chore: remove sql.unsafe usages (#2001)

zone117x · web-flow · commit 03a91ed6ccf9 · 2024-06-17T12:56:31.000+02:00
* chore: remove sql.unsafe usages

* chore: remove sql.unsafe usages
diff --git a/src/datastore/helpers.ts b/src/datastore/helpers.ts
@@ -273,29 +273,18 @@ export function prefixedCols(columns: string[], prefix: string): string[] {
   return columns.map(c => `${prefix}.${c}`);
 }
 
-/**
- * Concatenates column names to use on a query. Necessary when one or more of those columns is complex enough
- * so that postgres.js can't figure out how to list it (e.g. abi column, aggregates, partitions, etc.).
- * @param sql - SQL client
- * @param columns - list of columns
- * @returns raw SQL column list string
- */
-export function unsafeCols(sql: PgSqlClient, columns: string[]): postgres.PendingQuery<any> {
-  return sql.unsafe(columns.join(', '));
-}
-
 /**
  * Shorthand function that returns a column query to retrieve the smart contract abi when querying transactions
  * that may be of type `contract_call`. Usually used alongside `TX_COLUMNS` or `MEMPOOL_TX_COLUMNS`.
  * @param tableName - Name of the table that will determine the transaction type. Defaults to `txs`.
  * @returns `string` - abi column select statement portion
  */
-export function abiColumn(tableName: string = 'txs'): string {
-  return `
-    CASE WHEN ${tableName}.type_id = ${DbTxTypeId.ContractCall} THEN (
+export function abiColumn(sql: PgSqlClient, tableName: string = 'txs'): postgres.Fragment {
+  return sql`
+    CASE WHEN ${sql(tableName)}.type_id = ${DbTxTypeId.ContractCall} THEN (
       SELECT abi
       FROM smart_contracts
-      WHERE smart_contracts.contract_id = ${tableName}.contract_call_contract_id
+      WHERE smart_contracts.contract_id = ${sql(tableName)}.contract_call_contract_id
       ORDER BY abi != 'null' DESC, canonical DESC, microblock_canonical DESC, block_height DESC
       LIMIT 1
     ) END as abi
diff --git a/src/datastore/pg-store.ts b/src/datastore/pg-store.ts
@@ -88,7 +88,6 @@ import {
   POX_SYNTHETIC_EVENT_COLUMNS,
   prefixedCols,
   TX_COLUMNS,
-  unsafeCols,
   validateZonefileHash,
 } from './helpers';
 import { PgNotifier } from './pg-notifier';
@@ -240,7 +239,7 @@ export class PgStore extends BasePgStore {
       const microblock_tx_count: Record<string, number> = {};
       if (metadata?.txs) {
         const txQuery = await sql<ContractTxQueryResult[]>`
-          SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+          SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
           FROM txs
           WHERE index_block_hash = ${block.result.index_block_hash}
             AND canonical = true AND microblock_canonical = true
@@ -528,7 +527,7 @@ export class PgStore extends BasePgStore {
         throw new Error(`Could not find block by hash ${blockHash}`);
       }
       const result = await sql<ContractTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+        SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
         FROM txs
         WHERE index_block_hash = ${blockQuery.result.index_block_hash}
           AND canonical = true AND microblock_canonical = true
@@ -613,7 +612,7 @@ export class PgStore extends BasePgStore {
     const { block_height } = await this.getChainTip(sql);
     const unanchoredBlockHeight = block_height + 1;
     const query = await sql<ContractTxQueryResult[]>`
-      SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+      SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
       FROM txs
       WHERE canonical = true AND microblock_canonical = true AND block_height = ${unanchoredBlockHeight}
       ORDER BY block_height DESC, microblock_sequence DESC, tx_index DESC
@@ -823,7 +822,7 @@ export class PgStore extends BasePgStore {
           AND index_block_hash = ${blockQuery.result.index_block_hash}
       `;
       const result = await sql<ContractTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+        SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
         FROM txs
