outlet-orm 4.2.1 → 5.5.1

package/src/DatabaseConnection.js

@@ -9,23 +9,27 @@ let sqlite3;
 // Query log storage
 let queryLog = [];
 let queryLoggingEnabled = false;
+// Maximum number of entries retained in the query log to prevent unbounded memory growth
+const MAX_QUERY_LOG_SIZE = 1000;
+
+const RawExpression = require('./RawExpression');
 
 /**
  * Sanitize SQL identifier (table/column name) to prevent SQL injection
- * @param {string} identifier
+ * @param {string|RawExpression} identifier
  * @returns {string}
  */
 function sanitizeIdentifier(identifier) {
+  if (identifier instanceof RawExpression) {
+    return identifier.value;
+  }
   if (!identifier || typeof identifier !== 'string') {
     throw new Error('Invalid SQL identifier');
   }
-  // Allow only alphanumeric, underscore, dot (for table.column)
+  // Strict allowlist: only alphanumeric, underscore, dot (for table.column)
+  // Any identifier not matching this pattern is rejected outright — no fallback.
   if (!/^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$/.test(identifier)) {
-    // Check for common SQL injection patterns
-    // Note: Escape hyphen in character class to avoid range interpretation
-    if (/['";]|--|\/*|\*\/|xp_|sp_|0x/i.test(identifier)) {
-      throw new Error(`Potentially dangerous SQL identifier: ${identifier}`);
-    }
+    throw new Error('Invalid SQL identifier');
   }
   return identifier;
 }
@@ -44,6 +48,10 @@ function logQuery(sql, params, duration) {
       duration,
       timestamp: new Date()
     });
+    // Enforce size cap to prevent unbounded memory growth
+    if (queryLog.length > MAX_QUERY_LOG_SIZE) {
+      queryLog.shift();
+    }
   }
 }
 
@@ -272,18 +280,24 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql':
       if (this._transactionConnection) {
-        await this._transactionConnection.commit();
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.commit();
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
     case 'postgres':
     case 'postgresql':
       if (this._transactionConnection) {
-        await this._transactionConnection.query('COMMIT');
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.query('COMMIT');
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
@@ -306,18 +320,24 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql':
       if (this._transactionConnection) {
-        await this._transactionConnection.rollback();
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.rollback();
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
     case 'postgres':
     case 'postgresql':
       if (this._transactionConnection) {
-        await this._transactionConnection.query('ROLLBACK');
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.query('ROLLBACK');
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
@@ -515,10 +535,7 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql': {
       const conn = this._getConnection();
-      const [res] = await conn.execute(
-        this.convertToDriverPlaceholder(sql),
-        params
-      );
+      const [res] = await conn.execute(sql, params);
       result = { affectedRows: res.affectedRows };
       break;
     }
@@ -566,10 +583,7 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql': {
       const conn = this._getConnection();
-      const [res] = await conn.execute(
-        this.convertToDriverPlaceholder(sql),
-        params
-      );
+      const [res] = await conn.execute(sql, params);
       result = { affectedRows: res.affectedRows };
       break;
     }
@@ -737,7 +751,10 @@ class DatabaseConnection {
   }
 
   /**
-   * Execute a raw query and return normalized results
+   * Execute a raw query and return normalized results.
+   * ⚠️  SECURITY WARNING: The `sql` parameter is passed to the database driver without
+   * any sanitization. NEVER pass user-controlled data in `sql`. User-controlled values
+   * must be supplied exclusively via the `params` array (parameterized queries).
    * @param {string} sql
    * @param {Array} params
    * @returns {Promise<Array>}
@@ -776,7 +793,10 @@ class DatabaseConnection {
   }
 
