Merge pull request #87 from kaleido-io/like-escape

Fix escaping in LIKE expressions

Author: peterbroadhurst

.golangci.yml

@@ -54,3 +54,6 @@ linters:
     - unconvert
     - unparam
     - unused
+issues:
+  exclude:
+    - "method ToSql should be ToSQL"

pkg/dbsql/filter_sql.go

@@ -26,6 +26,70 @@ import (
 	"github.com/hyperledger/firefly-common/pkg/i18n"
 )
 
+const escapeChar = "["
+
+type LikeEscape sq.Like
+type NotLikeEscape sq.NotLike
+type ILikeEscape sq.ILike
+type NotILikeEscape sq.NotILike
+
+// Split a map into a list of maps with a single entry each
+func splitMap[T ~map[string]interface{}](m T) (exprs []T) {
+	for key, val := range m {
+		exprs = append(exprs, T{key: val})
+	}
+	return exprs
+}
+
+// Convert a list of Sqlizer operations to sq.And
+func toAnd[T sq.Sqlizer](ops []T) (and sq.And) {
+	for _, op := range ops {
+		and = append(and, op)
+	}
+	return and
+}
+
+func (lk LikeEscape) ToSql() (sql string, args []interface{}, err error) {
+	if len(lk) == 1 {
+		sql, args, err = sq.Like(lk).ToSql()
+		return fmt.Sprintf("%s ESCAPE '%s'", sql, escapeChar), args, err
+	}
+	return toAnd(splitMap(lk)).ToSql()
+}
+
+func (lk NotLikeEscape) ToSql() (sql string, args []interface{}, err error) {
+	if len(lk) == 1 {
+		sql, args, err = sq.NotLike(lk).ToSql()
+		return fmt.Sprintf("%s ESCAPE '%s'", sql, escapeChar), args, err
+	}
+	return toAnd(splitMap(lk)).ToSql()
+}
+
+func (lk ILikeEscape) ToSql() (sql string, args []interface{}, err error) {
+	if len(lk) == 1 {
+		sql, args, err = sq.ILike(lk).ToSql()
+		return fmt.Sprintf("%s ESCAPE '%s'", sql, escapeChar), args, err
+	}
+	return toAnd(splitMap(lk)).ToSql()
+}
+
+func (lk NotILikeEscape) ToSql() (sql string, args []interface{}, err error) {
+	if len(lk) == 1 {
+		sql, args, err = sq.NotILike(lk).ToSql()
+		return fmt.Sprintf("%s ESCAPE '%s'", sql, escapeChar), args, err
+	}
+	return toAnd(splitMap(lk)).ToSql()
+}
+
+func (s *Database) escapeLike(value ffapi.FieldSerialization) string {
+	v, _ := value.Value()
+	vs, _ := v.(string)
+	vs = strings.ReplaceAll(vs, escapeChar, escapeChar+escapeChar)
+	vs = strings.ReplaceAll(vs, "%", escapeChar+"%")
+	vs = strings.ReplaceAll(vs, "_", escapeChar+"_")
+	return vs
+}
+
 func (s *Database) FilterSelect(ctx context.Context, tableName string, sel sq.SelectBuilder, filter ffapi.Filter, typeMap map[string]string, defaultSort []interface{}, preconditions ...sq.Sqlizer) (sq.SelectBuilder, sq.Sqlizer, *ffapi.FilterInfo, error) {
 	fi, err := filter.Finalize()
 	if err != nil {
@@ -127,15 +191,6 @@ func (s *Database) FilterUpdate(ctx context.Context, update sq.UpdateBuilder, fi
 	return update.Where(fop), nil
 }
 
-func (s *Database) escapeLike(value ffapi.FieldSerialization) string {
-	v, _ := value.Value()
-	vs, _ := v.(string)
-	vs = strings.ReplaceAll(vs, "[", "[[]")
-	vs = strings.ReplaceAll(vs, "%", "[%]")
-	vs = strings.ReplaceAll(vs, "_", "[_]")
-	return vs
-}
-
 func (s *Database) mapField(tableName, fieldName string, tm map[string]string) string {
 	if fieldName == "sequence" {
 		if tableName == "" {
@@ -158,17 +213,17 @@ func (s *Database) mapField(tableName, fieldName string, tm map[string]string) s
 // newILike uses ILIKE if supported by DB, otherwise the "lower" approach
 func (s *Database) newILike(field, value string) sq.Sqlizer {
 	if s.features.UseILIKE {
-		return sq.ILike{field: value}
+		return ILikeEscape{field: value}
 	}
-	return sq.Like{fmt.Sprintf("lower(%s)", field): strings.ToLower(value)}
+	return LikeEscape{fmt.Sprintf("lower(%s)", field): strings.ToLower(value)}
 }
 
