├── .ruby-version ├── Gemfile ├── .gitignore ├── lib ├── arsi │ ├── version.rb │ ├── mysql2_adapter.rb │ ├── arel_tree_manager.rb │ ├── persistence.rb │ └── relation.rb └── arsi.rb ├── .github ├── CODEOWNERS └── workflows │ ├── codeql.yaml │ ├── publish.yml │ ├── actions.yml │ └── rails_main_testing.yml ├── gemfiles ├── rails7.0.gemfile ├── rails7.1.gemfile ├── rails7.2.gemfile ├── rails8.0.gemfile ├── common.rb ├── rails_main.gemfile ├── rails7.0.gemfile.lock ├── rails7.1.gemfile.lock ├── rails7.2.gemfile.lock └── rails8.0.gemfile.lock ├── test ├── helper.rb ├── relation_test.rb ├── database.rb └── arsi_test.rb ├── Rakefile ├── arsi.gemspec ├── Gemfile.lock ├── README.md └── LICENSE /.ruby-version: -------------------------------------------------------------------------------- 1 | 3.2.8 2 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | eval_gemfile 'gemfiles/rails7.0.gemfile' 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.log 2 | tmp/ 3 | 4 | gemfiles/rails_main*.lock 5 | -------------------------------------------------------------------------------- /lib/arsi/version.rb: -------------------------------------------------------------------------------- 1 | module Arsi 2 | VERSION = '1.3.0' 3 | end 4 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # CODEOWNERS file 2 | # This file defines who should review code changes in this repository. 3 | 4 | * @zendesk/core-gem-owners 5 | -------------------------------------------------------------------------------- /gemfiles/rails7.0.gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gemspec path: '..' 4 | 5 | gem 'activerecord', '~> 7.0.0' 6 | 7 | eval_gemfile 'common.rb' 8 | -------------------------------------------------------------------------------- /gemfiles/rails7.1.gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gemspec path: '..' 4 | 5 | gem 'activerecord', '~> 7.1.0' 6 | 7 | eval_gemfile 'common.rb' 8 | -------------------------------------------------------------------------------- /gemfiles/rails7.2.gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gemspec path: '..' 4 | 5 | gem 'activerecord', '~> 7.2.0' 6 | 7 | eval_gemfile 'common.rb' 8 | -------------------------------------------------------------------------------- /gemfiles/rails8.0.gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gemspec path: '..' 4 | 5 | gem 'activerecord', '~> 8.0.0' 6 | 7 | eval_gemfile 'common.rb' 8 | -------------------------------------------------------------------------------- /gemfiles/common.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | gem "debug" 4 | gem "rake" 5 | gem "minitest" 6 | gem "minitest-rg" 7 | gem "m" 8 | gem "mocha" 9 | gem "single_cov" 10 | -------------------------------------------------------------------------------- /gemfiles/rails_main.gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gemspec path: '..' 4 | 5 | gem 'activerecord', github: 'rails/rails', branch: 'main' 6 | 7 | eval_gemfile 'common.rb' 8 | -------------------------------------------------------------------------------- /test/helper.rb: -------------------------------------------------------------------------------- 1 | require 'bundler/setup' 2 | require 'single_cov' 3 | SingleCov.setup :minitest 4 | require 'arsi' 5 | 6 | require 'minitest/autorun' 7 | require 'minitest/rg' 8 | require 'mocha/minitest' 9 | 10 | require_relative 'database' 11 | -------------------------------------------------------------------------------- /lib/arsi/mysql2_adapter.rb: -------------------------------------------------------------------------------- 1 | module Arsi 2 | module Mysql2Adapter 3 | attr_accessor :arsi_relation 4 | 5 | def delete(arel, *) 6 | Arsi.arel_check!(arel, arsi_relation) 7 | super 8 | end 9 | 10 | def update(arel, *) 11 | Arsi.arel_check!(arel, arsi_relation) 12 | super 13 | end 14 | end 15 | end 16 | -------------------------------------------------------------------------------- /lib/arsi/arel_tree_manager.rb: -------------------------------------------------------------------------------- 1 | require 'arel' 2 | 3 | module Arsi 4 | module ArelTreeManager 5 | # This is inspired from Arel::SelectManager, a subclass of Arel::TreeManager 6 | # just like Arel::UpdateManager and Arel::DeleteManager. 