lib/groupdate/relation_builder.rb in groupdate-5.1.0 vs lib/groupdate/relation_builder.rb in groupdate-5.2.0
- old
+ new
@@ -1,10 +1,13 @@
module Groupdate
class RelationBuilder
attr_reader :period, :column, :day_start, :week_start, :n_seconds
def initialize(relation, column:, period:, time_zone:, time_range:, week_start:, day_start:, n_seconds:)
+ # very important
+ validate_column(column)
+
@relation = relation
@column = resolve_column(relation, column)
@period = period
@time_zone = time_zone
@time_range = time_range
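Review bot: The `# very important` comment above the new `validate_column(column)` call tells the next maintainer nothing about what is important or why, and the reason is worth recording because the check only warns in this version; replace it with something like `# validate before resolve_column: a String column is later interpolated into SQL (see where_clause), and validate_column only warns here, so the call order and that warning are the whole check for non-Symbol, non-Arel input`. The call sits correctly before `resolve_column`, so the raw caller-supplied value is what gets checked rather than the resolved form. initialize continues past the end of this hunk.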
@@ -186,13 +189,30 @@
clause.gsub(/ (\-|\+) INTERVAL 0 second/, "")
end
def where_clause
if @time_range.is_a?(Range)
- op = @time_range.exclude_end? ? "<" : "<="
- ["#{column} >= ? AND #{column} #{op} ?", @time_range.first, @time_range.last]
+ if @time_range.end
+ op = @time_range.exclude_end? ? "<" : "<="
+ if @time_range.begin
+ ["#{column} >= ? AND #{column} #{op} ?", @time_range.first, @time_range.last]
+ else
+ ["#{column} #{op} ?", @time_range.last]
+ end
+ else
+ ["#{column} >= ?", @time_range.first]
+ end
else
["#{column} IS NOT NULL"]
+ end
+ end
+
+ # basic version of Active Record disallow_raw_sql!
+ # symbol = column (safe), Arel node = SQL (safe), other = untrusted
+ def validate_column(column)
+ # matches table.column and column
+ unless column.is_a?(Symbol) || column.is_a?(Arel::Nodes::SqlLiteral) || /\A\w+(\.\w+)?\z/i.match(column.to_s)
+ warn "[groupdate] Non-attribute argument: #{column}. Use Arel.sql() for known-safe values. This will raise an error in Groupdate 6"
end
end
# resolves eagerly
# need to convert both where_clause (easy)
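Review bot: The endless-range branch of `where_clause` still calls `@time_range.first`, so a range with neither bound (`nil..nil` is still a `Range`) fails the `@time_range.end` test and then raises `RangeError` from `first` instead of producing a clause; guarding the lower bound as well routes that case to the existing null check, i.e. replace the inner `else` with `elsif @time_range.begin`, keep the `["#{column} >= ?", @time_range.first]` line, and add `else` / `["#{column} IS NOT NULL"]` before the inner `end`. A smaller point in `validate_column`: the `/i` flag on `/\A\w+(\.\w+)?\z/i` is a no-op because `\w` already matches both cases, and since this regex is the only gate between a caller-supplied String and the `"#{column} …"` interpolations in `where_clause`, its comment should say so explicitly rather than only "matches table.column and column". Whether `validate_column` ends up under `private` depends on a section marker outside this hunk.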