         WHERE canonical = true AND microblock_canonical = true
           AND index_block_hash = ${blockQuery.result.index_block_hash}
@@ -977,7 +976,7 @@ export class PgStore extends BasePgStore {
     }
     return await this.sqlTransaction(async sql => {
       const result = await sql<MempoolTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...MEMPOOL_TX_COLUMNS, abiColumn('mempool_txs')])}
+        SELECT ${sql(MEMPOOL_TX_COLUMNS)}, ${abiColumn(sql, 'mempool_txs')}
         FROM mempool_txs
         WHERE tx_id IN ${sql(args.txIds)}
       `;
@@ -996,7 +995,7 @@ export class PgStore extends BasePgStore {
   }): Promise<FoundOrNot<DbMempoolTx>> {
     return await this.sqlTransaction(async sql => {
       const result = await sql<MempoolTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...MEMPOOL_TX_COLUMNS, abiColumn('mempool_txs')])}
+        SELECT ${sql(MEMPOOL_TX_COLUMNS)}, ${abiColumn(sql, 'mempool_txs')}
         FROM mempool_txs
         WHERE tx_id = ${txId}
       `;
@@ -1048,11 +1047,9 @@ export class PgStore extends BasePgStore {
         DbTxStatus.DroppedProblematic,
       ];
       const resultQuery = await sql<(MempoolTxQueryResult & { count: number })[]>`
-        SELECT ${unsafeCols(sql, [
-          ...prefixedCols(MEMPOOL_TX_COLUMNS, 'mempool'),
-          abiColumn('mempool'),
-          '(COUNT(*) OVER())::INTEGER AS count',
-        ])}
+        SELECT ${sql(prefixedCols(MEMPOOL_TX_COLUMNS, 'mempool'))},
+          ${abiColumn(sql, 'mempool')},
+          (COUNT(*) OVER())::INTEGER AS count
         FROM (
           SELECT *
           FROM mempool_txs
@@ -1323,7 +1320,7 @@ export class PgStore extends BasePgStore {
         orderBy == 'fee' ? sql`fee_rate` : orderBy == 'size' ? sql`tx_size` : sql`receipt_time`;
       const orderSql = order == 'asc' ? sql`ASC` : sql`DESC`;
       const resultQuery = await sql<(MempoolTxQueryResult & { count: number })[]>`
-        SELECT ${unsafeCols(sql, [...MEMPOOL_TX_COLUMNS, abiColumn('mempool_txs')])}, ${count}
+        SELECT ${sql(MEMPOOL_TX_COLUMNS)}, ${abiColumn(sql, 'mempool_txs')}, ${count}
         FROM mempool_txs
         WHERE ${
           address
@@ -1386,7 +1383,7 @@ export class PgStore extends BasePgStore {
     return await this.sqlTransaction(async sql => {
       const maxBlockHeight = await this.getMaxBlockHeight(sql, { includeUnanchored });
       const result = await sql<ContractTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+        SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
         FROM txs
         WHERE tx_id = ${txId} AND block_height <= ${maxBlockHeight}
         ORDER BY canonical DESC, microblock_canonical DESC, block_height DESC
@@ -1434,7 +1431,7 @@ export class PgStore extends BasePgStore {
           FROM chain_tip
         `;
         resultQuery = await sql<ContractTxQueryResult[]>`
-          SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+          SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
           FROM txs
           WHERE canonical = true AND microblock_canonical = true AND block_height <= ${maxHeight}
           ORDER BY block_height DESC, microblock_sequence DESC, tx_index DESC
@@ -1450,7 +1447,7 @@ export class PgStore extends BasePgStore {
             AND type_id IN ${sql(txTypeIds)} AND block_height <= ${maxHeight}
         `;
         resultQuery = await sql<ContractTxQueryResult[]>`
-          SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+          SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
           FROM txs
           WHERE canonical = true AND microblock_canonical = true
             AND type_id IN ${sql(txTypeIds)} AND block_height <= ${maxHeight}
@@ -1474,11 +1471,13 @@ export class PgStore extends BasePgStore {
   }): Promise<{ results: DbEvent[] }> {
     return await this.sqlTransaction(async sql => {
       if (args.txs.length === 0) return { results: [] };
-      // TODO: This hack has to be done because postgres.js can't figure out how to interpolate
-      // these `bytea` VALUES comparisons yet.
