outlet-orm 5.0.0 → 5.5.2

package/package.json

@@ -1,76 +1,88 @@
-{
-  "name": "outlet-orm",
-  "version": "5.0.0",
-  "description": "A Laravel Eloquent-inspired ORM for Node.js with support for MySQL, PostgreSQL, and SQLite",
-  "main": "src/index.js",
-  "types": "types/index.d.ts",
-  "bin": {
-    "outlet-init": "./bin/init.js",
-    "outlet-convert": "./bin/convert.js",
-    "outlet-migrate": "./bin/migrate.js"
-  },
-  "files": [
-    "src/**",
-    "bin/**",
-    "types/**",
-    "README.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "test": "jest",
-    "test:watch": "jest --watch",
-    "test:coverage": "jest --coverage",
-    "lint": "eslint \"{src,bin}/**/*.js\"",
-    "lint:fix": "eslint \"{src,bin}/**/*.js\" --fix",
-    "migrate": "node bin/migrate.js migrate",
-    "migrate:make": "node bin/migrate.js make",
-    "migrate:rollback": "node bin/migrate.js rollback --steps 1",
-    "migrate:status": "node bin/migrate.js status",
-    "migrate:reset": "node bin/migrate.js reset --yes",
-    "migrate:refresh": "node bin/migrate.js refresh --yes",
-    "migrate:fresh": "node bin/migrate.js fresh --yes"
-  },
-  "keywords": [
-    "orm",
-    "eloquent",
-    "laravel",
-    "database",
-    "mysql",
-    "postgresql",
-    "sqlite",
-    "query-builder",
-    "active-record"
-  ],
-  "author": "omgbwa-yasse",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/omgbwa-yasse/outlet-orm.git"
-  },
-  "bugs": {
-    "url": "https://github.com/omgbwa-yasse/outlet-orm/issues"
-  },
-  "homepage": "https://github.com/omgbwa-yasse/outlet-orm#readme",
-  "dependencies": {
-    "dotenv": "^16.4.5"
-  },
-  "peerDependencies": {
-    "mysql2": "^3.15.2",
-    "pg": "^8.11.0",
-    "sqlite3": "^5.1.6"
-  },
-  "peerDependenciesMeta": {
-    "mysql2": { "optional": true },
-    "pg": { "optional": true },
-    "sqlite3": { "optional": true }
-  },
-  "devDependencies": {
-    "@types/node": "^20.10.0",
-    "eslint": "^8.50.0",
-    "jest": "^29.7.0",
-    "typescript": "^5.3.0"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  }
-}
+{
+  "name": "outlet-orm",
+  "version": "5.5.2",
+  "description": "A Laravel Eloquent-inspired ORM for Node.js with support for MySQL, PostgreSQL, and SQLite",
+  "main": "src/index.js",
+  "types": "types/index.d.ts",
+  "bin": {
+    "outlet-init": "bin/init.js",
+    "outlet-convert": "bin/convert.js",
+    "outlet-migrate": "bin/migrate.js",
+    "outlet-reverse": "bin/reverse.js"
+  },
+  "files": [
+    "src/**",
+    "bin/**",
+    "types/**",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "test": "jest",
+    "test:watch": "jest --watch",
+    "test:coverage": "jest --coverage",
+    "check:version": "node scripts/check-changelog-version.js",
+    "prepublishOnly": "npm run check:version",
+    "lint": "eslint \"{src,bin}/**/*.js\"",
+    "lint:fix": "eslint \"{src,bin}/**/*.js\" --fix",
+    "migrate": "node bin/migrate.js migrate",
+    "migrate:make": "node bin/migrate.js make",
+    "migrate:rollback": "node bin/migrate.js rollback --steps 1",
+    "migrate:status": "node bin/migrate.js status",
+    "migrate:reset": "node bin/migrate.js reset --yes",
+    "migrate:refresh": "node bin/migrate.js refresh --yes",
+    "migrate:fresh": "node bin/migrate.js fresh --yes",
+    "seed": "node bin/migrate.js seed",
+    "seed:make": "node bin/migrate.js make:seed"
+  },
+  "keywords": [
+    "orm",
+    "eloquent",
+    "laravel",
+    "database",
+    "mysql",
+    "postgresql",
+    "sqlite",
+    "query-builder",
+    "active-record"
+  ],
+  "author": "omgbwa-yasse",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/omgbwa-yasse/outlet-orm.git"
+  },
+  "bugs": {
+    "url": "https://github.com/omgbwa-yasse/outlet-orm/issues"
+  },
+  "homepage": "https://github.com/omgbwa-yasse/outlet-orm#readme",
+  "dependencies": {
+    "dotenv": "^16.4.5",
+    "pluralize": "^8.0.0"
+  },
+  "peerDependencies": {
+    "mysql2": "^3.15.2",
+    "pg": "^8.11.0",
+    "sqlite3": "^5.1.6"
+  },
+  "peerDependenciesMeta": {
+    "mysql2": {
+      "optional": true
+    },
+    "pg": {
+      "optional": true
+    },
+    "sqlite3": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "eslint": "^8.50.0",
+    "jest": "^29.7.0",
+    "typescript": "^5.3.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/DatabaseConnection.js

