435}" } sanitizer.should_not be_valid end end describe "allow_blank=false" do it "is invalid when string is already blank before stripping 4-byte chars" do @params = { :non_blank_utf8mb4_string => " " } sanitizer.should_not be_valid end it "is invalid when string becomes blank as a result of stripping 4-byte chars" do @params = { :non_blank_utf8mb4_string => " \u{1F435} " } sanitizer.should_not be_valid end end describe "minimum and maximum" do it "is invalid when string is already too long before stripping 4-byte chars" do @params = { :size_restricted_utf8mb4_string => "1234\u{1F435}" } sanitizer.should_not be_valid end it "is invalid when string becomes too short as a result of stripping 4-byte chars" do @params = { :size_restricted_utf8mb4_string => "1\u{1F435}" } sanitizer.should_not be_valid end end end end describe "strict param checking" do it "is invalid when given extra params" do @params = { :extra => 'test', :extra2 => 1 } sanitizer.should_not be_valid sanitizer.errors.count.should eq(2) end it "is invalid when given extra params in a nested sanitizer" do @params = { :address => { :extra => 0 }, :tags => [ { :extra2 => 1 } ] } sanitizer.should_not be_valid sanitizer.errors.map(&:field).should contain_exactly('/address/extra', '/tags/0/extra2') end end describe "converters with provided values" do let(:sanitizer) { CustomConverterWithProvidedValue.new(@params) } it "is valid when converter passes check with provided value" do @params = {from: 1, to: 3} sanitizer.should be_valid end it "is invalid when converter does not pass check with provided value" do @params = {from: 3, to: 1} sanitizer.should_not be_valid end end describe "strict type checking" do it "is invalid when given string instead of integer" do @params = { :integer_attribute => '1' } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/integer_attribute') end it "is valid when given an integer" do @params = { :integer_attribute => 50 } sanitizer.should be_valid sanitizer[:integer_attribute].should eq(50) end it "is invalid when given a float" do @params = { :integer_attribute => 50.99 } sanitizer.should_not be_valid end it "is valid when given nil for an integer" do @params = { :integer_attribute => nil } sanitizer.should be_valid sanitizer[:integer_attribute].should be_nil end it "is invalid when given string instead of float" do @params = { :float_attribute => '1' } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/float_attribute') end it "is valid when given a float" do @params = { :float_attribute => 50.0 } sanitizer.should be_valid sanitizer[:float_attribute].should eq(50.0) end it "is valid when given nil for a float" do @params = { :float_attribute => nil } sanitizer.should be_valid sanitizer[:float_attribute].should be_nil end it "is valid when given string is matching regexp" do @params = { :regexp_string => "#8bd635" } sanitizer.should be_valid sanitizer[:regexp_string].should eq('#8bd635') end it "is invalid when given string is not matching regexp" do @params = { :regexp_string => "not a hex value" } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/regexp_string') end it "is invalid when given integer instead of string" do @params = { :string_attribute => 0 } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/string_attribute') end it "is invalid when given float instead of string" do @params = { :string_attribute => 3.1415 } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/string_attribute') end it "is valid when given a string" do @params = { :string_attribute => '#@!#%#$@#ad' } sanitizer.should be_valid sanitizer[:string_attribute].should eq('#@!#%#$@#ad') end it "is invalid when given 'yes' as a bool" do @params = { :bool_attribute => 'yes' } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/bool_attribute') end it "is valid when given true as a bool" do @params = { :bool_attribute => true } sanitizer.should be_valid end it "is valid when given false as a bool" do @params = { :bool_attribute => false } sanitizer.should be_valid end it "is invalid when given an incorrect datetime" do @params = { :datetime_attribute => "2014-08-2716:32:56Z" } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/datetime_attribute') end it "is valid when given a correct datetime" do @params = { :datetime_attribute => "2014-08-27T16:32:56Z" } sanitizer.should be_valid end it "is valid when given a 'forever' timestamp" do @params = { :datetime_attribute => "9999-12-31T00:00:00Z" } sanitizer.should be_valid end it "is invalid when given an incorrect date" do @params = { :date_attribute => "invalid" } sanitizer.should_not be_valid sanitizer.errors[0].field.should eq('/date_attribute') end it "is valid when given a correct date" do @params = { :date_attribute => "2015-08-27" } sanitizer.should be_valid end it "is valid when given a correct negative date" do @params = { :date_attribute => "-2014-08-27" } sanitizer.should be_valid