   /**
-   * Execute raw SQL (driver-native results - for migrations)
+   * Execute raw SQL — driver-native results (intended for migrations).
+   * ⚠️  SECURITY WARNING: The `sql` parameter is passed to the database driver without
+   * any sanitization. NEVER pass user-controlled data in `sql`. User-controlled values
+   * must be supplied exclusively via the `params` array (parameterized queries).
    * @param {string} sql
    * @param {Array} params
    * @returns {Promise<any>}
@@ -864,7 +884,7 @@ class DatabaseConnection {
     // SELECT clause
     let selectClause = '*';
     if (query.columns && query.columns.length > 0 && query.columns[0] !== '*') {
-      selectClause = query.columns.join(', ');
+      selectClause = query.columns.map(col => sanitizeIdentifier(col)).join(', ');
     }
 
     // DISTINCT
@@ -876,7 +896,12 @@ class DatabaseConnection {
     if (query.joins && query.joins.length > 0) {
       for (const join of query.joins) {
         const joinType = (join.type || 'inner').toUpperCase();
-        sql += ` ${joinType} JOIN ${join.table} ON ${join.first} ${join.operator} ${join.second}`;
+        const ALLOWED_OPERATORS = ['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'NOT LIKE', 'IS', 'IS NOT'];
+        const op = join.operator.toUpperCase();
+        if (!ALLOWED_OPERATORS.includes(op)) {
+          throw new Error(`Invalid operator: ${join.operator}`);
+        }
+        sql += ` ${joinType} JOIN ${sanitizeIdentifier(join.table)} ON ${sanitizeIdentifier(join.first)} ${op} ${sanitizeIdentifier(join.second)}`;
       }
     }
 
@@ -887,19 +912,24 @@ class DatabaseConnection {
 
     // GROUP BY
     if (query.groupBys && query.groupBys.length > 0) {
-      sql += ` GROUP BY ${query.groupBys.join(', ')}`;
+      sql += ` GROUP BY ${query.groupBys.map(col => sanitizeIdentifier(col)).join(', ')}`;
     }
 
     // HAVING
     if (query.havings && query.havings.length > 0) {
       const havingClauses = [];
       for (const h of query.havings) {
+        const ALLOWED_OPERATORS = ['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'NOT LIKE', 'IS', 'IS NOT'];
+        const op = h.operator.toUpperCase();
+        if (!ALLOWED_OPERATORS.includes(op)) {
+          throw new Error(`Invalid operator: ${h.operator}`);
+        }
         if (h.type === 'basic') {
-          havingClauses.push(`${h.column} ${h.operator} ?`);
+          havingClauses.push(`${sanitizeIdentifier(h.column)} ${op} ?`);
           params.push(h.value);
         } else if (h.type === 'count') {
-          const col = h.column && h.column !== '*' ? h.column : '*';
-          havingClauses.push(`COUNT(${col}) ${h.operator} ?`);
+          const col = h.column && h.column !== '*' ? sanitizeIdentifier(h.column) : '*';
+          havingClauses.push(`COUNT(${col}) ${op} ?`);
           params.push(h.value);
         }
       }
@@ -911,19 +941,28 @@ class DatabaseConnection {
     // ORDER BY
     if (query.orders && query.orders.length > 0) {
       const orderClauses = query.orders.map(
-        order => `${order.column} ${order.direction.toUpperCase()}`
+        order => {
+          if (order.type === 'raw') {
+            return order.sql;
+          }
+          const dir = order.direction.toUpperCase();
+          if (dir !== 'ASC' && dir !== 'DESC') throw new Error(`Invalid direction: ${dir}`);
+          return `${sanitizeIdentifier(order.column)} ${dir}`;
+        }
       );
       sql += ` ORDER BY ${orderClauses.join(', ')}`;
     }
 
     // LIMIT
     if (query.limit !== null && query.limit !== undefined) {
-      sql += ` LIMIT ${query.limit}`;
+      sql += ' LIMIT ?';
+      params.push(query.limit);
     }
 
