rez_core 4.0.60 → 4.0.61

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rez_core",
-  "version": "4.0.60",
+  "version": "4.0.61",
   "description": "",
   "author": "",
   "private": false,

package/src/module/filter/service/filter.service.ts

@@ -28,7 +28,6 @@ export class FilterService {
   private readonly skipAppCodeFilterEntities = ['ORGP'];
   private readonly skipOrgFilterEntities = ['ORGP'];
 
-
   private async gettab_value_counts(
     tableName: string,
     column: string | undefined,
@@ -36,27 +35,33 @@ export class FilterService {
   ) {
     if (!column) return [];
   
+    // ✅ Validate tableName and column to prevent SQL injection
+    if (!/^[a-zA-Z0-9_]+$/.test(tableName) || !/^[a-zA-Z0-9_]+$/.test(column)) {
+      throw new Error('Invalid table or column name');
+    }
+  
     let whereSQL = '';
     const values: any[] = [];
   
     if (whereClauses.length > 0) {
       const clauseParts = whereClauses.map((clause) => {
-        let parsedQuery = clause.query.replace(/\be\./g, ''); // remove e. prefix
+        // ✅ Safely remove alias "e." only at word boundaries
+        let parsedQuery = clause.query.replace(/\be\./g, '');
   
         Object.entries(clause.params).forEach(([key, val]) => {
           if (Array.isArray(val)) {
-            // if the query uses '=' but the param is array → convert to IN
-            if (parsedQuery.includes(`= :${key}`)) {
-              parsedQuery = parsedQuery.replace(`= :${key}`, `IN (:${key})`);
+            // ✅ Handle both '=' and 'IN' dynamically
+            if (parsedQuery.match(new RegExp(`=\\s*:${key}\\b`))) {
+              parsedQuery = parsedQuery.replace(
+                new RegExp(`=\\s*:${key}\\b`, 'g'),
+                `IN (${val.map(() => '?').join(', ')})`,
+              );
+            } else {
+              parsedQuery = parsedQuery.replace(
+                new RegExp(`:\\b${key}\\b`, 'g'),
+                val.map(() => '?').join(', '),
+              );
             }
-  
-            // generate (?, ?, ?) placeholders
-            const placeholders = val.map(() => '?').join(', ');
-            parsedQuery = parsedQuery.replace(
-              new RegExp(`:\\b${key}\\b`, 'g'),
-              placeholders,
-            );
-  
             values.push(...val);
           } else {
             parsedQuery = parsedQuery.replace(
@@ -67,31 +72,38 @@ export class FilterService {
           }
         });
   
-        return parsedQuery;
+        // ✅ Enclose each clause in parentheses for proper AND grouping
+        return `(${parsedQuery})`;
       });
   
       whereSQL = `WHERE ${clauseParts.join(' AND ')}`;
     }
   
+    // ✅ Wrap identifiers in backticks for MySQL or double quotes for Postgres
     const rawSQL = `
-      SELECT ${column} AS tab_value, COUNT(*) AS tab_value_count
+      SELECT 
+        ${column} AS tab_value, 
+        COUNT(*) AS tab_value_count
       FROM ${tableName}
       ${whereSQL}
       GROUP BY ${column}
+      ORDER BY tab_value_count DESC
     `;
   
     const rows = await this.dataSource.query(rawSQL, values);
   
+    // ✅ Handle total count safely
     const total = rows.reduce(
-      (sum, r) => sum + parseInt(r.tab_value_count, 10),
+      (sum, r) => sum + Number(r.tab_value_count || 0),
       0,
     );
   
+    // ✅ Ensure consistent response
     return [
       { tab_value: 'All', tab_value_count: total },
       ...rows.map((r) => ({
         tab_value: r.tab_value ?? 'UNKNOWN',
-        tab_value_count: parseInt(r.tab_value_count, 10),
+        tab_value_count: Number(r.tab_value_count || 0),
       })),
     ];
   }