fix(mariadb): properly escape json path key (#11089)

Sushant · GitHub
Commit a72a3f50 authored Jun 21, 2019 by Sushant Committed by GitHub Jun 21, 2019
Showing with 34 additions and 21 deletions
lib/dialects/abstract/query-generator.js
package.json
test/integration/include/findAndCountAll.test.js
test/integration/model/json.test.js
test/unit/sql/where.test.js
--- a/lib/dialects/abstract/query-generator.js
+++ b/lib/dialects/abstract/query-generator.js
@@ -1053,12 +1053,12 @@ class QueryGenerator {
         * https://bugs.mysql.com/bug.php?id=81896
         */
        paths = paths.map(subPath => Utils.addTicks(subPath, '"'));
-        pathStr = ['$'].concat(paths).join('.');
+        pathStr = this.escape(['$'].concat(paths).join('.'));
-        return `(${quotedColumn}->>'${pathStr}')`;
+        return `(${quotedColumn}->>${pathStr})`;
      case 'mariadb':
-        pathStr = ['$'].concat(paths).join('.');
+        pathStr = this.escape(['$'].concat(paths).join('.'));
-        return `json_unquote(json_extract(${quotedColumn},'${pathStr}'))`;
+        return `json_unquote(json_extract(${quotedColumn},${pathStr}))`;
      case 'sqlite':
        pathStr = this.escape(['$']

--- a/package.json
+++ b/package.json
@@ -72,7 +72,7 @@
    "lint-staged": "^8.1.5",
    "mariadb": "^2.0.3",
    "markdownlint-cli": "^0.14.1",
-    "mocha": "^6.0.2",
+    "mocha": "6.0.2",
    "mysql2": "^1.6.5",
    "nyc": "^13.3.0",
    "pg": "^7.8.1",
@@ -80,8 +80,8 @@
    "pg-types": "^2.0.0",
    "rimraf": "^2.6.3",
    "semantic-release": "^15.13.3",
-    "sinon": "^7.2.6",
+    "sinon": "7.2.6",
-    "sinon-chai": "^3.2.0",
+    "sinon-chai": "3.2.0",
    "sqlite3": "^4.0.6",
    "tedious": "^6.0.0",
    "typescript": "^3.3.3333"

--- a/test/integration/include/findAndCountAll.test.js
+++ b/test/integration/include/findAndCountAll.test.js
@@ -73,6 +73,7 @@ describe(Support.getTestDialectTeaser('Include'), () => {
        });
      });
    });
    it('should be able to include a required model. Result rows should match count', function() {
      const User = this.sequelize.define('User', { name: DataTypes.STRING(40) }, { paranoid: true }),
        SomeConnection = this.sequelize.define('SomeConnection', {

--- a/test/integration/model/json.test.js
+++ b/test/integration/model/json.test.js
@@ -685,6 +685,18 @@ describe(Support.getTestDialectTeaser('Model'), () => {
          });
        });
+        it('should properly escape path keys', function() {
+          return this.Model.findAll({
+            raw: true,
+            attributes: ['id'],
+            where: {
+              data: {
+                "a')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ": 1
+              }
+            }
+          });
+        });
        it('should properly escape the single quotes in array', function() {
          return this.Model.create({
            data: {