@@ -9,23 +9,27 @@ let sqlite3;
 // Query log storage
 let queryLog = [];
 let queryLoggingEnabled = false;
+// Maximum number of entries retained in the query log to prevent unbounded memory growth
+const MAX_QUERY_LOG_SIZE = 1000;
+
+const RawExpression = require('./RawExpression');
 
 /**
  * Sanitize SQL identifier (table/column name) to prevent SQL injection
- * @param {string} identifier
+ * @param {string|RawExpression} identifier
  * @returns {string}
  */
 function sanitizeIdentifier(identifier) {
+  if (identifier instanceof RawExpression) {
+    return identifier.value;
+  }
   if (!identifier || typeof identifier !== 'string') {
     throw new Error('Invalid SQL identifier');
   }
-  // Allow only alphanumeric, underscore, dot (for table.column)
+  // Strict allowlist: only alphanumeric, underscore, dot (for table.column)
+  // Any identifier not matching this pattern is rejected outright — no fallback.
   if (!/^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$/.test(identifier)) {
-    // Check for common SQL injection patterns
-    // Note: Escape hyphen in character class to avoid range interpretation
-    if (/['";]|--|\/*|\*\/|xp_|sp_|0x/i.test(identifier)) {
-      throw new Error(`Potentially dangerous SQL identifier: ${identifier}`);
-    }
+    throw new Error('Invalid SQL identifier');
   }
   return identifier;
 }
@@ -44,6 +48,10 @@ function logQuery(sql, params, duration) {
       duration,
       timestamp: new Date()
     });
+    // Enforce size cap to prevent unbounded memory growth
+    if (queryLog.length > MAX_QUERY_LOG_SIZE) {
+      queryLog.shift();
+    }
   }
 }
 
@@ -272,18 +280,24 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql':
       if (this._transactionConnection) {
-        await this._transactionConnection.commit();
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.commit();
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
     case 'postgres':
     case 'postgresql':
       if (this._transactionConnection) {
-        await this._transactionConnection.query('COMMIT');
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.query('COMMIT');
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
@@ -306,18 +320,24 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql':
       if (this._transactionConnection) {
-        await this._transactionConnection.rollback();
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.rollback();
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
     case 'postgres':
     case 'postgresql':
       if (this._transactionConnection) {
-        await this._transactionConnection.query('ROLLBACK');
-        this._transactionConnection.release();
-        this._transactionConnection = null;
+        try {
+          await this._transactionConnection.query('ROLLBACK');
+        } finally {
+          this._transactionConnection.release();
+          this._transactionConnection = null;
+        }
       }
       break;
 
