fix: deny passing Buffer columns to SQLite JSON helpers

- Added HasUint8Array<T> and ObjectHasUint8ArrayProperty<O> type utilities
- SQLite JSON helpers now return KyselyTypeError when binary columns are detected
- Error message includes workarounds: eb.cast<string>(column, "text") or sql<string>`hex(column)`

Author: hwisu

src/helpers/sqlite.ts

@@ -3,13 +3,24 @@ import type { SelectQueryNode } from '../operation-node/select-query-node.js'
 import type { SelectQueryBuilderExpression } from '../query-builder/select-query-builder-expression.js'
 import type { RawBuilder } from '../raw-builder/raw-builder.js'
 import { sql } from '../raw-builder/sql.js'
+import type { KyselyTypeError } from '../util/type-error.js'
 import { getJsonObjectArgs } from '../util/json-object-args.js'
 import type {
+  HasUint8Array,
+  ObjectHasUint8ArrayProperty,
   ShallowDehydrateObject,
   ShallowDehydrateValue,
   Simplify,
 } from '../util/type-utils.js'
 
+type ExpressionRecordHasUint8Array<
+  O extends Record<string, Expression<unknown>>,
+> = true extends {
+  [K in keyof O]: O[K] extends Expression<infer V> ? HasUint8Array<V> : false
+}[keyof O]
+  ? true
+  : false
+
 /**
  * A SQLite helper for aggregating a subquery into a JSON array.
  *
@@ -73,10 +84,12 @@ import type {
  */
 export function jsonArrayFrom<O>(
   expr: SelectQueryBuilderExpression<O>,
-): RawBuilder<Simplify<ShallowDehydrateObject<O>>[]> {
+): ObjectHasUint8ArrayProperty<O> extends true
+  ? KyselyTypeError<'SQLite jsonArrayFrom does not support Buffer/Uint8Array columns. Cast to text using eb.cast<string>(column, "text") or sql<string>`hex(column)`'>
+  : RawBuilder<Simplify<ShallowDehydrateObject<O>>[]> {
   return sql`(select coalesce(json_group_array(json_object(${sql.join(
     getSqliteJsonObjectArgs(expr.toOperationNode(), 'agg'),
-  )})), '[]') from ${expr} as agg)`
+  )})), '[]') from ${expr} as agg)` as any
 }
 
 /**
@@ -144,10 +157,12 @@ export function jsonArrayFrom<O>(
  */
 export function jsonObjectFrom<O>(
   expr: SelectQueryBuilderExpression<O>,
-): RawBuilder<Simplify<ShallowDehydrateObject<O>> | null> {
+): ObjectHasUint8ArrayProperty<O> extends true
+  ? KyselyTypeError<'SQLite jsonObjectFrom does not support Buffer/Uint8Array columns. Cast to text using eb.cast<string>(column, "text") or sql<string>`hex(column)`'>
+  : RawBuilder<Simplify<ShallowDehydrateObject<O>> | null> {
   return sql`(select json_object(${sql.join(
     getSqliteJsonObjectArgs(expr.toOperationNode(), 'obj'),
-  )}) from ${expr} as obj)`
+  )}) from ${expr} as obj)` as any
 }
 
 /**
@@ -208,16 +223,18 @@ export function jsonObjectFrom<O>(
  */
 export function jsonBuildObject<O extends Record<string, Expression<unknown>>>(
   obj: O,
-): RawBuilder<
-  Simplify<{
-    [K in keyof O]: O[K] extends Expression<infer V>
-      ? ShallowDehydrateValue<V>
-      : never
-  }>
-> {
+): ExpressionRecordHasUint8Array<O> extends true
+  ? KyselyTypeError<'SQLite jsonBuildObject does not support Buffer/Uint8Array values. Cast to text using eb.cast<string>(column, "text") or sql<string>`hex(column)`'>
+  : RawBuilder<
+      Simplify<{
+        [K in keyof O]: O[K] extends Expression<infer V>
+          ? ShallowDehydrateValue<V>
+          : never
+      }>
+    > {
   return sql`json_object(${sql.join(
     Object.keys(obj).flatMap((k) => [sql.lit(k), obj[k]]),
-  )})`
+  )})` as any
 }
 
 function getSqliteJsonObjectArgs(

src/util/type-utils.ts

@@ -260,3 +260,21 @@ export type StringsWhenDataTypeNotAvailable =
 export type NumbersWhenDataTypeNotAvailable = bigint | NumericString
 
 export type NumericString = `${number}`
+
+/**
+ * Evaluates to `true` if type `T` contains `Uint8Array`.
+ */
+export type HasUint8Array<T> = Uint8Array extends T
+  ? true
+  : T extends Uint8Array
+    ? true
+    : false
+
+/**
+ * Evaluates to `true` if any property in object type `O` contains `Uint8Array`.
+ */
+export type ObjectHasUint8ArrayProperty<O> = true extends {
+  [K in keyof O]: HasUint8Array<O[K]>
+}[keyof O]
+  ? true
+  : false

test/node/src/json.test.ts

@@ -414,14 +414,17 @@ for (const dialect of DIALECTS) {
         ).as('doggo'),
 
         // Nest an object that holds the person's formatted name
-        jsonBuildObject({
-          first: eb.ref('first_name'),
-          last: eb.ref('last_name'),
-          full:
-            dialect === 'sqlite'
-              ? sql<string>`first_name || ' ' || last_name`
-              : eb.fn('concat', ['first_name', sql.lit(' '), 'last_name']),
-        }).as('name'),
+        // Type assertion needed due to union of dialect helper types
+        (
+          jsonBuildObject({
+            first: eb.ref('first_name'),
+            last: eb.ref('last_name'),
+            full:
+              dialect === 'sqlite'
+                ? sql<string>`first_name || ' ' || last_name`
+                : eb.fn('concat', ['first_name', sql.lit(' '), 'last_name']),
+          }) as RawBuilder<{ first: string; last: string | null; full: string }>
+        ).as('name'),
 
         // Nest an empty list
         jsonArrayFrom(
@@ -564,14 +567,17 @@ for (const dialect of DIALECTS) {
       const result = await db
         .selectNoFrom([
           buffer,
-          jsonObjectFrom(
-            db.selectNoFrom([
-              dialect === 'sqlite'
-                ? expressionBuilder()
-                    .cast<string>(buffer.expression, 'text')
-                    .as('buffer')
-                : buffer,
-            ]),
+          // Type assertion needed due to union of dialect helper types
+          (
+            jsonObjectFrom(
+              db.selectNoFrom([
+                dialect === 'sqlite'
+                  ? expressionBuilder()
+                      .cast<string>(buffer.expression, 'text')
+                      .as('buffer')
+                  : buffer,
+              ]),
+            ) as RawBuilder<{ buffer: string } | null>
           )
             .$notNull()
             .as('dehydrated'),