Postgres: Safely escape strings in nested objects (#5855)

dplewis · web-flow · commit 95208e96e0c2 · 2019-07-28T23:54:13.000-05:00
* Postgres: Safely handle string in nested objects

* fix failing tests
diff --git a/spec/ParseQuery.spec.js b/spec/ParseQuery.spec.js
@@ -359,6 +359,24 @@ describe('Parse.Query testing', () => {
       }, done.fail);
   });
 
+  it('nested equalTo string with single quote', async () => {
+    const obj = new TestObject({ nested: { foo: "single'quote" } });
+    await obj.save();
+    const query = new Parse.Query(TestObject);
+    query.equalTo('nested.foo', "single'quote");
+    const result = await query.get(obj.id);
+    equal(result.get('nested').foo, "single'quote");
+  });
+
+  it('nested containedIn string with single quote', async () => {
+    const obj = new TestObject({ nested: { foo: ["single'quote"]} });
+    await obj.save();
+    const query = new Parse.Query(TestObject);
+    query.containedIn('nested.foo', ["single'quote"]);
+    const result = await query.get(obj.id);
+    equal(result.get('nested').foo[0], "single'quote");
+  });
+
   it('nested containedIn string', done => {
     const sender1 = { group: ['A', 'B'] };
     const sender2 = { group: ['A', 'C'] };
diff --git a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -282,26 +282,16 @@ const buildWhereClause = ({ schema, query, index }): WhereClause => {
         patterns.push(`${name} IS NULL`);
       } else {
         if (fieldValue.$in) {
-          const inPatterns = [];
           name = transformDotFieldToComponents(fieldName).join('->');
-          fieldValue.$in.forEach(listElem => {
-            if (typeof listElem === 'string') {
-              if (listElem.includes('"') || listElem.includes("'")) {
-                throw new Parse.Error(
-                  Parse.Error.INVALID_JSON,
-                  'bad $in value; Strings with quotes cannot yet be safely escaped'
-                );
-              }
-              inPatterns.push(`"${listElem}"`);
-            } else {
-              inPatterns.push(`${listElem}`);
-            }
-          });
-          patterns.push(`(${name})::jsonb @> '[${inPatterns.join()}]'::jsonb`);
+          patterns.push(`($${index}:raw)::jsonb @> $${index + 1}::jsonb`);
+          values.push(name, JSON.stringify(fieldValue.$in));
+          index += 2;
         } else if (fieldValue.$regex) {
           // Handle later
         } else {
-          patterns.push(`${name} = '${fieldValue}'`);
+          patterns.push(`$${index}:raw = $${index + 1}::text`);
+          values.push(name, fieldValue);
+          index += 2;
         }
       }
     } else if (fieldValue === null || fieldValue === undefined) {
