@carbonorm/carbonnode 3.5.5 → 3.5.7

package/src/api/orm/builders/ConditionBuilder.ts

@@ -8,7 +8,37 @@ export abstract class ConditionBuilder<
     G extends OrmGenerics
 > extends AggregateBuilder<G> {
 
-    protected aliasMappings: Record<string, string> = {};
+    protected aliasMap: Record<string, string> = {};
+
+    protected initAlias(baseTable: string, joins?: any): void {
+        this.aliasMap = { [baseTable]: baseTable };
+
+        if (!joins) return;
+
+        for (const joinType in joins) {
+            for (const raw in joins[joinType]) {
+                const [table, alias] = raw.split(' ');
+                this.aliasMap[alias || table] = table;
+            }
+        }
+    }
+
+    protected isColumnRef(ref: string): boolean {
+        if (typeof ref !== 'string' || !ref.includes('.')) return false;
+
+        const [prefix, column] = ref.split('.', 2);
+        const tableName = this.aliasMap[prefix] || prefix;
+        const table = this.config.C6?.TABLES?.[tableName];
+        if (!table) return false;
+
+        const fullKey = `${tableName}.${column}`;
+        if (table.COLUMNS && (fullKey in table.COLUMNS)) return true;
+        if (table.COLUMNS && Object.values(table.COLUMNS).includes(ref)) return true;
+
+        this.config.verbose && console.log(`[COLUMN REF] ${ref} is not a valid column reference`);
+
+        return false;
+    }
 
     abstract build(table: string): SqlBuilderResult;
 
@@ -27,17 +57,6 @@ export abstract class ConditionBuilder<
         C6C.ST_DISTANCE_SPHERE
     ]);
 
-    private isTableReference(val: any): boolean {
-        if (typeof val !== 'string' || !val.includes('.')) return false;
-        const [prefix, column] = val.split('.');
-        const tableName = this.aliasMappings[prefix] ?? prefix;
-        return (
-            typeof this.config.C6?.TABLES[tableName] === 'object' &&
-            val in this.config.C6.TABLES[tableName].COLUMNS &&
-            this.config.C6.TABLES[tableName].COLUMNS[val] === column
-        );
-    }
-
     private validateOperator(op: string) {
         if (!this.OPERATORS.has(op)) {
             throw new Error(`Invalid or unsupported SQL operator detected: '${op}'`);
@@ -83,8 +102,14 @@ export abstract class ConditionBuilder<
                 }
             }
 
+            const leftIsCol = this.isColumnRef(column);
+            const rightIsCol = typeof value === 'string' && this.isColumnRef(value);
+
+            if (!leftIsCol && !rightIsCol) {
+                throw new Error(`Potential SQL injection detected: '${column} ${op} ${value}'`);
+            }
+
             this.validateOperator(op);
-            const leftIsRef: boolean = this.isTableReference(column);
 
             if (op === C6C.MATCH_AGAINST && Array.isArray(value)) {
                 const [search, mode] = value;
@@ -109,7 +134,7 @@ export abstract class ConditionBuilder<
                         break;
                 }
 
-                if (!leftIsRef) {
+                if (!leftIsCol) {
                     throw new Error(`MATCH_AGAINST requires a table reference as the left operand. Column '${column}' is not a valid table reference.`);
                 }
                 const matchClause = `(MATCH(${column}) ${againstClause})`;
@@ -118,9 +143,11 @@ export abstract class ConditionBuilder<
             }
 
             if ((op === C6C.IN || op === C6C.NOT_IN) && Array.isArray(value)) {
-                const placeholders = value.map(v => this.addParam(params, column, v)).join(', ');
+                const placeholders = value.map(v =>
+                    this.isColumnRef(v) ? v : this.addParam(params, column, v)
+                ).join(', ');
                 const normalized = op.replace('_', ' ');
-                if (!leftIsRef) {
+                if (!leftIsCol) {
                     throw new Error(`IN operator requires a table reference as the left operand. Column '${column}' is not a valid table reference.`);
                 }
                 return `( ${column} ${normalized} (${placeholders}) )`;
@@ -128,26 +155,25 @@ export abstract class ConditionBuilder<
 
