Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(MySQL Node): Only escape table names when needed #8246

Merged
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions packages/nodes-base/nodes/MySql/test/v2/utils.test.ts
Original file line number Diff line number Diff line change
@@ -7,6 +7,7 @@ import {
addWhereClauses,
addSortRules,
replaceEmptyStringsByNulls,
escapeSqlIdentifier,
} from '../../v2/helpers/utils';

const mySqlMockNode: INode = {
@@ -148,3 +149,29 @@ describe('Test MySql V2, replaceEmptyStringsByNulls', () => {
expect(replacedData).toEqual([{ json: { id: 1, name: '' } }]);
});
});

describe('Test MySql V2, escapeSqlIdentifier', () => {
it('should escape fully qualified identifier', () => {
const input = 'db_name.tbl_name.col_name';
const escapedIdentifier = escapeSqlIdentifier(input);
expect(escapedIdentifier).toEqual('`db_name`.`tbl_name`.`col_name`');
});

it('should escape table name only', () => {
const input = 'tbl_name';
const escapedIdentifier = escapeSqlIdentifier(input);
expect(escapedIdentifier).toEqual('`tbl_name`');
});

it('should escape fully qualified identifier with backticks', () => {
const input = '`db_name`.`tbl_name`.`col_name`';
const escapedIdentifier = escapeSqlIdentifier(input);
expect(escapedIdentifier).toEqual('`db_name`.`tbl_name`.`col_name`');
});

it('should escape identifier with dots', () => {
const input = '`db_name`.`some.dotted.tbl_name`';
const escapedIdentifier = escapeSqlIdentifier(input);
expect(escapedIdentifier).toEqual('`db_name`.`some.dotted.tbl_name`');
});
});
Original file line number Diff line number Diff line change
@@ -13,7 +13,7 @@ import type {
WhereClause,
} from '../../helpers/interfaces';

import { addWhereClauses } from '../../helpers/utils';
import { addWhereClauses, escapeSqlIdentifier } from '../../helpers/utils';

import {
optionsCollection,
@@ -98,11 +98,11 @@ export async function execute(
let values: QueryValues = [];

if (deleteCommand === 'drop') {
query = `DROP TABLE IF EXISTS \`${table}\``;
query = `DROP TABLE IF EXISTS ${escapeSqlIdentifier(table)}`;
}

if (deleteCommand === 'truncate') {
query = `TRUNCATE TABLE \`${table}\``;
query = `TRUNCATE TABLE ${escapeSqlIdentifier(table)}`;
}

if (deleteCommand === 'delete') {
@@ -114,7 +114,7 @@ export async function execute(
[query, values] = addWhereClauses(
this.getNode(),
i,
`DELETE FROM \`${table}\``,
`DELETE FROM ${escapeSqlIdentifier(table)}`,
whereClauses,
values,
combineConditions,
Original file line number Diff line number Diff line change
@@ -14,7 +14,7 @@ import type {

import { AUTO_MAP, BATCH_MODE, DATA_MODE } from '../../helpers/interfaces';

import { replaceEmptyStringsByNulls } from '../../helpers/utils';
import { escapeSqlIdentifier, replaceEmptyStringsByNulls } from '../../helpers/utils';

import { optionsCollection } from '../common.descriptions';
import { updateDisplayOptions } from '@utils/utilities';
@@ -171,11 +171,13 @@ export async function execute(
];
}

const escapedColumns = columns.map((column) => `\`${column}\``).join(', ');
const escapedColumns = columns.map(escapeSqlIdentifier).join(', ');
const placeholder = `(${columns.map(() => '?').join(',')})`;
const replacements = items.map(() => placeholder).join(',');

const query = `INSERT ${priority} ${ignore} INTO \`${table}\` (${escapedColumns}) VALUES ${replacements}`;
const query = `INSERT ${priority} ${ignore} INTO ${escapeSqlIdentifier(
table,
)} (${escapedColumns}) VALUES ${replacements}`;

