Merge pull request #1 from Karlotcha/version-0.1.0

version 0.1.0
kalinchuk · Nov 14, 2016 · 45c57b3 · 45c57b3
2 parents 669f39c + 90d0ff4
commit 45c57b3
Show file tree

Hide file tree

Showing 13 changed files with 470 additions and 103 deletions.
diff --git a/.ruby-version b/.ruby-version
diff --git a/Gemfile b/Gemfile
@@ -5,7 +5,12 @@ gem 'rake', '~> 10.3.2'
 gem 'nokogiri', '~> 1.6.6.2'
 
 group :development, :test do
+  gem 'rb-readline'
+  gem 'pry', '~>  0.10.1'
+  gem 'pry-byebug', '~> 3.1'
   gem 'guard-rspec', '~> 4.3.1', require: false
   gem 'activerecord', '~> 4.2.1'
   gem 'simplecov', '~> 0.8.2'
-end
+  gem 'vcr', '~> 2.9'
+  gem 'webmock', '~> 1.24'
+end
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2012-2016 Artem Kalinchuk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/README.rdoc b/README.rdoc
@@ -44,13 +44,20 @@ or, in your Gemfile
   quickbase.api.delete_record(7)
 
 == Setting a proxy
-  
+
   quickbase = Quickbase::Connection.new(:apptoken => "apptoken", :dbid => "dbid", :http_proxy => "http://my.proxy.com:80")
 
   the sytem http_proxy, https_proxy and no_proxy environment variable will be respected if you don't explicity pass a proxy
 
 == Changes
 
+  11/11/2016 - version 0.1.0
+  - fix security vulnerabilities to xml injections
+  - add vcr to tests
+  - add MIT license
+  - remove deprecated classes
+  - fix warnings with gemspec
+
   04/01/2015
   - Added proxy support
 

diff --git a/lib/classes/api.rb b/lib/classes/api.rb
@@ -1,11 +1,11 @@
 module Quickbase
   class API
     attr_accessor :connection
-  
+
     def initialize(connection)
-      instance_variable_set "@connection", connection
+      @connection = connection
     end
-  
+
     # Documentation at http://www.quickbase.com/api-guide/do_query.html
     def do_query(params)
       params[:fmt] = 'structured' if params[:fmt].nil? or params[:fmt].empty?
@@ -17,49 +17,44 @@ def do_query(params)
       records = array_of_records.empty? ? response.xpath("//record") : array_of_records
       return [] if records.empty?
 
-      records.map{|record|
+      records.map do |record|
         array_of_fields = record.xpath("f[@type='array']/f")
         fields = array_of_fields.empty? ? record.xpath("f") : array_of_fields
-        Hash[fields.to_enum(:each_with_index).collect{|field,index|
+        Hash[fields.to_enum(:each_with_index).collect { |field,index|
           field_val = ""
           field_val_xpath = field.xpath("__content__").first
           field_val = field_val_xpath.content unless field_val_xpath.nil?
           Hash[keys[index],field_val]
         }.map(&:flatten)]
-      }
+      end
     end
-    
+
     def do_query_return_nokogiri_obj(params)
       #useful method for debugging
       params[:fmt] = 'structured' if params[:fmt].nil? or params[:fmt].empty?
       clist = params[:clist].to_s.split(".")
       friendly = params[:friendly].to_s.split(".")
       keys = friendly.empty? ? clist : friendly.map(&:to_sym)
-      response = connection.http.post("API_DoQuery", Quickbase::Helper.hash_to_xml(params))
-      return response
+      connection.http.post("API_DoQuery", Quickbase::Helper.hash_to_xml(params))
     end
-    
+
     # Documentation at http://www.quickbase.com/api-guide/add_record.html
     def add_record(fields)
       fields = Quickbase::Helper.generate_fields(fields)
       connection.http.post("API_AddRecord", fields)
     end
-    
+
     # Documentation at http://www.quickbase.com/api-guide/edit_record.html
     def edit_record(rid, fields)
       tags = Quickbase::Helper.generate_fields(fields)
       tags << Quickbase::Helper.hash_to_xml({:rid => rid.to_s})
       connection.http.post("API_EditRecord", tags)
     end
-    
+
     # Documentation at http://www.quickbase.com/api-guide/delete_record.html
     def delete_record(rid)
       tags = Quickbase::Helper.hash_to_xml({:rid => rid.to_s})
       connection.http.post("API_DeleteRecord", tags)
     end
   end
-
-  class Api < API
-    puts "Class Api will be deprecated. Please use API instead."
-  end
-end
+end
diff --git a/lib/classes/connection.rb b/lib/classes/connection.rb
@@ -23,14 +23,14 @@ def initialize(options = {})
     end
 