7 | def where_sql(engine = ::Arel::Table.engine) 8 | return if @ast.wheres.empty? 9 | 10 | ::Arel::Nodes::SqlLiteral.new("WHERE #{::Arel::Nodes::And.new(@ast.wheres).to_sql(engine)}") 11 | end 12 | end 13 | end 14 | -------------------------------------------------------------------------------- /.github/workflows/codeql.yaml: -------------------------------------------------------------------------------- 1 | name: "CodeQL public repository scanning" 2 | 3 | on: 4 | push: 5 | schedule: 6 | - cron: "0 0 * * *" 7 | pull_request_target: 8 | types: [opened, synchronize, reopened] 9 | workflow_dispatch: 10 | 11 | permissions: 12 | contents: read 13 | security-events: write 14 | actions: read 15 | packages: read 16 | 17 | jobs: 18 | trigger-codeql: 19 | uses: zendesk/prodsec-code-scanning/.github/workflows/codeql_advanced_shared.yml@production 20 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | require 'bundler/setup' 2 | require 'bundler/gem_tasks' 3 | require 'rake/testtask' 4 | 5 | Rake::TestTask.new do |test| 6 | test.pattern = 'test/*_test.rb' 7 | test.verbose = true 8 | end 9 | 10 | task default: :test 11 | 12 | desc "Bundle all gemfiles" 13 | task :bundle_all do 14 | extra = ENV["EXTRA"] 15 | Bundler.with_original_env do 16 | Dir["gemfiles/*.gemfile"].each do |gemfile| 17 | sh "BUNDLE_GEMFILE=#{gemfile} bundle #{extra}" 18 | end 19 | end 20 | end 21 | -------------------------------------------------------------------------------- /lib/arsi/persistence.rb: -------------------------------------------------------------------------------- 1 | module Arsi 2 | module Persistence 3 | def self.prepended(klass) 4 | klass.singleton_class.prepend(ClassMethods) 5 | end 6 | 7 | module ClassMethods 8 | def _update_record(*) 9 | with_relation_in_connection { super } 10 | end 11 | 12 | def _delete_record(*) 13 | with_relation_in_connection { super } 14 | end 15 | 16 | private 17 | 18 | def with_relation_in_connection 19 | connection.arsi_relation = self.unscoped 20 | yield 21 | ensure 22 | connection.arsi_relation = nil 23 | end 24 | end 25 | end 26 | end 27 | -------------------------------------------------------------------------------- /.github/workflows/publish.yml: -------------------------------------------------------------------------------- 1 | name: Publish to RubyGems.org 2 | 3 | on: 4 | push: 5 | branches: main 6 | paths: lib/arsi/version.rb 7 | workflow_dispatch: 8 | 9 | jobs: 10 | publish: 11 | runs-on: ubuntu-latest 12 | environment: rubygems-publish 13 | if: github.repository_owner == 'zendesk' 14 | permissions: 15 | id-token: write 16 | contents: write 17 | steps: 18 | - uses: actions/checkout@v4 19 | - name: Set up Ruby 20 | uses: ruby/setup-ruby@v1 21 | with: 22 | bundler-cache: false 23 | 24 | - name: Install dependencies 25 | run: bundle install 26 | - uses: rubygems/release-gem@v1 27 | -------------------------------------------------------------------------------- /arsi.gemspec: -------------------------------------------------------------------------------- 1 | require './lib/arsi/version' 2 | 3 | Gem::Specification.new do |spec| 4 | spec.name = "arsi" 5 | spec.version = Arsi::VERSION 6 | spec.authors = ["Christopher Kintner"] 7 | spec.email = ["ckintner@zendesk.com"] 8 | spec.summary = "ActiveRecord SQL Inspector" 9 | spec.description = "Puts your SQL under a microscope" 10 | spec.homepage = "https://github.com/zendesk/arsi" 11 | spec.license = "Apache License Version 2.0" 12 | 13 | spec.files = `git ls-files -z lib README.md`.split("\x0") 14 | 15 | spec.required_ruby_version = '>= 3.2.0' 16 | 17 | spec.add_runtime_dependency "mysql2" 18 | spec.add_runtime_dependency "activerecord", ">= 7.0" 19 | end 20 | -------------------------------------------------------------------------------- /test/relation_test.rb: -------------------------------------------------------------------------------- 1 | require_relative "helper" 2 | SingleCov.covered! file: 'lib/arsi/relation.rb', uncovered: 6 3 | 4 | describe ActiveRecord::Relation do 5 | let(:relation) { 6 | ActiveRecord::Relation.new(klass, table: stub, predicate_builder: stub) 7 | } 8 | let(:klass) { stub(name: 'Klass') } 9 | 10 | %w(account_id id guid uuid uid id).each do |column_name| 11 | it "knows that #{column_name} is a scopeable column" do 12 | klass.stubs(columns: [stub(name: column_name)]) 13 | assert relation.send(:arsi_scopeable?) 