X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/72d7d41944006d1f48f570784dafe56b9812b0c8..49dabf8a44770ab79960ceb91b08c2cb19eb2730:/services/api/lib/record_filters.rb
diff --git a/services/api/lib/record_filters.rb b/services/api/lib/record_filters.rb
index 409e48a6f0..b15207b14e 100644
--- a/services/api/lib/record_filters.rb
+++ b/services/api/lib/record_filters.rb
@@ -136,21 +136,38 @@ module RecordFilters
 raise ArgumentError.new("Invalid operator for subproperty search '#{operator}'")
 end
 elsif operator == "exists"
- if col.type != :jsonb
+ if col.nil? or col.type != :jsonb
 raise ArgumentError.new("Invalid attribute '#{attr}' for operator '#{operator}' in filter")
 end
 cond_out << "jsonb_exists(#{attr_table_name}.#{attr}, ?)"
 param_out << operand
+ elsif expr = /^ *\( *(\w+) *(<=?|>=?|=) *(\w+) *\) *$/.match(attr)
+ if operator != '=' || ![true,"true"].index(operand)
+ raise ArgumentError.new("Invalid expression filter '#{attr}': subsequent elements must be [\"=\", true]")
+ end
+ operator = expr[2]
+ attr1, attr2 = expr[1], expr[3]
+ allowed = attr_model_class.searchable_columns(operator)
+ [attr1, attr2].each do |tok|
+ if !allowed.index(tok)
+ raise ArgumentError.new("Invalid attribute in expression: '#{tok}'")
+ end
+ col = attr_model_class.columns.select { |c| c.name == tok }.first
+ if col.type != :integer
+ raise ArgumentError.new("Non-numeric attribute in expression: '#{tok}'")
+ end
+ end
+ cond_out << "#{attr1} #{operator} #{attr2}"
 else
 if !attr_model_class.searchable_columns(operator).index(attr) && !(col.andand.type == :jsonb && ['contains', '=', '<>', '!='].index(operator))
 raise ArgumentError.new("Invalid attribute '#{attr}' in filter")
 end
+ attr_type = attr_model_class.attribute_column(attr).type
 case operator
 when '=', '<', '<=', '>', '>=', '!=', 'like', 'ilike'
- attr_type = attr_model_class.attribute_column(attr).type
 operator = '<>' if operator == '!='
 if operand.is_a? String
 if attr_type == :boolean
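Review bot: The expression branch emits `cond_out << "#{attr1} #{operator} #{attr2}"` without the `#{attr_table_name}.` prefix that every other condition in this method carries, so a query that joins a table with an integer column of the same name would produce an ambiguous-column error; `cond_out << "#{attr_table_name}.#{attr1} #{operator} #{attr_table_name}.#{attr2}"` keeps it consistent. Only the `\w+` captures reach SQL and each is checked against searchable_columns and for `:integer` type, so this is not an injection path, but the regex anchors should be `\A`/`\z` rather than `^`/`$`, which in Ruby match per line and would accept a multi-line attr string. The block-level `col = attr_model_class.columns.select { |c| c.name == tok }.first` reassigns the method's existing `col` local (the one tested by `col.nil?` above) rather than a block-local, so a distinct name such as `tok_col` avoids the surprise. The enclosing method starts and ends outside this hunk.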
@@ -164,8 +181,8 @@ module RecordFilters
 when '0', 'f', 'false', 'n', 'no'
 operand = false
 else
- raise ArgumentError("Invalid operand '#{operand}' for " \
- "boolean attribute '#{attr}'")
+ raise ArgumentError.new("Invalid operand '#{operand}' for " \
+ "boolean attribute '#{attr}'")
 end
 end
 if operator == '<>'
@@ -189,6 +206,10 @@ module RecordFilters
 cond_out << "#{attr_table_name}.#{attr} #{operator} ?"
 param_out << operand
 elsif (attr_type == :integer)
+ if !operand.is_a?(Integer) || operand.bit_length > 64
+ raise ArgumentError.new("Invalid operand '#{operand}' "\
+ "for integer attribute '#{attr}'")
+ end
 cond_out << "#{attr_table_name}.#{attr} #{operator} ?"
 param_out << operand
 else
@@ -196,17 +217,24 @@ module RecordFilters
 "for '#{operator}' operator in filters")
 end
 when 'in', 'not in'
- if operand.is_a? Array
- cond_out << "#{attr_table_name}.#{attr} #{operator} (?)"
- param_out << operand
- if operator == 'not in' and not operand.include?(nil)
- # explicitly allow NULL
- cond_out[-1] = "(#{cond_out[-1]} OR #{attr_table_name}.#{attr} IS NULL)"
- end
- else
+ if !operand.is_a? Array
 raise ArgumentError.new("Invalid operand type '#{operand.class}' "\
 "for '#{operator}' operator in filters")
 end
+ if attr_type == :integer
+ operand.each do |el|
+ if !el.is_a?(Integer) || el.bit_length > 64
+ raise ArgumentError.new("Invalid element '#{el}' in array "\
+ "for integer attribute '#{attr}'")
+ end
+ end
+ end
+ cond_out << "#{attr_table_name}.#{attr} #{operator} (?)"
+ param_out << operand
+ if operator == 'not in' and not operand.include?(nil)
+ # explicitly allow NULL
+ cond_out[-1] = "(#{cond_out[-1]} OR #{attr_table_name}.#{attr} IS NULL)"
+ end
 when 'is_a'
 operand = [operand] unless operand.is_a? Array
 cond = []
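Review bot: `operand.bit_length > 64` in the `:integer` branch does not bound the operand to a signed 64-bit range: Integer#bit_length excludes the sign bit, so `2**63` through `2**64 - 1` (and their negatives down to `-2**64`) pass this check even though they overflow a PostgreSQL bigint, which is presumably the range it is meant to enforce. `if !operand.is_a?(Integer) || operand.bit_length > 63` rejects exactly the values outside `-2**63..2**63-1`. The same comparison is repeated in the per-element check of the `'in', 'not in'` hunk below; one small predicate such as `int64?(x)` would keep the two in step. The enclosing method starts and ends outside this hunk.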
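Review bot: For integer attributes the new per-element check raises on a `nil` member, so the `not operand.include?(nil)` test a few lines later can no longer be false for them and the `IS NULL` alternative is appended to every `not in` on an integer column. If nil members were meant to stay valid in the list (the retained `# explicitly allow NULL` logic suggests callers may send them), add `next if el.nil?` as the first line of the `operand.each do |el|` block; if rejecting them is intended, a one-line comment on the `include?(nil)` check noting it only applies to non-integer columns would save the next reader the question. The enclosing method continues outside this hunk.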