fix: escape attributes

lib/dialects/abstract/query-generator.js

@@ -11,7 +11,8 @@ var Utils = require('../../utils')
   , BelongsToMany = require('../../associations/belongs-to-many')
   , BelongsToMany = require('../../associations/belongs-to-many')
   , HasMany = require('../../associations/has-many')
   , HasMany = require('../../associations/has-many')
   , uuid = require('uuid')
   , uuid = require('uuid')
-  , semver = require('semver');
+  , semver = require('semver')
+  , deprecate = require('depd')('sequelize');
 
 
 /* istanbul ignore next */
 /* istanbul ignore next */
 var throwMethodUndefined = function(methodName) {
 var throwMethodUndefined = function(methodName) {
@@ -1077,17 +1078,31 @@ var QueryGenerator = {
         if (attr[0]._isSequelizeMethod) {
         if (attr[0]._isSequelizeMethod) {
           attr[0] = self.handleSequelizeMethod(attr[0]);
           attr[0] = self.handleSequelizeMethod(attr[0]);
           addTable = false;
           addTable = false;
-        } else if (attr[0].indexOf('(') === -1 && attr[0].indexOf(')') === -1) {
+        } else if (
+          attr[0].indexOf('(') === -1 &&
+          attr[0].indexOf(')') === -1
+        ) {
           attr[0] = self.quoteIdentifier(attr[0]);
           attr[0] = self.quoteIdentifier(attr[0]);
+        } else {
+          deprecate('Use sequelize.fn / sequelize.literal to construct attributes');
         }
         }
+
         attr = [attr[0], self.quoteIdentifier(attr[1])].join(' AS ');
         attr = [attr[0], self.quoteIdentifier(attr[1])].join(' AS ');
       } else {
       } else {
-        attr = attr.indexOf(Utils.TICK_CHAR) < 0 && attr.indexOf('"') < 0 ? self.quoteIdentifiers(attr) : attr;
+        if (
+          attr.indexOf(Utils.TICK_CHAR) < 0 &&
+          attr.indexOf('"') < 0
+        ) {
+          attr = self.quoteIdentifiers(attr);
+        } else {
+          attr = self.escape(attr);
+        }
       }
       }
 
 
       if (options.include && attr.indexOf('.') === -1 && addTable) {
       if (options.include && attr.indexOf('.') === -1 && addTable) {
         attr = mainTableAs + '.' + attr;
         attr = mainTableAs + '.' + attr;
       }
       }
+
       return attr;
       return attr;
     });
     });
 
 
@@ -1158,13 +1173,16 @@ var QueryGenerator = {
             }
             }
 
 
             var prefix;
             var prefix;
+
             if (verbatim === true) {
             if (verbatim === true) {
               prefix = attr;
               prefix = attr;
             } else {
             } else {
               prefix = self.quoteIdentifier(as) + '.' + self.quoteIdentifier(attr);
               prefix = self.quoteIdentifier(as) + '.' + self.quoteIdentifier(attr);
             }
             }
+
             return prefix + ' AS ' + self.quoteIdentifier(as + '.' + attrAs, true);
             return prefix + ' AS ' + self.quoteIdentifier(as + '.' + attrAs, true);
           });
           });
+
           if (include.subQuery && subQuery) {
           if (include.subQuery && subQuery) {
             subQueryAttributes = subQueryAttributes.concat(attributes);
             subQueryAttributes = subQueryAttributes.concat(attributes);
           } else {
           } else {