     // OFFSET
     if (query.offset !== null && query.offset !== undefined) {
-      sql += ` OFFSET ${query.offset}`;
+      sql += ' OFFSET ?';
+      params.push(query.offset);
     }
 
     return { sql, params };
@@ -940,45 +979,58 @@ class DatabaseConnection {
 
     const clauses = [];
     const params = [];
+    const ALLOWED_OPERATORS = ['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'NOT LIKE', 'IS', 'IS NOT'];
 
     wheres.forEach((where, index) => {
       const boolean = index === 0 ? 'WHERE' : (where.boolean || 'AND').toUpperCase();
+      const col = where.type !== 'raw' ? sanitizeIdentifier(where.column) : null;
 
       switch (where.type) {
-      case 'basic':
-        clauses.push(`${boolean} ${where.column} ${where.operator} ?`);
+      case 'raw': {
+        clauses.push(`${boolean} ${where.sql}`);
+        if (where.bindings) {
+          params.push(...where.bindings);
+        }
+        break;
+      }
+
+      case 'basic': {
+        const op = where.operator.toUpperCase();
+        if (!ALLOWED_OPERATORS.includes(op)) throw new Error(`Invalid operator: ${where.operator}`);
+        clauses.push(`${boolean} ${col} ${op} ?`);
         params.push(where.value);
         break;
+      }
 
       case 'in': {
         const inPlaceholders = where.values.map(() => '?').join(', ');
-        clauses.push(`${boolean} ${where.column} IN (${inPlaceholders})`);
+        clauses.push(`${boolean} ${col} IN (${inPlaceholders})`);
         params.push(...where.values);
         break;
       }
 
       case 'notIn': {
         const notInPlaceholders = where.values.map(() => '?').join(', ');
-        clauses.push(`${boolean} ${where.column} NOT IN (${notInPlaceholders})`);
+        clauses.push(`${boolean} ${col} NOT IN (${notInPlaceholders})`);
         params.push(...where.values);
         break;
       }
 
       case 'null':
-        clauses.push(`${boolean} ${where.column} IS NULL`);
+        clauses.push(`${boolean} ${col} IS NULL`);
         break;
 
       case 'notNull':
-        clauses.push(`${boolean} ${where.column} IS NOT NULL`);
+        clauses.push(`${boolean} ${col} IS NOT NULL`);
         break;
 
       case 'between':
-        clauses.push(`${boolean} ${where.column} BETWEEN ? AND ?`);
+        clauses.push(`${boolean} ${col} BETWEEN ? AND ?`);
         params.push(...where.values);
         break;
 
       case 'like':
-        clauses.push(`${boolean} ${where.column} LIKE ?`);
+        clauses.push(`${boolean} ${col} LIKE ?`);
         params.push(where.value);
         break;
       }

package/{lib → src}/Migrations/Migration.js

@@ -1,48 +1,48 @@
-/**
- * Base Migration Class
- * All migrations should extend this class
- */
-
-class Migration {
-  constructor(connection) {
-    this.connection = connection;
-  }
-
-  /**
-   * Run the migrations
-   */
-  async up() {
-    throw new Error('Migration up() method must be implemented');
-  }
-
-  /**
-   * Reverse the migrations
-   */
-  async down() {
-    throw new Error('Migration down() method must be implemented');
-  }
-
-  /**
-   * Get the migration name
-   */
-  static getName() {
-    return this.name;
-  }
-
-  /**
-   * Execute raw SQL
-   */
-  async execute(sql) {
-    return await this.connection.execute(sql);
-  }
-
-  /**
-   * Get the Schema builder
-   */
-  getSchema() {
-    const { Schema } = require('../Schema/Schema');
-    return new Schema(this.connection);
-  }
-}
-
-module.exports = Migration;
+/**
+ * Base Migration Class
+ * All migrations should extend this class
+ */
+
+class Migration {
+  constructor(connection) {
+    this.connection = connection;
+  }
+
+  /**
+   * Run the migrations
+   */
+  async up() {
+    throw new Error('Migration up() method must be implemented');
+  }
+
+  /**
+   * Reverse the migrations
+   */
+  async down() {
+    throw new Error('Migration down() method must be implemented');
+  }
+
+  /**
+   * Get the migration name
+   */
+  static getName() {
+    return this.name;
+  }
+
+  /**
+   * Execute raw SQL
+   */
+  async execute(sql) {
+    return await this.connection.execute(sql);
+  }
+
+  /**
+   * Get the Schema builder
+   */
+  getSchema() {
+    const { Schema } = require('../Schema/Schema');
+    return new Schema(this.connection);
+  }
+}
+
+module.exports = Migration;