 // newNotILike uses ILIKE if supported by DB, otherwise the "lower" approach
 func (s *Database) newNotILike(field, value string) sq.Sqlizer {
 	if s.features.UseILIKE {
-		return sq.NotILike{field: value}
+		return NotILikeEscape{field: value}
 	}
-	return sq.NotLike{fmt.Sprintf("lower(%s)", field): strings.ToLower(value)}
+	return NotLikeEscape{fmt.Sprintf("lower(%s)", field): strings.ToLower(value)}
 }
 
 func (s *Database) filterOp(ctx context.Context, tableName string, op *ffapi.FilterInfo, tm map[string]string) (sq.Sqlizer, error) {
@@ -190,25 +245,25 @@ func (s *Database) filterOp(ctx context.Context, tableName string, op *ffapi.Fil
 	case ffapi.FilterOpNotIn:
 		return sq.NotEq{s.mapField(tableName, op.Field, tm): op.Values}, nil
 	case ffapi.FilterOpCont:
-		return sq.Like{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s%%", s.escapeLike(op.Value))}, nil
+		return LikeEscape{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s%%", s.escapeLike(op.Value))}, nil
 	case ffapi.FilterOpNotCont:
-		return sq.NotLike{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s%%", s.escapeLike(op.Value))}, nil
+		return NotLikeEscape{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s%%", s.escapeLike(op.Value))}, nil
 	case ffapi.FilterOpICont:
 		return s.newILike(s.mapField(tableName, op.Field, tm), fmt.Sprintf("%%%s%%", s.escapeLike(op.Value))), nil
 	case ffapi.FilterOpNotICont:
 		return s.newNotILike(s.mapField(tableName, op.Field, tm), fmt.Sprintf("%s%%", s.escapeLike(op.Value))), nil
 	case ffapi.FilterOpStartsWith:
-		return sq.Like{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%s%%", s.escapeLike(op.Value))}, nil
+		return LikeEscape{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%s%%", s.escapeLike(op.Value))}, nil
 	case ffapi.FilterOpNotStartsWith:
-		return sq.NotLike{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%s%%", s.escapeLike(op.Value))}, nil
+		return NotLikeEscape{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%s%%", s.escapeLike(op.Value))}, nil
 	case ffapi.FilterOpIStartsWith:
 		return s.newILike(s.mapField(tableName, op.Field, tm), fmt.Sprintf("%s%%", s.escapeLike(op.Value))), nil
 	case ffapi.FilterOpNotIStartsWith:
 		return s.newNotILike(s.mapField(tableName, op.Field, tm), fmt.Sprintf("%s%%", s.escapeLike(op.Value))), nil
 	case ffapi.FilterOpEndsWith:
-		return sq.Like{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s", s.escapeLike(op.Value))}, nil
+		return LikeEscape{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s", s.escapeLike(op.Value))}, nil
 	case ffapi.FilterOpNotEndsWith:
-		return sq.NotLike{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s", s.escapeLike(op.Value))}, nil
+		return NotLikeEscape{s.mapField(tableName, op.Field, tm): fmt.Sprintf("%%%s", s.escapeLike(op.Value))}, nil
 	case ffapi.FilterOpIEndsWith:
 		return s.newILike(s.mapField(tableName, op.Field, tm), fmt.Sprintf("%%%s", s.escapeLike(op.Value))), nil
 	case ffapi.FilterOpNotIEndsWith:

pkg/dbsql/filter_sql_test.go

@@ -19,6 +19,7 @@ package dbsql
 import (
 	"context"
 	"database/sql/driver"
+	"sort"
 	"testing"
 
 	"github.com/Masterminds/squirrel"
@@ -128,7 +129,7 @@ func TestSQLQueryFactoryExtraOps(t *testing.T) {
 
 	sqlFilter, _, err := sel.ToSql()
 	assert.NoError(t, err)
-	assert.Equal(t, "SELECT * FROM mytable AS mt WHERE (mt.created IN (?,?,?) AND mt.created NOT IN (?,?,?) AND mt.id = ? AND mt.id IN (?) AND mt.id IS NOT NULL AND mt.created < ? AND mt.created <= ? AND mt.created >= ? AND mt.created <> ? AND mt.seq > ? AND mt.topics LIKE ? AND mt.topics NOT LIKE ? AND mt.topics ILIKE ? AND mt.topics NOT ILIKE ?) ORDER BY mt.seq DESC", sqlFilter)
+	assert.Equal(t, "SELECT * FROM mytable AS mt WHERE (mt.created IN (?,?,?) AND mt.created NOT IN (?,?,?) AND mt.id = ? AND mt.id IN (?) AND mt.id IS NOT NULL AND mt.created < ? AND mt.created <= ? AND mt.created >= ? AND mt.created <> ? AND mt.seq > ? AND mt.topics LIKE ? ESCAPE '[' AND mt.topics NOT LIKE ? ESCAPE '[' AND mt.topics ILIKE ? ESCAPE '[' AND mt.topics NOT ILIKE ? ESCAPE '[') ORDER BY mt.seq DESC", sqlFilter)
 }
 
