Fix 628 CSV parsing errors (#937)

lgebhardt · lgebhardt · commit de7e7d349c3a · 2017-01-17T11:08:48.000-05:00
* Added test and potential fix for #628. * Add handling for CSV parsing errors. (cherry picked from commit 9306ec0)
diff --git a/lib/jsonapi/request_parser.rb b/lib/jsonapi/request_parser.rb
@@ -210,23 +210,28 @@ def check_include(resource_klass, include_parts)
       end
     end
 
-    def parse_include_directives(include)
-      return if include.nil?
+    def parse_include_directives(raw_include)
+      return unless raw_include
 
       unless JSONAPI.configuration.allow_include
         fail JSONAPI::Exceptions::ParametersNotAllowed.new([:include])
       end
 
-      included_resources = CSV.parse_line(include)
-      return if included_resources.nil?
+      included_resources = []
+      begin
+        included_resources += CSV.parse_line(raw_include)
+      rescue CSV::MalformedCSVError
+        fail JSONAPI::Exceptions::InvalidInclude.new(format_key(@resource_klass._type), raw_include)
+      end
+
+      return if included_resources.empty?
 
-      include = []
-      included_resources.each do |included_resource|
+      result = included_resources.map do |included_resource|
         check_include(@resource_klass, included_resource.partition('.'))
-        include.push(unformat_key(included_resource).to_s)
+        unformat_key(included_resource).to_s
       end
 
-      @include_directives = JSONAPI::IncludeDirectives.new(@resource_klass, include)
+      @include_directives = JSONAPI::IncludeDirectives.new(@resource_klass, result)
     end
 
     def parse_filters(filters)
@@ -265,7 +270,15 @@ def parse_sort_criteria(sort_criteria)
         fail JSONAPI::Exceptions::ParametersNotAllowed.new([:sort])
       end
 
-      @sort_criteria = CSV.parse_line(URI.unescape(sort_criteria)).collect do |sort|
+      sorts = []
+      begin
+        raw = URI.unescape(sort_criteria)
+        sorts += CSV.parse_line(raw)
+      rescue CSV::MalformedCSVError
+        fail JSONAPI::Exceptions::InvalidSortCriteria.new(format_key(@resource_klass._type), raw)
+      end
+
+      @sort_criteria = sorts.collect do |sort|
         if sort.start_with?('-')
           sort_criteria = { field: unformat_key(sort[1..-1]).to_s }
           sort_criteria[:direction] = :desc
diff --git a/lib/jsonapi/resource.rb b/lib/jsonapi/resource.rb
@@ -820,7 +820,11 @@ def is_filter_relationship?(filter)
       def verify_filter(filter, raw, context = nil)
         filter_values = []
         if raw.present?
-          filter_values += raw.is_a?(String) ? CSV.parse_line(raw) : [raw]
+          begin
+            filter_values += raw.is_a?(String) ? CSV.parse_line(raw) : [raw]
+          rescue CSV::MalformedCSVError
+            filter_values << raw
+          end
         end
 
         strategy = _allowed_filters.fetch(filter, Hash.new)[:verify]
diff --git a/test/integration/requests/request_test.rb b/test/integration/requests/request_test.rb
@@ -45,6 +45,15 @@ def test_get_underscored_key
     JSONAPI.configuration = original_config
   end
 
+  def test_filter_with_value_containing_double_quote
+    original_config = JSONAPI.configuration.dup
+    JSONAPI.configuration.json_key_format = :underscored_key
+    get '/iso_currencies?filter[country_name]=%22'
+    assert_jsonapi_response 200
+  ensure
+    JSONAPI.configuration = original_config
+  end
+
   def test_get_underscored_key_filtered
     original_config = JSONAPI.configuration.dup
     JSONAPI.configuration.json_key_format = :underscored_key
@@ -1063,6 +1072,26 @@ def test_sort_parameter_not_allowed
     JSONAPI.configuration.allow_sort = true
   end
 
+  def test_sort_parameter_quoted
+    get '/api/v2/books?sort=%22title%22', headers: { 'Accept' => JSONAPI::MEDIA_TYPE }
+    assert_jsonapi_response 200
+  end
+
+  def test_sort_parameter_openquoted
+    get '/api/v2/books?sort=%22title', headers: { 'Accept' => JSONAPI::MEDIA_TYPE }
+    assert_jsonapi_response 400
+  end
+
+  def test_include_parameter_quoted
+    get '/api/v2/posts?include=%22author%22', headers: { 'Accept' => JSONAPI::MEDIA_TYPE }
+    assert_jsonapi_response 200
+  end
+
+  def test_include_parameter_openquoted
+    get '/api/v2/posts?include=%22author', headers: { 'Accept' => JSONAPI::MEDIA_TYPE }
+    assert_jsonapi_response 400
+  end
+
   def test_getting_different_resources_when_sti
     assert_cacheable_jsonapi_get '/vehicles'
     types = json_response['data'].map{|r| r['type']}.sort
