outlet-orm 4.2.1 → 5.5.1

package/src/QueryBuilder.js

@@ -1,6 +1,22 @@
 /**
  * Query Builder for constructing and executing database queries
  */
+const RawExpression = require('./RawExpression');
+
+/**
+ * Validate a SQL identifier used internally in subquery construction.
+ * Throws if the value is not a safe alphanumeric/underscore/dot string.
+ * @param {string} value
+ * @param {string} context - human-readable label for error messages
+ * @returns {string}
+ */
+function assertIdentifier(value, context = 'identifier') {
+  if (typeof value !== 'string' || !/^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$/.test(value)) {
+    throw new Error(`Invalid SQL ${context}`);
+  }
+  return value;
+}
+
 class QueryBuilder {
   constructor(model) {
     this.model = model;
@@ -28,6 +44,7 @@ class QueryBuilder {
    */
   _applyGlobalScopes() {
     if (this._excludeAllScopes) return;
+    if (this._scopesApplied) return;
 
     const scopes = this.model.globalScopes || {};
     for (const [name, scopeFn] of Object.entries(scopes)) {
@@ -35,6 +52,7 @@ class QueryBuilder {
         scopeFn(this);
       }
     }
+    this._scopesApplied = true;
   }
 
   /**
@@ -43,12 +61,14 @@ class QueryBuilder {
    */
   _applySoftDeleteConstraints() {
     if (!this.model.softDeletes) return;
+    if (this._softDeleteApplied) return;
 
     if (this._onlyTrashed) {
       this.whereNotNull(this.model.DELETED_AT);
     } else if (!this._withTrashed) {
       this.whereNull(this.model.DELETED_AT);
     }
+    this._softDeleteApplied = true;
   }
 
   /**
@@ -98,6 +118,16 @@ class QueryBuilder {
     return this;
   }
 
+  /**
+   * Add a raw select expression
+   * @param {string} expression
+   * @returns {this}
+   */
+  selectRaw(expression) {
+    this.selectedColumns.push(new RawExpression(expression));
+    return this;
+  }
+
   /**
    * Convenience alias to pass an array of columns
    * @param {string[]} cols
@@ -215,6 +245,28 @@ class QueryBuilder {
     return this;
   }
 
+  /**
+   * Add a raw where clause
+   * @param {string} sql
+   * @param {Array} bindings
+   * @returns {this}
+   */
+  whereRaw(sql, bindings = []) {
+    this.wheres.push({ type: 'raw', sql, bindings, boolean: 'and' });
+    return this;
+  }
+
+  /**
+   * Add a raw or where clause
+   * @param {string} sql
+   * @param {Array} bindings
+   * @returns {this}
+   */
+  orWhereRaw(sql, bindings = []) {
+    this.wheres.push({ type: 'raw', sql, bindings, boolean: 'or' });
+    return this;
+  }
+
   /**
    * Filter parents where the given relation has at least one matching record.
    * Implements via INNER JOIN and applying the related where clauses.
@@ -234,23 +286,23 @@ class QueryBuilder {
       throw new Error(`Invalid relation '${relationName}' on ${this.model.name}`);
     }
 
-    const parentTable = this.model.table;
+    const parentTable = assertIdentifier(this.model.table, 'parent table');
     const relatedClass = relation.related;
-    const relatedTable = relatedClass.table;
+    const relatedTable = assertIdentifier(relatedClass.table, 'related table');
+    const foreignKey = assertIdentifier(relation.foreignKey, 'foreignKey');
+    const localKey = assertIdentifier(relation.localKey, 'localKey');
 
-    // Heuristic to detect relation direction
-    const relatedDerivedFK = `${relatedTable.replace(/s$/, '')}_id`;
-
-    // Build ON condition depending on relation type
+    // Determine relation direction using relation type (relation.child is set on BelongsTo)
     let onLeft, onRight;
-    if (relation.foreignKey === relatedDerivedFK) {
-      // belongsTo: parent has FK to related
-      onLeft = `${relatedTable}.${relation.localKey}`; // related.ownerKey
-      onRight = `${parentTable}.${relation.foreignKey}`; // parent.foreignKey
+    if (relation.child) {
+      // belongsTo: parent has FK pointing to related
+      const ownerKey = assertIdentifier(relation.ownerKey || relatedClass.primaryKey || 'id', 'ownerKey');
+      onLeft = `${relatedTable}.${ownerKey}`;
+      onRight = `${parentTable}.${foreignKey}`;
     } else {
-      // hasOne/hasMany: related has FK to parent
-      onLeft = `${relatedTable}.${relation.foreignKey}`; // related.foreignKey -> parent
-      onRight = `${parentTable}.${relation.localKey}`; // parent.localKey (usually PK)
+      // hasOne/hasMany: related has FK pointing to parent
+      onLeft = `${relatedTable}.${foreignKey}`;
+      onRight = `${parentTable}.${localKey}`;
     }
 
