Fix bug in SqlString.escape which caused the function to be recursively called w…

…ith the wrong parameters when passed an array of strings. This would cause the incorrect escape algorithm to be used on the strings within the array when the dialect was set to postgres, sqlite, or mssql.

Fix bug in SqlString.escape which caused the function to be recursively called w…
…ith the wrong parameters when passed an array of strings. This would cause the incorrect escape algorithm to be used on the strings within the array when the dialect was set to postgres, sqlite, or mssql.
Michael Buckley
Commit 23952a2b authored Feb 08, 2016 by Michael Buckley
Showing with 11 additions and 1 deletions
changelog.md
lib/sql-string.js
test/integration/sequelize.test.js
--- a/changelog.md
+++ b/changelog.md
@@ -3,6 +3,7 @@
 - [ADDED] `validationFailed` hook [#1626](https://github.com/sequelize/sequelize/issues/1626)
 - [FIXED] Mark index as `unique: true` when `type: 'UNIQUE'`. Fixes [#5351](https://github.com/sequelize/sequelize/issues/5351)
 - [ADDED[ Support for IEEE floating point literals in postgres and sqlite [#5194](https://github.com/sequelize/sequelize/issues/5194)
+- [FIXED] Improper escaping of bound arrays of strings on Postgres, SQLite, and Microsoft SQL Server
 # 3.19.3
 - [FIXED] `updatedAt` and `createdAt` values are now set before validation [#5367](https://github.com/sequelize/sequelize/pull/5367)

--- a/lib/sql-string.js
+++ b/lib/sql-string.js
@@ -48,7 +48,7 @@ SqlString.escape = function(val, timeZone, dialect, format) {
  }
  if (Array.isArray(val)) {
-    var escape = _.partialRight(SqlString.escape, timeZone, dialect);
+    var escape = _.partial(SqlString.escape, _, timeZone, dialect, format);
    if (dialect === 'postgres' && !format) {
      return dataTypes.ARRAY.prototype.stringify(val, {escape: escape});
    }

--- a/test/integration/sequelize.test.js
+++ b/test/integration/sequelize.test.js
@@ -583,6 +583,15 @@ describe(Support.getTestDialectTeaser('Sequelize'), function() {
      });
    });
+    if (dialect === 'postgres' || dialect === 'sqlite' || dialect === 'mssql') {
+      it ('does not improperly escape arrays of strings bound to named parameters', function() {
+        var logSql;
+        return this.sequelize.query('select :stringArray as foo', { raw: true, replacements: { stringArray: [ '"string"' ] }, logging: function(s) { logSql = s; } }).then(function(result) {
+          expect(result[0]).to.deep.equal([{ foo: '"string"' }]);
+        });
+      });
+    }
    it('throw an exception when binds passed with object and numeric $1 is also present', function() {
      var self = this;
      var typeCast = (dialect === 'postgres') ? '::int' : '';