Commit 627bae9

authored

Merge pull request #1268 from json-api-dotnet/harden-attributes

Harden Attr/Relationship attributes against invalid input

2 parents 5301d04 + 338c63e commit 627bae9Copy full SHA for 627bae9

File tree

14 files changed

+536

-13

lines changed

src
- JsonApiDotNetCore.Annotations/Resources/Annotations
- JsonApiDotNetCore
  - Queries
    - FieldSelectors.cs
    - Internal
      - Parsing
        FilterParser.cs
      - QueryableBuilding
        SelectClauseBuilder.cs
  - Repositories
    - EntityFrameworkCoreRepository.cs
test
- JsonApiDotNetCoreTests
  - IntegrationTests/QueryStrings/SparseFieldSets
    - SparseFieldSetTests.cs
  - UnitTests/ResourceGraph
- TestBuildingBlocks
  - DbContextExtensions.cs

14 files changed

+536

-13

lines changed

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/AttrAttribute.cs‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ public AttrCapabilities Capabilities`
`31`	`31`	`set => _capabilities = value;`
`32`	`32`	`}`
`33`	`33`
	`34`	`+ /// <inheritdoc />`
`34`	`35`	`public override bool Equals(object? obj)`
`35`	`36`	`{`
`36`	`37`	`if (ReferenceEquals(this, obj))`
`@@ -48,6 +49,7 @@ public override bool Equals(object? obj)`
`48`	`49`	`return Capabilities == other.Capabilities && base.Equals(other);`
`49`	`50`	`}`
`50`	`51`
	`52`	`+ /// <inheritdoc />`
`51`	`53`	`public override int GetHashCode()`
`52`	`54`	`{`
`53`	`55`	`return HashCode.Combine(Capabilities, base.GetHashCode());`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/HasManyAttribute.cs‎`

Lines changed: 30 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+using System.Collections;`
`1`	`2`	`using JetBrains.Annotations;`
`2`	`3`
`3`	`4`	`// ReSharper disable NonReadonlyMemberInGetHashCode`
`@@ -65,6 +66,34 @@ private bool EvaluateIsManyToMany()`
`65`	`66`	`return false;`
`66`	`67`	`}`
`67`	`68`
	`69`	`+ /// <inheritdoc />`
	`70`	`+ public override void SetValue(object resource, object? newValue)`
	`71`	`+ {`
	`72`	`+ ArgumentGuard.NotNull(newValue);`
	`73`	`+ AssertIsIdentifiableCollection(newValue);`
	`74`	`+`
	`75`	`+ base.SetValue(resource, newValue);`
	`76`	`+ }`
	`77`	`+`
	`78`	`+ private void AssertIsIdentifiableCollection(object newValue)`
	`79`	`+ {`
	`80`	`+ if (newValue is not IEnumerable enumerable)`
	`81`	`+ {`
	`82`	`+ throw new InvalidOperationException($"Resource of type '{newValue.GetType()}' must be a collection.");`
	`83`	`+ }`
	`84`	`+`
	`85`	`+ foreach (object? element in enumerable)`
	`86`	`+ {`
	`87`	`+ if (element == null)`
	`88`	`+ {`
	`89`	`+ throw new InvalidOperationException("Resource collection must not contain null values.");`
	`90`	`+ }`
	`91`	`+`
	`92`	`+ AssertIsIdentifiable(element);`
	`93`	`+ }`
	`94`	`+ }`
	`95`	`+`
	`96`	`+ /// <inheritdoc />`
`68`	`97`	`public override bool Equals(object? obj)`
`69`	`98`	`{`
`70`	`99`	`if (ReferenceEquals(this, obj))`
`@@ -82,6 +111,7 @@ public override bool Equals(object? obj)`
`82`	`111`	`return _capabilities == other._capabilities && base.Equals(other);`
`83`	`112`	`}`
`84`	`113`
	`114`	`+ /// <inheritdoc />`
`85`	`115`	`public override int GetHashCode()`
`86`	`116`	`{`
`87`	`117`	`return HashCode.Combine(_capabilities, base.GetHashCode());`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/HasOneAttribute.cs‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,14 @@ private bool EvaluateIsOneToOne()`
`64`	`64`	`return false;`
`65`	`65`	`}`
`66`	`66`
	`67`	`+ /// <inheritdoc />`
	`68`	`+ public override void SetValue(object resource, object? newValue)`
	`69`	`+ {`
	`70`	`+ AssertIsIdentifiable(newValue);`
	`71`	`+ base.SetValue(resource, newValue);`
	`72`	`+ }`
	`73`	`+`
	`74`	`+ /// <inheritdoc />`
`67`	`75`	`public override bool Equals(object? obj)`
`68`	`76`	`{`
`69`	`77`	`if (ReferenceEquals(this, obj))`
`@@ -81,6 +89,7 @@ public override bool Equals(object? obj)`
`81`	`89`	`return _capabilities == other._capabilities && base.Equals(other);`
`82`	`90`	`}`
`83`	`91`
	`92`	`+ /// <inheritdoc />`
`84`	`93`	`public override int GetHashCode()`
`85`	`94`	`{`
`86`	`95`	`return HashCode.Combine(_capabilities, base.GetHashCode());`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/RelationshipAttribute.cs‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ public bool CanInclude`
`86`	`86`	`set => _canInclude = value;`
`87`	`87`	`}`
`88`	`88`
	`89`	`+ /// <inheritdoc />`
`89`	`90`	`public override bool Equals(object? obj)`
`90`	`91`	`{`
`91`	`92`	`if (ReferenceEquals(this, obj))`
`@@ -103,6 +104,7 @@ public override bool Equals(object? obj)`
`103`	`104`	`return _rightType?.ClrType == other._rightType?.ClrType && Links == other.Links && base.Equals(other);`
`104`	`105`	`}`
`105`	`106`
	`107`	`+ /// <inheritdoc />`
`106`	`108`	`public override int GetHashCode()`
`107`	`109`	`{`
`108`	`110`	`return HashCode.Combine(_rightType?.ClrType, Links, base.GetHashCode());`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/ResourceFieldAttribute.cs‎`

