@carbonorm/carbonnode 3.9.4 → 3.9.6

package/src/__tests__/sqlBuilders.expressions.test.ts

@@ -0,0 +1,163 @@
+import { describe, it, expect } from 'vitest';
+import { C6C } from '../api/C6Constants';
+import { SelectQueryBuilder } from '../api/orm/queries/SelectQueryBuilder';
+import { buildParcelConfig } from './fixtures/c6.fixture';
+
+const Property_Units = {
+  TABLE_NAME: 'property_units',
+  LOCATION: 'property_units.location',
+  PARCEL_ID: 'property_units.parcel_id',
+} as const;
+
+const Parcel_Sales = {
+  TABLE_NAME: 'parcel_sales',
+  PARCEL_ID: 'parcel_sales.parcel_id',
+  SALE_DATE: 'parcel_sales.sale_date',
+} as const;
+
+const Parcel_Building_Details = {
+  TABLE_NAME: 'parcel_building_details',
+  PARCEL_ID: 'parcel_building_details.parcel_id',
+} as const;
+
+describe('Explicit SQL expression grammar', () => {
+  it('supports operator-rooted nested function expressions with explicit OR grouping', () => {
+    const config = buildParcelConfig();
+
+    const qb = new SelectQueryBuilder(config as any, {
+      [C6C.SELECT]: [Property_Units.PARCEL_ID],
+      [C6C.WHERE]: {
+        [C6C.OR]: [
+          {
+            [C6C.LESS_THAN_OR_EQUAL_TO]: [
+              {
+                [C6C.ST_DISTANCE_SPHERE]: [
+                  Property_Units.LOCATION,
+                  { [C6C.ST_GEOMFROMTEXT]: ['POINT(39.4972468 -105.0403593)', 4326] },
+                ],
+              },
+              5000,
+            ],
+          },
+          {
+            [C6C.GREATER_THAN]: [
+              {
+                [C6C.ST_AREA]: [
+                  { [C6C.ST_GEOMFROMTEXT]: ['POLYGON((0 0,1 0,1 1,0 1,0 0))', 4326] },
+                ],
+              },
+              10000,
+            ],
+          },
+        ],
+      },
+    } as any, false);
+
+    const { sql, params } = qb.build(Property_Units.TABLE_NAME);
+
+    expect(sql).toContain('WHERE');
+    expect(sql).toMatch(/ST_DISTANCE_SPHERE\(property_units.location, ST_GEOMFROMTEXT\('/);
+    expect(sql).toMatch(/ST_AREA\(ST_GEOMFROMTEXT\('/);
+    expect(sql).toMatch(/<= \?/);
+    expect(sql).toMatch(/> \?/);
+    expect(sql).toContain('OR');
+    expect(params).toEqual([5000, 10000]);
+  });
+
+  it('treats safe raw function expressions as SQL expressions', () => {
+    const config = buildParcelConfig();
+
+    const qb = new SelectQueryBuilder(config as any, {
+      [C6C.SELECT]: [Property_Units.PARCEL_ID],
+      [C6C.WHERE]: {
+        0: [
+          [
+            "ST_Distance_Sphere(property_units.location, ST_GeomFromText('POINT(39.4972468 -105.0403593)', 4326))",
+            C6C.LESS_THAN_OR_EQUAL_TO,
+            5000,
+          ],
+        ],
+      },
+    } as any, false);
+
+    const { sql, params } = qb.build(Property_Units.TABLE_NAME);
+    expect(sql).toMatch(
+      /ST_Distance_Sphere\(property_units\.location, ST_GeomFromText\('POINT\(39\.4972468 -105\.0403593\)', 4326\)\) <= \?/
+    );
+    expect(params.slice(-1)[0]).toBe(5000);
+  });
+
+  it('rejects raw function expressions containing unsafe tokens', () => {
+    const config = buildParcelConfig();
+
+    const qb = new SelectQueryBuilder(config as any, {
+      [C6C.SELECT]: [Property_Units.PARCEL_ID],
+      [C6C.WHERE]: {
+        0: [
+          [
+            "ST_Distance_Sphere(property_units.location, ST_GeomFromText('POINT(39.4972468 -105.0403593)', 4326)); DROP TABLE users",
+            C6C.LESS_THAN,
+            1000,
+          ],
+        ],
+      },
+    } as any, false);
+
+    expect(() => qb.build(Property_Units.TABLE_NAME)).toThrowError(/Potential SQL injection detected/);
+  });
+
+  it('supports explicit AND groupings composed of nested OR clauses', () => {
+    const config = buildParcelConfig();
+
+    const qb = new SelectQueryBuilder(config as any, {
+      [C6C.SELECT]: [Property_Units.PARCEL_ID],
+      [C6C.WHERE]: {
+        [C6C.AND]: [
+          { [C6C.GREATER_THAN]: [Property_Units.PARCEL_ID, 100] },
+          {
+            [C6C.OR]: [
+              { [C6C.BETWEEN]: [Parcel_Sales.SALE_DATE, ['2021-01-01', '2022-06-30']] },
+              { [C6C.BETWEEN]: [Parcel_Sales.SALE_DATE, ['2023-01-01', '2024-06-30']] },
+            ],
+          },
+        ],
+      },
+    } as any, false);
+
+    const { sql, params } = qb.build(Property_Units.TABLE_NAME);
+
+    expect(sql).toMatch(/\(property_units\.parcel_id\) > \?/);
+    expect(sql).toMatch(/\(parcel_sales\.sale_date\) BETWEEN \? AND \?/);
+    expect(sql).toContain('AND');
+    expect(sql).toContain('OR');
+    expect(params).toEqual([100, '2021-01-01', '2022-06-30', '2023-01-01', '2024-06-30']);
+  });
+
+  it('serializes JOIN clauses deterministically based on declaration order', () => {
+    const config = buildParcelConfig();
+
+    const qb = new SelectQueryBuilder(config as any, {
+      [C6C.SELECT]: [Property_Units.PARCEL_ID],
+      [C6C.JOIN]: {
+        [C6C.LEFT]: {
+          [Parcel_Sales.TABLE_NAME]: {
+            [Parcel_Sales.PARCEL_ID]: Property_Units.PARCEL_ID,
+          },
+          [Parcel_Building_Details.TABLE_NAME]: {
+            [Parcel_Building_Details.PARCEL_ID]: Property_Units.PARCEL_ID,
+          },
+        },
+      },
+      [C6C.WHERE]: { [Property_Units.PARCEL_ID]: [C6C.EQUAL, 1] },
+    } as any, false);
+
+    const { sql } = qb.build(Property_Units.TABLE_NAME);
+
+    const firstJoin = sql.indexOf('JOIN `parcel_sales`');
+    const secondJoin = sql.indexOf('JOIN `parcel_building_details`');
+
+    expect(firstJoin).toBeGreaterThan(-1);
+    expect(secondJoin).toBeGreaterThan(firstJoin);
+  });
+});
+

