slonik - npm Package Compare versions

Comparing version 14.8.1 to 14.9.0

dist/templateTags/sql.js

@@ -8,3 +8,3 @@ "use strict";
 
-var _isPrimitiveValueExpression = _interopRequireDefault(require("../utilities/isPrimitiveValueExpression"));
+var _utilities = require("../utilities");
 
@@ -15,2 +15,4 @@ var _Logger = _interopRequireDefault(require("../Logger"));
 
+var _QueryStore = _interopRequireDefault(require("../QueryStore"));
+
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
@@ -41,3 +43,3 @@
 
-    if ((0, _isPrimitiveValueExpression.default)(token)) {
+    if ((0, _utilities.isPrimitiveValueExpression)(token)) {
       rawSql += '$' + (parameters.length + 1);
@@ -68,7 +70,11 @@ parameters.push(token);
 
-  return {
+  const query = (0, _utilities.deepFreeze)({
     sql: rawSql,
     type: 'SQL',
     values: parameters
-  };
+  });
+
+  _QueryStore.default.set(query, true);
+
+  return query;
 };
@@ -75,0 +81,0 @@

dist/utilities/index.js

@@ -18,2 +18,8 @@ "use strict";
 });
+Object.defineProperty(exports, "deepFreeze", {
+  enumerable: true,
+  get: function () {
+    return _deepFreeze.default;
+  }
+});
 Object.defineProperty(exports, "escapeIdentifier", {
@@ -60,2 +66,4 @@ enumerable: true,
 
+var _deepFreeze = _interopRequireDefault(require("./deepFreeze"));
+
 var _escapeIdentifier = _interopRequireDefault(require("./escapeIdentifier"));
@@ -62,0 +70,0 @@

dist/utilities/mapTaggedTemplateLiteralInvocation.js

@@ -8,5 +8,9 @@ "use strict";
 
+var _QueryStore = _interopRequireDefault(require("../QueryStore"));
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
 const mapTaggedTemplateLiteralInvocation = targetMethod => {
   return query => {
-    if (typeof query === 'string') {
+    if (_QueryStore.default.get(query) !== true) {
       throw new TypeError('Query must be constructed using `sql` tagged template literal.');
@@ -13,0 +17,0 @@ }

package.json

@@ -97,3 +97,3 @@ {
   },
-  "version": "14.8.1"
+  "version": "14.9.0"
 }

README.md

@@ -335,2 +335,3 @@ <a name="slonik"></a>
         * [Tagged template literals](#slonik-value-placeholders-tagged-template-literals)
+        * [Manually constructing the query](#slonik-value-placeholders-manually-constructing-the-query)
         * [Nesting `sql`](#slonik-value-placeholders-nesting-sql)
@@ -1073,2 +1074,30 @@ * [`sql.valueList`](#slonik-value-placeholders-sql-valuelist)
 
+<a name="slonik-value-placeholders-manually-constructing-the-query"></a>
+### Manually constructing the query
+
+Manually constructing queries is not allowed.
+
+There is an internal mechanism that checks to see if query was created using `sql` tagged template literal, i.e.
+
+```js
+const query = {
+  sql: 'SELECT 1 FROM foo WHERE bar = $1',
+  type: 'SQL',
+  values: [
+    'baz'
+  ]
+};
+
+connection.query(query);
+
+```
+
+Will result in an error:
+
+> Query must be constructed using `sql` tagged template literal.
+
+This is a security measure designed to prevent unsafe query execution.
+
+Furthermore, a query object constructed using `sql` tagged template literal is [frozen](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze) to prevent further manipulation.
+
 <a name="slonik-value-placeholders-nesting-sql"></a>
@@ -1075,0 +1104,0 @@ ### Nesting <code>sql</code>

src/templateTags/sql.js

@@ -16,3 +16,6 @@ // @flow
 } from '../types';
-import isPrimitiveValueExpression from '../utilities/isPrimitiveValueExpression';
+import {
+  deepFreeze,
+  isPrimitiveValueExpression
+} from '../utilities';
 import Logger from '../Logger';
@@ -28,2 +31,3 @@ import {
 } from '../sqlFragmentFactories';
+import QueryStore from '../QueryStore';
 
@@ -87,7 +91,11 @@ const log = Logger.child({
 
-  return {
+  const query = deepFreeze({
     sql: rawSql,
     type: 'SQL',
     values: parameters
-  };
+  });
+
+  QueryStore.set(query, true);
+
+  return query;
 };
@@ -94,0 +102,0 @@

src/utilities/index.js

@@ -5,2 +5,3 @@ // @flow
 export {default as createUlid} from './createUlid';
+export {default as deepFreeze} from './deepFreeze';
 export {default as escapeIdentifier} from './escapeIdentifier';
@@ -7,0 +8,0 @@ export {default as formatNotice} from './formatNotice';

src/utilities/mapTaggedTemplateLiteralInvocation.js

@@ -6,6 +6,7 @@ // @flow
 } from '../types';
+import QueryStore from '../QueryStore';
 
 export default (targetMethod: *) => {
   return (query: TaggedTemplateLiteralInvocationType) => {
-    if (typeof query === 'string') {
+    if (QueryStore.get(query) !== true) {
       throw new TypeError('Query must be constructed using `sql` tagged template literal.');
@@ -12,0 +13,0 @@ }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

326410

increased by2%

Number of package files

203

increased by4.1%

Lines of code

3475

increased by2.03%

Number of lines in readme file

1712

increased by1.72%

No dependency changes