chore: sql string sanitize (#155)

* add: string sql sanitize

* add: test

* add: test

* add: test

Author: vpbs2

meerkat-browser/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devrev/meerkat-browser",
-  "version": "0.0.99",
+  "version": "0.0.100",
   "dependencies": {
     "tslib": "^2.3.0",
     "@devrev/meerkat-core": "*",

meerkat-core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devrev/meerkat-core",
-  "version": "0.0.99",
+  "version": "0.0.100",
   "dependencies": {
     "tslib": "^2.3.0"
   },

meerkat-core/src/cube-filter-transformer/base-condition-builder/base-condition-builder.spec.ts

@@ -0,0 +1,120 @@
+import { Dimension, Measure } from '../../types/cube-types';
+import { CUBE_TYPE_TO_DUCKDB_TYPE } from '../../utils/cube-type-to-duckdb-type';
+import { valueBuilder } from './base-condition-builder';
+
+describe('valueBuilder', () => {
+  it('should build a value for a string type', () => {
+    const memberInfo: Measure | Dimension = {
+      name: 'test',
+      type: 'string',
+      sql: 'test',
+    };
+    const value = 'test_value';
+    const result = valueBuilder(value, memberInfo);
+    expect(result).toEqual({
+      type: {
+        id: CUBE_TYPE_TO_DUCKDB_TYPE.string,
+        type_info: null,
+      },
+      is_null: false,
+      value: value,
+    });
+  });
+
+  it('should build a value for a string type with single quotes', () => {
+    const memberInfo: Measure | Dimension = {
+      name: 'test',
+      type: 'string',
+      sql: 'test',
+    };
+
+    const value = "I'm a string with a single quote";
+    const result = valueBuilder(value, memberInfo);
+    expect(result).toEqual({
+      type: {
+        id: CUBE_TYPE_TO_DUCKDB_TYPE.string,
+        type_info: null,
+      },
+      is_null: false,
+      value: "I''m a string with a single quote",
+    });
+  });
+
+  it('should build a value for a number type', () => {
+    const memberInfo: Measure | Dimension = {
+      name: 'test',
+      type: 'number',
+      sql: 'test',
+    };
+    const value = '123';
+    const result = valueBuilder(value, memberInfo);
+
+    expect(result).toEqual({
+      type: {
+        id: CUBE_TYPE_TO_DUCKDB_TYPE.number,
+        type_info: {
+          alias: '',
+          type: 'DECIMAL_TYPE_INFO',
+          width: 3,
+          scale: 0,
+        },
+      },
+      is_null: false,
+      value: 123,
+    });
+  });
+
+  it('should build a value for a boolean type', () => {
+    const memberInfo: Measure | Dimension = {
+      name: 'test',
+      type: 'boolean',
+      sql: 'test',
+    };
+    const value = 'true';
+    const result = valueBuilder(value, memberInfo);
+    expect(result).toEqual({
+      type: {
+        id: CUBE_TYPE_TO_DUCKDB_TYPE.boolean,
+        type_info: null,
+      },
+      is_null: false,
+      value: true,
+    });
+  });
+
+  it('should build a value for a time type', () => {
+    const memberInfo: Measure | Dimension = {
+      name: 'test',
+      type: 'time',
+      sql: 'test',
+    };
+    const value = '2023-01-01';
+    const result = valueBuilder(value, memberInfo);
+    expect(result).toEqual({
+      type: {
+        id: CUBE_TYPE_TO_DUCKDB_TYPE.time,
+        type_info: null,
+      },
+      is_null: false,
+      value: value,
+    });
+  });
+
+  it('should default to string for unknown types', () => {
+    const memberInfo: Measure | Dimension = {
+      name: 'test',
+      type: 'unknown' as any,
+      sql: 'test',
+    };
+    const value = 'test_value';
+    const result = valueBuilder(value, memberInfo);
+    expect(result).toEqual({
+      type: {
+        id: CUBE_TYPE_TO_DUCKDB_TYPE.string,
+        type_info: null,
+      },
+      is_null: false,
+      value: value,
+    });
+  });
+});

meerkat-core/src/cube-filter-transformer/base-condition-builder/base-condition-builder.ts

@@ -1,6 +1,7 @@
 import { Dimension, Measure } from '../../types/cube-types/index';
 
 import { COLUMN_NAME_DELIMITER } from '../../member-formatters/constants';
+import { sanitizeStringValue } from '../../member-formatters/sanitize-value';
 import {
   ExpressionClass,
   ExpressionType,
@@ -115,7 +116,7 @@ export const valueBuilder = (
           type_info: null,
         },
         is_null: false,
-        value: value,
+        value: sanitizeStringValue(value),
       };
 
     case 'number': {
@@ -157,7 +158,7 @@ export const valueBuilder = (
           type_info: null,
         },
         is_null: false,
-        value: value,
+        value: sanitizeStringValue(value),
       };
   }
 };