     // Ensure the join exists
@@ -314,23 +366,27 @@ class QueryBuilder {
     }
     const relation = fn.call(parent);
     const relatedClass = relation.related;
-    const relatedTable = relatedClass.table;
-    const parentTable = this.model.table;
+    const relatedTable = assertIdentifier(relatedClass.table, 'related table');
+    const parentTable = assertIdentifier(this.model.table, 'parent table');
+    const foreignKey = assertIdentifier(relation.foreignKey, 'foreignKey');
+    const localKey = assertIdentifier(relation.localKey, 'localKey');
 
-    // Heuristic to detect direction as above
-    const relatedDerivedFK = `${relatedTable.replace(/s$/, '')}_id`;
+    // Determine direction using relation type (same logic as whereHas)
     let onLeft, onRight;
-    if (relation.foreignKey === relatedDerivedFK) {
-      onLeft = `${relatedTable}.${relation.localKey}`;
-      onRight = `${parentTable}.${relation.foreignKey}`;
+    if (relation.child) {
+      // belongsTo: parent has FK pointing to related
+      const ownerKey = assertIdentifier(relation.ownerKey || relatedClass.primaryKey || 'id', 'ownerKey');
+      onLeft = `${relatedTable}.${ownerKey}`;
+      onRight = `${parentTable}.${foreignKey}`;
     } else {
-      onLeft = `${relatedTable}.${relation.foreignKey}`;
-      onRight = `${parentTable}.${relation.localKey}`;
+      // hasOne/hasMany: related has FK pointing to parent
+      onLeft = `${relatedTable}.${foreignKey}`;
+      onRight = `${parentTable}.${localKey}`;
     }
 
     // LEFT JOIN and ensure null on related PK
     this.leftJoin(relatedTable, onLeft, '=', onRight);
-    const relatedPk = relatedClass.primaryKey || 'id';
+    const relatedPk = assertIdentifier(relatedClass.primaryKey || 'id', 'relatedPrimaryKey');
     this.whereNull(`${relatedTable}.${relatedPk}`);
     return this;
   }
@@ -346,6 +402,16 @@ class QueryBuilder {
     return this;
   }
 
+  /**
+   * Add a raw order by clause
+   * @param {string} sql
+   * @returns {this}
+   */
+  orderByRaw(sql) {
+    this.orders.push({ type: 'raw', sql });
+    return this;
+  }
+
   /**
    * Typo-friendly alias for orderBy
    * @param {string} column
@@ -451,23 +517,29 @@ class QueryBuilder {
       const fn = parent[name];
       if (typeof fn !== 'function') continue;
       const relation = fn.call(parent);
-      const parentTable = this.model.table;
+      const parentTable = assertIdentifier(this.model.table, 'parent table');
       const relatedClass = relation.related;
-      const relatedTable = relatedClass.table;
+      const relatedTable = assertIdentifier(relatedClass.table, 'related table');
 
