fix(query): do not bind $ used within a whole-word (#12250)

Juarez Lustosa · GitHub
Commit 4dbfb5d1 authored May 14, 2020 by Juarez Lustosa Committed by GitHub May 14, 2020
Showing with 8 additions and 2 deletions
lib/dialects/abstract/query.js
test/integration/sequelize.test.js
--- a/lib/dialects/abstract/query.js
+++ b/lib/dialects/abstract/query.js
@@ -84,8 +84,7 @@ class AbstractQuery {
    const timeZone = null;
    const list = Array.isArray(values);
+    sql = sql.replace(/\B\$(\$|\w+)/g, (match, key) => {
-    sql = sql.replace(/\$(\$|\w+)/g, (match, key) => {
      if ('$' === key) {
        return options.skipUnescape ? match : key;
      }

--- a/test/integration/sequelize.test.js
+++ b/test/integration/sequelize.test.js
@@ -716,6 +716,13 @@ describe(Support.getTestDialectTeaser('Sequelize'), () => {
      });
    });
+    it('escape where has $ on the middle of characters', function() {
+      const typeCast = dialect === 'postgres' ? '::int' : '';
+      return this.sequelize.query(`select $one${typeCast} as foo$bar`, { raw: true, bind: { one: 1 } }).then(result => {
+        expect(result[0]).to.deep.equal([{ foo$bar: 1 }]);
+      });
+    });
    if (dialect === 'postgres' || dialect === 'sqlite' || dialect === 'mssql') {
      it('does not improperly escape arrays of strings bound to named parameters', function() {
        return this.sequelize.query('select :stringArray as foo', { raw: true, replacements: { stringArray: ['"string"'] } }).then(result => {