end it "is valid when given a correct URL" do @params = { :website => "https://google.com" } sanitizer.should be_valid sanitizer[:website].should eq("https://google.com") end it "is invalid when given an invalid URL" do @params = { :website => "ht:/google.com" } sanitizer.should_not be_valid end it "is invalid when given an invalid URL that contains a valid URL" do @params = { :website => "watwat http://google.com wat" } sanitizer.should_not be_valid end describe "blank and required values" do let(:sanitizer) { BlankValuesPayloadSanitizer.new(@params) } let(:defaults) { { :required_string => 'zz' } } it "is invalid if required string is missing" do @params = {} sanitizer.should_not be_valid sanitizer.errors[0].should be_an_instance_of(InputSanitizer::ValueMissingError) sanitizer.errors[0].field.should eq('/required_string') end it "is invalid if required string is nil" do @params = { :required_string => nil } sanitizer.should_not be_valid sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError) sanitizer.errors[0].field.should eq('/required_string') end it "is invalid if required string is blank" do @params = { :required_string => ' ' } sanitizer.should_not be_valid sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError) sanitizer.errors[0].field.should eq('/required_string') end it "is invalid if non-nil datetime is null" do @params = defaults.merge({ :non_nil_datetime => nil }) sanitizer.should_not be_valid sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError) sanitizer.errors[0].field.should eq('/non_nil_datetime') end it "is valid if non-nil datetime is blank" do @params = defaults.merge({ :non_nil_datetime => '' }) sanitizer.should be_valid end it "is invalid if non-blank url is nil" do @params = defaults.merge({ :non_blank_url => nil }) sanitizer.should_not be_valid sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError) sanitizer.errors[0].field.should eq('/non_blank_url') end it "is invalid if non-blank url is blank" do @params = defaults.merge({ :non_blank_url => '' }) sanitizer.should_not be_valid sanitizer.errors[0].should be_an_instance_of(InputSanitizer::BlankValueError) sanitizer.errors[0].field.should eq('/non_blank_url') end end describe "nested checking" do describe "simple array" do it "returns JSON pointer for invalid fields" do @params = { :array => [1, 'z', '3', 4] } sanitizer.errors.length.should eq(2) sanitizer.errors.map(&:field).should contain_exactly('/array/1', '/array/2') end end describe "nested object" do it "returns an error when given a nil for a nested value" do @params = { :address => nil } sanitizer.should_not be_valid end it "returns an error when given a string for a nested value" do @params = { :address => 'nope' } sanitizer.should_not be_valid end it "returns an error when given an array for a nested value" do @params = { :address => ['a'] } sanitizer.should_not be_valid end it "returns JSON pointer for invalid fields" do @params = { :address => { :city => 0, :zip => 1 } } sanitizer.errors.length.should eq(2) sanitizer.errors.map(&:field).should contain_exactly('/address/city', '/address/zip') end it "allows nil with `allow_nil` flag" do @params = { :nullable_address => nil } sanitizer.should be_valid sanitizer.cleaned.fetch(:nullable_address).should eq(nil) end end describe "array of nested objects" do it "is valid when given a collection of nested objects" do @params = { :tags => [{:id => 1, :name => "crm", :addresses => []}]} sanitizer.should be_valid end it "returns an error when given a nil for a collection" do @params = { :tags => nil } sanitizer.should_not be_valid end it "returns an error when given a string for a collection" do @params = { :tags => 'nope' } sanitizer.should_not be_valid end it "returns an error when given an collection of raw values" do @params = { :tags => ['nope'] } sanitizer.should_not be_valid sanitizer.errors.length.should eq(1) sanitizer.errors.map(&:field).should contain_exactly('/tags/0') end it "returns an error when given a hash for a collection" do @params = { :tags => { :a => 1 } } sanitizer.should_not be_valid end it "returns JSON pointer for invalid fields" do @params = { :tags => [ { :id => 'n', :name => 1 }, { :id => 10, :name => 2 } ] } sanitizer.errors.length.should eq(3) sanitizer.errors.map(&:field).should contain_exactly( '/tags/0/id', '/tags/0/name', '/tags/1/name' ) end end describe "array of nested objects that have array of nested objects" do it "returns JSON pointer for invalid fields" do @params = { :tags => [ { :id => 'n', :addresses => [ { :city => 0 }, { :city => 1 } ] }, { :name => 2, :addresses => [ { :city => 3 } ] }, ] } sanitizer.errors.length.should eq(5) sanitizer.errors.map(&:field).should contain_exactly( '/tags/0/id', '/tags/0/addresses/0/city', '/tags/0/addresses/1/city', '/tags/1/name', '/tags/1/addresses/0/city' ) ec = sanitizer.error_collection ec.length.should eq(5) end end end end end