bad query should probably throw exception rather than generate invalid sequel #86
Comments
@kevinburkeshyp Thanks for posting, we'll take a look as soon as possible. In the meantime, if you haven't already, please carefully read the issue contribution guidelines and double-check for any missing information above. In particular, please ensure that this issue is about a stability or performance bug with a documented feature; and make sure you've included detailed instructions on how to reproduce the bug from a clean install. Finally, don't forget to include the version of Node.js you tested with, as well as your version of Sails or Waterline, and of any relevant standalone adapters/generators/hooks. Thank you!
@sailsbot this should be pretty easily reproducible!
I believe this is happening because there's no
Previously passing a query with an unknown operator would place the word "undefined" in the SQL query:

```javascript
sequel.find('users', { balance: { 'in': [ 1, 2 ] } });
```

```sql
'SELECT "users"."id", "users"."email", "users"."balance", "users"."pickupCount" FROM "users" AS "users" "users"."balance" undefined '
```

(Valid operators are things like 'contains', 'startsWith', 'endsWith', '>'.) This happens because we define the var `str` to be undefined, never set it, and then append it to the query string. Instead, immediately throw an error when an unknown key gets passed to Waterline, which should help diagnose these problems going forward (instead of forcing us to parse a Postgres syntax error). Fixes balderdashy#86.
^^ Our fix is available at the link. I'm not sure if that gets converted into a WLValidationError, probably depends on the adapter.
@kevinburkeshyp great! Would you mind submitting a PR with that commit?
Previously passing a query with an unknown operator would place the word "undefined" in the SQL query:

```javascript
sequel.find('users', { balance: { 'in': [ 1, 2 ] } });
```

```sql
'SELECT "users"."id", "users"."email", "users"."balance", "users"."pickupCount" FROM "users" AS "users" "users"."balance" undefined '
```

(Valid operators are things like 'contains', 'startsWith', 'endsWith', '>'.) This happens because we define the var `str` to be undefined, never set it, and then append it to the query string. Instead, immediately throw an error when an unknown key gets passed to Waterline, which should help diagnose these problems going forward (instead of forcing us to parse a Postgres syntax error). Cherry-picked from #6. Fixes balderdashy#86.
We wrote a query that ended up sending the following data as part of a `.find()`

Note this works: `sequel.find('users', { balance: [ 1, 2 ] })`. The user schema is

This triggers the `CriteriaProcessor.prototype.and` branch (instead of the `_in` branch) and generates the following SQL:

I think that should probably throw there (or check for a `'in'` property) instead of generating invalid SQL. I'm also not sure where the `undefined` is coming from, I don't think it's exploitable.
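The defect the commit message explains, together with the `{ balance: [ 1, 2 ] }` versus `{ balance: { 'in': [ 1, 2 ] } }` contrast from the issue body, as an added example that is not waterline-sequel's own code: a miniature criteria builder with the buggy path (`str` declared, set only for known operators, appended regardless) beside the validating path that throws before any SQL exists. The reduced operator allowlist, the `place`/`has` helpers and the `buildWhere*` names are assumptions for illustration.

```javascript
// Added example, not waterline-sequel's own code: a miniature criteria-to-SQL
// builder reproducing the defect in the thread (an unrecognised operator leaves
// `str` undefined, yet it is still appended to the query) beside the fix
// (validate operators up front and throw). Operator allowlist is assumed/reduced.
const COMPARISONS = { '>': '>', '<': '<', '>=': '>=', '<=': '<=', '!': '<>' };
const PATTERNS = {
  contains:   (v) => `%${v}%`,
  startsWith: (v) => `${v}%`,
  endsWith:   (v) => `%${v}`,
};
// Own-property check: `in` would also accept prototype keys like "constructor".
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Register a bound value and return its positional placeholder ($1, $2, ...).
function place(params, v) { params.push(v); return `$${params.length}`; }
// Before: mirrors the original flow; `str` is set only for known operators.
function buildWhereUnsafe(table, criteria) {
  const params = [];
  let sql = '';
  const append = (s) => { sql += (sql ? ' AND ' : '') + s; };
  for (const [col, cond] of Object.entries(criteria)) {
    const q = `"${table}"."${col}"`;
    if (Array.isArray(cond)) {                      // { balance: [1, 2] } -> IN list
      append(`${q} IN (${cond.map((v) => place(params, v)).join(', ')})`);
    } else if (cond && typeof cond === 'object') {  // { balance: { op: value } }
      for (const [op, v] of Object.entries(cond)) {
        let str;                                    // BUG: never set for an unknown op
        if (has(COMPARISONS, op)) str = `${q} ${COMPARISONS[op]} ${place(params, v)}`;
        else if (has(PATTERNS, op)) str = `${q} LIKE ${place(params, PATTERNS[op](v))}`;
        append(str);                                // string concat turns it into "undefined"
      }
    } else {
      append(`${q} = ${place(params, cond)}`);
    }
  }
  return { sql: `WHERE ${sql}`, params };
}

// After: reject unknown operators before any SQL is produced (clear error, not a DB syntax error).
function buildWhere(table, criteria) {
  for (const [col, cond] of Object.entries(criteria)) {
    if (!cond || typeof cond !== 'object' || Array.isArray(cond)) continue;
    for (const op of Object.keys(cond)) {
      if (!has(COMPARISONS, op) && !has(PATTERNS, op)) {
        throw new Error(`Unknown operator "${op}" for attribute "${col}"`);
      }
    }
  }
  return buildWhereUnsafe(table, criteria);
}
```

With `buildWhereUnsafe` the `'in'` criteria from the thread yields `WHERE undefined`, while `buildWhere` throws `Unknown operator "in"` before the database ever sees the query.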