Cleaned up scopes/smartwhere, added another spec to make sure SQL is escaped, an…

…d fixed potential SQL injection problem with sqlite

Cleaned up scopes/smartwhere, added another spec to make sure SQL is escaped, an…
…d fixed potential SQL injection problem with sqlite
Daniel Durante
Commit 36546551 authored Jul 16, 2013 by Daniel Durante
Showing with 23 additions and 12 deletions
lib/dialects/mysql/query-generator.js
lib/query-interface.js
lib/utils.js
spec/dao-factory.spec.js
--- a/lib/dialects/mysql/query-generator.js
+++ b/lib/dialects/mysql/query-generator.js
@@ -415,7 +415,7 @@ module.exports = (function() {
      } else if (typeof smth === "string") {
        result = smth
      } else if (Array.isArray(smth)) {
-        result = Utils.format(smth)
+        result = Utils.format(smth, 'sqlite')
      }

      return result ? result : '1=1'

--- a/lib/query-interface.js
+++ b/lib/query-interface.js
@@ -298,7 +298,6 @@ module.exports = (function() {

      var scopeObj = buildScope.call(factory)
      Object.keys(scopeObj).forEach(function(method) {
-
        if (typeof scopeObj[method] === "number" || !Utils._.isEmpty(scopeObj[method])) {
          options[method] = scopeObj[method]
        }
@@ -405,15 +404,11 @@ module.exports = (function() {
  // private

  var buildScope = function() {
-    var where = []
-      , format
-      , smart
-      , arr = this.scopeObj.where || []
+    var smart

    // Use smartWhere to convert several {where} objects into a single where object
-    smart = Utils.smartWhere(this.scopeObj.where || [])
-    smart = Utils.compileSmartWhere.call(this, smart)
-
+    smart = Utils.smartWhere(this.scopeObj.where || [], this.daoFactoryManager.sequelize.options.dialect)
+    smart = Utils.compileSmartWhere.call(this, smart, this.daoFactoryManager.sequelize.options.dialect)
    return {limit: this.scopeObj.limit || null, offset: this.scopeObj.offset || null, where: smart, order: (this.scopeObj.order || []).join(', ')}
  }


--- a/lib/utils.js
+++ b/lib/utils.js
@@ -91,9 +91,9 @@ var Utils = module.exports = {
        self.scopeObj.where.push(scope.where)
      }
      else if (typeof scope.where === "object") {
-        for (var i in scope.where) {
+        Object.keys(scope.where).forEach(function(){
          self.scopeObj.where.push(scope.where)
-        }
+        })
      } else { // Assume the value is a string
        self.scopeObj.where.push([scope.where])
      }
@@ -250,7 +250,6 @@ var Utils = module.exports = {
            break
          default: // lazy
            text = text.concat(obj[column].lazy.conditions.map(function(val){ return columnName + ' ' + val }))
-            obj[column].lazy.bindings = obj[column].lazy.bindings.map(function(v) { return SqlString.escape(v, false, null, dialect) })
            whereArgs = whereArgs.concat(obj[column].lazy.bindings)
          }
        })

--- a/spec/dao-factory.spec.js
+++ b/spec/dao-factory.spec.js
@@ -2079,6 +2079,11 @@ describe(Helpers.getTestDialectTeaser("DAOFactory"), function() {
                lte: 5
              }
            }
+          },
+          escape: {
+            where: {
+              username: "escape'd"
+            }
          }
        }
      })
@@ -2095,6 +2100,18 @@ describe(Helpers.getTestDialectTeaser("DAOFactory"), function() {
      }.bind(this))
    })

+    it("should have no problems with escaping SQL", function(done) {
+      var self = this
+      this.ScopeMe.create({username: 'escape\'d', email: 'fake@fakemail.com'}).success(function(){
+        self.ScopeMe.scope('escape').all().success(function(users){
+          expect(users).toBeArray()
+          expect(users.length).toEqual(1)
+          expect(users[0].username).toEqual('escape\'d');
+          done()
+        })
+      })
+    })
+
    it("should be able to use a defaultScope if declared", function(done) {
      this.ScopeMe.all().success(function(users) {
        expect(users).toBeArray()