Merge pull request #5381 from Extensis/sqlstring-escape-recursion-fix

Fix bug in SqlString.escape which caused the function to be recursive…

Merge pull request #5381 from Extensis/sqlstring-escape-recursion-fix
Fix bug in SqlString.escape which caused the function to be recursive…
Mick Hansen
Commit ef7793b8 authored Mar 02, 2016 by Mick Hansen
Showing with 13 additions and 2 deletions
changelog.md
lib/sql-string.js
test/integration/sequelize.test.js
test/unit/sql/select.test.js
--- a/changelog.md
+++ b/changelog.md
@@ -3,6 +3,7 @@
 - [ADDED] `validationFailed` hook [#1626](https://github.com/sequelize/sequelize/issues/1626)
 - [FIXED] Mark index as `unique: true` when `type: 'UNIQUE'`. Fixes [#5351](https://github.com/sequelize/sequelize/issues/5351)
 - [ADDED[ Support for IEEE floating point literals in postgres and sqlite [#5194](https://github.com/sequelize/sequelize/issues/5194)
+- [FIXED] Improper escaping of bound arrays of strings on Postgres, SQLite, and Microsoft SQL Server

 # 3.19.3
 - [FIXED] `updatedAt` and `createdAt` values are now set before validation [#5367](https://github.com/sequelize/sequelize/pull/5367)

--- a/lib/sql-string.js
+++ b/lib/sql-string.js
@@ -48,7 +48,7 @@ SqlString.escape = function(val, timeZone, dialect, format) {
  }

  if (Array.isArray(val)) {
-    var escape = _.partialRight(SqlString.escape, timeZone, dialect);
+    var escape = _.partial(SqlString.escape, _, timeZone, dialect, format);
    if (dialect === 'postgres' && !format) {
      return dataTypes.ARRAY.prototype.stringify(val, {escape: escape});
    }

--- a/test/integration/sequelize.test.js
+++ b/test/integration/sequelize.test.js
@@ -583,6 +583,15 @@ describe(Support.getTestDialectTeaser('Sequelize'), function() {
      });
    });

+    if (dialect === 'postgres' || dialect === 'sqlite' || dialect === 'mssql') {
+      it ('does not improperly escape arrays of strings bound to named parameters', function() {
+        var logSql;
+        return this.sequelize.query('select :stringArray as foo', { raw: true, replacements: { stringArray: [ '"string"' ] }, logging: function(s) { logSql = s; } }).then(function(result) {
+          expect(result[0]).to.deep.equal([{ foo: '"string"' }]);
+        });
+      });
+    }
+
    it('throw an exception when binds passed with object and numeric $1 is also present', function() {
      var self = this;
      var typeCast = (dialect === 'postgres') ? '::int' : '';

--- a/test/unit/sql/select.test.js
+++ b/test/unit/sql/select.test.js
@@ -299,7 +299,8 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
        attributes: ['*'],
        having: ['name IN (?)', [1, 'test', 3, "derp"]]
      }), {
-        default: "SELECT * FROM [User] HAVING name IN (1,'test',3,'derp');"
+        default: "SELECT * FROM [User] HAVING name IN (1,'test',3,'derp');",
+        mssql: "SELECT * FROM [User] HAVING name IN (1,N'test',3,N'derp');"
      });
    });
  });