const values = insertItems.reduce(
(acc: IDataObject[], item) => acc.concat(Object.values(item) as IDataObject[]),
@@ -214,10 +216,12 @@ export async function execute(
columns = Object.keys(insertItem);
}

const escapedColumns = columns.map((column) => `\`${column}\``).join(', ');
const escapedColumns = columns.map(escapeSqlIdentifier).join(', ');
const placeholder = `(${columns.map(() => '?').join(',')})`;

const query = `INSERT ${priority} ${ignore} INTO \`${table}\` (${escapedColumns}) VALUES ${placeholder};`;
const query = `INSERT ${priority} ${ignore} INTO ${escapeSqlIdentifier(
table,
)} (${escapedColumns}) VALUES ${placeholder};`;

const values = Object.values(insertItem) as QueryValues;

Original file line number Diff line number Diff line change
@@ -13,7 +13,7 @@ import type {
WhereClause,
} from '../../helpers/interfaces';

import { addSortRules, addWhereClauses } from '../../helpers/utils';
import { addSortRules, addWhereClauses, escapeSqlIdentifier } from '../../helpers/utils';

import {
optionsCollection,
@@ -91,10 +91,10 @@ export async function execute(
const SELECT = selectDistinct ? 'SELECT DISTINCT' : 'SELECT';

if (outputColumns.includes('*')) {
query = `${SELECT} * FROM \`${table}\``;
query = `${SELECT} * FROM ${escapeSqlIdentifier(table)}`;
} else {
const escapedColumns = outputColumns.map((column) => `\`${column}\``).join(', ');
query = `${SELECT} ${escapedColumns} FROM \`${table}\``;
const escapedColumns = outputColumns.map(escapeSqlIdentifier).join(', ');
query = `${SELECT} ${escapedColumns} FROM ${escapeSqlIdentifier(table)}`;
}

let values: QueryValues = [];
Original file line number Diff line number Diff line change
@@ -8,7 +8,7 @@ import type {
import type { QueryRunner, QueryValues, QueryWithValues } from '../../helpers/interfaces';
import { AUTO_MAP, DATA_MODE } from '../../helpers/interfaces';

import { replaceEmptyStringsByNulls } from '../../helpers/utils';
import { escapeSqlIdentifier, replaceEmptyStringsByNulls } from '../../helpers/utils';

import { optionsCollection } from '../common.descriptions';
import { updateDisplayOptions } from '@utils/utilities';
@@ -182,14 +182,16 @@ export async function execute(
const updates: string[] = [];

for (const column of updateColumns) {
updates.push(`\`${column}\` = ?`);
updates.push(`${escapeSqlIdentifier(column)} = ?`);
values.push(item[column] as string);
}

const condition = `\`${columnToMatchOn}\` = ?`;
const condition = `${escapeSqlIdentifier(columnToMatchOn)} = ?`;
values.push(valueToMatchOn);

const query = `UPDATE \`${table}\` SET ${updates.join(', ')} WHERE ${condition}`;
const query = `UPDATE ${escapeSqlIdentifier(table)} SET ${updates.join(
', ',
)} WHERE ${condition}`;

queries.push({ query, values });
}
Original file line number Diff line number Diff line change
@@ -8,7 +8,7 @@ import type {
import type { QueryRunner, QueryValues, QueryWithValues } from '../../helpers/interfaces';
import { AUTO_MAP, DATA_MODE } from '../../helpers/interfaces';

import { replaceEmptyStringsByNulls } from '../../helpers/utils';
import { escapeSqlIdentifier, replaceEmptyStringsByNulls } from '../../helpers/utils';

import { optionsCollection } from '../common.descriptions';
import { updateDisplayOptions } from '@utils/utilities';
@@ -177,10 +177,12 @@ export async function execute(
const onConflict = 'ON DUPLICATE KEY UPDATE';

const columns = Object.keys(item);
const escapedColumns = columns.map((column) => `\`${column}\``).join(', ');
const escapedColumns = columns.map(escapeSqlIdentifier).join(', ');
const placeholder = `${columns.map(() => '?').join(',')}`;

const insertQuery = `INSERT INTO \`${table}\`(${escapedColumns}) VALUES(${placeholder})`;
const insertQuery = `INSERT INTO ${escapeSqlIdentifier(
table,
)}(${escapedColumns}) VALUES(${placeholder})`;

const values = Object.values(item) as QueryValues;