package/{lib → src}/Migrations/MigrationManager.js

@@ -7,10 +7,13 @@ const fs = require('fs').promises;
 const path = require('path');
 
 class MigrationManager {
-  constructor(connection, migrationsPath = './database/migrations') {
+  constructor(connection, migrationsPath = './database/migrations', migrationsTable = 'migrations') {
+    if (typeof migrationsTable !== 'string' || !/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(migrationsTable)) {
+      throw new Error(`Invalid migrations table name: "${migrationsTable}"`);
+    }
     this.connection = connection;
     this.migrationsPath = path.resolve(process.cwd(), migrationsPath);
-    this.migrationsTable = 'migrations';
+    this.migrationsTable = migrationsTable;
   }
 
   /**
@@ -54,7 +57,7 @@ class MigrationManager {
       await this.runMigration(migration, batch);
     }
 
-    console.log(`\n✓ All migrations completed successfully`);
+    console.log('\n✓ All migrations completed successfully');
   }
 
   /**
@@ -105,7 +108,7 @@ class MigrationManager {
       await this.rollbackMigration(migration);
     }
 
-    console.log(`\n✓ Rollback completed successfully`);
+    console.log('\n✓ Rollback completed successfully');
   }
 
   /**
@@ -155,7 +158,7 @@ class MigrationManager {
       await this.rollbackMigration(migration);
     }
 
-    console.log(`\n✓ Reset completed successfully`);
+    console.log('\n✓ Reset completed successfully');
   }
 
   /**
@@ -263,11 +266,11 @@ class MigrationManager {
     const sql = `
       SELECT * FROM ${this.migrationsTable}
       WHERE batch >= (
-        SELECT MAX(batch) - ${steps - 1} FROM ${this.migrationsTable}
+        SELECT MAX(batch) - ? FROM ${this.migrationsTable}
       )
       ORDER BY batch DESC, id DESC
     `;
-    return await this.connection.execute(sql);
+    return await this.connection.execute(sql, [steps - 1]);
   }
 
   /**
@@ -304,18 +307,18 @@ class MigrationManager {
     let sql;
 
     switch (driver) {
-      case 'mysql':
-        sql = `SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE()`;
-        break;
-      case 'postgres':
-      case 'postgresql':
-        sql = `SELECT tablename FROM pg_tables WHERE schemaname = 'public'`;
-        break;
-      case 'sqlite':
-        sql = `SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'`;
-        break;
-      default:
-        throw new Error(`Unsupported driver: ${driver}`);
+    case 'mysql':
+      sql = 'SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE()';
+      break;
+    case 'postgres':
+    case 'postgresql':
+      sql = 'SELECT tablename FROM pg_tables WHERE schemaname = \'public\'';
+      break;
+    case 'sqlite':
+      sql = 'SELECT name FROM sqlite_master WHERE type=\'table\' AND name NOT LIKE \'sqlite_%\'';
+      break;
+    default:
+      throw new Error(`Unsupported driver: ${driver}`);
     }
 
     const result = await this.connection.execute(sql);