14 | end 15 | end 16 | 17 | %w(android ggguid).each do |column_name| 18 | it "knows that #{column_name} is not a scopeable column" do 19 | klass.stubs(columns: [stub(name: column_name)]) 20 | refute relation.send(:arsi_scopeable?) 21 | end 22 | end 23 | end 24 | -------------------------------------------------------------------------------- /.github/workflows/actions.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: push 3 | 4 | jobs: 5 | build: 6 | name: "Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }}: Tests" 7 | strategy: 8 | fail-fast: false 9 | matrix: 10 | ruby: ['3.2', '3.3', '3.4'] 11 | rails: ['7.1', '7.2', '8.0'] 12 | include: 13 | - {ruby: '3.2', rails: '7.0'} 14 | - {ruby: '3.3', rails: '7.0'} 15 | env: 16 | BUNDLE_GEMFILE: gemfiles/rails${{ matrix.rails }}.gemfile 17 | runs-on: ubuntu-latest 18 | services: 19 | mysql: 20 | image: mysql:8.0 21 | env: 22 | MYSQL_ALLOW_EMPTY_PASSWORD: yes 23 | ports: 24 | - 3306:3306 25 | options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3 26 | steps: 27 | - uses: actions/checkout@v4 28 | - uses: ruby/setup-ruby@v1 29 | with: 30 | ruby-version: ${{ matrix.ruby }} 31 | bundler-cache: true 32 | - run: bundle exec rake test 33 | -------------------------------------------------------------------------------- /.github/workflows/rails_main_testing.yml: -------------------------------------------------------------------------------- 1 | name: Test against Rails main 2 | 3 | on: 4 | push: 5 | schedule: 6 | - cron: "0 0 * * *" # Run every day at 00:00 UTC 7 | workflow_dispatch: 8 | 9 | jobs: 10 | build: 11 | name: "Ruby ${{ matrix.ruby }}, ${{ matrix.rails }}: Tests" 12 | strategy: 13 | fail-fast: false 14 | matrix: 15 | ruby: 16 | - '3.3' 17 | - '3.4' 18 | rails: 19 | - 'rails_main' 20 | env: 21 | BUNDLE_GEMFILE: gemfiles/${{ matrix.rails }}.gemfile 22 | runs-on: ubuntu-latest 23 | services: 24 | mysql: 25 | image: mysql:8.0 26 | env: 27 | MYSQL_ALLOW_EMPTY_PASSWORD: yes 28 | ports: 29 | - 3306:3306 30 | options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3 31 | steps: 32 | - uses: actions/checkout@v4 33 | - uses: ruby/setup-ruby@v1 34 | with: 35 | ruby-version: ${{ matrix.ruby }} 36 | bundler-cache: true 37 | - run: bundle exec rake test 38 | -------------------------------------------------------------------------------- /lib/arsi/relation.rb: -------------------------------------------------------------------------------- 1 | require 'active_record' 2 | 3 | module Arsi 4 | module Relation 5 | attr_writer :without_arsi 6 | 7 | def without_arsi 8 | if block_given? 9 | raise "Use without_arsi in a chain. Don't pass it a block" 10 | end 11 | dup.tap(&:without_arsi!) 12 | end 13 | 14 | def without_arsi! 15 | @without_arsi = true 16 | end 17 | 18 | def without_arsi? 19 | return @without_arsi if defined?(@without_arsi) && @without_arsi 20 | !arsi_scopeable? 21 | end 22 | 23 | def delete_all(*) 24 | with_relation_in_connection { super } 25 | end 26 | 27 | def update_all(*) 28 | with_relation_in_connection { super } 29 | end 30 | 31 | private 32 | 33 | if ActiveRecord.gem_version >= Gem::Version.new("8.0") 34 | def arsi_scopeable? 35 | @model.columns.any? { |c| Arsi::SCOPEABLE_REGEX.match?(c.name) } 36 | end 37 | 38 | def with_relation_in_connection 39 | @model.connection.arsi_relation = self 40 | yield 41 | ensure 42 | @model.connection.arsi_relation = nil 43 | end 44 | else 45 | def arsi_scopeable? 46 | @klass.columns.any? { |c| Arsi::SCOPEABLE_REGEX.match?(c.name) } 47 | end 48 | 49 | def with_relation_in_connection 50 | @klass.connection.arsi_relation = self 51 | yield 52 | ensure 53 | @klass.connection.arsi_relation = nil 54 | end 55 | end 56 | end 57 | end 58 | -------------------------------------------------------------------------------- /Gemfile.lock: -------------------------------------------------------------------------------- 1 | PATH 2 | remote: . 