             if (op === C6C.BETWEEN || op === 'NOT BETWEEN') {
                 if (!Array.isArray(value) || value.length !== 2) {
-                    throw new Error(`BETWEEN operator requires an array of two values`);
+                    throw new Error(`BETWEEN operator requires an array of two values. Received: ${JSON.stringify(value)}`);
                 }
                 const [start, end] = value;
-                if (!leftIsRef) {
+                if (!leftIsCol) {
                     throw new Error(`BETWEEN operator requires a table reference as the left operand. Column '${column}' is not a valid table reference.`);
                 }
                 return `(${column}) ${op.replace('_', ' ')} ${this.addParam(params, column, start)} AND ${this.addParam(params, column, end)}`;
             }
 
-            const rightIsRef: boolean = this.isTableReference(value);
 
-            if (leftIsRef && rightIsRef) {
+            if (leftIsCol && rightIsCol) {
                 return `(${column}) ${op} ${value}`;
             }
 
-            if (leftIsRef && !rightIsRef) {
+            if (leftIsCol && !rightIsCol) {
                 return `(${column}) ${op} ${this.addParam(params, column, value)}`;
             }
 
-            if (rightIsRef) {
+            if (rightIsCol) {
                 return `(${this.addParam(params, column, column)}) ${op} ${value}`;
             }
 

package/src/api/orm/builders/JoinBuilder.ts

@@ -11,9 +11,7 @@ export abstract class JoinBuilder<G extends OrmGenerics> extends ConditionBuilde
 
             for (const raw in joinArgs[joinType]) {
                 const [table, alias] = raw.split(' ');
-                if (alias) {
-                    this.aliasMappings[alias] = table;
-                }
+                this.aliasMap[alias || table] = table;
                 const onClause = this.buildBooleanJoinedConditions(joinArgs[joinType][raw], true, params);
                 const joinSql = alias ? `\`${table}\` AS \`${alias}\`` : `\`${table}\``;
                 sql += ` ${joinKind} JOIN ${joinSql} ON ${onClause}`;

package/src/api/orm/queries/DeleteQueryBuilder.ts

@@ -6,8 +6,8 @@ export class DeleteQueryBuilder<G extends OrmGenerics> extends JoinBuilder<G> {
     build(
         table: string
     ): SqlBuilderResult {
-        this.aliasMappings = {};
         const params = this.useNamedParams ? {} : [];
+        this.initAlias(table, this.request.JOIN);
 
         let sql = `DELETE \`${table}\` FROM \`${table}\``;
 

package/src/api/orm/queries/PostQueryBuilder.ts

@@ -14,7 +14,6 @@ export class PostQueryBuilder<G extends OrmGenerics> extends ConditionBuilder<G>
     }
 
     build(table: string) {
-        this.aliasMappings = {};
         const verb = C6C.REPLACE in this.request ? C6C.REPLACE : C6C.INSERT;
         const body = verb in this.request ? this.request[verb] : this.request;
         const keys = Object.keys(body);

package/src/api/orm/queries/SelectQueryBuilder.ts

@@ -8,8 +8,8 @@ export class SelectQueryBuilder<G extends OrmGenerics> extends PaginationBuilder
         table: string,
         isSubSelect: boolean = false
     ): SqlBuilderResult {
-        this.aliasMappings = {};
         const args = this.request;
+        this.initAlias(table, args.JOIN);
         const params = this.useNamedParams ? {} : [];
         const selectList = args.SELECT ?? ['*'];
         const selectFields = selectList

package/src/api/orm/queries/UpdateQueryBuilder.ts

@@ -8,9 +8,9 @@ export class UpdateQueryBuilder<G extends OrmGenerics> extends PaginationBuilder
     build(
         table: string,
     ): SqlBuilderResult {
-        this.aliasMappings = {};
         const args = this.request;
         const params = this.useNamedParams ? {} : [];
+        this.initAlias(table, args.JOIN);
         let sql = `UPDATE \`${table}\``;
 
         if (args.JOIN) {