fix(sql): pin culture-sensitive ToString to InvariantCulture in parameter encoding

vkuttyp · claude · vkuttyp · commit b35d76ed2fe8 · 2026-04-27T11:33:06.000+03:00
Two latent bugs that surfaced today on a Mac with ar-SA culture (UmAlQura
/ Hijri calendar) running CosmoMailAdmin against a prod Postgres:

  1. PgMessage.cs line 411: SqlValueKind.Date encoded via
     `DateValue.ToString("yyyy-MM-dd HH:mm:ss.ffffff")` without an explicit
     culture. The format string only specifies *fields*; the *calendar*
     comes from CurrentThread.CurrentCulture. Under ar-SA, year 2026
     formats as Hijri 1447, so a row inserted today gets stored with
     `created_at = 1447-11-10`, ~579 years in the past. Real example:
     the chalyar.com mail user created via the wizard on 2026-04-27 has
     `created_at = 1447-11-10 00:32:09 UTC`.

  2. SqlValue.cs AsString() / ToString() called .ToString() on numeric
     values (Int8..Int64, Float, Double, Decimal) without a culture.
     Under de-DE/fr-FR/etc., decimal separators flip to ',' which Postgres
     rejects as malformed numeric. Hadn't bitten in production because the
     deployed servers are Linux with en-US default, but any local-Mac
     admin or German-locale CI run would hit it.

Fix: pass `CultureInfo.InvariantCulture` everywhere a numeric or custom
date format is rendered for SQL parameter encoding. The DateTime "O" /
"o" specifier is documented as culture-independent + Gregorian-fixed,
so existing AsString uses of "O" stay as-is.

Tests pin the behavior under deliberately wrong cultures:
  - AsString_Date_UsesGregorianRegardlessOfCulture (ar-SA)
  - AsString_Decimal_UsesPeriodSeparatorRegardlessOfCulture (de-DE)
  - AsString_Double_UsesPeriodSeparatorRegardlessOfCulture (de-DE)
  - AsString_Int64_StableAcrossCultures (ar-SA)

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/CosmoSQLClient.Core/SqlValue.cs b/src/CosmoSQLClient.Core/SqlValue.cs
@@ -1,3 +1,5 @@
+using System.Globalization;
+
 namespace CosmoSQLClient.Core;
 