3 | specs: 4 | arsi (1.3.0) 5 | activerecord (>= 7.0) 6 | mysql2 7 | 8 | GEM 9 | remote: https://rubygems.org/ 10 | specs: 11 | activemodel (7.0.8.7) 12 | activesupport (= 7.0.8.7) 13 | activerecord (7.0.8.7) 14 | activemodel (= 7.0.8.7) 15 | activesupport (= 7.0.8.7) 16 | activesupport (7.0.8.7) 17 | concurrent-ruby (~> 1.0, >= 1.0.2) 18 | i18n (>= 1.6, < 2) 19 | minitest (>= 5.1) 20 | tzinfo (~> 2.0) 21 | concurrent-ruby (1.1.9) 22 | date (3.4.1) 23 | debug (1.10.0) 24 | irb (~> 1.10) 25 | reline (>= 0.3.8) 26 | erb (5.0.1) 27 | i18n (1.10.0) 28 | concurrent-ruby (~> 1.0) 29 | io-console (0.8.0) 30 | irb (1.15.2) 31 | pp (>= 0.6.0) 32 | rdoc (>= 4.0.0) 33 | reline (>= 0.4.2) 34 | m (1.6.2) 35 | method_source (>= 0.6.7) 36 | rake (>= 0.9.2.2) 37 | method_source (1.1.0) 38 | minitest (5.14.4) 39 | minitest-rg (5.3.0) 40 | minitest (~> 5.0) 41 | mocha (2.7.1) 42 | ruby2_keywords (>= 0.0.5) 43 | mysql2 (0.5.6) 44 | pp (0.6.2) 45 | prettyprint 46 | prettyprint (0.2.0) 47 | psych (5.2.6) 48 | date 49 | stringio 50 | rake (13.2.1) 51 | rdoc (6.14.0) 52 | erb 53 | psych (>= 4.0.0) 54 | reline (0.6.1) 55 | io-console (~> 0.5) 56 | ruby2_keywords (0.0.5) 57 | single_cov (1.11.0) 58 | stringio (3.1.7) 59 | tzinfo (2.0.6) 60 | concurrent-ruby (~> 1.0) 61 | 62 | PLATFORMS 63 | ruby 64 | 65 | DEPENDENCIES 66 | activerecord (~> 7.0.0) 67 | arsi! 68 | debug 69 | m 70 | minitest 71 | minitest-rg 72 | mocha 73 | rake 74 | single_cov 75 | 76 | BUNDLED WITH 77 | 2.6.9 78 | -------------------------------------------------------------------------------- /gemfiles/rails7.0.gemfile.lock: -------------------------------------------------------------------------------- 1 | PATH 2 | remote: .. 3 | specs: 4 | arsi (1.3.0) 5 | activerecord (>= 7.0) 6 | mysql2 7 | 8 | GEM 9 | remote: https://rubygems.org/ 10 | specs: 11 | activemodel (7.0.4) 12 | activesupport (= 7.0.4) 13 | activerecord (7.0.4) 14 | activemodel (= 7.0.4) 15 | activesupport (= 7.0.4) 16 | activesupport (7.0.4) 17 | concurrent-ruby (~> 1.0, >= 1.0.2) 18 | i18n (>= 1.6, < 2) 19 | minitest (>= 5.1) 20 | tzinfo (~> 2.0) 21 | concurrent-ruby (1.1.10) 22 | date (3.4.1) 23 | debug (1.10.0) 24 | irb (~> 1.10) 25 | reline (>= 0.3.8) 26 | erb (5.0.1) 27 | i18n (1.12.0) 28 | concurrent-ruby (~> 1.0) 29 | io-console (0.8.0) 30 | irb (1.15.2) 31 | pp (>= 0.6.0) 32 | rdoc (>= 4.0.0) 33 | reline (>= 0.4.2) 34 | m (1.6.2) 35 | method_source (>= 0.6.7) 36 | rake (>= 0.9.2.2) 37 | method_source (1.1.0) 38 | minitest (5.14.4) 39 | minitest-rg (5.3.0) 40 | minitest (~> 5.0) 41 | mocha (2.7.1) 42 | ruby2_keywords (>= 0.0.5) 43 | mysql2 (0.5.6) 44 | pp (0.6.2) 45 | prettyprint 46 | prettyprint (0.2.0) 47 | psych (5.2.6) 48 | date 49 | stringio 50 | rake (13.2.1) 51 | rdoc (6.14.0) 52 | erb 53 | psych (>= 4.0.0) 54 | reline (0.6.1) 55 | io-console (~> 0.5) 56 | ruby2_keywords (0.0.5) 57 | single_cov (1.11.0) 58 | stringio (3.1.7) 59 | tzinfo (2.0.5) 60 | concurrent-ruby (~> 1.0) 61 | 62 | PLATFORMS 63 | ruby 64 | 65 | DEPENDENCIES 66 | activerecord (~> 7.0.0) 67 | arsi! 68 | debug 69 | m 70 | minitest 71 | minitest-rg 72 | mocha 73 | rake 74 | single_cov 75 | 76 | BUNDLED WITH 77 | 2.6.9 78 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ARSI - ActiveRecord SQL Inspector [![CI](https://github.com/zendesk/arsi/actions/workflows/actions.yml/badge.svg)](https://github.com/zendesk/arsi/actions/workflows/actions.yml) 2 | 3 | Block sql statements that are not scoped by id in `.update_all` and `.delete_all`. 4 | 5 | ID Columns: 6 | 7 | - *_id 8 | - id 9 | - guid 10 | - uuid 11 | - uid 12 | 13 | Operators: 14 | 15 | - = 16 | - <> 17 | - IN 18 | - IS 19 | 20 | Triggers the `Arsi.violation_callback` with SQL and relation object.By default raise `Arsi::UnscopedSQL`. 21 | 22 | ## Disabling 23 | 24 | via `.without_arsi` 25 | 26 | ```ruby 27 | User.where(active: false).without_arsi.delete_all # I know what I'm doing... 28 | ``` 29 | 30 | via `ARSI.disable` 31 | 32 | ```ruby 33 | class ApplicationController < ActionController::Base 34 | around_filter :without_arsi 35 | def without_arsi(&block) 36 | Arsi.disable(&block) 37 | end 38 | end 39 | 40 | Arsi.disable do 41 | User.update_all name: "Pete" # will be ignored 42 | end 43 | ``` 44 | 45 | ## Limitations 46 | 47 | - MySQL 48 | - uses regexs on SQL, false negatives with specially crafted SQL statements can occur 49 | 50 | ### Releasing a new version 51 | A new version is published to RubyGems.org every time a change to `version.rb` is pushed to the `main` branch. 