     def instantiate
-      config = {
-          :username => username,
-          :password => password,
-          :hours => hours,
-          :apptoken => apptoken,
-          :dbid => dbid,
-          :org => org,
-          :http_proxy => http_proxy
+      {
+        username: username,
+        password: password,
+        hours: hours,
+        apptoken: apptoken,
+        dbid: dbid,
+        org: org,
+        http_proxy: http_proxy
       }
     end
 
@@ -42,4 +42,4 @@ def api
       Quickbase::API.new(self)
     end
   end
-end
+end
diff --git a/lib/classes/helper.rb b/lib/classes/helper.rb
@@ -1,21 +1,24 @@
 module Quickbase
   class Helper
-    def self.hash_to_xml(hash)
-      hash.map{|key,value|
+    def self.hash_to_xml(my_hash)
+      my_hash.map do |k,v|
+        key = k.to_s.encode(xml: :text)
+        value = v.to_s.encode(xml: :text)
         "<#{key}>#{value}</#{key}>"
-      }
+      end
     end
-
-    def self.generate_xml(params)
-      Nokogiri::XML("<qdbapi>#{params.join}</qdbapi>")
+
+    def self.generate_xml(xml_input)
+      # xml_input is an array of xml strings
+      # you can use hash_to_xml to generate it
+      Nokogiri::XML("<qdbapi>#{xml_input.join}</qdbapi>")
     end
-    
+
     def self.generate_fields(fields)
-      fields.map{|key,value|
-        field = "<field "
-        fid = (key =~ /^[-+]?[0-9]+$/) ? field.concat('fid="'+key.to_s+'"') : field.concat('name="'+key.to_s+'"')
-        field.concat(">#{value}</field>")
-      }
+      fields.map do |key,value|
+        attr_name = (key =~ /^[-+]?[0-9]+$/) ? 'fid' : 'name'
+        "<field #{attr_name}=#{key.to_s.encode(xml: :attr)}>#{value.to_s.encode(xml: :text)}</field>"
+      end
     end
   end
-end
+end
diff --git a/lib/classes/http.rb b/lib/classes/http.rb
@@ -59,8 +59,4 @@ def error_handler(response)
       end
     end
   end
-
-  class Http < HTTP
-    puts "Class Http will be deprecated. Please use HTTP instead."
-  end
-end
+end
diff --git a/quickbase.gemspec b/quickbase.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = %q{quickbase}
-  s.version = "0.0.12"
+  s.version = "0.1.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Artem Kalinchuk"]
@@ -13,6 +13,8 @@ Gem::Specification.new do |s|
   s.rubyforge_project = %q{quickbase}
   s.rubygems_version = %q{1.8.5}
   s.summary = %q{Quickbase Ruby Gem}
+  s.homepage = 'https://github.com/kalinchuk/quickbase'
+  s.license = 'MIT'
   s.add_dependency(%q<nokogiri>, [">= 0"])
   s.add_dependency(%q<httparty>, [">= 0"])
   s.add_dependency(%q<activesupport>, [">= 0"])

diff --git a/spec/cassettes/do_query.yml b/spec/cassettes/do_query.yml