-      const transactionValues = args.txs
-        .map(tx => `('\\x${tx.txId.slice(2)}'::bytea, '\\x${tx.indexBlockHash.slice(2)}'::bytea)`)
-        .join(', ');
+
+      const transactionValues = args.txs.map(tx => [
+        `\\x${tx.txId.slice(2)}`,
+        `\\x${tx.indexBlockHash.slice(2)}`,
+      ]);
+      const txValuesSql = sql(transactionValues.map(tx => sql`(${tx[0]}::bytea, ${tx[1]}::bytea)`));
+
       const eventIndexStart = args.offset;
       const eventIndexEnd = args.offset + args.limit - 1;
       const stxLockResults = await sql<
@@ -1497,7 +1496,7 @@ export class PgStore extends BasePgStore {
         SELECT
           event_index, tx_id, tx_index, block_height, canonical, locked_amount, unlock_height, locked_address, contract_name
         FROM stx_lock_events
-        WHERE (tx_id, index_block_hash) IN (VALUES ${sql.unsafe(transactionValues)})
+        WHERE (tx_id, index_block_hash) IN ${txValuesSql}
           AND microblock_canonical = true AND event_index BETWEEN ${eventIndexStart} AND ${eventIndexEnd}
       `;
       const stxResults = await sql<
@@ -1517,7 +1516,7 @@ export class PgStore extends BasePgStore {
         SELECT
           event_index, tx_id, tx_index, block_height, canonical, asset_event_type_id, sender, recipient, amount, memo
         FROM stx_events
-        WHERE (tx_id, index_block_hash) IN (VALUES ${sql.unsafe(transactionValues)})
+        WHERE (tx_id, index_block_hash) IN ${txValuesSql}
           AND microblock_canonical = true AND event_index BETWEEN ${eventIndexStart} AND ${eventIndexEnd}
       `;
       const ftResults = await sql<
@@ -1537,7 +1536,7 @@ export class PgStore extends BasePgStore {
         SELECT
           event_index, tx_id, tx_index, block_height, canonical, asset_event_type_id, sender, recipient, asset_identifier, amount
         FROM ft_events
-        WHERE (tx_id, index_block_hash) IN (VALUES ${sql.unsafe(transactionValues)})
+        WHERE (tx_id, index_block_hash) IN ${txValuesSql}
           AND microblock_canonical = true AND event_index BETWEEN ${eventIndexStart} AND ${eventIndexEnd}
       `;
       const nftResults = await sql<
@@ -1557,7 +1556,7 @@ export class PgStore extends BasePgStore {
         SELECT
           event_index, tx_id, tx_index, block_height, canonical, asset_event_type_id, sender, recipient, asset_identifier, value
         FROM nft_events
-        WHERE (tx_id, index_block_hash) = ANY(VALUES ${sql.unsafe(transactionValues)})
+        WHERE (tx_id, index_block_hash) IN ${txValuesSql}
           AND microblock_canonical = true AND event_index BETWEEN ${eventIndexStart} AND ${eventIndexEnd}
       `;
       const logResults = await sql<
@@ -1575,7 +1574,7 @@ export class PgStore extends BasePgStore {
         SELECT
           event_index, tx_id, tx_index, block_height, canonical, contract_identifier, topic, value
         FROM contract_logs
-        WHERE (tx_id, index_block_hash) IN (VALUES ${sql.unsafe(transactionValues)})
+        WHERE (tx_id, index_block_hash) IN ${txValuesSql}
           AND microblock_canonical = true AND event_index BETWEEN ${eventIndexStart} AND ${eventIndexEnd}
       `;
       return {
@@ -2745,7 +2744,9 @@ export class PgStore extends BasePgStore {
         LIMIT ${args.limit}
         OFFSET ${args.offset}
       )
-      SELECT ${unsafeCols(this.sql, [...TX_COLUMNS, abiColumn(), 'count'])}
+      SELECT ${this.sql(TX_COLUMNS)},
+        ${abiColumn(this.sql)},
+        count
       FROM stx_txs
       INNER JOIN txs USING (tx_id, index_block_hash, microblock_hash)
     `;
@@ -2814,7 +2815,7 @@ export class PgStore extends BasePgStore {
         events.sender as event_sender,
         events.recipient as event_recipient,
         events.memo as event_memo,
-        ${this.sql.unsafe(abiColumn('transactions'))}
+        ${abiColumn(this.sql, 'transactions')}
       FROM transactions
       LEFT JOIN events ON transactions.tx_id = events.tx_id
       AND transactions.tx_id = ${tx_id}
@@ -2914,7 +2915,7 @@ export class PgStore extends BasePgStore {
       )
       SELECT
         transactions.*,
-        ${this.sql.unsafe(abiColumn('transactions'))},
+        ${abiColumn(this.sql, 'transactions')},
         events.event_index as event_index,
         events.event_type_id as event_type,
         events.amount as event_amount,
@@ -3039,7 +3040,7 @@ export class PgStore extends BasePgStore {