@@ -515,10 +535,7 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql': {
       const conn = this._getConnection();
-      const [res] = await conn.execute(
-        this.convertToDriverPlaceholder(sql),
-        params
-      );
+      const [res] = await conn.execute(sql, params);
       result = { affectedRows: res.affectedRows };
       break;
     }
@@ -566,10 +583,7 @@ class DatabaseConnection {
     switch (this.driver) {
     case 'mysql': {
       const conn = this._getConnection();
-      const [res] = await conn.execute(
-        this.convertToDriverPlaceholder(sql),
-        params
-      );
+      const [res] = await conn.execute(sql, params);
       result = { affectedRows: res.affectedRows };
       break;
     }
@@ -737,7 +751,10 @@ class DatabaseConnection {
   }
 
   /**
-   * Execute a raw query and return normalized results
+   * Execute a raw query and return normalized results.
+   * ⚠️  SECURITY WARNING: The `sql` parameter is passed to the database driver without
+   * any sanitization. NEVER pass user-controlled data in `sql`. User-controlled values
+   * must be supplied exclusively via the `params` array (parameterized queries).
    * @param {string} sql
    * @param {Array} params
    * @returns {Promise<Array>}
@@ -776,7 +793,10 @@ class DatabaseConnection {
   }
 
   /**
-   * Execute raw SQL (driver-native results - for migrations)
+   * Execute raw SQL — driver-native results (intended for migrations).
+   * ⚠️  SECURITY WARNING: The `sql` parameter is passed to the database driver without
+   * any sanitization. NEVER pass user-controlled data in `sql`. User-controlled values
+   * must be supplied exclusively via the `params` array (parameterized queries).
    * @param {string} sql
    * @param {Array} params
    * @returns {Promise<any>}
@@ -864,7 +884,7 @@ class DatabaseConnection {
     // SELECT clause
     let selectClause = '*';
     if (query.columns && query.columns.length > 0 && query.columns[0] !== '*') {
-      selectClause = query.columns.join(', ');
+      selectClause = query.columns.map(col => sanitizeIdentifier(col)).join(', ');
     }
 
     // DISTINCT
@@ -876,7 +896,12 @@ class DatabaseConnection {
     if (query.joins && query.joins.length > 0) {
       for (const join of query.joins) {
         const joinType = (join.type || 'inner').toUpperCase();
-        sql += ` ${joinType} JOIN ${join.table} ON ${join.first} ${join.operator} ${join.second}`;
+        const ALLOWED_OPERATORS = ['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'NOT LIKE', 'IS', 'IS NOT'];
+        const op = join.operator.toUpperCase();
+        if (!ALLOWED_OPERATORS.includes(op)) {
+          throw new Error(`Invalid operator: ${join.operator}`);
+        }
+        sql += ` ${joinType} JOIN ${sanitizeIdentifier(join.table)} ON ${sanitizeIdentifier(join.first)} ${op} ${sanitizeIdentifier(join.second)}`;
       }
     }
 
@@ -887,19 +912,24 @@ class DatabaseConnection {
 
     // GROUP BY
     if (query.groupBys && query.groupBys.length > 0) {
-      sql += ` GROUP BY ${query.groupBys.join(', ')}`;
+      sql += ` GROUP BY ${query.groupBys.map(col => sanitizeIdentifier(col)).join(', ')}`;
     }
 