 /// <summary>Discriminator for the <see cref="SqlValue"/> tagged union.</summary>
@@ -132,13 +134,18 @@ public enum SqlValueKind
         SqlValueKind.Text           => TextValue,
         SqlValueKind.EmptyString    => string.Empty,
         SqlValueKind.Bool           => _bits != 0 ? "true" : "false",
-        SqlValueKind.Int8           => Int8Value.ToString(),
-        SqlValueKind.Int16          => Int16Value.ToString(),
-        SqlValueKind.Int32          => Int32Value.ToString(),
-        SqlValueKind.Int64          => Int64Value.ToString(),
-        SqlValueKind.Float          => FloatValue.ToString(),
-        SqlValueKind.Double         => DoubleValue.ToString(),
-        SqlValueKind.Decimal        => DecimalValue.ToString(),
+        // InvariantCulture on every numeric ToString — without it, decimal
+        // separators flip to ',' on de-DE/fr-FR/etc. and Postgres rejects
+        // "1234,5" as malformed numeric. DateTime "O" / "o" is hardcoded
+        // invariant + Gregorian per .NET docs, so it doesn't need an
+        // explicit culture argument, but every other ToString does.
+        SqlValueKind.Int8           => Int8Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Int16          => Int16Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Int32          => Int32Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Int64          => Int64Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Float          => FloatValue.ToString("R", CultureInfo.InvariantCulture),
+        SqlValueKind.Double         => DoubleValue.ToString("R", CultureInfo.InvariantCulture),
+        SqlValueKind.Decimal        => DecimalValue.ToString(CultureInfo.InvariantCulture),
         SqlValueKind.Uuid           => GuidValue.ToString(),
         SqlValueKind.Date           => DateValue.ToString("O"),
         SqlValueKind.DateTimeOffset => DateTimeOffsetValue.ToString("O"),
@@ -236,13 +243,13 @@ SqlValueKind.Int16 or SqlValueKind.Int32 or
         SqlValueKind.Null           => "NULL",
         SqlValueKind.EmptyString    => string.Empty,
         SqlValueKind.Bool           => _bits != 0 ? "True" : "False",
-        SqlValueKind.Int8           => Int8Value.ToString(),
-        SqlValueKind.Int16          => Int16Value.ToString(),
-        SqlValueKind.Int32          => Int32Value.ToString(),
-        SqlValueKind.Int64          => Int64Value.ToString(),
-        SqlValueKind.Float          => FloatValue.ToString(),
-        SqlValueKind.Double         => DoubleValue.ToString(),
-        SqlValueKind.Decimal        => DecimalValue.ToString(),
+        SqlValueKind.Int8           => Int8Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Int16          => Int16Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Int32          => Int32Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Int64          => Int64Value.ToString(CultureInfo.InvariantCulture),
+        SqlValueKind.Float          => FloatValue.ToString("R", CultureInfo.InvariantCulture),
+        SqlValueKind.Double         => DoubleValue.ToString("R", CultureInfo.InvariantCulture),
+        SqlValueKind.Decimal        => DecimalValue.ToString(CultureInfo.InvariantCulture),
         SqlValueKind.Text           => TextValue,
         SqlValueKind.Bytes          => System.Convert.ToBase64String(BytesValue),
         SqlValueKind.Uuid           => GuidValue.ToString(),
diff --git a/src/CosmoSQLClient.Postgres/Proto/PgMessage.cs b/src/CosmoSQLClient.Postgres/Proto/PgMessage.cs
@@ -1,4 +1,5 @@
 using System.Buffers.Binary;
+using System.Globalization;
 using System.Net;
 using System.Security.Cryptography;
 using System.Text;
@@ -408,7 +409,13 @@ private static byte[] EncodeValue(SqlValue v, bool binary)
         SqlValueKind.Null        => Array.Empty<byte>(),
         SqlValueKind.Bool        => Encoding.UTF8.GetBytes(v.BoolValue ? "t" : "f"),
         SqlValueKind.Bytes       => Encoding.UTF8.GetBytes("\\x" + BitConverter.ToString(v.BytesValue).Replace("-", "").ToLowerInvariant()),
-        SqlValueKind.Date        => Encoding.UTF8.GetBytes(v.DateValue.ToString("yyyy-MM-dd HH:mm:ss.ffffff")),
+        // InvariantCulture is critical: a custom format like "yyyy-MM-dd"
+        // emits the YEAR component using the current thread's calendar.
+        // On ar-SA Macs the calendar is UmAlQura (Hijri), so 2026-04-27
+        // serializes as "1447-11-10" — Postgres parses it as Gregorian and
+        // stores a date 579 years in the past. See the chalyar.com user
+        // incident on 2026-04-27 for an example.
+        SqlValueKind.Date        => Encoding.UTF8.GetBytes(v.DateValue.ToString("yyyy-MM-dd HH:mm:ss.ffffff", CultureInfo.InvariantCulture)),
         SqlValueKind.Uuid        => Encoding.UTF8.GetBytes(v.GuidValue.ToString("D")),
         _                        => Encoding.UTF8.GetBytes(v.AsString() ?? string.Empty),
     };
diff --git a/tests/CosmoSQLClient.Core.Tests/SqlValueTests.cs b/tests/CosmoSQLClient.Core.Tests/SqlValueTests.cs
@@ -96,4 +96,65 @@ public void NullInstance_IsNull_IsTrue()
     {
         Assert.True(SqlValue.Null_.IsNull);
     }
+
+    // ── Culture-leak regressions ──────────────────────────────────────────────
+    // Without InvariantCulture, ToString() in a non-Gregorian / non-period-decimal
+    // culture corrupts SQL parameter encoding. ar-SA flips the calendar (year
+    // 2026 becomes 1447 Hijri); de-DE flips the decimal separator (1234.5
+    // becomes 1234,5 which Postgres rejects as malformed numeric).
+
+    [Fact]
+    public void AsString_Date_UsesGregorianRegardlessOfCulture()
+    {
+        var prev = System.Threading.Thread.CurrentThread.CurrentCulture;
+        try
+        {
+            System.Threading.Thread.CurrentThread.CurrentCulture = new System.Globalization.CultureInfo("ar-SA");
+            var dt = new DateTime(2026, 4, 27, 10, 0, 0, DateTimeKind.Utc);
+            var v = SqlValue.From(dt);
+            var s = v.AsString();
+            Assert.NotNull(s);
+            Assert.StartsWith("2026-04-27", s); // not "1447-..."
+        }
+        finally { System.Threading.Thread.CurrentThread.CurrentCulture = prev; }
+    }
+
+    [Fact]
+    public void AsString_Decimal_UsesPeriodSeparatorRegardlessOfCulture()
+    {
+        var prev = System.Threading.Thread.CurrentThread.CurrentCulture;
+        try
+        {
+            System.Threading.Thread.CurrentThread.CurrentCulture = new System.Globalization.CultureInfo("de-DE");
+            var v = SqlValue.From(1234.5m);
+            Assert.Equal("1234.5", v.AsString());
+        }
+        finally { System.Threading.Thread.CurrentThread.CurrentCulture = prev; }
+    }
+
+    [Fact]
+    public void AsString_Double_UsesPeriodSeparatorRegardlessOfCulture()
+    {
+        var prev = System.Threading.Thread.CurrentThread.CurrentCulture;
+        try
+        {
+            System.Threading.Thread.CurrentThread.CurrentCulture = new System.Globalization.CultureInfo("de-DE");
+            var v = SqlValue.From(1234.5);
+            Assert.Contains(".", v.AsString()!);
+            Assert.DoesNotContain(",", v.AsString()!);
+        }
+        finally { System.Threading.Thread.CurrentThread.CurrentCulture = prev; }
+    }
+
+    [Fact]
+    public void AsString_Int64_StableAcrossCultures()
+    {
+        var prev = System.Threading.Thread.CurrentThread.CurrentCulture;
+        try
+        {
+            System.Threading.Thread.CurrentThread.CurrentCulture = new System.Globalization.CultureInfo("ar-SA");
+            Assert.Equal("1234567", SqlValue.From(1234567L).AsString());
+        }
+        finally { System.Threading.Thread.CurrentThread.CurrentCulture = prev; }
+    }
 }
