Rewrite escape/unescape for SQL #1245

Conversation

ukrbublik
Owner

Potential fix for https://github.com/ukrbublik/react-awesome-query-builder/security/code-scanning/10

To fix the issue, we need to ensure that backslashes are properly escaped in the default branch of the escapeLike function. This can be achieved by modifying the regular expression in the res.replace call on line 40 to include backslashes (\\) as part of the characters to escape. The replacement string should also escape backslashes correctly.

The updated regular expression will be /[%_\\]/g, and the replacement string will be "\\\\$&". This ensures that all occurrences of %, _, and \ are escaped consistently.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@ukrbublik
Owner Author

// escape \ -> \\\\
res = res.replace(/(\\\\)/g, "\\\\$&");
// escape % and _ with \
res = res.replace(/[%_]/g, "\\$&");

Check failure (Code scanning / CodeQL): Incomplete string escaping or encoding, severity High

This does not escape backslash characters in the input.
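As an added example (not code from this PR or from the project), the two escaping strategies discussed in the description and in the CodeQL finding are shown side by side, with an unescape counterpart and a toy LIKE evaluator that makes the difference visible. It assumes backslash is the LIKE escape character (the default in MySQL and PostgreSQL) and does not model SQL string-literal quoting such as the PostgreSQL E'' strings mentioned in the commits; escapeLikeIncomplete, likeMatch and demo are names chosen for this example, and the inputs are constructed.

```javascript
// Added example, not the project's code. Assumes backslash is the LIKE
// escape character (MySQL and PostgreSQL default). SQL string-literal
// quoting (e.g. PostgreSQL E'' strings) is not modelled: these functions
// only produce the LIKE pattern itself.

// Flagged approach: only % and _ are escaped. A backslash in the input
// passes through untouched and can turn a following escape into a wildcard.
function escapeLikeIncomplete(value) {
  return String(value).replace(/[%_]/g, "\\$&");
}

// Corrected approach from the PR description: %, _ and \ are escaped in one
// pass, each prefixed with a single backslash.
function escapeLike(value) {
  return String(value).replace(/[%_\\]/g, "\\$&");
}

// Inverse of escapeLike: drop the backslash in front of %, _ or \.
// Left-to-right scanning keeps an escaped backslash followed by a wildcard
// distinct from an escaped percent sign.
function unescapeLike(pattern) {
  return String(pattern).replace(/\\([%_\\])/g, "$1");
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Toy LIKE evaluator, constructed for this example, used only to show what a
// pattern means: backslash escapes the next character, % matches any run,
// _ matches exactly one character, and the whole subject must match.
function likeMatch(pattern, subject) {
  let re = "^";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\" && i + 1 < pattern.length) {
      re += escapeRegExp(pattern[++i]); // escaped character is literal
    } else if (ch === "%") {
      re += "[\\s\\S]*";
    } else if (ch === "_") {
      re += "[\\s\\S]";
    } else {
      re += escapeRegExp(ch);
    }
  }
  return new RegExp(re + "$").test(subject);
}

// Constructed input: the user wants to search for the literal text \%
function demo() {
  const userInput = "\\%";
  return {
    incomplete: escapeLikeIncomplete(userInput),
    complete: escapeLike(userInput),
    // Incomplete escaping yields "literal backslash, then wildcard %", so
    // unrelated values such as "\anything" match the pattern.
    incompleteLeaksWildcard: likeMatch(escapeLikeIncomplete(userInput), "\\anything"),
    // Complete escaping yields "literal backslash, literal percent".
    completeIsLiteral:
      likeMatch(escapeLike(userInput), "\\%") &&
      !likeMatch(escapeLike(userInput), "\\anything"),
    // escape/unescape are inverses for arbitrary input.
    roundTrip: unescapeLike(escapeLike("a\\b_c%d")) === "a\\b_c%d",
  };
}
```

Calling demo() shows the practical consequence of the finding: with only % and _ escaped, a backslash supplied by the user re-enables the wildcard that follows it, so a search that should match one literal value matches many rows; once backslash is escaped as well, the pattern stays literal and unescapeLike recovers the original input exactly.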

codecov bot commented Apr 29, 2025

Codecov Report

Attention: Patch coverage is 57.54717% with 90 lines in your changes missing coverage. Please review.

Project coverage is 8.05%. Comparing base (2fc26f3) to head (df97ffd).

Files with missing lines Patch % Lines
packages/core/modules/utils/export.js 68.15% 57 Missing ⚠️
packages/sql/modules/import/ast.ts 0.00% 13 Missing ⚠️
packages/core/modules/config/index.js 0.00% 11 Missing ⚠️
packages/sql/modules/import/convert.ts 0.00% 8 Missing ⚠️
packages/sql/modules/import/index.ts 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #1245       +/-   ##
==========================================
- Coverage   79.62%   8.05%   -71.58%     
==========================================
  Files         246     246               
  Lines       13145   13312      +167     
  Branches     1743    1749        +6     
==========================================
- Hits        10467    1072     -9395     
- Misses       1800   12230    +10430     
+ Partials      878      10      -868     


@ukrbublik ukrbublik changed the title Potential fix for code scanning alert no. 10: Incomplete string escaping or encoding Rewrite escape/unescape for SQL May 7, 2025
@ukrbublik ukrbublik force-pushed the alert-autofix-10 branch from 1ae4589 to f3082b7 Compare May 9, 2025 14:34

ukrbublik and others added 5 commits July 19, 2025 13:42
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This reverts commit 566572b.
.

pg done

like for pg

better LIKE E'' (pg)

.

.

.

.