fix(orm): escape special characters in string search patterns (#479)

* fix(orm): escape special characters in string search patterns

* fix tests

Author: ymc9

packages/language/package.json

@@ -70,9 +70,5 @@
         "glob": "^11.1.0",
         "langium-cli": "catalog:",
         "tmp": "catalog:"
-    },
-    "volta": {
-        "node": "18.19.1",
-        "npm": "10.2.4"
     }
 }

packages/orm/src/client/crud/dialects/base-dialect.ts

@@ -541,7 +541,7 @@ export abstract class BaseCrudDialect<Schema extends SchemaDef> {
         } else if (isTypeDef(this.schema, fieldDef.type)) {
             return this.buildTypedJsonFilter(receiver, filter, fieldDef.type, !!fieldDef.array);
         } else {
-            return this.true();
+            throw createInvalidInputError(`Invalid JSON filter payload`);
         }
     }
 
@@ -597,7 +597,7 @@ export abstract class BaseCrudDialect<Schema extends SchemaDef> {
                     // already handled
                     break;
                 default:
-                    invariant(false, `Invalid JSON filter key: ${key}`);
+                    throw createInvalidInputError(`Invalid JSON filter key: ${key}`);
             }
         }
         return this.and(...clauses);
@@ -817,22 +817,15 @@ export abstract class BaseCrudDialect<Schema extends SchemaDef> {
                     continue;
                 }
 
+                invariant(typeof value === 'string', `${key} value must be a string`);
+
+                const escapedValue = this.escapeLikePattern(value);
                 const condition = match(key)
-                    .with('contains', () =>
-                        mode === 'insensitive'
-                            ? this.eb(fieldRef, 'ilike', sql.val(`%${value}%`))
-                            : this.eb(fieldRef, 'like', sql.val(`%${value}%`)),
-                    )
+                    .with('contains', () => this.buildStringLike(fieldRef, `%${escapedValue}%`, mode === 'insensitive'))
                     .with('startsWith', () =>
-                        mode === 'insensitive'
-                            ? this.eb(fieldRef, 'ilike', sql.val(`${value}%`))
-                            : this.eb(fieldRef, 'like', sql.val(`${value}%`)),
-                    )
-                    .with('endsWith', () =>
-                        mode === 'insensitive'
-                            ? this.eb(fieldRef, 'ilike', sql.val(`%${value}`))
-                            : this.eb(fieldRef, 'like', sql.val(`%${value}`)),
+                        this.buildStringLike(fieldRef, `${escapedValue}%`, mode === 'insensitive'),
                     )
+                    .with('endsWith', () => this.buildStringLike(fieldRef, `%${escapedValue}`, mode === 'insensitive'))
                     .otherwise(() => {
                         throw createInvalidInputError(`Invalid string filter key: ${key}`);
                     });
@@ -846,6 +839,33 @@ export abstract class BaseCrudDialect<Schema extends SchemaDef> {
         return this.and(...conditions);
     }
 
+    private buildJsonStringFilter(
+        receiver: Expression<any>,
+        operation: 'string_contains' | 'string_starts_with' | 'string_ends_with',
+        value: string,
+        mode: 'default' | 'insensitive',
+    ) {
+        // build LIKE pattern based on operation, note that receiver is quoted
+        const escapedValue = this.escapeLikePattern(value);
+        const pattern = match(operation)
+            .with('string_contains', () => `"%${escapedValue}%"`)
+            .with('string_starts_with', () => `"${escapedValue}%"`)
+            .with('string_ends_with', () => `"%${escapedValue}"`)
+            .exhaustive();
+
+        return this.buildStringLike(receiver, pattern, mode === 'insensitive');
+    }
+
+    private escapeLikePattern(pattern: string) {
+        return pattern.replace(/\\/g, '\\\\').replace(/%/g, '\\%').replace(/_/g, '\\_');
+    }
+
+    private buildStringLike(receiver: Expression<any>, pattern: string, insensitive: boolean) {
+        const { supportsILike } = this.getStringCasingBehavior();
+        const op = insensitive && supportsILike ? 'ilike' : 'like';
+        return sql<SqlBool>`${receiver} ${sql.raw(op)} ${sql.val(pattern)} escape '\\'`;
+    }
+
     private prepStringCasing(
         eb: ExpressionBuilder<any, any>,
         value: unknown,
@@ -1409,16 +1429,6 @@ export abstract class BaseCrudDialect<Schema extends SchemaDef> {
      */
     protected abstract buildJsonPathSelection(receiver: Expression<any>, path: string | undefined): Expression<any>;
 
