refactor(sql): change .field$ to {: model.field} for security reasons, closes #4680

docs/docs/querying.md

@@ -133,7 +133,7 @@ $contains: [1, 2]      // @> [1, 2] (PG array contains operator)
 $contained: [1, 2]     // <@ [1, 2] (PG array contained by operator)
 $any: [2,3]            // ANY ARRAY[2, 3]::INTEGER (PG only)
 
-$eq: '$user.organization_id$' // = "user"."organization_id", with dialect specific column identifiers, PG in this example
+$col: '$user.organization_id$' // = "user"."organization_id", with dialect specific column identifiers, PG in this example
 ```
 
 ### Combinations

lib/dialects/abstract/query-generator.js

@@ -2161,18 +2161,29 @@ var QueryGenerator = {
       }).join(' AND ');
     } else if (value && value.$raw) {
       value = value.$raw;
+    } else if (value && value.$col) {
+      value = value.$col.split('.').map(this.quoteIdentifier.bind(this)).join('.');
     } else {
+      var escapeValue = true;
+
       if (_.isPlainObject(value)) {
         _.forOwn(value, function (item, key) {
           if (comparatorMap[key]) {
             comparator = comparatorMap[key];
             value = item;
-            if (_.isPlainObject(value) && value.$any){
+
+            if (_.isPlainObject(value) && value.$any) {
               comparator += ' ANY';
               value = value.$any;
+            } else if (_.isPlainObject(value) && value.$all) {
+              comparator += ' ALL';
+              value = value.$all;
+            } else if (value && value.$col) {
+              escapeValue = false;
+              value = this.whereItemQuery(null, value);
             }
           }
-        });
+        }, this);
       }
 
       if (comparator === '=' && value === null) {
@@ -2181,9 +2192,7 @@ var QueryGenerator = {
         comparator = 'IS NOT';
       }
 
-      if (Utils.isColString(value)) {
-        value = value.substr(1, value.length - 2).split('.').map(this.quoteIdentifier.bind(this)).join('.');
-      } else {
+      if (escapeValue) {
         value = this.escape(value, field);
       }
     }

test/unit/sql/join-include-query.test.js

@@ -270,7 +270,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
         include: [
           {association: User.Tasks, on: {
             $or: [
-              {'$User.id_user$': '$Tasks.user_id$'},
+              {'$User.id_user$': {$col: 'Tasks.user_id'}},
               {'$Tasks.user_id$': 2}
             ]
           }}
@@ -286,7 +286,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
       include: Sequelize.Model.$validateIncludedElements({
         model: User,
         include: [
-          {association: User.Tasks, on: {'user_id': '$User.alternative_id$'}}
+          {association: User.Tasks, on: {'user_id': {$col: 'User.alternative_id'}}}
         ]
       }).include[0]
     }, {

test/unit/sql/where.test.js

@@ -307,18 +307,38 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
     });
 
     suite('$col', function () {
-      testsql('userId', '$user.id$', {
+      testsql('userId', {
+        $col: 'user.id'
+      }, {
+        default: '[userId] = [user].[id]'
+      });
+
+      testsql('userId', {
+        $eq: {
+          $col: 'user.id'
+        }
+      }, {
         default: '[userId] = [user].[id]'
       });
 
+      testsql('userId', {
+        $gt: {
+          $col: 'user.id'
+        }
+      }, {
+        default: '[userId] > [user].[id]'
+      });
+
       testsql('$or', [
-        {'ownerId': '$user.id$'},
-        {'ownerId': '$organization.id$'}
+        {'ownerId': {$col: 'user.id'}},
+        {'ownerId': {$col: 'organization.id'}}
       ], {
         default: '([ownerId] = [user].[id] OR [ownerId] = [organization].[id])'
       });
 
-      testsql('$organization.id$', '$user.organizationId$', {
+      testsql('$organization.id$', {
+        $col: 'user.organizationId'
+      }, {
         default: '[organization].[id] = [user].[organizationId]'
       });
     });
@@ -331,7 +351,9 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
       });
 
       testsql('created_at', {
-        $lt: '$updated_at$'
+        $lt: {
+          $col: 'updated_at'
+        }
       }, {
         default: '[created_at] < [updated_at]'
       });
@@ -510,6 +532,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
           }, {
             postgres: "\"userId\" LIKE ANY ARRAY['foo','bar','baz']"
           });
+
           testsql('userId', {
             $iLike: {
               $any: ['foo', 'bar', 'baz']
@@ -517,6 +540,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
           }, {
             postgres: "\"userId\" ILIKE ANY ARRAY['foo','bar','baz']"
           });
+
           testsql('userId', {
             $notLike: {
               $any: ['foo', 'bar', 'baz']
@@ -524,6 +548,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
           }, {
             postgres: "\"userId\" NOT LIKE ANY ARRAY['foo','bar','baz']"
           });
+
           testsql('userId', {
             $notILike: {
               $any: ['foo', 'bar', 'baz']
@@ -531,6 +556,14 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
           }, {
             postgres: "\"userId\" NOT ILIKE ANY ARRAY['foo','bar','baz']"
           });
+
+          testsql('userId', {
+            $notILike: {
+              $all: ['foo', 'bar', 'baz']
+            }
+          }, {
+            postgres: "\"userId\" NOT ILIKE ALL ARRAY['foo','bar','baz']"
+          });
         });
       });
     }