52 | In short, follow these steps: 53 | 1. Update `version.rb`, 54 | 2. update version in all `Gemfile.lock` files, 55 | 3. merge this change into `main`, and 56 | 4. look at [the action](https://github.com/zendesk/arsi/actions/workflows/publish.yml) for output. 57 | 58 | To create a pre-release from a non-main branch: 59 | 1. change the version in `version.rb` to something like `1.2.0.pre.1` or `2.0.0.beta.2`, 60 | 2. push this change to your branch, 61 | 3. go to [Actions → “Publish to RubyGems.org” on GitHub](https://github.com/zendesk/arsi/actions/workflows/publish.yml), 62 | 4. click the “Run workflow” button, 63 | 5. pick your branch from a dropdown. 64 | -------------------------------------------------------------------------------- /test/database.rb: -------------------------------------------------------------------------------- 1 | require 'uri' 2 | mysql_url = URI(ENV['MYSQL_URL'] || 'mysql://root@127.0.0.1') 3 | connection_options = { 4 | adapter: "mysql2", 5 | host: mysql_url.host, 6 | port: mysql_url.port, 7 | username: mysql_url.user, 8 | password: mysql_url.password 9 | } 10 | database = 'arsi_test' 11 | ActiveRecord::Base.establish_connection(connection_options) 12 | begin 13 | ActiveRecord::Base.connection.create_database(database) 14 | rescue ActiveRecord::StatementInvalid 15 | # already exists ... 16 | end 17 | ActiveRecord::Base.establish_connection(connection_options.merge(database: database)) 18 | 19 | ActiveRecord::Schema.verbose = false 20 | ActiveRecord::Schema.define(:version => 1) do 21 | create_table :users, :force => true do |t| 22 | t.column :name, :string 23 | t.column :email, :string 24 | t.column :password, :string 25 | t.column :account_id, :integer 26 | t.column :android, :integer 27 | t.column :guid, :string 28 | t.column :uuid, :string 29 | t.column :uid, :string 30 | end 31 | 32 | create_table :entries, :force => true do |t| 33 | t.column :title, :string 34 | t.column :body, :string 35 | t.column :user_id, :integer 36 | end 37 | 38 | create_table :accounts, :force => true do |t| 39 | t.column :name, :string 40 | end 41 | 42 | create_table :heads, :force => true do |t| 43 | t.column :nose_count, :integer 44 | t.column :user_id, :integer 45 | end 46 | 47 | create_table :migrations, :id => false, :force => true do |t| 48 | t.column :name, :string 49 | end 50 | end 51 | 52 | class User < ActiveRecord::Base 53 | belongs_to :account 54 | has_many :entries 55 | has_one :head 56 | end 57 | 58 | class Entry < ActiveRecord::Base 59 | belongs_to :user 60 | end 61 | 62 | class Account < ActiveRecord::Base 63 | has_many :users 64 | end 65 | 66 | class Head < ActiveRecord::Base 67 | belongs_to :user 68 | end 69 | 70 | class Migration < ActiveRecord::Base 71 | end 72 | -------------------------------------------------------------------------------- /gemfiles/rails7.1.gemfile.lock: -------------------------------------------------------------------------------- 1 | PATH 2 | remote: .. 3 | specs: 4 | arsi (1.3.0) 5 | activerecord (>= 7.0) 6 | mysql2 7 | 8 | GEM 9 | remote: https://rubygems.org/ 10 | specs: 11 | activemodel (7.1.3.2) 12 | activesupport (= 7.1.3.2) 13 | activerecord (7.1.3.2) 14 | activemodel (= 7.1.3.2) 15 | activesupport (= 7.1.3.2) 16 | timeout (>= 0.4.0) 17 | activesupport (7.1.3.2) 18 | base64 19 | bigdecimal 20 | concurrent-ruby (~> 1.0, >= 1.0.2) 21 | connection_pool (>= 2.2.5) 22 | drb 23 | i18n (>= 1.6, < 2) 24 | minitest (>= 5.1) 25 | mutex_m 26 | tzinfo (~> 2.0) 27 | base64 (0.2.0) 28 | bigdecimal (3.1.8) 29 | concurrent-ruby (1.2.3) 30 | connection_pool (2.4.1) 31 | date (3.4.1) 32 | debug (1.10.0) 33 | irb (~> 1.10) 34 | reline (>= 0.3.8) 35 | drb (2.2.1) 36 | erb (5.0.1) 37 | i18n (1.14.5) 38 | concurrent-ruby (~> 1.0) 39 | io-console (0.8.0) 40 | irb (1.15.2) 41 | pp (>= 0.6.0) 42 | rdoc (>= 4.0.0) 43 | reline (>= 0.4.2) 44 | m (1.6.2) 45 | method_source (>= 0.6.7) 46 | rake (>= 0.9.2.2) 47 | method_source (1.1.0) 48 | minitest (5.18.1) 49 | minitest-rg (5.3.0) 50 | minitest (~> 5.0) 51 | mocha (2.2.0) 52 | ruby2_keywords (>= 0.0.5) 53 | mutex_m (0.2.0) 54 | mysql2 (0.5.6) 55 | pp (0.6.2) 56 | prettyprint 57 | prettyprint (0.2.0) 58 | psych (5.2.6) 59 | date 60 | stringio 61 | rake (13.2.1) 62 | rdoc (6.14.0) 63 | erb 64 | psych (>= 4.0.0) 65 | reline (0.6.1) 66 | io-console (~> 0.5) 67 | ruby2_keywords (0.0.5) 68 | single_cov (1.11.0) 69 | stringio (3.1.7) 70 | timeout (0.4.1) 71 | tzinfo (2.0.6) 72 | concurrent-ruby (~> 1.0) 73 | 74 | PLATFORMS 75 | ruby 76 | 77 | DEPENDENCIES 78 | activerecord (~> 7.1.0) 79 | arsi! 80 | debug 81 | m 82 | minitest 83 | minitest-rg 84 | mocha 85 | rake 86 | single_cov 87 | 88 | BUNDLED WITH 89 | 2.6.9 90 | -------------------------------------------------------------------------------- /gemfiles/rails7.2.gemfile.lock: -------------------------------------------------------------------------------- 1 | PATH 2 | remote: .. 3 | specs: 4 | arsi (1.3.0) 5 | activerecord (>= 7.0) 6 | mysql2 7 | 8 | GEM 9 | remote: https://rubygems.org/ 10 | specs: 11 | activemodel (7.2.2.1) 12 | activesupport (= 7.2.2.1) 13 | activerecord (7.2.2.1) 14 | activemodel (= 7.2.2.1) 15 | activesupport (= 7.2.2.1) 16 | timeout (>= 0.4.0) 17 | activesupport (7.2.2.1) 18 | base64 19 | benchmark (>= 0.3) 20 | bigdecimal 21 | concurrent-ruby (~> 1.0, >= 1.3.1) 22 | connection_pool (>= 2.2.5) 23 | drb 24 | i18n (>= 1.6, < 2) 25 | logger (>= 1.4.2) 26 | minitest (>= 5.1) 27 | securerandom (>= 0.3) 28 | tzinfo (~> 2.0, >= 2.0.5) 29 | base64 (0.2.0) 30 | benchmark (0.4.0) 31 | bigdecimal (3.1.9) 32 | concurrent-ruby (1.3.5) 33 | connection_pool (2.5.3) 34 | date (3.4.1) 35 | debug (1.10.0) 36 | irb (~> 1.10) 37 | reline (>= 0.3.8) 38 | drb (2.2.1) 39 | erb (5.0.1) 40 | i18n (1.14.7) 41 | concurrent-ruby (~> 1.0) 42 | io-console (0.8.0) 43 | irb (1.15.2) 44 | pp (>= 0.6.0) 45 | rdoc (>= 4.0.0) 46 | reline (>= 0.4.2) 47 | logger (1.7.0) 48 | m (1.6.2) 49 | method_source (>= 0.6.7) 50 | rake (>= 0.9.2.2) 51 | method_source (1.1.0) 52 | minitest (5.25.5) 53 | minitest-rg (5.3.0) 54 | minitest (~> 5.0) 55 | mocha (2.7.1) 56 | ruby2_keywords (>= 0.0.5) 57 | mysql2 (0.5.6) 58 | pp (0.6.2) 59 | prettyprint 60 | prettyprint (0.2.0) 61 | psych (5.2.6) 62 | date 63 | stringio 64 | rake (13.2.1) 65 | rdoc (6.14.0) 66 | erb 67 | psych (>= 4.0.0) 68 | reline (0.6.1) 69 | io-console (~> 0.5) 70 | ruby2_keywords (0.0.5) 71 | securerandom (0.4.1) 72 | single_cov (1.11.0) 73 | stringio (3.1.7) 74 | timeout (0.4.3) 75 | tzinfo (2.0.6) 76 | concurrent-ruby (~> 1.0) 77 | 78 | PLATFORMS 79 | ruby 80 | 81 | DEPENDENCIES 82 | activerecord (~> 7.2.0) 83 | arsi! 84 | debug 85 | m 86 | minitest 87 | minitest-rg 88 | mocha 89 | rake 90 | single_cov 91 | 92 | BUNDLED WITH 93 | 2.6.9 94 | -------------------------------------------------------------------------------- /gemfiles/rails8.0.gemfile.lock: -------------------------------------------------------------------------------- 1 | PATH 2 | remote: .. 3 | specs: 4 | arsi (1.3.0) 5 | activerecord (>= 7.0) 6 | mysql2 7 | 8 | GEM 9 | remote: https://rubygems.org/ 10 | specs: 11 | activemodel (8.0.2) 12 | activesupport (= 8.0.2) 13 | activerecord (8.0.2) 14 | activemodel (= 8.0.2) 15 | activesupport (= 8.0.2) 16 | timeout (>= 0.4.0) 17 | activesupport (8.0.2) 18 | base64 19 | benchmark (>= 0.3) 20 | bigdecimal 21 | concurrent-ruby (~> 1.0, >= 1.3.1) 22 | connection_pool (>= 2.2.5) 23 | drb 24 | i18n (>= 1.6, < 2) 25 | logger (>= 1.4.2) 26 | minitest (>= 5.1) 27 | securerandom (>= 0.3) 28 | tzinfo (~> 2.0, >= 2.0.5) 29 | uri (>= 0.13.1) 30 | base64 (0.2.0) 31 | benchmark (0.4.0) 32 | bigdecimal (3.1.9) 33 | concurrent-ruby (1.3.5) 34 | connection_pool (2.5.3) 35 | date (3.4.1) 36 | debug (1.10.0) 37 | irb (~> 1.10) 38 | reline (>= 0.3.8) 39 | drb (2.2.1) 40 | erb (5.0.1) 41 | i18n (1.14.7) 42 | concurrent-ruby (~> 1.0) 43 | io-console (0.8.0) 44 | irb (1.15.2) 45 | pp (>= 0.6.0) 46 | rdoc (>= 4.0.0) 47 | reline (>= 0.4.2) 48 | logger (1.7.0) 49 | m (1.6.2) 50 | method_source (>= 0.6.7) 51 | rake (>= 0.9.2.2) 52 | method_source (1.1.0) 53 | minitest (5.25.5) 54 | minitest-rg (5.3.0) 55 | minitest (~> 5.0) 56 | mocha (2.7.1) 57 | ruby2_keywords (>= 0.0.5) 58 | mysql2 (0.5.6) 59 | pp (0.6.2) 60 | prettyprint 61 | prettyprint (0.2.0) 62 | psych (5.2.6) 63 | date 64 | stringio 65 | rake (13.2.1) 66 | rdoc (6.14.0) 67 | erb 68 | psych (>= 4.0.0) 69 | reline (0.6.1) 70 | io-console (~> 0.5) 71 | ruby2_keywords (0.0.5) 72 | securerandom (0.4.1) 73 | single_cov (1.11.0) 74 | stringio (3.1.7) 75 | timeout (0.4.3) 76 | tzinfo (2.0.6) 77 | concurrent-ruby (~> 1.0) 78 | uri (1.0.3) 79 | 80 | PLATFORMS 81 | ruby 82 | 83 | DEPENDENCIES 84 | activerecord (~> 8.0.0) 85 | arsi! 86 | debug 87 | m 88 | minitest 89 | minitest-rg 90 | mocha 91 | rake 92 | single_cov 93 | 94 | BUNDLED WITH 95 | 2.6.9 96 | -------------------------------------------------------------------------------- /lib/arsi.rb: -------------------------------------------------------------------------------- 1 | require 'arsi/arel_tree_manager' 2 | require 'arsi/mysql2_adapter' 3 | require 'arsi/persistence' 4 | require 'arsi/relation' 5 | require 'active_record' 6 | require 'active_record/connection_adapters/mysql2_adapter' 7 | 8 | module Arsi 9 | class UnscopedSQL < StandardError; end 10 | Arel::UpdateManager.include(ArelTreeManager) 11 | Arel::DeleteManager.include(ArelTreeManager) 12 | ActiveRecord::ConnectionAdapters::Mysql2Adapter.prepend(Mysql2Adapter) 13 | ActiveRecord::Base.prepend(Persistence) 14 | ActiveRecord::Relation.prepend(Relation) 15 | ActiveRecord::Querying.delegate(:without_arsi, :to => :relation) 16 | 17 | @enabled = true 18 | 19 | ID_MATCH = "(gu|uu|u)?id" 20 | SCOPEABLE_REGEX = /(^|_)#{ID_MATCH}$/i # http://rubular.com/r/hPVpG9jyoC 21 | SQL_MATCHER = /[\s_`(]#{ID_MATCH}`?\s+(=|<>|IN|IS)/i # http://rubular.com/r/7xuhnBiOgs 22 | DEFAULT_CALLBACK = lambda do |sql, relation| 23 | raise UnscopedSQL, "Missing ID in the where sql:\n#{sql}\nAdd id or use without_arsi" 24 | end 25 | 26 | class << self 27 | attr_reader :enabled 28 | attr_accessor :violation_callback 29 | 30 | def arel_check!(arel, relation) 31 | return unless @enabled 32 | return if relation && relation.without_arsi? 33 | 34 | # ::Arel::TreeManager, String, nil or ... ? 35 | sql = arel.respond_to?(:where_sql) ? arel_where_sql(arel, relation) : arel.to_s 36 | sql_check!(sql, relation) 37 | end 38 | 39 | def disable! 40 | @enabled = false 41 | end 42 | 43 | def enable! 44 | @enabled = true 45 | end 46 | 47 | def disable(&block) 48 | run_with_arsi(false, &block) 49 | end 50 | 51 | def enable(&block) 52 | run_with_arsi(true, &block) 53 | end 54 | 55 | private 56 | 57 | def arel_where_sql(arel, relation) 58 | if relation.nil? 59 | arel.where_sql 60 | else 61 | arel.where_sql(relation.model) 62 | end 63 | end 64 | 65 | def sql_check!(sql, relation) 66 | return if SQL_MATCHER.match?(sql) 67 | report_violation(sql, relation) 68 | end 69 | 70 | def run_with_arsi(with_arsi) 71 | previous, @enabled = @enabled, with_arsi 72 | yield 73 | ensure 74 | @enabled = previous 75 | end 76 | 77 | def report_violation(sql, relation) 78 | (violation_callback || DEFAULT_CALLBACK).call(sql, relation) 79 | end 80 | end 81 | end 82 | -------------------------------------------------------------------------------- /test/arsi_test.rb: -------------------------------------------------------------------------------- 1 | require_relative "helper" 2 | SingleCov.covered! uncovered: 2 3 | 4 | describe Arsi do 5 | def with_arsi_disabled 6 | Arsi.disable! 7 | yield 8 | ensure 9 | Arsi.enable! 10 | end 11 | 12 | it "works with has_one relationship" do 13 | user = User.create!(name: "Benjamin") 14 | user.create_head! 15 | 16 | # Change an attribute on the has_one relation and then save it 17 | user.head.nose_count = 1 18 | user.head.save! 19 | end 20 | 21 | it "fail without an account_id" do 22 | assert_raises Arsi::UnscopedSQL do 23 | assert User.where(:password => 'hello').delete_all 24 | end 25 | 26 | assert_raises Arsi::UnscopedSQL do 27 | assert User.update_all(:password => 'hello') 28 | end 29 | end 30 | 31 | it "not fail with an account_id" do 32 | assert User.where(account_id: 1).update_all(:password => 'hello' ) 33 | assert User.where(account_id: 1).delete_all 34 | end 35 | 36 | it "not fail with an id" do 37 | e = Entry.create!