From 9f9751b614f317993c2c66b7b8cd0ba247f981a3 Mon Sep 17 00:00:00 2001 From: Olaf Alders Date: Fri, 5 Mar 2021 10:40:08 -0500 Subject: [PATCH 1/4] v2.000001 - Bump minimum PPI version to 1.222 (GH#1) (Olaf Alders) --- Changes | 2 +- META.json | 19 ++++++++++++++++--- Makefile.PL | 5 +++-- README.md | 2 +- cpanfile | 3 ++- 5 files changed, 23 insertions(+), 8 deletions(-) diff --git a/Changes b/Changes index 11c3093..51d53f8 100644 --- a/Changes +++ b/Changes @@ -1,5 +1,5 @@ Revision history for Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection -{{$NEXT}} +2.000001 2021-03-05 15:39:11Z - Bump minimum PPI version to 1.222 (GH#1) (Olaf Alders) 2.000000 2021-03-04 22:59:36Z diff --git a/META.json b/META.json index b5a6ab4..c32077b 100644 --- a/META.json +++ b/META.json @@ -57,6 +57,7 @@ "runtime" : { "requires" : { "Carp" : "0", + "PPI" : "1.222", "PPIx::QuoteLike" : "0.015", "Perl::Critic::Policy" : "0", "Perl::Critic::Utils" : "0", @@ -76,7 +77,7 @@ "requires" : { "ExtUtils::MakeMaker" : "0", "File::Spec" : "0", - "PPI" : "0", + "PPI" : "1.222", "Test::FailWarnings" : "0", "Test::More" : "0", "Test::Perl::Critic" : "0", @@ -97,7 +98,7 @@ "web" : "https://github.com/oalders/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection" } }, - "version" : "2.000000", + "version" : "2.000001", "x_Dist_Zilla" : { "perl" : { "version" : "5.030002" @@ -655,7 +656,7 @@ "branch" : null, "changelog" : "Changes", "signed" : 0, - "tag" : "v2.000000", + "tag" : "v2.000001", "tag_format" : "v%V", "tag_message" : "v%V" }, @@ -749,6 +750,17 @@ "name" : "StaticInstall", "version" : "0.012" }, + { + "class" : "Dist::Zilla::Plugin::Prereqs", + "config" : { + "Dist::Zilla::Plugin::Prereqs" : { + "phase" : "runtime", + "type" : "requires" + } + }, + "name" : "RuntimeRequires", + "version" : "6.017" + }, { "class" : "Dist::Zilla::Plugin::FinderCode", "name" : ":InstallModules", 
@@ -812,6 +824,7 @@ "Charlie Garrison ", "Guillaume Aubert ", "Nelson Ferraz ", + "Olaf Alders ", "Olaf Alders ", "Victor " ], diff --git a/Makefile.PL b/Makefile.PL index cc9dac9..9fe5363 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -18,6 +18,7 @@ my %WriteMakefileArgs = ( "NAME" => "Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection", "PREREQ_PM" => { "Carp" => 0, + "PPI" => "1.222", "PPIx::QuoteLike" => "0.015", "Perl::Critic::Policy" => 0, "Perl::Critic::Utils" => 0, @@ -31,7 +32,7 @@ my %WriteMakefileArgs = ( "TEST_REQUIRES" => { "ExtUtils::MakeMaker" => 0, "File::Spec" => 0, - "PPI" => 0, + "PPI" => "1.222", "Test::FailWarnings" => 0, "Test::More" => 0, "Test::Perl::Critic" => 0, @@ -48,7 +49,7 @@ my %FallbackPrereqs = ( "Carp" => 0, "ExtUtils::MakeMaker" => 0, "File::Spec" => 0, - "PPI" => 0, + "PPI" => "1.222", "PPIx::QuoteLike" => "0.015", "Perl::Critic::Policy" => 0, "Perl::Critic::Utils" => 0, diff --git a/README.md b/README.md index 2271c65..17352e6 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection - Prevent SQL in # VERSION -version 2.000000 +version 2.000001 # DESCRIPTION diff --git a/cpanfile b/cpanfile index c19e137..9e2a0bc 100644 --- a/cpanfile +++ b/cpanfile @@ -2,6 +2,7 @@ # Do not edit this file directly. To change prereqs, edit the `dist.ini` file. requires "Carp" => "0"; +requires "PPI" => "1.222"; requires "PPIx::QuoteLike" => "0.015"; requires "Perl::Critic::Policy" => "0"; requires "Perl::Critic::Utils" => "0"; @@ -16,7 +17,7 @@ requires "warnings" => "0"; on 'test' => sub { requires "ExtUtils::MakeMaker" => "0"; requires "File::Spec" => "0"; - requires "PPI" => "0"; + requires "PPI" => "1.222"; requires "Test::FailWarnings" => "0"; requires "Test::More" => "0"; requires "Test::Perl::Critic" => "0"; From 931be80c7ec5f3e68a7137231e2af07e10b82111 Mon Sep 17 00:00:00 2001 
From: Olaf Alders Date: Fri, 5 Mar 2021 10:40:09 -0500 Subject: [PATCH 2/4] increment $VERSION after 2.000001 release --- Changes | 2 ++ Makefile.PL | 2 +- .../Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Changes b/Changes index 51d53f8..d259a0f 100644 --- a/Changes +++ b/Changes @@ -1,4 +1,6 @@ Revision history for Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection +{{$NEXT}} + 2.000001 2021-03-05 15:39:11Z - Bump minimum PPI version to 1.222 (GH#1) (Olaf Alders) diff --git a/Makefile.PL b/Makefile.PL index 9fe5363..984b8e7 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -38,7 +38,7 @@ my %WriteMakefileArgs = ( "Test::Perl::Critic" => 0, "Test::Perl::Critic::Policy" => 0 }, - "VERSION" => "2.000001", + "VERSION" => "2.000002", "test" => { "TESTS" => "t/*.t" } diff --git a/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm b/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm index 9df7973..d69e202 100644 --- a/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm +++ b/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm @@ -4,7 +4,7 @@ use 5.006001; use strict; use warnings; -our $VERSION = '2.000001'; +our $VERSION = '2.000002'; use base 'Perl::Critic::Policy'; From aea1fb75b30c1dbf4a6a5e425a62af5d0480e0a5 Mon Sep 17 00:00:00 2001 From: Steve Rogerson Date: Fri, 19 Jul 2024 16:59:03 +0100 Subject: [PATCH 3/4] Allow list of variables to be passed --- README.md | 8 +++++- .../PreventSQLInjection.pm | 25 ++++++++++++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 17352e6..0b88cee 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection - Prevent SQL in # VERSION -version 2.000001 +version 2.000002 # DESCRIPTION 
@@ -62,6 +62,12 @@ For example, to declare `quote_function()` and By default, no functions are considered safe. + +## safe_variables + +A space separated string of variables we know are safe. + + ## prefer\_upper\_case\_keywords A boolean indicating whether you'd prefer to detect only SELECT, INSERT, UPDATE diff --git a/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm b/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm index d69e202..a91153c 100644 --- a/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm +++ b/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm @@ -215,6 +215,11 @@ Readonly::Scalar my $QUOTING_METHODS_DEFAULT => q| Readonly::Scalar my $SAFE_FUNCTIONS_DEFAULT => q| |; +# Default for the name of the variables that are safe to +# concatenate to SQL strings. +Readonly::Scalar my $SAFE_VARIABLES_DEFAULT => q| +|; + # Default for the name of the functions that are generally safe to use (because they # are not expected to generate SQL calls -- unless you are doing something really, # really weird.) @@ -281,6 +286,13 @@ sub supported_parameters { default_string => '0', behavior => 'boolean', }, + { + name => 'safe_variables', + description => + 'A space-separated string listing the variables that are a safely quoted value', + default_string => $SAFE_VARIABLES_DEFAULT, + behavior => 'string', + }, ); } 
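Review bot: The `description` of the new `safe_variables` parameter is ungrammatical ("variables that are a safely quoted value") and does not tell the user the accepted format, even though `get_safe_elements` later splits the value on `/[,\s]+/`; I would write `description => 'A space- or comma-separated list of variable names that are treated as safely quoted SQL wherever they appear',`. Unlike the per-line `## SQL safe` annotations held in the `_sqlsafe` cache, this allowlist is matched by name for the whole file, so the README text in the same patch (`A space separated string of variables we know are safe.`) should warn that a listed variable is trusted regardless of where it is assigned, and that a later reassignment from untrusted input will not be reported. Whether entries are expected with their sigil (`$dbh` vs `dbh`) is not visible in this patch and should be stated in the description once confirmed. The default `q|\n|` is a bare newline rather than an empty string, which works only because the later `split` drops empty fields; `q||` would express the intent directly.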
@@ -791,10 +803,13 @@ sub get_safe_elements { # If there's nothing in the cache for that line, return immediately. return {} - if !exists( $self->{'_sqlsafe'}->{$line_number} ); + if !exists( $self->{'_sqlsafe'}->{$line_number} ) && !exists( $self->{_safe_variables}); # Return a hash of safe element names. - return { map { $_ => 1 } @{ $self->{'_sqlsafe'}->{$line_number} } }; + my %hash = map { $_ => 1 } @{ $self->{'_sqlsafe'}->{$line_number} }; + # Return a hash of safe element names. + map {$hash{$_} = 1 } split( /[,\s]+/, $self->{'_safe_variables'} ); + return \%hash; } =head2 parse_comments() @@ -889,7 +904,11 @@ sub parse_config_parameters { $self->{'_safe_context_regex'} = undef; } } - + # Strip surrounding quotes. + if ( exists( $self->{'_safe_variables'} ) ) { + $self->{'_safe_variables'} =~ s/^['" ]+//; + $self->{'_safe_variables'} =~ s/['" ]+$//; + } return; } From 85b6a908285a457080288023e557e7cc3de01e32 Mon Sep 17 00:00:00 2001 From: Steve Rogerson Date: Fri, 19 Jul 2024 17:03:27 +0100 Subject: [PATCH 4/4] Add some more perl versions and bump some action versions to prevent deprecation warnings. --- .github/workflows/dzil-build-and-test.yml | 34 ++++++++++++++++------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/.github/workflows/dzil-build-and-test.yml b/.github/workflows/dzil-build-and-test.yml index 30058c1..26db23b 100644 --- a/.github/workflows/dzil-build-and-test.yml +++ b/.github/workflows/dzil-build-and-test.yml @@ -10,6 +10,7 @@ on: - "*" schedule: - cron: "15 4 * * 0" # Every Sunday morning + workflow_dispatch: jobs: build-job: @@ -18,7 +19,7 @@ jobs: container: image: perldocker/perl-tester:5.32 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Run Tests env: AUTHOR_TESTING: 1 @@ -26,7 +27,7 @@ jobs: EXTENDED_TESTING: 1 RELEASE_TESTING: 1 run: auto-build-and-test-dist - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@v4 with: name: build_dir path: build_dir 
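Review bot: The new `!exists( $self->{_safe_variables} )` clause on the early return will, as far as I can see, never be true, because `supported_parameters` gives `safe_variables` a `default_string` and Perl::Critic populates the slot on every run; the condition that matters is whether the trimmed string is non-empty. With the guard effectively disabled, `@{ $self->{'_sqlsafe'}->{$line_number} }` is evaluated for lines with no cache entry, which under `map` I believe autovivifies an empty array into `_sqlsafe` rather than dying — harmless for the returned hash, but a read that mutates the cache. I would write `return {} if !exists( $self->{'_sqlsafe'}->{$line_number} ) && $self->{'_safe_variables'} !~ /\S/;` and iterate `@{ $self->{'_sqlsafe'}->{$line_number} || [] }`. The `map {$hash{$_} = 1 } split(...)` in void context is itself a Perl::Critic violation in a Perl::Critic policy; `$hash{$_} = 1 for split /[,\s]+/, $self->{'_safe_variables'};` is the idiomatic form, and the duplicated `# Return a hash of safe element names.` comment should go. get_safe_elements starts outside the hunk.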
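Review bot: The quote stripping added to `parse_config_parameters` only removes quotes and spaces at the two ends of the whole string, so a value written as `"$dbh" "$table"` becomes `$dbh" "$table` and `get_safe_elements` then splits it into `$dbh"` and `"$table`, neither of which can match a variable; either strip per entry after splitting or document that names are given bare. Because this parameter only widens what the policy stays silent about, a malformed entry fails open without any diagnostic; I would reject entries that do not look like a Perl variable, e.g. `croak "safe_variables: bad entry '$_'" for grep { !/\A[\$\@%]?\w+(?:::\w+)*\z/ } split /[,\s]+/, $self->{'_safe_variables'};` (Carp is already a runtime prerequisite per META.json; the exact name format the policy compares against is not visible here, so adjust the pattern to it). The diffstat shows only README.md and the .pm touched, so the patch adds no test under t/ for the new parameter and no Changes entry; a test that a listed variable suppresses a violation and an unlisted one still fires would pin the behaviour.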
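Review bot: The actions bumped in this hunk (`actions/checkout@v4`, `actions/upload-artifact@v4`) are still referenced by floating major tag, so the job runs whatever commit the tag points to at run time; since this job produces the `build_dir` artifact every other job installs and tests, pin to a full commit SHA with the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v4`. The new `workflow_dispatch:` trigger is fine, but no `permissions:` block is visible in the hunk (the top of the file is outside it), so the default `GITHUB_TOKEN` scope applies; if none exists, a workflow-level `permissions: contents: read` is the cheapest hardening available. The `perldocker/perl-tester:5.32` container on the context line is likewise a mutable tag; pinning by digest would make the build reproducible.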
@@ -37,8 +38,8 @@ jobs: container: image: perldocker/perl-tester:5.32 steps: - - uses: actions/checkout@v2 # codecov wants to be inside a Git repository - - uses: actions/download-artifact@v2 + - uses: actions/checkout@v4 # codecov wants to be inside a Git repository + - uses: actions/download-artifact@v4 with: name: build_dir path: . @@ -54,7 +55,7 @@ jobs: matrix: os: [ubuntu-20.04] perl-version: - - "5.8" + # - "5.8" Won't build - "5.10" - "5.12" - "5.14" @@ -67,13 +68,17 @@ jobs: - "5.28" - "5.30" - "5.32" + - "5.34" + - "5.36" + - "5.38" + - "5.40" name: perl ${{ matrix.perl-version }} on ${{ matrix.os }} steps: - name: set up perl uses: shogo82148/actions-setup-perl@v1 with: perl-version: ${{ matrix.perl-version }} - - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@v4 with: name: build_dir path: . @@ -94,7 +99,7 @@ jobs: matrix: os: [macos-latest] perl-version: - - "5.8" + # - "5.8" - "5.10" - "5.12" - "5.14" @@ -107,13 +112,17 @@ jobs: - "5.28" - "5.30" - "5.32" + - "5.34" + - "5.36" + - "5.38" + - "5.40" name: perl ${{ matrix.perl-version }} on ${{ matrix.os }} steps: - name: set up perl uses: shogo82148/actions-setup-perl@v1 with: perl-version: ${{ matrix.perl-version }} - - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@v4 with: name: build_dir path: . @@ -135,7 +144,7 @@ jobs: os: [windows-latest] perl-version: - "5.14" - - "5.16" + # - "5.16" Doesn't work - "5.18" - "5.20" - "5.22" @@ -143,6 +152,11 @@ jobs: - "5.26" - "5.28" - "5.30" + - "5.32" + # - "5.34" + - "5.36" + - "5.38" + # - "5.40" name: perl ${{ matrix.perl-version }} on ${{ matrix.os }} steps: - name: set up perl @@ -150,7 +164,7 @@ jobs: with: perl-version: ${{ matrix.perl-version }} distribution: strawberry # this option only used on windows - - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@v4 with: name: build_dir path: .
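Review bot: The ubuntu matrix adds perl 5.34–5.40 but keeps `os: [ubuntu-20.04]`, an older hosted-runner image whose retirement GitHub has since scheduled (hedged: not visible in the diff, check the current runner image list); moving to `ubuntu-22.04` or `ubuntu-latest` now avoids the new entries silently stopping. The commented-out entries (`# - "5.8" Won't build`, `# - "5.16" Doesn't work`, and the bare `# - "5.34"` / `# - "5.40"` on Windows) record no cause or tracking issue, so the next maintainer cannot tell whether they are temporary; one line each such as `# - "5.34" # no strawberry build available, see tracking issue` would help. `shogo82148/actions-setup-perl@v1` is a third-party action on a floating tag that installs the interpreter the tests run under; pinning it to a commit SHA is the same supply-chain hygiene as for the first-party actions bumped in this patch.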