@@ -189,7 +191,7 @@ export async function execute(
const updates: string[] = [];

for (const column of updateColumns) {
updates.push(`\`${column}\` = ?`);
updates.push(`${escapeSqlIdentifier(column)} = ?`);
values.push(item[column] as string);
}

24 changes: 21 additions & 3 deletions packages/nodes-base/nodes/MySql/v2/helpers/utils.ts
Original file line number Diff line number Diff line change
@@ -21,6 +21,22 @@ import type {

import { BATCH_MODE } from './interfaces';

export function escapeSqlIdentifier(identifier: string): string {
const parts = identifier.match(/(`[^`]*`|[^.`]+)/g) ?? [];

return parts
.map((part) => {
const trimmedPart = part.trim();

if (trimmedPart.startsWith('`') && trimmedPart.endsWith('`')) {
return trimmedPart;
}

return `\`${trimmedPart}\``;
})
.join('.');
}

export const prepareQueryAndReplacements = (rawQuery: string, replacements?: QueryValues) => {
if (replacements === undefined) {
return { query: rawQuery, values: [] };
@@ -35,7 +51,7 @@ export const prepareQueryAndReplacements = (rawQuery: string, replacements?: Que
for (const match of matches) {
if (match.includes(':name')) {
const matchIndex = Number(match.replace('$', '').replace(':name', '')) - 1;
query = query.replace(match, `\`${replacements[matchIndex]}\``);
query = query.replace(match, escapeSqlIdentifier(replacements[matchIndex].toString()));
} else {
const matchIndex = Number(match.replace('$', '')) - 1;
query = query.replace(match, '?');
@@ -379,7 +395,9 @@ export function addWhereClauses(

const operator = index === clauses.length - 1 ? '' : ` ${combineWith}`;

whereQuery += ` \`${clause.column}\` ${clause.condition}${valueReplacement}${operator}`;
whereQuery += ` ${escapeSqlIdentifier(clause.column)} ${
clause.condition
}${valueReplacement}${operator}`;
});

return [`${query}${whereQuery}`, replacements.concat(...values)];
@@ -398,7 +416,7 @@ export function addSortRules(
rules.forEach((rule, index) => {
const endWith = index === rules.length - 1 ? '' : ',';

orderByQuery += ` \`${rule.column}\` ${rule.direction}${endWith}`;
orderByQuery += ` ${escapeSqlIdentifier(rule.column)} ${rule.direction}${endWith}`;
});

return [`${query}${orderByQuery}`, replacements.concat(...values)];
5 changes: 4 additions & 1 deletion packages/nodes-base/nodes/MySql/v2/methods/loadOptions.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import type { IDataObject, ILoadOptionsFunctions, INodePropertyOptions } from 'n8n-workflow';
import { Client } from 'ssh2';
import { createPool } from '../transport';
import { escapeSqlIdentifier } from '../helpers/utils';

export async function getColumns(this: ILoadOptionsFunctions): Promise<INodePropertyOptions[]> {
const credentials = await this.getCredentials('mySql');
@@ -22,7 +23,9 @@ export async function getColumns(this: ILoadOptionsFunctions): Promise<INodeProp

const columns = (
await connection.query(
`SHOW COLUMNS FROM \`${table}\` FROM \`${credentials.database as string}\``,
`SHOW COLUMNS FROM ${escapeSqlIdentifier(table)} FROM ${escapeSqlIdentifier(
credentials.database as string,
)}`,
)
)[0] as IDataObject[];

Loading