test/unit/sql/select.test.js

@@ -371,6 +371,134 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
         default: 'SELECT [User].[name], [User].[age], [Posts].[id] AS [Posts.id], [Posts].[title] AS [Posts.title] FROM [User] AS [User] LEFT OUTER JOIN [Post] AS [Posts] ON [User].[id] = [Posts].[user_id];'
         default: 'SELECT [User].[name], [User].[age], [Posts].[id] AS [Posts.id], [Posts].[title] AS [Posts.title] FROM [User] AS [User] LEFT OUTER JOIN [Post] AS [Posts] ON [User].[id] = [Posts].[user_id];'
       });
       });
     });
     });
+
+    suite('attribute escaping', function () {
+      test('plain attributes (1)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: ['* FROM [User]; DELETE FROM [User];SELECT [id]'.replace(/\[/g, Support.sequelize.dialect.TICK_CHAR_LEFT).replace(/\]/g, Support.sequelize.dialect.TICK_CHAR_RIGHT)]
+        }), {
+          default: 'SELECT \'* FROM [User]; DELETE FROM [User];SELECT [id]\' FROM [User];'
+        });
+      });
+
+      test('plain attributes (2)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: ['* FROM User; DELETE FROM User;SELECT id']
+        }), {
+          default: 'SELECT [* FROM User; DELETE FROM User;SELECT id] FROM [User];'
+        });
+      });
+
+      test('plain attributes (3)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: ['a\', * FROM User; DELETE FROM User;SELECT id']
+        }), {
+          default: "SELECT [a\', * FROM User; DELETE FROM User;SELECT id] FROM [User];"
+        });
+      });
+
+      test('plain attributes (4)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: ['*, COUNT(*) FROM User; DELETE FROM User;SELECT id']
+        }), {
+          default: "SELECT [*, COUNT(*) FROM User; DELETE FROM User;SELECT id] FROM [User];"
+        });
+      });
+
+      test('aliased attributes (1)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: [
+            ['* FROM [User]; DELETE FROM [User];SELECT [id]'.replace(/\[/g, Support.sequelize.dialect.TICK_CHAR_LEFT).replace(/\]/g, Support.sequelize.dialect.TICK_CHAR_RIGHT), 'myCol']
+          ]
+        }), {
+          default: 'SELECT [* FROM User; DELETE FROM User;SELECT id] AS [myCol] FROM [User];'
+        });
+      });
+
+      test('aliased attributes (2)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: [
+            ['* FROM User; DELETE FROM User;SELECT id', 'myCol']
+          ]
+        }), {
+          default: 'SELECT [* FROM User; DELETE FROM User;SELECT id] AS [myCol] FROM [User];'
+        });
+      });
+
+      test('aliased attributes (3)', function () {
+        expectsql(sql.selectQuery('User', {
+          attributes: [
+            ['id', '* FROM User; DELETE FROM User;SELECT id']
+          ]
+        }), {
+          default: "SELECT [id] AS [* FROM User; DELETE FROM User;SELECT id] FROM [User];"
+        });
+      });
+
+      test('attributes from includes', function () {
+        var User = Support.sequelize.define('User', {
+          name: DataTypes.STRING,
+          age: DataTypes.INTEGER
+        },
+        {
+          freezeTableName: true
+        });
+        var Post = Support.sequelize.define('Post', {
+          title: DataTypes.STRING
+        },
+        {
+          freezeTableName: true
+        });
+
+        User.Posts = User.hasMany(Post, {foreignKey: 'user_id'});
+
+        expectsql(sql.selectQuery('User', {
+          attributes: ['name', 'age'],
+          include: Model.$validateIncludedElements({
+            include: [{
+              attributes: ['* FROM [User]; DELETE FROM [User];SELECT [id]'.replace(/\[/g, Support.sequelize.dialect.TICK_CHAR_LEFT).replace(/\]/g, Support.sequelize.dialect.TICK_CHAR_RIGHT)],
+              association: User.Posts
+            }],
+            model: User
+          }).include,
+          model: User
+        }, User), {
+          default: 'SELECT [User].[name], [User].[age], [Posts].[id] AS [Posts.id], [Posts].[* FROM User; DELETE FROM User;SELECT id] AS [Posts.* FROM User; DELETE FROM User;SELECT id] FROM [User] AS [User] LEFT OUTER JOIN [Post] AS [Posts] ON [User].[id] = [Posts].[user_id];'
+        });
+
+        expectsql(sql.selectQuery('User', {
+          attributes: ['name', 'age'],
+          include: Model.$validateIncludedElements({
+            include: [{
+              attributes: [
+                ['* FROM [User]; DELETE FROM [User];SELECT [id]'.replace(/\[/g, Support.sequelize.dialect.TICK_CHAR_LEFT).replace(/\]/g, Support.sequelize.dialect.TICK_CHAR_RIGHT), 'data']
+              ],
+              association: User.Posts
+            }],
+            model: User
+          }).include,
+          model: User
+        }, User), {
+          default: 'SELECT [User].[name], [User].[age], [Posts].[id] AS [Posts.id], [Posts].[* FROM User; DELETE FROM User;SELECT id] AS [Posts.data] FROM [User] AS [User] LEFT OUTER JOIN [Post] AS [Posts] ON [User].[id] = [Posts].[user_id];'
+        });
+
+        expectsql(sql.selectQuery('User', {
+          attributes: ['name', 'age'],
+          include: Model.$validateIncludedElements({
+            include: [{
+              attributes: [
+                ['* FROM User; DELETE FROM User;SELECT id', 'data']
+              ],
+              association: User.Posts
+            }],
+            model: User
+          }).include,
+          model: User
+        }, User), {
+          default: 'SELECT [User].[name], [User].[age], [Posts].[id] AS [Posts.id], [Posts].[* FROM User; DELETE FROM User;SELECT id] AS [Posts.data] FROM [User] AS [User] LEFT OUTER JOIN [Post] AS [Posts] ON [User].[id] = [Posts].[user_id];'
+        });
+      });
+    });
   });
   });
 
 
   suite('queryIdentifiersFalse', function () {
   suite('queryIdentifiersFalse', function () {
@@ -429,7 +557,6 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
         postgres: 'SELECT User.name, User.age, Posts.id AS "Posts.id", Posts.title AS "Posts.title" FROM User AS User LEFT OUTER JOIN Post AS Posts ON User.id = Posts.user_id;'
         postgres: 'SELECT User.name, User.age, Posts.id AS "Posts.id", Posts.title AS "Posts.title" FROM User AS User LEFT OUTER JOIN Post AS Posts ON User.id = Posts.user_id;'
       });
       });
     });
     });
-
   });
   });
 
 
   suite('raw query', function () {
   suite('raw query', function () {