Merge branch '#122-implement-server-side-prepared-statement' of https://github.com/sqlitecloud/sqlitecloud-js into #122-implement-server-side-prepared-statement

Author: Daniele Briggi

src/drivers/protocol.ts

@@ -338,7 +338,7 @@ export function popData(buffer: Buffer): { data: SQLiteCloudDataTypes | SQLiteCl
 export function formatCommand(command: SQLiteCloudCommand): string {
   if (command.parameters && command.parameters.length > 0) {
     // by SCSP the string paramenters in the array are zero-terminated
-    return serializeCommand([command.query, ...command.parameters || []], true)
+    return serializeCommand([command.query, ...(command.parameters || [])], true)
   }
   return serializeData(command.query, false)
 }

src/drivers/statement.ts

@@ -33,10 +33,10 @@ export class Statement<T> {
    * Binds parameters to the prepared statement and calls the callback when done
    * or when an error occurs. The function returns the Statement object to allow
    * for function chaining. The first and only argument to the callback is null
-   * when binding was successful. Binding parameters with this function completely 
-   * resets the statement object and row cursor and removes all previously bound 
+   * when binding was successful. Binding parameters with this function completely
+   * resets the statement object and row cursor and removes all previously bound
    * parameters, if any.
-   * 
+   *
    * In SQLiteCloud the statement is prepared on the database server and binding errors
    * are raised on execution time.
    */

src/drivers/utilities.ts

@@ -96,7 +96,7 @@ export function sanitizeSQLiteIdentifier(identifier: any): string {
   }
 
   // escape double quotes
-  const escaped = trimmed.replace(/"/g, '\"')
+  const escaped = trimmed.replace(/"/g, '""')
 
   // Wrap in double quotes for safety
   return `"${escaped}"`

test/database.test.ts

@@ -476,35 +476,53 @@ describe('Database.sql (async)', () => {
     }
   })
 
-  it('should sanitize SQL Injection as table name', async () => {
-    const database = await getTestingDatabaseAsync()
-    
-    const databaseName = sanitizeSQLiteIdentifier('people.sqlite; SELECT * FROM people; -- ')
-    await expect(database.sql(`USE DATABASE ${databaseName}`)).rejects.toThrow('Database name contains invalid characters (people.sqlite; SELECT * FROM people; --).')
-    
-    const table = sanitizeSQLiteIdentifier('people; -- ')
-    await expect(database.sql(`SELECT * FROM ${table} WHERE people = 1`)).rejects.toThrow('no such table: people; --')
+  describe('should sanitize identifiers', () => {
+    it('should sanitize database name and run the query', async () => {
+      const database = await getTestingDatabaseAsync()
+
+      const databaseName = sanitizeSQLiteIdentifier('people.sqlite')
+      await expect(database.sql(`USE DATABASE ${databaseName}`)).resolves.toBe('OK')
+    })
+
+    it('should sanitize table name and run the query', async () => {
+      const database = await getTestingDatabaseAsync()
+
+      const table = sanitizeSQLiteIdentifier('people')
+      await expect(database.sql(`USE DATABASE people.sqlite; SELECT id FROM ${table} LIMIT 1`)).resolves.toMatchObject([{ id: 1 }])
+    })
+
+    it('should sanitize SQL Injection as table name', async () => {
+      const database = await getTestingDatabaseAsync()
+
+      const databaseName = sanitizeSQLiteIdentifier('people.sqlite; SELECT * FROM people; -- ')
+      await expect(database.sql(`USE DATABASE ${databaseName}`)).rejects.toThrow(
+        'Database name contains invalid characters (people.sqlite; SELECT * FROM people; --).'
+      )
+
+      const table = sanitizeSQLiteIdentifier('people; -- ')
+      await expect(database.sql(`SELECT * FROM ${table} WHERE people = 1`)).rejects.toThrow('no such table: people; --')
+    })
   })
 
   it('should throw exception when using table name as binding', async () => {
-    const database = await getTestingDatabaseAsync()  
+    const database = await getTestingDatabaseAsync()
     const table = 'people'
     await expect(database.sql`USE DATABASE people.sqlite; SELECT * FROM ${table}`).rejects.toThrow('near "?": syntax error')
   })
 
   it('should built in commands accept bindings', async () => {
     const database = await getTestingDatabaseAsync()
-    
+
     let databaseName = 'people.sqlite'
     await expect(database.sql`USE DATABASE ${databaseName}`).resolves.toBe('OK')
-  
+
     databaseName = 'people.sqlite; SELECT * FROM people'
     await expect(database.sql`USE DATABASE ${databaseName}`).rejects.toThrow('Database name contains invalid characters (people.sqlite; SELECT * FROM people).')
-    
+
     let key = 'logo_level'
     let value = 'debug'
     await expect(database.sql`SET KEY ${key} TO ${value}`).resolves.toBe('OK')
-  
+
     key = 'logo_level'
     value = 'debug; DROP TABLE people'
     await expect(database.sql`SET KEY ${key} TO ${value}`).resolves.toBe('OK')

test/utilities.test.ts

@@ -163,6 +163,6 @@ describe('sanitizeSQLiteIdentifier()', () => {
   it('should double quotes for sql injection', () => {
     const identifier = ' chinook.sql; DROP TABLE "albums" '
     const sanitized = sanitizeSQLiteIdentifier(identifier)
-    expect(sanitized).toBe('"chinook.sql; DROP TABLE \"albums\""')
+    expect(sanitized).toBe('"chinook.sql; DROP TABLE \"\"albums\"\""')
   })
 })