Lines changed: 16 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,7 @@ internal set`
`68`	`68`	`public object? GetValue(object resource)`
`69`	`69`	`{`
`70`	`70`	`ArgumentGuard.NotNull(resource);`
	`71`	`+ AssertIsIdentifiable(resource);`
`71`	`72`
`72`	`73`	`if (Property.GetMethod == null)`
`73`	`74`	`{`
`@@ -82,17 +83,18 @@ internal set`
`82`	`83`	`{`
`83`	`84`	`throw new InvalidOperationException(`
`84`	`85`	`$"Unable to get property value of '{Property.DeclaringType!.Name}.{Property.Name}' on instance of type '{resource.GetType().Name}'.",`
`85`		`- exception);`
	`86`	`+ exception.InnerException??exception);`
`86`	`87`	`}`
`87`	`88`	`}`
`88`	`89`
`89`	`90`	`/// <summary>`
`90`	`91`	`/// Sets the value of this field on the specified resource instance. Throws if the property is read-only or if the field does not belong to the specified`
`91`	`92`	`/// resource instance.`
`92`	`93`	`/// </summary>`
`93`		`- public void SetValue(object resource, object? newValue)`
	`94`	`+ public virtualvoid SetValue(object resource, object? newValue)`
`94`	`95`	`{`
`95`	`96`	`ArgumentGuard.NotNull(resource);`
	`97`	`+ AssertIsIdentifiable(resource);`
`96`	`98`
`97`	`99`	`if (Property.SetMethod == null)`
`98`	`100`	`{`
`@@ -107,15 +109,25 @@ public void SetValue(object resource, object? newValue)`
`107`	`109`	`{`
`108`	`110`	`throw new InvalidOperationException(`
`109`	`111`	`$"Unable to set property value of '{Property.DeclaringType!.Name}.{Property.Name}' on instance of type '{resource.GetType().Name}'.",`
`110`		`- exception);`
	`112`	`+ exception.InnerException??exception);`
`111`	`113`	`}`
`112`	`114`	`}`
`113`	`115`
	`116`	`+ protected void AssertIsIdentifiable(object? resource)`
	`117`	`+ {`
	`118`	`+ if (resource != null && resource is not IIdentifiable)`
	`119`	`+ {`
	`120`	`+ throw new InvalidOperationException($"Resource of type '{resource.GetType()}' does not implement {nameof(IIdentifiable)}.");`
	`121`	`+ }`
	`122`	`+ }`
	`123`	`+`
	`124`	`+ /// <inheritdoc />`
`114`	`125`	`public override string? ToString()`
`115`	`126`	`{`
`116`	`127`	`return _publicName ?? (_property != null ? _property.Name : base.ToString());`
`117`	`128`	`}`
`118`	`129`
	`130`	`+ /// <inheritdoc />`
`119`	`131`	`public override bool Equals(object? obj)`
`120`	`132`	`{`
`121`	`133`	`if (ReferenceEquals(this, obj))`
`@@ -133,6 +145,7 @@ public override bool Equals(object? obj)`
`133`	`145`	`return _publicName == other._publicName && _property == other._property;`
`134`	`146`	`}`
`135`	`147`
	`148`	`+ /// <inheritdoc />`
`136`	`149`	`public override int GetHashCode()`
`137`	`150`	`{`
`138`	`151`	`return HashCode.Combine(_publicName, _property);`