package/src/Model.js

@@ -95,6 +95,13 @@ class Model {
    * @param {Function} callback - Callback function
    */
   static on(event, callback) {
+    if (!Object.prototype.hasOwnProperty.call(this, 'eventListeners')) {
+      this.eventListeners = {
+        creating: [], created: [], updating: [], updated: [],
+        saving: [], saved: [], deleting: [], deleted: [],
+        restoring: [], restored: []
+      };
+    }
     if (!this.eventListeners[event]) {
       this.eventListeners[event] = [];
     }
@@ -108,6 +115,9 @@ class Model {
    * @returns {Promise<boolean>} - Returns false if event should be cancelled
    */
   static async fireEvent(event, model) {
+    if (!Object.prototype.hasOwnProperty.call(this, 'eventListeners')) {
+      return true;
+    }
     const listeners = this.eventListeners[event] || [];
     for (const listener of listeners) {
       const result = await listener(model);
@@ -423,8 +433,13 @@ class Model {
       break;
 
     case 'regex':
-      if (value && !new RegExp(ruleParam).test(value)) {
-        return `${field} format is invalid`;
+      try {
+        const re = new RegExp(ruleParam);
+        if (value && !re.test(value)) {
+          return `${field} format is invalid`;
+        }
+      } catch {
+        return `${field} has an invalid regex rule`;
       }
       break;
     }
@@ -556,7 +571,7 @@ class Model {
    * @returns {Promise<any>}
    */
   static async delete() {
-    return this.query().delete();
+    throw new Error('Cannot call static delete() without conditions. Use query().delete() instead.');
   }
 
   /**
@@ -679,8 +694,9 @@ class Model {
    * @returns {this}
    */
   fill(attributes) {
+    const fillable = this.constructor.fillable || [];
     for (const [key, value] of Object.entries(attributes)) {
-      if (this.constructor.fillable.length === 0 || this.constructor.fillable.includes(key)) {
+      if (fillable.includes(key)) {
         this.setAttribute(key, value);
       }
     }
@@ -952,6 +968,10 @@ class Model {
     const head = segments[0];
     const tail = segments.slice(1).join('.');
 
+    // Prevent prototype pollution and calling built-in methods
+    const builtIns = ['constructor', 'load', 'save', 'delete', 'update', 'query', 'with', 'withCount', 'hasOne', 'hasMany', 'belongsTo', 'belongsToMany', 'morphTo', 'morphOne', 'morphMany', 'hasOneThrough', 'hasManyThrough'];
+    if (builtIns.includes(head) || head.startsWith('__')) return;
+
     const relationFn = this[head];
     if (typeof relationFn !== 'function') return;
 
@@ -984,7 +1004,8 @@ class Model {
   hasOne(related, foreignKey, localKey) {
     const HasOneRelation = require('./Relations/HasOneRelation');
     localKey = localKey || this.constructor.primaryKey;
-    foreignKey = foreignKey || `${this.constructor.table.slice(0, -1)}_id`;
+    const pluralize = require('pluralize');
+    foreignKey = foreignKey || `${pluralize.singular(this.constructor.table)}_id`;
 
     return new HasOneRelation(this, related, foreignKey, localKey);
   }
@@ -999,7 +1020,8 @@ class Model {
   hasMany(related, foreignKey, localKey) {
     const HasManyRelation = require('./Relations/HasManyRelation');
     localKey = localKey || this.constructor.primaryKey;
-    foreignKey = foreignKey || `${this.constructor.table.slice(0, -1)}_id`;
+    const pluralize = require('pluralize');
+    foreignKey = foreignKey || `${pluralize.singular(this.constructor.table)}_id`;
 
     return new HasManyRelation(this, related, foreignKey, localKey);
   }
@@ -1014,7 +1036,8 @@ class Model {
   belongsTo(related, foreignKey, ownerKey) {
     const BelongsToRelation = require('./Relations/BelongsToRelation');
     ownerKey = ownerKey || related.primaryKey;
-    foreignKey = foreignKey || `${related.table.slice(0, -1)}_id`;
+    const pluralize = require('pluralize');
+    foreignKey = foreignKey || `${pluralize.singular(related.table)}_id`;
 
     return new BelongsToRelation(this, related, foreignKey, ownerKey);
   }