Postgres: Safely escape strings in nested objects (#5855)

* Postgres: Safely handle strings in nested objects

* fix failing tests
Diamond Lewis
2019-07-28 23:54:13 -05:00
committed by GitHub
parent 4f21c36825
commit 95208e96e0
2 changed files with 24 additions and 16 deletions


@@ -359,6 +359,24 @@ describe('Parse.Query testing', () => {
}, done.fail); }, done.fail);
}); });
it('nested equalTo string with single quote', async () => {
const obj = new TestObject({ nested: { foo: "single'quote" } });
await obj.save();
const query = new Parse.Query(TestObject);
query.equalTo('nested.foo', "single'quote");
const result = await query.get(obj.id);
equal(result.get('nested').foo, "single'quote");
});
it('nested containedIn string with single quote', async () => {
const obj = new TestObject({ nested: { foo: ["single'quote"]} });
await obj.save();
const query = new Parse.Query(TestObject);
query.containedIn('nested.foo', ["single'quote"]);
const result = await query.get(obj.id);
equal(result.get('nested').foo[0], "single'quote");
});
it('nested containedIn string', done => { it('nested containedIn string', done => {
const sender1 = { group: ['A', 'B'] }; const sender1 = { group: ['A', 'B'] };
const sender2 = { group: ['A', 'C'] }; const sender2 = { group: ['A', 'C'] };


@@ -282,26 +282,16 @@ const buildWhereClause = ({ schema, query, index }): WhereClause => {
patterns.push(`${name} IS NULL`); patterns.push(`${name} IS NULL`);
} else { } else {
if (fieldValue.$in) { if (fieldValue.$in) {
const inPatterns = [];
name = transformDotFieldToComponents(fieldName).join('->'); name = transformDotFieldToComponents(fieldName).join('->');
fieldValue.$in.forEach(listElem => { patterns.push(`($${index}:raw)::jsonb @> $${index + 1}::jsonb`);
if (typeof listElem === 'string') { values.push(name, JSON.stringify(fieldValue.$in));
if (listElem.includes('"') || listElem.includes("'")) { index += 2;
throw new Parse.Error(
Parse.Error.INVALID_JSON,
'bad $in value; Strings with quotes cannot yet be safely escaped'
);
}
inPatterns.push(`"${listElem}"`);
} else {
inPatterns.push(`${listElem}`);
}
});
patterns.push(`(${name})::jsonb @> '[${inPatterns.join()}]'::jsonb`);
} else if (fieldValue.$regex) { } else if (fieldValue.$regex) {
// Handle later // Handle later
} else { } else {
patterns.push(`${name} = '${fieldValue}'`); patterns.push(`$${index}:raw = $${index + 1}::text`);
values.push(name, fieldValue);
index += 2;
} }
} }
} else if (fieldValue === null || fieldValue === undefined) { } else if (fieldValue === null || fieldValue === undefined) {
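Review bot: The new code parameterizes the value side, but `name` is still spliced in verbatim through `$${index}:raw` in both the `$in` branch and the equality branch, and `:raw` formatting performs no escaping; `name` is built here from `transformDotFieldToComponents(fieldName).join('->')`, so a `fieldName` containing a quote would still reach the SQL text unescaped unless it is validated before this point, which is not visible in the hunk. I would reject unexpected key names before building `name`, e.g. `if (!/^[A-Za-z_][\w.]*$/.test(fieldName)) { throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'bad field name'); }`, or confirm and document that the caller already enforces this. The `$in` branch also no longer fails on a non-array `$in` (the old `forEach` would throw), so `JSON.stringify` of a scalar now yields a scalar containment test; an `if (!Array.isArray(fieldValue.$in))` check would keep the previous error behavior. `buildWhereClause` begins before and continues past this hunk.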