`‎src/JsonApiDotNetCore/Queries/FieldSelectors.cs‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,10 @@ public void IncludeAttributes(IEnumerable<AttrAttribute> attributes)`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`
`55`		`- public void IncludeRelationship(RelationshipAttribute relationship, QueryLayer? queryLayer)`
	`55`	`+ public void IncludeRelationship(RelationshipAttribute relationship, QueryLayer queryLayer)`
`56`	`56`	`{`
`57`	`57`	`ArgumentGuard.NotNull(relationship);`
	`58`	`+ ArgumentGuard.NotNull(queryLayer);`
`58`	`59`
`59`	`60`	`this[relationship] = queryLayer;`
`60`	`61`	`}`

`‎src/JsonApiDotNetCore/Queries/Internal/Parsing/FilterParser.cs‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -420,7 +420,7 @@ private object ConvertStringToType(string value, Type type)`
`420`	`420`
`421`	`421`	`private Converter<string, object> GetConstantValueConverterForAttribute(AttrAttribute attribute)`
`422`	`422`	`{`
`423`		`- return stringValue => attribute.Property.Name == nameof(IIdentifiable<object>.Id)`
	`423`	`+ return stringValue => attribute.Property.Name == nameof(Identifiable<object>.Id)`
`424`	`424`	`? DeObfuscateStringId(attribute.Type.ClrType, stringValue)`
`425`	`425`	`: ConvertStringToType(stringValue, attribute.Property.PropertyType);`
`426`	`426`	`}`

`‎src/JsonApiDotNetCore/Queries/Internal/QueryableBuilding/SelectClauseBuilder.cs‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -162,9 +162,9 @@ private void IncludeAllScalarProperties(Type elementType, Dictionary<PropertyInf`
`162`	`162`
`163`	`163`	`private static void IncludeFields(FieldSelectors fieldSelectors, Dictionary<PropertyInfo, PropertySelector> propertySelectors)`
`164`	`164`	`{`
`165`		`- foreach ((ResourceFieldAttribute resourceField, QueryLayer? queryLayer) in fieldSelectors)`
	`165`	`+ foreach ((ResourceFieldAttribute resourceField, QueryLayer? nextLayer) in fieldSelectors)`
`166`	`166`	`{`
`167`		`- var propertySelector = new PropertySelector(resourceField.Property, queryLayer);`
	`167`	`+ var propertySelector = new PropertySelector(resourceField.Property, nextLayer);`
`168`	`168`	`IncludeWritableProperty(propertySelector, propertySelectors);`
`169`	`169`	`}`
`170`	`170`	`}`

`‎src/JsonApiDotNetCore/Repositories/EntityFrameworkCoreRepository.cs‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,8 @@ public virtual Task<TResource> GetForCreateAsync(Type resourceClrType, TId id, C`
`163`	`163`	`id`
`164`	`164`	`});`
`165`	`165`
	`166`	`+ ArgumentGuard.NotNull(resourceClrType);`
	`167`	`+`
`166`	`168`	`var resource = (TResource)_resourceFactory.CreateInstance(resourceClrType);`
`167`	`169`	`resource.Id = id;`
`168`	`170`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/QueryStrings/SparseFieldSets/SparseFieldSetTests.cs‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -791,7 +791,7 @@ public async Task Cannot_select_ToMany_relationship_with_blocked_capability()`
`791`	`791`	`}`
`792`	`792`
`793`	`793`	`[Fact]`
`794`		`- public async Task Retrieves_all_properties_when_fieldset_contains_readonly_attribute()`
	`794`	`+ public async Task Fetches_all_scalar_properties_when_fieldset_contains_readonly_attribute()`
`795`	`795`	`{`
`796`	`796`	`// Arrange`
`797`	`797`	`var store = _testContext.Factory.Services.GetRequiredService<ResourceCaptureStore>();`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 627bae9

File tree

14 files changed

14 files changed

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/AttrAttribute.cs‎`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/HasManyAttribute.cs‎`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/HasOneAttribute.cs‎`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/RelationshipAttribute.cs‎`

`‎src/JsonApiDotNetCore.Annotations/Resources/Annotations/ResourceFieldAttribute.cs‎`

`‎src/JsonApiDotNetCore/Queries/FieldSelectors.cs‎`

`‎src/JsonApiDotNetCore/Queries/Internal/Parsing/FilterParser.cs‎`

`‎src/JsonApiDotNetCore/Queries/Internal/QueryableBuilding/SelectClauseBuilder.cs‎`

`‎src/JsonApiDotNetCore/Repositories/EntityFrameworkCoreRepository.cs‎`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/QueryStrings/SparseFieldSets/SparseFieldSetTests.cs‎`

0 commit comments