external/aspnetwebstack/src/System.Web.Http/Query/QueryValidator.cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

// Copyright (c) Microsoft Corporation. All rights reserved. See License.txt in the project root for license information.

using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Runtime.Serialization;
using System.Web.Http.Properties;
using System.Xml.Serialization;

namespace System.Web.Http.Query
{
    /// <summary>
    /// This class is used to do validation on the query generated by the ODataQueryDeserializer. The default implementation 
    /// validates that the query is not accessing members hidden through attributes like <see cref="XmlIgnoreAttribute"/>, <see cref="IgnoreDataMemberAttribute" /> and 
    /// <c ref="NonSerializedAttribute" />
    /// </summary>
    internal class QueryValidator
    {
        private static QueryValidator _instance = new QueryValidator();

        protected QueryValidator()
        {
        }

        public static QueryValidator Instance
        {
            get { return _instance; }
        }

        public virtual void Validate(IQueryable query)
        {
            QueryValidationVisitor.Validate(query);
        }

        private class QueryValidationVisitor : ExpressionVisitor
        {
            public static void Validate(IQueryable query)
            {
                QueryValidationVisitor visitor = new QueryValidationVisitor();
                visitor.Visit(query.Expression);
            }

            protected override Expression VisitMember(MemberExpression node)
            {
                if (!IsVisible(node.Member))
                {
                    throw Error.InvalidOperation(SRResources.InaccessiblePropertyOrField, node.Member.Name, node.Member.DeclaringType.Name);
                }

                return base.VisitMember(node);
            }

            private static bool IsVisible(MemberInfo member)
            {
                switch (member.MemberType)
                {
                    case MemberTypes.Field:
                        FieldInfo field = member as FieldInfo;
                        if (!field.IsPublic)
                        {
                            return false;
                        }
                        break;

                    case MemberTypes.Property:
                        PropertyInfo property = member as PropertyInfo;
                        MethodInfo propertyGetter = property.GetGetMethod();

                        if (propertyGetter == null || !propertyGetter.IsPublic)
                        {
                            return false;
                        }
                        break;

                    default:
                        return false;
                }

                object[] attributes = member.GetCustomAttributes(inherit: true);
                object[] parentAttributes = member.ReflectedType.GetCustomAttributes(inherit: true);

                return !(
                            (HasAttribute<DataContractAttribute>(parentAttributes) && !HasAttribute<DataMemberAttribute>(attributes)) // isDataContractAndNotDataMember
                            || HasAttribute<XmlIgnoreAttribute>(attributes)
                            || HasAttribute<IgnoreDataMemberAttribute>(attributes)
                            || HasAttribute<NonSerializedAttribute>(attributes));
            }

            private static bool HasAttribute<T>(object[] attribs)
            {
                return attribs.Length != 0 && attribs.OfType<T>().Any();
            }
        }
    }
}