meerkat-core/src/member-formatters/__tests__/sanitize-value.spec.ts

@@ -0,0 +1,11 @@
+import { sanitizeStringValue } from '../sanitize-value';
+
+describe('sanitizeStringValue', () => {
+  it('should escape single quotes', () => {
+    expect(sanitizeStringValue("I'm a string")).toBe("I''m a string");
+  });
+
+  it('should escape double quotes', () => {
+    expect(sanitizeStringValue('I"m a string')).toBe('I"m a string');
+  });
+});

meerkat-core/src/member-formatters/sanitize-value.ts

@@ -0,0 +1,6 @@
+/**
+ * Sanitizes a string value for use in a SQL query
+ */
+export const sanitizeStringValue = (value: string) => {
+  return value.replace(/'/g, "''");
+};

meerkat-node/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devrev/meerkat-node",
-  "version": "0.0.99",
+  "version": "0.0.100",
   "dependencies": {
     "@swc/helpers": "~0.5.0",
     "@devrev/meerkat-core": "*",

meerkat-node/src/__tests__/test-data.ts

@@ -22,7 +22,8 @@ INSERT INTO orders VALUES
 (9, '5', '2', '2022-05-05', 85, []),
 (10, '6', '3', '2022-06-01', 120, ['myntra', 'amazon']),
 (11, '6aa6', '3', '2024-06-01', 0, ['amazon']),
-(12, NULL, '3', '2024-07-01', 100, ['flipkart']);
+(12, NULL, '3', '2024-07-01', 100, ['flipkart']),
+(13, '7', '6', '2024-08-01', 100, ['swiggy''s']);
 `;
 
 export const TABLE_SCHEMA = {
@@ -119,6 +120,10 @@ export const TEST_DATA = [
           orders__customer_id: '3',
           orders__total_order_amount: 100,
         },
+        {
+          orders__customer_id: '7',
+          orders__total_order_amount: 100,
+        },
         {
           orders__customer_id: null,
           orders__total_order_amount: 100,
@@ -292,6 +297,15 @@ export const TEST_DATA = [
           order_amount: 0.0,
           vendors: ['amazon'],
         },
+        {
+          order_id: 13,
+          customer_id: '7',
+          orders__customer_id: '7',
+          product_id: '6',
+          order_date: '2024-08-01',
+          order_amount: 100.0,
+          vendors: ["swiggy's"],
+        },
       ],
     },
   ],
@@ -377,6 +391,16 @@ export const TEST_DATA = [
           order_amount: 120,
           vendors: ['myntra', 'amazon'],
         },
+        {
+          customer_id: '7',
+          order_amount: 100,
+          order_date: '2024-08-01T00:00:00.000Z',
+          order_id: 13,
+          orders__customer_id: '7',
+          orders__order_date: undefined,
+          product_id: '6',
+          vendors: ["swiggy's"],
+        },
       ],
     },
   ],
@@ -469,6 +493,16 @@ export const TEST_DATA = [
           product_id: '3',
           vendors: ['flipkart'],
         },
+        {
+          customer_id: '7',
+          order_amount: 100,
+          order_date: '2024-08-01T00:00:00.000Z',
+          order_id: 13,
+          orders__order_amount: 100,
+          orders__order_date: undefined,
+          product_id: '6',
+          vendors: ["swiggy's"],
+        },
       ],
     },
   ],
@@ -661,6 +695,15 @@ export const TEST_DATA = [
           product_id: '3',
           vendors: ['flipkart'],
         },
+        {
+          customer_id: '7',
+          order_amount: 100,
+          order_date: '2024-08-01T00:00:00.000Z',
+          order_id: 13,
+          orders__order_date: '2024-08-01T00:00:00.000Z',
+          product_id: '6',
+          vendors: ["swiggy's"],
+        },
       ],
     },
   ],
@@ -989,6 +1032,37 @@ export const TEST_DATA = [
         },
       ],
     },
+    {
+      testName: 'In with single quotes',
+      expectedSQL: `SELECT orders.* FROM (SELECT *, vendors AS orders__vendors FROM (select * from orders) AS orders) AS orders WHERE ((orders__vendors && (ARRAY['swiggy''s'])))`,
+      cubeInput: {
+        measures: ['*'],
+        filters: [
+          {
+            and: [
+              {
+                member: 'orders.vendors',
+                operator: 'in',
+                values: ["swiggy's"],
+              },
+            ],
+          },
+        ],
+        dimensions: [],
+      },
+      expectedOutput: [
+        {
+          customer_id: '7',
+          order_amount: 100,
+          order_date: '2024-08-01T00:00:00.000Z',
+          order_id: 13,
+          orders__order_date: undefined,
+          orders__vendors: ["swiggy's"],
+          product_id: '6',
+          vendors: ["swiggy's"],
+        },
+      ],
+    },
   ],
   [
     {
@@ -1048,6 +1122,17 @@ export const TEST_DATA = [
           product_id: '3',
           vendors: ['amazon'],
         },
+        {
+          customer_id: '7',
+          order_amount: 100,
+          order_date: '2024-08-01T00:00:00.000Z',
+          order_id: 13,
+          orders__customer_id: '7',
+          orders__order_date: undefined,
+          orders__vendors: ["swiggy's"],
+          product_id: '6',
+          vendors: ["swiggy's"],
+        },
       ],
     },
   ],