     // HAVING
     if (query.havings && query.havings.length > 0) {
       const havingClauses = [];
       for (const h of query.havings) {
+        const ALLOWED_OPERATORS = ['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'NOT LIKE', 'IS', 'IS NOT'];
+        const op = h.operator.toUpperCase();
+        if (!ALLOWED_OPERATORS.includes(op)) {
+          throw new Error(`Invalid operator: ${h.operator}`);
+        }
         if (h.type === 'basic') {
-          havingClauses.push(`${h.column} ${h.operator} ?`);
+          havingClauses.push(`${sanitizeIdentifier(h.column)} ${op} ?`);
           params.push(h.value);
         } else if (h.type === 'count') {
-          const col = h.column && h.column !== '*' ? h.column : '*';
-          havingClauses.push(`COUNT(${col}) ${h.operator} ?`);
+          const col = h.column && h.column !== '*' ? sanitizeIdentifier(h.column) : '*';
+          havingClauses.push(`COUNT(${col}) ${op} ?`);
           params.push(h.value);
         }
       }
@@ -911,19 +941,28 @@ class DatabaseConnection {
     // ORDER BY
     if (query.orders && query.orders.length > 0) {
       const orderClauses = query.orders.map(
-        order => `${order.column} ${order.direction.toUpperCase()}`
+        order => {
+          if (order.type === 'raw') {
+            return order.sql;
+          }
+          const dir = order.direction.toUpperCase();
+          if (dir !== 'ASC' && dir !== 'DESC') throw new Error(`Invalid direction: ${dir}`);
+          return `${sanitizeIdentifier(order.column)} ${dir}`;
+        }
       );
       sql += ` ORDER BY ${orderClauses.join(', ')}`;
     }
 
     // LIMIT
     if (query.limit !== null && query.limit !== undefined) {
-      sql += ` LIMIT ${query.limit}`;
+      sql += ' LIMIT ?';
+      params.push(query.limit);
     }
 
     // OFFSET
     if (query.offset !== null && query.offset !== undefined) {
-      sql += ` OFFSET ${query.offset}`;
+      sql += ' OFFSET ?';
+      params.push(query.offset);
     }
 
     return { sql, params };
@@ -940,45 +979,58 @@ class DatabaseConnection {
 
     const clauses = [];
     const params = [];
+    const ALLOWED_OPERATORS = ['=', '!=', '<>', '<', '>', '<=', '>=', 'LIKE', 'NOT LIKE', 'IS', 'IS NOT'];
 
     wheres.forEach((where, index) => {
       const boolean = index === 0 ? 'WHERE' : (where.boolean || 'AND').toUpperCase();
+      const col = where.type !== 'raw' ? sanitizeIdentifier(where.column) : null;
 
       switch (where.type) {
-      case 'basic':
-        clauses.push(`${boolean} ${where.column} ${where.operator} ?`);
+      case 'raw': {
+        clauses.push(`${boolean} ${where.sql}`);
+        if (where.bindings) {
+          params.push(...where.bindings);
+        }
+        break;
+      }
+
+      case 'basic': {
+        const op = where.operator.toUpperCase();
+        if (!ALLOWED_OPERATORS.includes(op)) throw new Error(`Invalid operator: ${where.operator}`);
+        clauses.push(`${boolean} ${col} ${op} ?`);
         params.push(where.value);
         break;
+      }
 
       case 'in': {
         const inPlaceholders = where.values.map(() => '?').join(', ');
-        clauses.push(`${boolean} ${where.column} IN (${inPlaceholders})`);
+        clauses.push(`${boolean} ${col} IN (${inPlaceholders})`);
         params.push(...where.values);
         break;
       }
 
       case 'notIn': {
         const notInPlaceholders = where.values.map(() => '?').join(', ');
-        clauses.push(`${boolean} ${where.column} NOT IN (${notInPlaceholders})`);
+        clauses.push(`${boolean} ${col} NOT IN (${notInPlaceholders})`);
         params.push(...where.values);
         break;
       }
 
       case 'null':
-        clauses.push(`${boolean} ${where.column} IS NULL`);
+        clauses.push(`${boolean} ${col} IS NULL`);
         break;
 
       case 'notNull':
-        clauses.push(`${boolean} ${where.column} IS NOT NULL`);
+        clauses.push(`${boolean} ${col} IS NOT NULL`);
         break;
 
       case 'between':
-        clauses.push(`${boolean} ${where.column} BETWEEN ? AND ?`);
+        clauses.push(`${boolean} ${col} BETWEEN ? AND ?`);
         params.push(...where.values);
         break;
 
       case 'like':
-        clauses.push(`${boolean} ${where.column} LIKE ?`);
+        clauses.push(`${boolean} ${col} LIKE ?`);
         params.push(where.value);
         break;
       }