Do not sanitize params

ospfranco · ospfranco · commit a3dbfe318c6b · 2026-04-25T13:00:46.000-04:00
diff --git a/cpp/utils.cpp b/cpp/utils.cpp
@@ -100,24 +100,17 @@ inline JSVariant to_variant(jsi::Runtime &rt, const jsi::Value &value) {
     size_t byteOffset = 0;
     size_t byteLength = 0;
     uint8_t *sourceData = nullptr;
+    jsi::Function arrayBufferCtor =
+      rt.global().getPropertyAsFunction(rt, "ArrayBuffer");
+    jsi::Function isViewFn =
+      arrayBufferCtor.getPropertyAsFunction(rt, "isView");
+    bool isArrayBufferView = isViewFn.call(rt, obj).getBool();
 
     if (obj.isArrayBuffer(rt)) {
       auto buffer = obj.getArrayBuffer(rt);
       sourceData = buffer.data(rt);
       byteLength = buffer.size(rt);
-    } else {
-      jsi::Function arrayBufferCtor =
-          rt.global().getPropertyAsFunction(rt, "ArrayBuffer");
-      jsi::Function isViewFn =
-          arrayBufferCtor.getPropertyAsFunction(rt, "isView");
-      bool isArrayBufferView = isViewFn.call(rt, obj).getBool();
-
-      if (!isArrayBufferView) {
-        throw std::runtime_error(
-            "Object is not an ArrayBuffer or ArrayBuffer view, cannot bind "
-            "to SQLite");
-      }
-
+    } else if (isArrayBufferView) {
       jsi::Object bufferObject = obj.getPropertyAsObject(rt, "buffer");
       auto buffer = bufferObject.getArrayBuffer(rt);
 
@@ -132,6 +125,10 @@ inline JSVariant to_variant(jsi::Runtime &rt, const jsi::Value &value) {
       }
 
       sourceData = buffer.data(rt) + byteOffset;
+    } else {
+      throw std::runtime_error(
+          "Object is not an ArrayBuffer or ArrayBuffer view, cannot bind "
+          "to SQLite");
     }
 
     uint8_t *data = new uint8_t[byteLength];
diff --git a/example/src/tests/blob.ts b/example/src/tests/blob.ts
@@ -5,6 +5,7 @@ import {
 	describe,
 	expect,
 	it,
+	itOnly,
 } from "@op-engineering/op-test";
 
 let db: DB;
@@ -56,7 +57,7 @@ describe("Blobs", () => {
 
 		const result = await db.execute("SELECT content FROM BlobTable");
 
-		const finalUint8 = new Uint8Array(result.rows[0]!.content as any);
+		const finalUint8 = new Uint8Array(result.rows[0]?.content as any);
 		expect(finalUint8[0]).toBe(42);
 	});
 
@@ -74,7 +75,9 @@ describe("Blobs", () => {
 		expect(content).toBeTruthy();
 
 		const finalUint8 = new Uint8Array(content as ArrayBuffer);
-		expect(Array.from(finalUint8)).toEqual([98, 99]);
+		const res = Array.from(finalUint8);
+		expect(res[0]).toEqual(98);
+		expect(res[1]).toEqual(99);
 	});
 
 	it("Uint16Array", async () => {
diff --git a/example/src/tests/queries.ts b/example/src/tests/queries.ts
@@ -101,7 +101,7 @@ describe("Queries tests", () => {
 		} catch (e: any) {
 			expect(
 				e.message.includes(
-					"Exception in HostFunction: Object is not an ArrayBuffer, cannot bind to SQLite",
+					"Object is not an ArrayBuffer or ArrayBuffer view",
 				),
 			).toEqual(true);
 		}
diff --git a/src/functions.ts b/src/functions.ts
@@ -68,26 +68,6 @@ function enhanceDB(db: _InternalDB, options: DBParams): DB {
 		}
 	};
 