-    /**
-     * Builds a JSON string filter expression.
-     */
-    protected abstract buildJsonStringFilter(
-        receiver: Expression<any>,
-        operation: 'string_contains' | 'string_starts_with' | 'string_ends_with',
-        value: string,
-        mode: 'default' | 'insensitive',
-    ): Expression<SqlBool>;
-
     /**
      * Builds a JSON array filter expression.
      */

packages/orm/src/client/crud/dialects/postgresql.ts

@@ -462,22 +462,6 @@ export class PostgresCrudDialect<Schema extends SchemaDef> extends BaseCrudDiale
         }
     }
 
-    protected override buildJsonStringFilter(
-        receiver: Expression<any>,
-        operation: 'string_contains' | 'string_starts_with' | 'string_ends_with',
-        value: string,
-        mode: 'default' | 'insensitive',
-    ) {
-        // build LIKE pattern based on operation
-        const pattern = match(operation)
-            .with('string_contains', () => `"%${value}%"`)
-            .with('string_starts_with', () => `"${value}%"`)
-            .with('string_ends_with', () => `"%${value}"`)
-            .exhaustive();
-
-        return this.eb(receiver, mode === 'insensitive' ? 'ilike' : 'like', sql.val(pattern));
-    }
-
     protected override buildJsonArrayFilter(
         lhs: Expression<any>,
         operation: 'array_contains' | 'array_starts_with' | 'array_ends_with',

packages/orm/src/client/crud/dialects/sqlite.ts

@@ -368,22 +368,6 @@ export class SqliteCrudDialect<Schema extends SchemaDef> extends BaseCrudDialect
         }
     }
 
-    protected override buildJsonStringFilter(
-        lhs: Expression<any>,
-        operation: 'string_contains' | 'string_starts_with' | 'string_ends_with',
-        value: string,
-        _mode: 'default' | 'insensitive',
-    ) {
-        // JSON strings are quoted, so we need to add quotes to the pattern
-        const pattern = match(operation)
-            .with('string_contains', () => `"%${value}%"`)
-            .with('string_starts_with', () => `"${value}%"`)
-            .with('string_ends_with', () => `"%${value}"`)
-            .exhaustive();
-
-        return this.eb(lhs, 'like', sql.val(pattern));
-    }
-
     protected override buildJsonArrayFilter(
         lhs: Expression<any>,
         operation: 'array_contains' | 'array_starts_with' | 'array_ends_with',

packages/orm/src/client/functions.ts

@@ -1,5 +1,5 @@
 import { invariant, lowerCaseFirst, upperCaseFirst } from '@zenstackhq/common-helpers';
-import { sql, ValueNode, type BinaryOperator, type Expression, type ExpressionBuilder } from 'kysely';
+import { sql, ValueNode, type BinaryOperator, type Expression, type ExpressionBuilder, type SqlBool } from 'kysely';
 import { match } from 'ts-pattern';
 import type { ZModelFunction, ZModelFunctionContext } from './options';
 