--- a/test/unit/sql/where.test.js
+++ b/test/unit/sql/where.test.js
@@ -851,7 +851,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          prefix: 'User'
        }, {
          mariadb: "json_unquote(json_extract(`User`.`data`,'$.nested.attribute')) = 'value'",
-          mysql: "(`User`.`data`->>'$.\"nested\".\"attribute\"') = 'value'",
+          mysql: "(`User`.`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') = 'value'",
          postgres: "(\"User\".\"data\"#>>'{nested,attribute}') = 'value'",
          sqlite: "json_extract(`User`.`data`, '$.nested.attribute') = 'value'"
        });
@@ -866,7 +866,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "CAST(json_unquote(json_extract(`data`,'$.nested')) AS DECIMAL) IN (1, 2)",
-          mysql: "CAST((`data`->>'$.\"nested\"') AS DECIMAL) IN (1, 2)",
+          mysql: "CAST((`data`->>'$.\\\"nested\\\"') AS DECIMAL) IN (1, 2)",
          postgres: "CAST((\"data\"#>>'{nested}') AS DOUBLE PRECISION) IN (1, 2)",
          sqlite: "CAST(json_extract(`data`, '$.nested') AS DOUBLE PRECISION) IN (1, 2)"
        });
@@ -881,7 +881,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "CAST(json_unquote(json_extract(`data`,'$.nested')) AS DECIMAL) BETWEEN 1 AND 2",
-          mysql: "CAST((`data`->>'$.\"nested\"') AS DECIMAL) BETWEEN 1 AND 2",
+          mysql: "CAST((`data`->>'$.\\\"nested\\\"') AS DECIMAL) BETWEEN 1 AND 2",
          postgres: "CAST((\"data\"#>>'{nested}') AS DOUBLE PRECISION) BETWEEN 1 AND 2",
          sqlite: "CAST(json_extract(`data`, '$.nested') AS DOUBLE PRECISION) BETWEEN 1 AND 2"
        });
@@ -900,7 +900,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          prefix: current.literal(sql.quoteTable.call(current.dialect.QueryGenerator, { tableName: 'User' }))
        }, {
          mariadb: "(json_unquote(json_extract(`User`.`data`,'$.nested.attribute')) = 'value' AND json_unquote(json_extract(`User`.`data`,'$.nested.prop')) != 'None')",
-          mysql: "((`User`.`data`->>'$.\"nested\".\"attribute\"') = 'value' AND (`User`.`data`->>'$.\"nested\".\"prop\"') != 'None')",
+          mysql: "((`User`.`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') = 'value' AND (`User`.`data`->>'$.\\\"nested\\\".\\\"prop\\\"') != 'None')",
          postgres: "((\"User\".\"data\"#>>'{nested,attribute}') = 'value' AND (\"User\".\"data\"#>>'{nested,prop}') != 'None')",
          sqlite: "(json_extract(`User`.`data`, '$.nested.attribute') = 'value' AND json_extract(`User`.`data`, '$.nested.prop') != 'None')"
        });
@@ -919,7 +919,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          prefix: 'User'
        }, {
          mariadb: "(json_unquote(json_extract(`User`.`data`,'$.name.last')) = 'Simpson' AND json_unquote(json_extract(`User`.`data`,'$.employment')) != 'None')",
-          mysql: "((`User`.`data`->>'$.\"name\".\"last\"') = 'Simpson' AND (`User`.`data`->>'$.\"employment\"') != 'None')",
+          mysql: "((`User`.`data`->>'$.\\\"name\\\".\\\"last\\\"') = 'Simpson' AND (`User`.`data`->>'$.\\\"employment\\\"') != 'None')",
          postgres: "((\"User\".\"data\"#>>'{name,last}') = 'Simpson' AND (\"User\".\"data\"#>>'{employment}') != 'None')",
          sqlite: "(json_extract(`User`.`data`, '$.name.last') = 'Simpson' AND json_extract(`User`.`data`, '$.employment') != 'None')"
        });
@@ -933,7 +933,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "(CAST(json_unquote(json_extract(`data`,'$.price')) AS DECIMAL) = 5 AND json_unquote(json_extract(`data`,'$.name')) = 'Product')",
-          mysql: "(CAST((`data`->>'$.\"price\"') AS DECIMAL) = 5 AND (`data`->>'$.\"name\"') = 'Product')",
+          mysql: "(CAST((`data`->>'$.\\\"price\\\"') AS DECIMAL) = 5 AND (`data`->>'$.\\\"name\\\"') = 'Product')",
          postgres: "(CAST((\"data\"#>>'{price}') AS DOUBLE PRECISION) = 5 AND (\"data\"#>>'{name}') = 'Product')",
          sqlite: "(CAST(json_extract(`data`, '$.price') AS DOUBLE PRECISION) = 5 AND json_extract(`data`, '$.name') = 'Product')"
        });
