refactor(sql): change .field$ to {: model.field} for security reasons, closes #4680

Mick Hansen
Commit 3f11bd97 authored Oct 19, 2015 by Mick Hansen
Showing with 55 additions and 13 deletions
docs/docs/querying.md
lib/dialects/abstract/query-generator.js
test/unit/sql/join-include-query.test.js
test/unit/sql/where.test.js
--- a/docs/docs/querying.md
+++ b/docs/docs/querying.md
@@ -133,7 +133,7 @@ $contains: [1, 2]      // @> [1, 2] (PG array contains operator)
 $contained: [1, 2]     // <@ [1, 2] (PG array contained by operator)
 $any: [2,3]            // ANY ARRAY[2, 3]::INTEGER (PG only)
-$eq: '$user.organization_id$' // = "user"."organization_id", with dialect specific column identifiers, PG in this example
+$col: '$user.organization_id$' // = "user"."organization_id", with dialect specific column identifiers, PG in this example
 ```
 ### Combinations

--- a/lib/dialects/abstract/query-generator.js
+++ b/lib/dialects/abstract/query-generator.js
@@ -2161,18 +2161,29 @@ var QueryGenerator = {
      }).join(' AND ');
    } else if (value && value.$raw) {
      value = value.$raw;
+    } else if (value && value.$col) {
+      value = value.$col.split('.').map(this.quoteIdentifier.bind(this)).join('.');
    } else {
+      var escapeValue = true;
      if (_.isPlainObject(value)) {
        _.forOwn(value, function (item, key) {
          if (comparatorMap[key]) {
            comparator = comparatorMap[key];
            value = item;
-            if (_.isPlainObject(value) && value.$any){
+            if (_.isPlainObject(value) && value.$any) {
              comparator += ' ANY';
              value = value.$any;
+            } else if (_.isPlainObject(value) && value.$all) {
+              comparator += ' ALL';
+              value = value.$all;
+            } else if (value && value.$col) {
+              escapeValue = false;
+              value = this.whereItemQuery(null, value);
            }
          }
-        });
+        }, this);
      }
      if (comparator === '=' && value === null) {
@@ -2181,9 +2192,7 @@ var QueryGenerator = {
        comparator = 'IS NOT';
      }
-      if (Utils.isColString(value)) {
+      if (escapeValue) {
-        value = value.substr(1, value.length - 2).split('.').map(this.quoteIdentifier.bind(this)).join('.');
-      } else {
        value = this.escape(value, field);
      }
    }

--- a/test/unit/sql/join-include-query.test.js
+++ b/test/unit/sql/join-include-query.test.js
@@ -270,7 +270,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
        include: [
          {association: User.Tasks, on: {
            $or: [
-              {'$User.id_user$': '$Tasks.user_id$'},
+              {'$User.id_user$': {$col: 'Tasks.user_id'}},
              {'$Tasks.user_id$': 2}
            ]
          }}
@@ -286,7 +286,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
      include: Sequelize.Model.$validateIncludedElements({
        model: User,
        include: [
-          {association: User.Tasks, on: {'user_id': '$User.alternative_id$'}}
+          {association: User.Tasks, on: {'user_id': {$col: 'User.alternative_id'}}}
        ]
      }).include[0]
    }, {

--- a/test/unit/sql/where.test.js
+++ b/test/unit/sql/where.test.js
@@ -307,18 +307,38 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
    });
    suite('$col', function () {
-      testsql('userId', '$user.id$', {
+      testsql('userId', {
+        $col: 'user.id'
+      }, {
+        default: '[userId] = [user].[id]'
+      });
+      testsql('userId', {
+        $eq: {
+          $col: 'user.id'
+        }
+      }, {
        default: '[userId] = [user].[id]'
      });
+      testsql('userId', {
+        $gt: {
+          $col: 'user.id'
+        }
+      }, {
+        default: '[userId] > [user].[id]'
+      });
      testsql('$or', [
-        {'ownerId': '$user.id$'},
+        {'ownerId': {$col: 'user.id'}},
-        {'ownerId': '$organization.id$'}
+        {'ownerId': {$col: 'organization.id'}}
      ], {
        default: '([ownerId] = [user].[id] OR [ownerId] = [organization].[id])'
      });
-      testsql('$organization.id$', '$user.organizationId$', {
+      testsql('$organization.id$', {
+        $col: 'user.organizationId'
+      }, {
        default: '[organization].[id] = [user].[organizationId]'
      });
    });
@@ -331,7 +351,9 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
      });
      testsql('created_at', {
-        $lt: '$updated_at$'
+        $lt: {
+          $col: 'updated_at'
+        }
      }, {
        default: '[created_at] < [updated_at]'
      });
@@ -510,6 +532,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
          }, {
            postgres: "\"userId\" LIKE ANY ARRAY['foo','bar','baz']"
          });
          testsql('userId', {
            $iLike: {
              $any: ['foo', 'bar', 'baz']
@@ -517,6 +540,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
          }, {
            postgres: "\"userId\" ILIKE ANY ARRAY['foo','bar','baz']"
          });
          testsql('userId', {
            $notLike: {
              $any: ['foo', 'bar', 'baz']
@@ -524,6 +548,7 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
          }, {
            postgres: "\"userId\" NOT LIKE ANY ARRAY['foo','bar','baz']"
          });
          testsql('userId', {
            $notILike: {
              $any: ['foo', 'bar', 'baz']
@@ -531,6 +556,14 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
          }, {
            postgres: "\"userId\" NOT ILIKE ANY ARRAY['foo','bar','baz']"
          });
+          testsql('userId', {
+            $notILike: {
+              $all: ['foo', 'bar', 'baz']
+            }
+          }, {
+            postgres: "\"userId\" NOT ILIKE ALL ARRAY['foo','bar','baz']"
+          });
        });
      });
    }