package/src/api/C6Constants.ts

@@ -6,6 +6,7 @@ export const C6Constants = {
     ADDTIME: 'ADDTIME',
     AS: 'AS',
     ASC: 'ASC',
+    AND: 'AND',
 
     BETWEEN: 'BETWEEN',
 
@@ -92,6 +93,7 @@ export const C6Constants = {
     NULL: 'NULL',
 
     ORDER: 'ORDER',
+    OR: 'OR',
 
     PAGE: 'PAGE',
     PAGINATION: 'PAGINATION',

package/src/api/orm/builders/AggregateBuilder.ts

@@ -43,6 +43,11 @@ export abstract class AggregateBuilder<G extends OrmGenerics> extends Executor<G
         }
 
         const F = String(fn).toUpperCase();
+        const isGeomFromText = F === C6C.ST_GEOMFROMTEXT.toUpperCase();
+
+        if (args.length === 1 && Array.isArray(args[0])) {
+            args = args[0];
+        }
 
         // Parameter placeholder helper: [C6C.PARAM, value]
         if (F === C6C.PARAM) {
@@ -79,7 +84,7 @@ export abstract class AggregateBuilder<G extends OrmGenerics> extends Executor<G
         const identifierPathRegex = /^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$/;
 
         const argList = args
-            .map(arg => {
+            .map((arg, index) => {
                 if (Array.isArray(arg)) return this.buildAggregateField(arg, params);
                 if (typeof arg === 'string') {
                     if (identifierPathRegex.test(arg)) {
@@ -88,6 +93,17 @@ export abstract class AggregateBuilder<G extends OrmGenerics> extends Executor<G
                     }
                     // Treat numeric-looking strings as literals, not identifier paths
                     if (isNumericString(arg)) return arg;
+
+                    if (isGeomFromText && index === 0) {
+                        const trimmed = arg.trim();
+                        const alreadyQuoted = trimmed.startsWith("'") && trimmed.endsWith("'") && trimmed.length >= 2;
+                        if (alreadyQuoted) {
+                            return trimmed;
+                        }
+                        const escaped = arg.replace(/'/g, "''");
+                        return `'${escaped}'`;
+                    }
+
                     return arg;
                 }
                 return String(arg);