@@ -948,7 +948,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "json_unquote(json_extract(`data`,'$.nested.attribute')) = 'value'",
-          mysql: "(`data`->>'$.\"nested\".\"attribute\"') = 'value'",
+          mysql: "(`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') = 'value'",
          postgres: "(\"data\"#>>'{nested,attribute}') = 'value'",
          sqlite: "json_extract(`data`, '$.nested.attribute') = 'value'"
        });
@@ -963,7 +963,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "CAST(json_unquote(json_extract(`data`,'$.nested.attribute')) AS DECIMAL) = 4",
-          mysql: "CAST((`data`->>'$.\"nested\".\"attribute\"') AS DECIMAL) = 4",
+          mysql: "CAST((`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') AS DECIMAL) = 4",
          postgres: "CAST((\"data\"#>>'{nested,attribute}') AS DOUBLE PRECISION) = 4",
          sqlite: "CAST(json_extract(`data`, '$.nested.attribute') AS DOUBLE PRECISION) = 4"
        });
@@ -980,7 +980,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "CAST(json_unquote(json_extract(`data`,'$.nested.attribute')) AS DECIMAL) IN (3, 7)",
-          mysql: "CAST((`data`->>'$.\"nested\".\"attribute\"') AS DECIMAL) IN (3, 7)",
+          mysql: "CAST((`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') AS DECIMAL) IN (3, 7)",
          postgres: "CAST((\"data\"#>>'{nested,attribute}') AS DOUBLE PRECISION) IN (3, 7)",
          sqlite: "CAST(json_extract(`data`, '$.nested.attribute') AS DOUBLE PRECISION) IN (3, 7)"
        });
@@ -997,7 +997,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "CAST(json_unquote(json_extract(`data`,'$.nested.attribute')) AS DECIMAL) > 2",
-          mysql: "CAST((`data`->>'$.\"nested\".\"attribute\"') AS DECIMAL) > 2",
+          mysql: "CAST((`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') AS DECIMAL) > 2",
          postgres: "CAST((\"data\"#>>'{nested,attribute}') AS DOUBLE PRECISION) > 2",
          sqlite: "CAST(json_extract(`data`, '$.nested.attribute') AS DOUBLE PRECISION) > 2"
        });
@@ -1014,7 +1014,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "CAST(json_unquote(json_extract(`data`,'$.nested.attribute')) AS DECIMAL) > 2",
-          mysql: "CAST((`data`->>'$.\"nested\".\"attribute\"') AS DECIMAL) > 2",
+          mysql: "CAST((`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') AS DECIMAL) > 2",
          postgres: "CAST((\"data\"#>>'{nested,attribute}') AS INTEGER) > 2",
          sqlite: "CAST(json_extract(`data`, '$.nested.attribute') AS INTEGER) > 2"
        });
@@ -1032,7 +1032,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: `CAST(json_unquote(json_extract(\`data\`,'$.nested.attribute')) AS DATETIME) > ${sql.escape(dt)}`,
-          mysql: `CAST((\`data\`->>'$."nested"."attribute"') AS DATETIME) > ${sql.escape(dt)}`,
+          mysql: `CAST((\`data\`->>'$.\\"nested\\".\\"attribute\\"') AS DATETIME) > ${sql.escape(dt)}`,
          postgres: `CAST(("data"#>>'{nested,attribute}') AS TIMESTAMPTZ) > ${sql.escape(dt)}`,
          sqlite: `json_extract(\`data\`, '$.nested.attribute') > ${sql.escape(dt.toISOString())}`
        });
@@ -1047,7 +1047,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "json_unquote(json_extract(`data`,'$.nested.attribute')) = 'true'",
-          mysql: "(`data`->>'$.\"nested\".\"attribute\"') = 'true'",
+          mysql: "(`data`->>'$.\\\"nested\\\".\\\"attribute\\\"') = 'true'",
          postgres: "CAST((\"data\"#>>'{nested,attribute}') AS BOOLEAN) = true",
          sqlite: "CAST(json_extract(`data`, '$.nested.attribute') AS BOOLEAN) = 1"
        });
@@ -1064,7 +1064,7 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
          }
        }, {
          mariadb: "json_unquote(json_extract(`meta_data`,'$.nested.attribute')) = 'value'",
-          mysql: "(`meta_data`->>'$.\"nested\".\"attribute\"') = 'value'",
+          mysql: "(`meta_data`->>'$.\\\"nested\\\".\\\"attribute\\\"') = 'value'",
          postgres: "(\"meta_data\"#>>'{nested,attribute}') = 'value'",
          sqlite: "json_extract(`meta_data`, '$.nested.attribute') = 'value'"
        });