     // TODO(mb): add support for searching for microblock by hash
     return await this.sqlTransaction(async sql => {
       const txQuery = await sql<ContractTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+        SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
         FROM txs WHERE tx_id = ${hash} LIMIT 1
       `;
       if (txQuery.length > 0) {
@@ -3054,7 +3055,7 @@ export class PgStore extends BasePgStore {
         };
       }
       const txMempoolQuery = await sql<MempoolTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...MEMPOOL_TX_COLUMNS, abiColumn('mempool_txs')])}
+        SELECT ${sql(MEMPOOL_TX_COLUMNS)}, ${abiColumn(sql, 'mempool_txs')}
         FROM mempool_txs WHERE pruned = false AND tx_id = ${hash} LIMIT 1
       `;
       if (txMempoolQuery.length > 0) {
@@ -3099,7 +3100,7 @@ export class PgStore extends BasePgStore {
     return await this.sqlTransaction(async sql => {
       if (isContract) {
         const contractMempoolTxResult = await sql<MempoolTxQueryResult[]>`
-          SELECT ${unsafeCols(sql, [...MEMPOOL_TX_COLUMNS, abiColumn('mempool_txs')])}
+          SELECT ${sql(MEMPOOL_TX_COLUMNS)}, ${abiColumn(sql, 'mempool_txs')}
           FROM mempool_txs WHERE pruned = false AND smart_contract_contract_id = ${principal} LIMIT 1
         `;
         if (contractMempoolTxResult.length > 0) {
@@ -3114,7 +3115,7 @@ export class PgStore extends BasePgStore {
           };
         }
         const contractTxResult = await sql<ContractTxQueryResult[]>`
-          SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+          SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
           FROM txs
           WHERE smart_contract_contract_id = ${principal}
           ORDER BY canonical DESC, microblock_canonical DESC, block_height DESC
@@ -3259,13 +3260,12 @@ export class PgStore extends BasePgStore {
       ${
         args.includeTxMetadata
           ? this.sql`
-            SELECT ${unsafeCols(this.sql, [
+            SELECT ${this.sql([
               'nft.asset_identifier',
               'nft.value',
               ...prefixedCols(TX_COLUMNS, 'txs'),
-              abiColumn(),
               'nft.count',
-            ])}
+            ])}, ${abiColumn(this.sql)}
             FROM nft
             INNER JOIN txs USING (tx_id)
             WHERE txs.canonical = TRUE AND txs.microblock_canonical = TRUE
@@ -3301,16 +3301,15 @@ export class PgStore extends BasePgStore {
     includeTxMetadata: boolean;
   }): Promise<{ results: NftEventWithTxMetadata[]; total: number }> {
     const columns = args.includeTxMetadata
-      ? unsafeCols(this.sql, [
+      ? this.sql`${this.sql([
           'asset_identifier',
           'value',
           'event_index',
           'asset_event_type_id',
           'sender',
           'recipient',
           ...prefixedCols(TX_COLUMNS, 'txs'),
-          abiColumn(),
-        ])
+        ])}, ${abiColumn(this.sql)}`
       : this.sql`nft.*`;
     const nftTxResults = await this.sql<(DbNftEvent & ContractTxQueryResult & { count: number })[]>`
       SELECT ${columns}, (COUNT(*) OVER())::INTEGER AS count
@@ -3362,16 +3361,15 @@ export class PgStore extends BasePgStore {
     includeTxMetadata: boolean;
   }): Promise<{ results: NftEventWithTxMetadata[]; total: number }> {
     const columns = args.includeTxMetadata
-      ? unsafeCols(this.sql, [
+      ? this.sql`${this.sql([
           'asset_identifier',
           'value',
           'event_index',
           'asset_event_type_id',
           'sender',
           'recipient',
           ...prefixedCols(TX_COLUMNS, 'txs'),
-          abiColumn(),
-        ])
+        ])}, ${abiColumn(this.sql)}`
       : this.sql`nft.*`;
     const nftTxResults = await this.sql<(DbNftEvent & ContractTxQueryResult & { count: number })[]>`
       SELECT ${columns}, (COUNT(*) OVER())::INTEGER AS count
@@ -3442,7 +3440,7 @@ export class PgStore extends BasePgStore {
     return await this.sqlTransaction(async sql => {
       const maxBlockHeight = await this.getMaxBlockHeight(sql, { includeUnanchored });
       const result = await sql<ContractTxQueryResult[]>`
-        SELECT ${unsafeCols(sql, [...TX_COLUMNS, abiColumn()])}
+        SELECT ${sql(TX_COLUMNS)}, ${abiColumn(sql)}
         FROM txs
         WHERE tx_id IN ${sql(txIds)}
           AND block_height <= ${maxBlockHeight}