-	function sanitizeArrayBuffersInArray(
-		params?: any[] | any[][],
-	): any[] | undefined {
-		if (!params) {
-			return params;
-		}
-
-		return params.map((p) => {
-			if (Array.isArray(p)) {
-				return sanitizeArrayBuffersInArray(p);
-			}
-
-			if (ArrayBuffer.isView(p)) {
-				return p.buffer;
-			}
-
-			return p;
-		});
-	}
-
 	// spreading the object does not work with HostObjects (db)
 	// We need to manually assign the fields
 	const enhancedDb = {
@@ -112,14 +92,6 @@ function enhanceDB(db: _InternalDB, options: DBParams): DB {
 		executeBatch: async (
 			commands: SQLBatchTuple[],
 		): Promise<BatchQueryResult> => {
-			// Do normal for loop and replace in place for performance
-			for (let i = 0; i < commands.length; i++) {
-				// [1] is the params arg
-				if (commands[i]![1]) {
-					commands[i]![1] = sanitizeArrayBuffersInArray(commands[i]![1]) as any;
-				}
-			}
-
 			async function run() {
 				try {
 					enhancedDb.executeSync("BEGIN TRANSACTION;");
@@ -160,33 +132,24 @@ function enhanceDB(db: _InternalDB, options: DBParams): DB {
 			query: string,
 			params?: Scalar[],
 		): Promise<QueryResult> => {
-			const sanitizedParams = sanitizeArrayBuffersInArray(params);
-
-			return sanitizedParams
-				? await db.executeWithHostObjects(query, sanitizedParams as Scalar[])
+			return params
+				? await db.executeWithHostObjects(query, params)
 				: await db.executeWithHostObjects(query);
 		},
 		executeRaw: async (query: string, params?: Scalar[]) => {
-			const sanitizedParams = sanitizeArrayBuffersInArray(params);
-
-			return db.executeRaw(query, sanitizedParams as Scalar[]);
+			return db.executeRaw(query, params as Scalar[]);
 		},
 		executeRawSync: (query: string, params?: Scalar[]) => {
-			const sanitizedParams = sanitizeArrayBuffersInArray(params);
-			return db.executeRawSync(query, sanitizedParams as Scalar[]);
+			return db.executeRawSync(query, params as Scalar[]);
 		},
 		// Wrapper for executeRaw, drizzleORM uses this function
 		// at some point I changed the API but they did not pin their dependency to a specific version
 		// so re-inserting this so it starts working again
 		executeRawAsync: async (query: string, params?: Scalar[]) => {
-			const sanitizedParams = sanitizeArrayBuffersInArray(params);
-
-			return db.executeRaw(query, sanitizedParams as Scalar[]);
+			return db.executeRaw(query, params as Scalar[]);
 		},
 		executeSync: (query: string, params?: Scalar[]): QueryResult => {
-			let res = params
-				? db.executeSync(query, sanitizeArrayBuffersInArray(params) as Scalar[])
-				: db.executeSync(query);
+			let res = params ? db.executeSync(query, params) : db.executeSync(query);
 
 			if (!res.rows) {
 				const rows: Record<string, Scalar>[] = [];
@@ -222,12 +185,7 @@ function enhanceDB(db: _InternalDB, options: DBParams): DB {
 			query: string,
 			params?: Scalar[] | undefined,
 		): Promise<QueryResult> => {
-			let res = params
-				? await db.execute(
-						query,
-						sanitizeArrayBuffersInArray(params) as Scalar[],
-					)
-				: await db.execute(query);
+			let res = params ? await db.execute(query, params) : await db.execute(query);
 
 			if (!res.rows) {
 				const rows: Record<string, Scalar>[] = [];
@@ -258,14 +216,10 @@ function enhanceDB(db: _InternalDB, options: DBParams): DB {
 
 			return {
 				bindSync: (params: Scalar[]) => {
-					const sanitizedParams = sanitizeArrayBuffersInArray(params);
-
-					stmt.bindSync(sanitizedParams!);
+					stmt.bindSync(params);
 				},
 				bind: async (params: Scalar[]) => {
-					const sanitizedParams = sanitizeArrayBuffersInArray(params);
-
-					await stmt.bind(sanitizedParams!);
+					await stmt.bind(params);
 				},
 				execute: stmt.execute,
 			};

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ describe("Queries tests", () => {`
`101`	`101`	`} catch (e: any) {`
`102`	`102`	`expect(`
`103`	`103`	`e.message.includes(`
`104`		`- "Exception in HostFunction: Object is not an ArrayBuffer, cannot bind to SQLite",`
	`104`	`+ "Object is not an ArrayBuffer or ArrayBuffer view",`
`105`	`105`	`),`
`106`	`106`	`).toEqual(true);`
`107`	`107`	`}`