       let sub = '';
       if (relation instanceof require('./Relations/BelongsToManyRelation')) {
         // belongsToMany: count from pivot
-        sub = `(SELECT COUNT(*) FROM ${relation.pivot} WHERE ${relation.pivot}.${relation.foreignPivotKey} = ${parentTable}.${relation.parentKey}) AS ${name}_count`;
+        const pivot = assertIdentifier(relation.pivot, 'pivot table');
+        const fpk = assertIdentifier(relation.foreignPivotKey, 'foreignPivotKey');
+        const pk = assertIdentifier(relation.parentKey, 'parentKey');
+        sub = `(SELECT COUNT(*) FROM \`${pivot}\` WHERE \`${pivot}\`.\`${fpk}\` = \`${parentTable}\`.\`${pk}\`) AS \`${name}_count\``;
       } else if (relation.child) {
         // belongsTo
-        const ownerKey = relation.ownerKey || relatedClass.primaryKey || 'id';
-        sub = `(SELECT COUNT(*) FROM ${relatedTable} WHERE ${relatedTable}.${ownerKey} = ${parentTable}.${relation.foreignKey}) AS ${name}_count`;
+        const ownerKey = assertIdentifier(relation.ownerKey || relatedClass.primaryKey || 'id', 'ownerKey');
+        const fk = assertIdentifier(relation.foreignKey, 'foreignKey');
+        sub = `(SELECT COUNT(*) FROM \`${relatedTable}\` WHERE \`${relatedTable}\`.\`${ownerKey}\` = \`${parentTable}\`.\`${fk}\`) AS \`${name}_count\``;
       } else {
         // hasOne/hasMany
-        sub = `(SELECT COUNT(*) FROM ${relatedTable} WHERE ${relatedTable}.${relation.foreignKey} = ${parentTable}.${relation.localKey}) AS ${name}_count`;
+        const fk = assertIdentifier(relation.foreignKey, 'foreignKey');
+        const lk = assertIdentifier(relation.localKey, 'localKey');
+        sub = `(SELECT COUNT(*) FROM \`${relatedTable}\` WHERE \`${relatedTable}\`.\`${fk}\` = \`${parentTable}\`.\`${lk}\`) AS \`${name}_count\``;
       }
-      this.selectedColumns.push(sub);
+      this.selectedColumns.push(new RawExpression(sub));
     }
     return this;
   }
@@ -609,10 +681,18 @@ class QueryBuilder {
    * @returns {Promise<any>}
    */
   async insert(data) {
-    if (Array.isArray(data)) {
-      return this.model.connection.insertMany(this.model.table, data);
+    // Apply fillable guard: only allow fields listed in model.fillable (if defined)
+    const fillable = this.model.fillable || [];
+    const applyFillable = (obj) => fillable.length > 0
+      ? Object.fromEntries(Object.entries(obj).filter(([k]) => fillable.includes(k)))
+      : { ...obj };
+
+    const safeData = Array.isArray(data) ? data.map(applyFillable) : applyFillable(data);
+
+    if (Array.isArray(safeData)) {
+      return this.model.connection.insertMany(this.model.table, safeData);
     }
-    return this.model.connection.insert(this.model.table, data);
+    return this.model.connection.insert(this.model.table, safeData);
   }
 
   /**
@@ -621,13 +701,19 @@ class QueryBuilder {
    * @returns {Promise<any>}
    */
   async update(attributes) {
+    // Apply fillable guard: only allow fields listed in model.fillable (if defined)
+    const fillable = this.model.fillable || [];
+    const safeAttributes = fillable.length > 0
+      ? Object.fromEntries(Object.entries(attributes).filter(([k]) => fillable.includes(k)))
+      : { ...attributes };
+
     if (this.model.timestamps) {
-      attributes.updated_at = new Date();
+      safeAttributes.updated_at = new Date();
     }
 
     return this.model.connection.update(
       this.model.table,
-      attributes,
+      safeAttributes,
       this.buildQuery()
     );
   }
@@ -729,6 +815,10 @@ class QueryBuilder {
     const head = segments[0];
     const tail = segments.slice(1).join('.');
 
+    // Prevent prototype pollution and calling built-in methods
+    const builtIns = ['constructor', 'load', 'save', 'delete', 'update', 'query', 'with', 'withCount', 'hasOne', 'hasMany', 'belongsTo', 'belongsToMany', 'morphTo', 'morphOne', 'morphMany', 'hasOneThrough', 'hasManyThrough'];
+    if (builtIns.includes(head) || head.startsWith('__')) return;
+
     // Load head relation eagerly
     const relationInstance = models[0][head];
     if (typeof relationInstance === 'function') {
@@ -787,6 +877,15 @@ class QueryBuilder {
     cloned.distinctFlag = this.distinctFlag;
     cloned.groupBys = [...this.groupBys];
     cloned.havings = [...this.havings];
+
+    cloned._showHidden = this._showHidden;
+    cloned._withTrashed = this._withTrashed;
+    cloned._onlyTrashed = this._onlyTrashed;
+    cloned._excludedScopes = [...this._excludedScopes];
+    cloned._excludeAllScopes = this._excludeAllScopes;
+    cloned._scopesApplied = this._scopesApplied;
+    cloned._softDeleteApplied = this._softDeleteApplied;
+
     return cloned;
   }
 }

package/src/RawExpression.js

@@ -0,0 +1,11 @@
+class RawExpression {
+  constructor(value) {
+    this.value = value;
+  }
+
+  toString() {
+    return this.value;
+  }
+}
+
+module.exports = RawExpression;