Merge pull request #13 from kettasoft/2.2.1

kettasoft · web-flow · commit 6bbeb997f74a · 2025-08-28T19:31:46.000+03:00
Fix: enforce sanitizing across all filter engines
diff --git a/src/Contracts/FilterableContext.php b/src/Contracts/FilterableContext.php
@@ -8,5 +8,13 @@
   ExpressionEngineContext,
   InvokableEngineContext
 };
+use Kettasoft\Filterable\Sanitization\Sanitizer;
 
-interface FilterableContext extends TreeFilterableContext, RulesetFilterableContect, ExpressionEngineContext, InvokableEngineContext {}
+interface FilterableContext extends TreeFilterableContext, RulesetFilterableContect, ExpressionEngineContext, InvokableEngineContext
+{
+  /**
+   * Get sanitizer instance.
+   * @return Sanitizer
+   */
+  public function getSanitizerInstance(): Sanitizer;
+}
diff --git a/src/Engines/Expression.php b/src/Engines/Expression.php
@@ -42,7 +42,7 @@ public function execute(Builder $builder)
       $dissector = Dissector::parse($condition, $this->defaultOperator());
 
       $clause = (new ClauseFactory($this))->make(
-        new Payload($field, $dissector->operator, $dissector->value, null)
+        new Payload($field, $dissector->operator, $this->sanitizeValue($field, $dissector->value), $dissector->value)
       );
 
       if (! $clause->validated) {
diff --git a/src/Engines/Foundation/Engine.php b/src/Engines/Foundation/Engine.php
@@ -97,4 +97,17 @@ public function getResources(): Resources
   {
     return $this->context->getResources();
   }
+
+  /**
+   * Sanitize the given value using the sanitizer instance.
+   *
+   * @param mixed $filed
+   * @param mixed $value
+   */
+  final protected function sanitizeValue($filed, $value)
+  {
+    $sanitizer = $this->context->getSanitizerInstance();
+
+    return $sanitizer->handle($filed, $value);
+  }
 }
diff --git a/src/Engines/Invokeable.php b/src/Engines/Invokeable.php
@@ -64,29 +64,12 @@ protected function initializeFilters(string $key, string $method, mixed $value):
 
     if (method_exists($this->context, $method)) {
 
-      $payload = new Payload($key, $operator, $this->resolveValueSanitizer($key, $val), $val);
+      $payload = new Payload($key, $operator, $this->sanitizeValue($key, $val), $val);
 
       $this->forwardCallTo($this->context, $method, [$payload]);
     }
   }
 
-  /**
-   * Run the filter value sanitizer if exist.
-   * @param string $key
-   * @param string $method
-   * @param mixed $value
-   */
-  protected function resolveValueSanitizer(string $key, mixed $value)
-  {
-    $sanitizer = $this->context->getSanitizerInstance();
-
-    if (!empty($sanitizer->getSanitizers())) {
-      $value = $sanitizer->handle($key, $value);
-    }
-
-    return $value;
-  }
-
   /**
    * Get method name.
    * @param string $filter
diff --git a/src/Engines/Ruleset.php b/src/Engines/Ruleset.php
@@ -37,7 +37,7 @@ public function execute(Builder $builder): Builder
       $dissector = Dissector::parse($dissector, $this->defaultOperator());
 
       $clause = (new ClauseFactory($this))->make(
-        new Payload($field, $dissector->operator, $dissector->value, null)
+        new Payload($field, $dissector->operator, $this->sanitizeValue($field, $dissector->value), $dissector->value)
       );
 
       if (! $clause->validated) continue;
diff --git a/src/Engines/Tree.php b/src/Engines/Tree.php
@@ -10,8 +10,10 @@
 use Kettasoft\Filterable\Engines\Foundation\Engine;
 use Kettasoft\Filterable\Support\RelationPathParser;
 use Kettasoft\Filterable\Support\AllowedFieldChecker;
+use Kettasoft\Filterable\Engines\Foundation\ClauseApplier;
 use Kettasoft\Filterable\Engines\Foundation\ClauseFactory;
 use Kettasoft\Filterable\Support\TreeBasedRelationsResolver;
+use Kettasoft\Filterable\Engines\Foundation\Appliers\Applier;
 use Kettasoft\Filterable\Engines\Contracts\TreeFilterableContext;
 use Kettasoft\Filterable\Engines\Contracts\HasAllowedFieldChecker;
 use Kettasoft\Filterable\Support\TreeBasedSignelConditionResolver;
@@ -54,27 +56,17 @@ private function applyNode(Builder $builder, TreeNode $node)
     } else {
 