 func TestSQLQueryFactoryEvenMoreOps(t *testing.T) {
@@ -139,8 +140,8 @@ func TestSQLQueryFactoryEvenMoreOps(t *testing.T) {
 	f := fb.And(
 		fb.IEq("id", u),
 		fb.NIeq("id", nil),
-		fb.StartsWith("topics", "abc"),
-		fb.NotStartsWith("topics", "def"),
+		fb.StartsWith("topics", "abc_"),
+		fb.NotStartsWith("topics", "def%"),
 		fb.IStartsWith("topics", "ghi"),
 		fb.NotIStartsWith("topics", "jkl"),
 		fb.EndsWith("topics", "mno"),
@@ -154,9 +155,37 @@ func TestSQLQueryFactoryEvenMoreOps(t *testing.T) {
 	sel, _, _, err := s.FilterSelect(context.Background(), "mt", sel, f, nil, []interface{}{"sequence"})
 	assert.NoError(t, err)
 
-	sqlFilter, _, err := sel.ToSql()
+	sqlFilter, args, err := sel.ToSql()
+	assert.NoError(t, err)
+	assert.Equal(t, "SELECT * FROM mytable AS mt WHERE (mt.id ILIKE ? ESCAPE '[' AND mt.id NOT ILIKE ? ESCAPE '[' AND mt.topics LIKE ? ESCAPE '[' AND mt.topics NOT LIKE ? ESCAPE '[' AND mt.topics ILIKE ? ESCAPE '[' AND mt.topics NOT ILIKE ? ESCAPE '[' AND mt.topics LIKE ? ESCAPE '[' AND mt.topics NOT LIKE ? ESCAPE '[' AND mt.topics ILIKE ? ESCAPE '[' AND mt.topics NOT ILIKE ? ESCAPE '[') ORDER BY mt.seq DESC", sqlFilter)
+	assert.Equal(t, []interface{}{
+		"4066abdc-8bbd-4472-9d29-1a55b467f9b9",
+		"",
+		"abc[_%",
+		"def[%%",
+		"ghi%",
+		"jkl%",
+		"%mno",
+		"%pqr",
+		"%sty",
+		"%vwx",
+	}, args)
+}
+
+func TestSQLQueryFactoryEscapeLike(t *testing.T) {
+
+	sel := squirrel.Select("*").From("mytable AS mt").
+		Where(LikeEscape{"a": 1, "b": 2}).
+		Where(NotLikeEscape{"a": 1, "b": 2}).
+		Where(ILikeEscape{"a": 1, "b": 2}).
+		Where(NotILikeEscape{"a": 1, "b": 2})
+
+	sql, args, err := sel.ToSql()
 	assert.NoError(t, err)
-	assert.Equal(t, "SELECT * FROM mytable AS mt WHERE (mt.id ILIKE ? AND mt.id NOT ILIKE ? AND mt.topics LIKE ? AND mt.topics NOT LIKE ? AND mt.topics ILIKE ? AND mt.topics NOT ILIKE ? AND mt.topics LIKE ? AND mt.topics NOT LIKE ? AND mt.topics ILIKE ? AND mt.topics NOT ILIKE ?) ORDER BY mt.seq DESC", sqlFilter)
+	assert.Regexp(t, `SELECT \* FROM mytable AS mt WHERE \([ab] LIKE \? ESCAPE '\[' AND [ab] LIKE \? ESCAPE '\['\) AND \([ab] NOT LIKE \? ESCAPE '\[' AND [ab] NOT LIKE \? ESCAPE '\['\) AND \([ab] ILIKE \? ESCAPE '\[' AND [ab] ILIKE \? ESCAPE '\['\) AND \([ab] NOT ILIKE \? ESCAPE '\[' AND [ab] NOT ILIKE \? ESCAPE '\['\)`, sql)
+	assert.Len(t, args, 8)
+	sort.Slice(args, func(i, j int) bool { return args[i].(int) < args[j].(int) })
+	assert.Equal(t, []interface{}{1, 1, 1, 1, 2, 2, 2, 2}, args)
 }
 
 func TestSQLQueryFactoryFinalizeFail(t *testing.T) {