Packages tab completion info API #512

Merged
merged 8 commits into from Jun 12, 2012


Contributor

This is an API endpoint for getting a complete list of package IDs and versions for tab completion. It is cached in a distributed cache, and the cached data is evicted when a new package is created. The cache is in memory when local, and uses Windows Azure caching when hosted there. The JSON format of the API:

[
  {
    "Id":"AnglicanGeek.MarkdownMailer",
    "Versions":
    [
      {
        "IsLatestStable":true,
        "IsPrerelease":false,
        "Version":"1.2"
      }
    ]
  },
  {
    "Id":"AnglicanGeek.SimpleContainer",
    "Versions":
    [
      {
        "IsLatestStable":true,
        "IsPrerelease":false,
        "Version":"0.2.0.0"
      }
    ]
  }
]

NOTE: I've been working on a much larger change that would move all package data into the distributed cache, which along with @pranavkm's search changes of adding more data to the index, would make the site blazing fast. But I've run into enough problems with that change that I decided to break out just the tab completion stuff into this smaller commit, and I'll start a second PR for the larger caching changes.

Contributor

Ugh, I just noticed that this PR has a bunch of funky formatting. I'll see if I can fix.

Contributor

@half-ogre I think the implementation with raw SQL queries + string.Format() in PackageIdsQuery.cs and PackageVersionsQuery.cs is vulnerable to SQL injection.

Contributor

Thanks @akoeplinger. I have a to-do to look into whether SqlQuery handles that, and if not, I'll change the approach.

Contributor

SqlQuery just gets a plain string because string.Format() did the insertion of parameters into the format string, so it'll be vulnerable.
You can actually pass the format string directly into SqlQuery, as shown here: http://blogs.msdn.com/b/diego/archive/2012/01/10/how-to-execute-stored-procedures-sqlquery-in-the-dbcontext-api.aspx
This way, you can get rid of string.Format() and it should be safe.
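
The before/after pattern @akoeplinger describes, as an added example that is not the gallery's own PackageIdsQuery.cs. The table name PackageRegistrations, the ExampleContext class and the exact column list are assumptions; only the `pr.ID` alias and `TOP 30` appear in the diff under review. `Database.SqlQuery<T>(string sql, params object[] parameters)` is the EF 4.x/5.x DbContext API that the linked post uses: each argument becomes a DbParameter bound to the matching `{n}` placeholder in the SQL text.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using System.Text;

namespace NuGetGallery.Examples
{
    // Stand-in for the gallery's real DbContext (assumed, not shown on the page).
    public class ExampleContext : DbContext
    {
        public ExampleContext(string nameOrConnectionString) : base(nameOrConnectionString) { }
    }

    public static class PackageIdsQueryExample
    {
        // BEFORE: the pattern flagged in the thread. The caller-supplied partialId is
        // spliced into the SQL text by string.Format, so an input such as
        //     x' UNION SELECT name FROM sys.tables --
        // changes the statement instead of the search term. Table name assumed.
        const string VulnerableSqlFormat = @"SELECT TOP 30 pr.ID
FROM PackageRegistrations pr
WHERE pr.ID LIKE '{0}%'";

        public static IEnumerable<string> ExecuteVulnerable(ExampleContext db, string partialId)
        {
            var sql = string.Format(VulnerableSqlFormat, partialId);   // injection point
            return db.Database.SqlQuery<string>(sql).ToList();
        }

        // AFTER: the {0} placeholder stays in the SQL text and the value is passed to
        // SqlQuery as an argument. EF binds it as a parameter, so it is always data.
        const string SafeSql = @"SELECT TOP 30 pr.ID
FROM PackageRegistrations pr
WHERE pr.ID LIKE {0} ESCAPE '\'";

        public static IEnumerable<string> ExecuteParameterized(ExampleContext db, string partialId)
        {
            // Parameterization stops injection but not LIKE metacharacters: a partialId of
            // "%" would still match every package. Escape them so the prefix is literal.
            var pattern = EscapeLikePattern(partialId ?? string.Empty) + "%";
            return db.Database.SqlQuery<string>(SafeSql, pattern).ToList();
        }

        // SQL Server LIKE wildcards: %, _, [ and the escape character itself.
        public static string EscapeLikePattern(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (var c in value)
            {
                if (c == '%' || c == '_' || c == '[' || c == '\\')
                {
                    sb.Append('\\');
                }
                sb.Append(c);
            }
            return sb.ToString();
        }
    }
}
```

The ESCAPE clause and the escaping helper are not part of the injection fix; they are there because a tab-completion prefix is user input that ends up in a LIKE pattern, and without them `%` or `_` in the prefix silently widens the match even though the query is no longer injectable.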

Contributor

Thanks for catching @akoeplinger.

Contributor

@NuGet/core-team Can I get a review? I'd like to get this stuff into master today so Test folks can start using the client changes and server changes together.

@half-ogre half-ogre commented on the diff Jun 11, 2012
Website/Queries/PackageVersionsQuery.cs
+using System;
+using System.Collections.Generic;
+using System.Data.Entity;
+
+namespace NuGetGallery
+{
+ public interface IPackageVersionsQuery
+ {
+ IEnumerable<string> Execute(
+ string id,
+ bool? includePrerelease = false);
+ }
+
+ public class PackageVersionsQuery : IPackageVersionsQuery
+ {
+ const string _sqlFormat = @"SELECT p.[Version]
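Review bot: `const string _sqlFormat` is a format string that `Execute(string id, ...)` fills in with a caller-supplied id, which is the string.Format/SqlQuery injection @akoeplinger raised on this PR; keep the `{0}` placeholder in the SQL and pass `id` as an argument to `Database.SqlQuery<string>(_sql, id)` so EF binds it as a parameter, and drop the `Format` suffix once string.Format is gone. Also, `bool? includePrerelease = false` accepts null while defaulting to false; either make it a plain `bool` or document on `IPackageVersionsQuery` what a null means.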
half-ogre Jun 11, 2012 Contributor

I'll take another stab at doing these through EF instead of SQL. I couldn't get the resulting SQL quite where I wanted it, but they're simple now, so maybe I can.

@half-ogre half-ogre commented on the diff Jun 11, 2012
Website/Queries/PackageIdsQuery.cs
@@ -0,0 +1,49 @@
+using System.Collections.Generic;
+using System.Data.Entity;
+
+namespace NuGetGallery
+{
+ public interface IPackageIdsQuery
+ {
+ IEnumerable<string> Execute(
+ string partialId,
+ bool? includePrerelease = false);
+ }
+
+ public class PackageIdsQuery : IPackageIdsQuery
+ {
+ const string _partialIdSqlFormat = @"SELECT TOP 30 pr.ID
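Review bot: `SELECT TOP 30 pr.ID` hard-codes a 30-result cap that nothing on `IPackageIdsQuery.Execute` documents; state the limit on the interface (or lift it into a named constant) so tab-completion callers know that a prefix with more than 30 matches returns a truncated list. Same parameterization concern as PackageVersionsQuery: `partialId` should be passed to SqlQuery as an argument rather than through string.Format, and since it is a prefix, if it lands in a LIKE pattern the `%` and `_` wildcards need escaping too.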
half-ogre Jun 11, 2012 Contributor

I'll take another stab at doing these through EF instead of SQL. I couldn't get the resulting SQL quite where I wanted it, but they're simple now, so maybe I can.

Member

Ship It.

@half-ogre half-ogre merged commit 764a1f2 into master Jun 12, 2012