       $clause = (new ClauseFactory($this))->make(
-        new Payload($node->field, $node->operator ?? $this->defaultOperator(), $node->value, null)
+        new Payload($node->field, $node->operator ?? $this->defaultOperator(), $this->sanitizeValue($node->field, $node->value), $node->value)
       );
 
       if (! $clause->validated) {
         return $builder; // skip disallowed field
       }
 
-      [$_, $field] = RelationPathParser::resolve($node->field);
-
-      $field = $clause->field;
-      $operator = $clause->operator;
-      $value = $clause->value;
-
       if ($clause->isRelational()) {
         $clause->relation($this->getResources()->relations)->resolve($builder, $clause);
       } else {
-        if (! AllowedFieldChecker::check($this, $field)) {
-          return;
-        }
-
-        TreeBasedSignelConditionResolver::resolve($builder, $field, $operator, $value);
+        Applier::apply(new ClauseApplier($clause), $builder);
       }
     }
 
diff --git a/tests/Unit/Engines/ExpressionEngineTest.php b/tests/Unit/Engines/ExpressionEngineTest.php
@@ -204,7 +204,24 @@ public function it_can_sent_json_data_to_filtering_operate()
       ->strict()
       ->apply(Post::query());
 
-    // dd($filter->toRawSql());
+    $this->assertEquals(15, $filter->count());
+  }
+
+  public function test_it_sanitize_value_before_applying_to_query()
+  {
+    $request = Request::create('/posts');
+
+    $request->setJson(new InputBag([
+      'status' => 'PENDING'
+    ]));
+
+    $filter = Filterable::withRequest($request)
+      ->setAllowedFields(['status'])
+      ->useEngin(Expression::class)
+      ->setSanitizers([
+        'status' => fn($value) => strtolower($value)
+      ])
+      ->apply(Post::query());
 
     $this->assertEquals(15, $filter->count());
   }
diff --git a/tests/Unit/Engines/RulesetEngineTest.php b/tests/Unit/Engines/RulesetEngineTest.php
@@ -186,4 +186,19 @@ public function it_can_sent_json_data_to_filtering_operate()
 
     $this->assertEquals(15, $filter->count());
   }
+
+  public function test_it_sanitize_value_before_applying_to_query()
+  {
+    $request = Request::create('/posts?status=eq:PENDING');
+
+    $filter = Filterable::withRequest($request)
+      ->setAllowedFields(['status'])
+      ->useEngin(Ruleset::class)
+      ->setSanitizers([
+        'status' => fn($value) => strtolower($value)
+      ])
+      ->apply(Post::query());
+
+    $this->assertEquals(15, $filter->count());
+  }
 }
diff --git a/tests/Unit/Engines/TreeEngineTest.php b/tests/Unit/Engines/TreeEngineTest.php
@@ -336,4 +336,27 @@ public function it_can_filter_with_or_and_logical_operator()
 
     $this->assertEquals(45, $filter->count());
   }
+
+  public function test_it_sanitize_value_before_applying_to_query()
+  {
+    $data = [
+      "filter" => [
+        "and" => [
+          ["field" => "status", "operator" => "eq", "value" => "STOPPED"],
+          ['or' => []]
+        ]
+      ]
+    ];
+
+    $filter = Filterable::create()
+      ->setData($data, true)
+      ->setAllowedFields(['status'])
+      ->useEngin(Tree::class)
+      ->setSanitizers([
+        'status' => fn($value) => strtolower($value)
+      ])
+      ->apply(Post::query());
+
+    $this->assertEquals(15, $filter->count());
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -97,4 +97,17 @@ public function getResources(): Resources`
`97`	`97`	`{`
`98`	`98`	`return $this->context->getResources();`
`99`	`99`	`}`
	`100`	`+`
	`101`	`+ /**`
	`102`	`+ * Sanitize the given value using the sanitizer instance.`
	`103`	`+ *`
	`104`	`+ * @param mixed $filed`
	`105`	`+ * @param mixed $value`
	`106`	`+ */`
	`107`	`+ final protected function sanitizeValue($filed, $value)`
	`108`	`+ {`
	`109`	`+ $sanitizer = $this->context->getSanitizerInstance();`
	`110`	`+`
	`111`	`+ return $sanitizer->handle($filed, $value);`
	`112`	`+ }`
`100`	`113`	`}`