fix: prevent object expansion in placeholders after SET clause (#5)

Author: wellwelwel

README.md

@@ -30,7 +30,7 @@ deno add npm:sql-escaper
 
 > [!NOTE]
 >
-> 🔐 **SQL Escaper** fixes a [**SQL Injection vulnerability**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4) discovered in 2022 in the original [**sqlstring**](https://github.com/mysqljs/sqlstring), where objects passed as values could be expanded into SQL fragments, potentially allowing attackers to manipulate query structure. See [sidorares/node-mysql2#4051](https://github.com/sidorares/node-mysql2/issues/4051) for details.
+> 🔐 **SQL Escaper** fixes a potential [**SQL Injection vulnerability**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4) discovered in 2022 in the original [**sqlstring**](https://github.com/mysqljs/sqlstring), where objects passed as values could be expanded into SQL fragments, potentially allowing attackers to manipulate query structure. See [sidorares/node-mysql2#4051](https://github.com/sidorares/node-mysql2/issues/4051) for details.
 
 ---
 

src/index.ts

@@ -432,9 +432,10 @@ export const format = (
         !Buffer.isBuffer(currentValue) &&
         !isDate(currentValue) &&
         isRecord(currentValue)
-      )
+      ) {
         escapedValue = objectToValues(currentValue, timezone);
-      else escapedValue = escape(currentValue, stringifyObjects, timezone);
+        setIndex = -1;
+      } else escapedValue = escape(currentValue, stringifyObjects, timezone);
     } else escapedValue = escape(currentValue, stringifyObjects, timezone);
 
     result += sql.slice(chunkIndex, placeholderPosition);

test/stringify-objects-as-false.test.ts

@@ -135,3 +135,70 @@ describe('SELECT and INSERT with Date parameter', () => {
     );
   });
 });
+
+describe('Object placeholder after SET but outside SET clause', () => {
+  it('should not expand object in WHERE clause after UPDATE SET', () => {
+    const query = format('UPDATE users SET ? WHERE id = ?', [
+      { name: 'foo' },
+      { id: 1 },
+    ]);
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET `name` = 'foo' WHERE id = '[object Object]'"
+    );
+  });
+
+  it('should not expand object in WHERE with multiple conditions after SET', () => {
+    const query = format('UPDATE users SET ? WHERE id = ? AND role = ?', [
+      { name: 'bar' },
+      { id: 1 },
+      'admin',
+    ]);
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET `name` = 'bar' WHERE id = '[object Object]' AND role = 'admin'"
+    );
+  });
+
+  it('should not expand object in WHERE after multiline UPDATE SET', () => {
+    const query = format(
+      `UPDATE users
+       SET ?
+       WHERE status = ?`,
+      [{ name: 'foo', email: 'bar@test.com' }, { status: 'active' }]
+    );
+
+    assert.strictEqual(
+      query,
+      `UPDATE users
+       SET \`name\` = 'foo', \`email\` = 'bar@test.com'
+       WHERE status = '[object Object]'`
+    );
+  });
+
+  it('should not expand object in subquery after SET', () => {
+    const query = format(
+      'UPDATE users SET ? WHERE id IN (SELECT user_id FROM roles WHERE role = ?)',
+      [{ active: true }, { role: 'admin' }]
+    );
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET `active` = true WHERE id IN (SELECT user_id FROM roles WHERE role = '[object Object]')"
+    );
+  });
+
+  it('should not expand object in ORDER BY/LIMIT after SET', () => {
+    const query = format(
+      'UPDATE users SET ? WHERE active = ? ORDER BY id LIMIT ?',
+      [{ name: 'test' }, { active: true }, 10]
+    );
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET `name` = 'test' WHERE active = '[object Object]' ORDER BY id LIMIT 10"
+    );
+  });
+});

test/stringify-objects-as-true.test.ts

@@ -129,3 +129,70 @@ describe('SELECT and INSERT with Date parameter', () => {
     );
   });
 });
+
+describe('Object placeholder after SET but outside SET clause', () => {
+  it('should stringify objects in both SET and WHERE clauses', () => {
+    const query = format('UPDATE users SET ? WHERE id = ?', [
+      { name: 'foo' },
+      { id: 1 },
+    ]);
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET '[object Object]' WHERE id = '[object Object]'"
+    );
+  });
+
+  it('should stringify objects in WHERE with multiple conditions after SET', () => {
+    const query = format('UPDATE users SET ? WHERE id = ? AND role = ?', [
+      { name: 'bar' },
+      { id: 1 },
+      'admin',
+    ]);
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET '[object Object]' WHERE id = '[object Object]' AND role = 'admin'"
+    );
+  });
+
+  it('should stringify objects in WHERE after multiline UPDATE SET', () => {
+    const query = format(
+      `UPDATE users
+       SET ?
+       WHERE status = ?`,
+      [{ name: 'foo', email: 'bar@test.com' }, { status: 'active' }]
+    );
+
+    assert.strictEqual(
+      query,
+      `UPDATE users
+       SET '[object Object]'
+       WHERE status = '[object Object]'`
+    );
+  });
+
+  it('should stringify object in subquery after SET', () => {
+    const query = format(
+      'UPDATE users SET ? WHERE id IN (SELECT user_id FROM roles WHERE role = ?)',
+      [{ active: true }, { role: 'admin' }]
+    );
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET '[object Object]' WHERE id IN (SELECT user_id FROM roles WHERE role = '[object Object]')"
+    );
+  });
+
+  it('should stringify object in WHERE with ORDER BY/LIMIT after SET', () => {
+    const query = format(
+      'UPDATE users SET ? WHERE active = ? ORDER BY id LIMIT ?',
+      [{ name: 'test' }, { active: true }, 10]
+    );
+
+    assert.strictEqual(
+      query,
+      "UPDATE users SET '[object Object]' WHERE active = '[object Object]' ORDER BY id LIMIT 10"
+    );
+  });
+});