Enable type validation for all queries (#5713)

* Refactor type validation on value escape * Fix type validation for a list of values * Fix type validation for incomplete UUIDs Useful for instance for fuzzy searching (e.g. the LIKE comparator), where anything that isn't the complete UUID would otherwise fail. Accept strings as incomplete UUIDs for those scenarios. * Enable type validation for all queries

Enable type validation for all queries (#5713)
* Refactor type validation on value escape * Fix type validation for a list of values * Fix type validation for incomplete UUIDs Useful for instance for fuzzy searching (e.g. the LIKE comparator), where anything that isn't the complete UUID would otherwise fail. Accept strings as incomplete UUIDs for those scenarios. * Enable type validation for all queries
Ricardo Lopes · Jan Aagaard Meier
Commit cf4fb27e authored Apr 20, 2016 by Ricardo Lopes Committed by Jan Aagaard Meier Apr 20, 2016
Showing with 38 additions and 10 deletions
changelog.md
lib/data-types.js
lib/dialects/abstract/query-generator.js
test/unit/sql/data-types.test.js
--- a/changelog.md
+++ b/changelog.md
 # Future
 - [FIXED] Fix defaultValues getting overwritten on build
 - [FIXED] Queue queries against tedious connections
+- [ADDED] Enable type validation for all queries

 # 3.21.0
 - [FIXED] Confirmed that values modified in validation hooks are preserved [#3534](https://github.com/sequelize/sequelize/issues/3534)

--- a/lib/data-types.js
+++ b/lib/data-types.js
@@ -669,8 +669,8 @@ RANGE.prototype.validate = function(value) {
 var UUID = ABSTRACT.inherits();

 UUID.prototype.key = UUID.key = 'UUID';
-UUID.prototype.validate = function(value) {
-  if (!Validator.isUUID(value)) {
+UUID.prototype.validate = function(value, options) {
+  if (!Validator.isUUID(value) && (!options || !options.acceptStrings || typeof value !== 'string')) {
    throw new sequelizeErrors.ValidationError(util.format('%j is not a valid uuid', value));
  }

@@ -689,8 +689,8 @@ var UUIDV1 = function() {
 util.inherits(UUIDV1, ABSTRACT);

 UUIDV1.prototype.key = UUIDV1.key = 'UUIDV1';
-UUIDV1.prototype.validate = function(value) {
-  if (!Validator.isUUID(value)) {
+UUIDV1.prototype.validate = function(value, options) {
+  if (!Validator.isUUID(value) && (!options || !options.acceptStrings || typeof value !== 'string')) {
    throw new sequelizeErrors.ValidationError(util.format('%j is not a valid uuid', value));
  }

@@ -709,8 +709,8 @@ var UUIDV4 = function() {
 util.inherits(UUIDV4, ABSTRACT);

 UUIDV4.prototype.key = UUIDV4.key = 'UUIDV4';
-UUIDV4.prototype.validate = function(value) {
-  if (!Validator.isUUID(value, 4)) {
+UUIDV4.prototype.validate = function(value, options) {
+  if (!Validator.isUUID(value, 4) && (!options || !options.acceptStrings || typeof value !== 'string')) {
    throw new sequelizeErrors.ValidationError(util.format('%j is not a valid uuidv4', value));
  }


--- a/lib/dialects/abstract/query-generator.js
+++ b/lib/dialects/abstract/query-generator.js
@@ -949,9 +949,13 @@ var QueryGenerator = {
        return this.handleSequelizeMethod(value);
      } else {
        if (field && field.type) {
-          if (['INSERT', 'UPDATE'].indexOf(options.context) !== -1 && this.typeValidation && field && field.type && value) {
-            if (field.type.validate) {
-              field.type.validate(value);
+          if (this.typeValidation && field.type.validate && value) {
+            if (options.isList && Array.isArray(value)) {
+              _.forEach(value, function(item) {
+                field.type.validate(item, options);
+              });
+            } else {
+              field.type.validate(value, options);
            }
          }

@@ -2202,6 +2206,7 @@ var QueryGenerator = {
      value = value.map(this.quoteIdentifier.bind(this)).join('.');
    } else {
      var escapeValue = true;
+      var escapeOptions = {};

      if (_.isPlainObject(value)) {
        _.forOwn(value, function (item, key) {
@@ -2211,9 +2216,11 @@ var QueryGenerator = {

            if (_.isPlainObject(value) && value.$any) {
              comparator += ' ANY';
+              escapeOptions.isList = true;
              value = value.$any;
            } else if (_.isPlainObject(value) && value.$all) {
              comparator += ' ALL';
+              escapeOptions.isList = true;
              value = value.$all;
            } else if (value && value.$col) {
              escapeValue = false;
@@ -2229,8 +2236,10 @@ var QueryGenerator = {
        comparator = 'IS NOT';
      }

+      escapeOptions.acceptStrings = comparator.indexOf('LIKE') !== -1;
+
      if (escapeValue) {
-        value = this.escape(value, field);
+        value = this.escape(value, field, escapeOptions);
      }
    }


--- a/test/unit/sql/data-types.test.js
+++ b/test/unit/sql/data-types.test.js
@@ -240,6 +240,12 @@ suite(Support.getTestDialectTeaser('SQL'), function() {

          expect(type.validate(uuid.v4())).to.equal(true);
        });
+
+        test('should return `true` if `value` is a string and we accept strings', function() {
+          var type = DataTypes.UUID();
+
+          expect(type.validate('foobar', { acceptStrings: true })).to.equal(true);
+        });
      });
    });

@@ -262,6 +268,12 @@ suite(Support.getTestDialectTeaser('SQL'), function() {

          expect(type.validate(uuid.v1())).to.equal(true);
        });
+
+        test('should return `true` if `value` is a string and we accept strings', function() {
+          var type = DataTypes.UUIDV1();
+
+          expect(type.validate('foobar', { acceptStrings: true })).to.equal(true);
+        });
      });
    });

@@ -285,6 +297,12 @@ suite(Support.getTestDialectTeaser('SQL'), function() {

          expect(type.validate(uuid.v4())).to.equal(true);
        });
+
+        test('should return `true` if `value` is a string and we accept strings', function() {
+          var type = DataTypes.UUIDV4();
+
+          expect(type.validate('foobar', { acceptStrings: true })).to.equal(true);
+        });
      });
    });