(:title => 'test') 38 | assert e.update(:title => 'hello') 39 | assert e.destroy 40 | end 41 | 42 | it "not fail with without_arsi" do 43 | assert User.without_arsi.update_all(:password => 'hello') 44 | assert User.without_arsi.where(:password => 'hello').delete_all 45 | end 46 | 47 | it "does not modify relations with without_arsi" do 48 | relation = User.where("1=1") 49 | relation.without_arsi 50 | 51 | refute relation.without_arsi? 52 | end 53 | 54 | it "does not allow columns ending with id" do 55 | assert_raises Arsi::UnscopedSQL do 56 | assert User.where(:android => 5).delete_all 57 | end 58 | end 59 | 60 | it "does not allow a simple delete ending with id" do 61 | assert_raises Arsi::UnscopedSQL do 62 | assert User.connection.delete("delete from users where android = 5") 63 | end 64 | end 65 | 66 | it "allows a unqouted id column" do 67 | assert User.where("id = -1").delete_all 68 | end 69 | 70 | it "allows a simple delete with an id" do 71 | assert User.connection.delete("delete from users where id = -1") 72 | end 73 | 74 | it "allows guid column" do 75 | assert User.where(:guid => 5).delete_all 76 | end 77 | 78 | it "allows uuid columns" do 79 | assert User.where(:uuid => 5).delete_all 80 | end 81 | 82 | it "allows uid columns" do 83 | assert User.where(:uid => 5).delete_all 84 | end 85 | 86 | it "does not persist changes to the connection" do 87 | assert User.without_arsi.update_all(:password => 'hello') 88 | assert_raises Arsi::UnscopedSQL do 89 | assert User.connection.delete("delete from users where false;") 90 | end 91 | end 92 | 93 | it "allows ActiveRecord::Base#columns" do 94 | assert User.columns 95 | end 96 | 97 | it "has info in the violations callback" do 98 | assert_with_violations_callback do |sql, relation| 99 | assert sql 100 | assert relation 101 | end 102 | end 103 | 104 | it "does not call sql_check if disabled" do 105 | with_arsi_disabled do 106 | Arsi::UnscopedSQL.expects(:sql_check!).never 107 | assert User.where(:password => 'hello').delete_all 108 | end 109 | end 110 | 111 | it "can be disabled in a block" do 112 | Arsi.disable do 113 | assert User.where(:password => 'hello').delete_all 114 | end 115 | assert Arsi.enabled 116 | end 117 | 118 | it "can be enabled in a block" do 119 | with_arsi_disabled do 120 | Arsi.enable do 121 | assert User.where(id: 1, :password => 'hello').delete_all 122 | end 123 | refute Arsi.enabled 124 | end 125 | end 126 | 127 | it "ignores tables without a scopeable column" do 128 | assert Migration.delete_all 129 | end 130 | 131 | it "prevents frustration when using without_arsi" do 132 | assert_raises(RuntimeError) { User.without_arsi { User.delete_all } } 133 | end 134 | 135 | it "passes the correct engine when updating a record" do 136 | e = Entry.create!(title: 'test') 137 | Arel::UpdateManager.any_instance.expects(:where_sql).with(Entry).returns('WHERE `entries`.`id` = ?') 138 | assert e.update(title: 'hello') 139 | end 140 | 141 | it "passes the correct engine when updating a relation" do 142 | e = Entry.create!(title: 'test') 143 | Arel::UpdateManager.any_instance.expects(:where_sql).with(Entry).returns('WHERE `entries`.`id` = ?') 144 | assert Entry.where(id: e.id).update_all(title: 'hello') 145 | end 146 | 147 | it "passes the correct engine when deleting a record" do 148 | e = Entry.create!(title: 'test') 149 | Arel::DeleteManager.any_instance.expects(:where_sql).with(Entry).returns('WHERE `entries`.`id` = ?') 150 | assert e.destroy 151 | end 152 | 153 | it "passes the correct engine when updating a relation" do 154 | e = Entry.create!(title: 'test') 155 | Arel::DeleteManager.any_instance.expects(:where_sql).with(Entry).returns('WHERE `entries`.`id` = ?') 156 | assert Entry.where(id: e.id).delete_all 157 | end 158 | 159 | # it "should not use update values as scoping columns" do 160 | # assert_raises Arsi::UnscopedSQL do 161 | # assert User.where("1=0").update_all(:account_id => 5) 162 | # end 163 | # end 164 | 165 | def assert_with_violations_callback(&block) 166 | old, Arsi.violation_callback = Arsi.violation_callback, block 167 | assert User.where(:password => 'hello').delete_all 168 | ensure 169 | Arsi.violation_callback = old 170 | end 171 | end 172 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------