@@ -53,13 +53,16 @@ const textMatch = (
         op = 'like';
     }
 
+    // escape special characters in search string
+    const escapedSearch = sql`REPLACE(REPLACE(REPLACE(CAST(${searchExpr} as text), '\\', '\\\\'), '%', '\\%'), '_', '\\_')`;
+
     searchExpr = match(method)
-        .with('contains', () => eb.fn('CONCAT', [sql.lit('%'), sql`CAST(${searchExpr} as text)`, sql.lit('%')]))
-        .with('startsWith', () => eb.fn('CONCAT', [sql`CAST(${searchExpr} as text)`, sql.lit('%')]))
-        .with('endsWith', () => eb.fn('CONCAT', [sql.lit('%'), sql`CAST(${searchExpr} as text)`]))
+        .with('contains', () => eb.fn('CONCAT', [sql.lit('%'), escapedSearch, sql.lit('%')]))
+        .with('startsWith', () => eb.fn('CONCAT', [escapedSearch, sql.lit('%')]))
+        .with('endsWith', () => eb.fn('CONCAT', [sql.lit('%'), escapedSearch]))
         .exhaustive();
 
-    return eb(fieldExpr, op, searchExpr);
+    return sql<SqlBool>`${fieldExpr} ${sql.raw(op)} ${searchExpr} escape '\\'`;
 };
 
 export const has: ZModelFunction<any> = (eb, args) => {

tests/e2e/orm/client-api/filter.test.ts

@@ -7,7 +7,7 @@ describe('Client filter tests ', () => {
     let client: ClientContract<typeof schema>;
 
     beforeEach(async () => {
-        client = (await createTestClient(schema)) as any;
+        client = await createTestClient(schema);
     });
 
     afterEach(async () => {
@@ -44,6 +44,7 @@ describe('Client filter tests ', () => {
     it('supports string filters', async () => {
         const user1 = await createUser('u1@test.com');
         const user2 = await createUser('u2@test.com', { name: null });
+        await createUser('u3%@test.com', { name: null });
 
         // equals
         await expect(client.user.findFirst({ where: { id: user1.id } })).toResolveTruthy();
@@ -93,6 +94,21 @@ describe('Client filter tests ', () => {
                     where: { email: { contains: 'test' } },
                 }),
             ).toResolveTruthy();
+            await expect(
+                client.user.findFirst({
+                    where: { email: { contains: '%test' } },
+                }),
+            ).toResolveNull();
+            await expect(
+                client.user.findFirst({
+                    where: { email: { contains: 'u3%' } },
+                }),
+            ).toResolveTruthy();
+            await expect(
+                client.user.findFirst({
+                    where: { email: { contains: 'u3a' } },
+                }),
+            ).toResolveNull();
             await expect(
                 client.user.findFirst({
                     where: { email: { contains: 'Test' } },
@@ -104,11 +120,26 @@ describe('Client filter tests ', () => {
                     where: { email: { startsWith: 'u1' } },
                 }),
             ).toResolveTruthy();
+            await expect(
+                client.user.findFirst({
+                    where: { email: { startsWith: '%u1' } },
+                }),
+            ).toResolveNull();
             await expect(
                 client.user.findFirst({
                     where: { email: { startsWith: 'U1' } },
                 }),
             ).toResolveTruthy();
+            await expect(
+                client.user.findFirst({
+                    where: { email: { startsWith: 'u3a' } },
+                }),
+            ).toResolveNull();
+            await expect(
+                client.user.findFirst({
+                    where: { email: { startsWith: 'u3%' } },
+                }),
+            ).toResolveTruthy();
 
             await expect(
                 client.user.findFirst({
@@ -155,6 +186,28 @@ describe('Client filter tests ', () => {
                 }),
             ).toResolveTruthy();
 
+            await expect(
+                client.user.findFirst({
+                    where: {
+                        email: { contains: '%u1', mode: 'insensitive' } as any,
+                    },
+                }),
+            ).toResolveNull();
+            await expect(
+                client.user.findFirst({
+                    where: {
+                        email: { contains: 'u3%', mode: 'insensitive' } as any,
+                    },
+                }),
+            ).toResolveTruthy();
+            await expect(
+                client.user.findFirst({
+                    where: {
+                        email: { contains: 'u3a', mode: 'insensitive' } as any,
+                    },
+                }),
+            ).toResolveNull();
+
             await expect(
                 client.user.findFirst({
                     where: {
@@ -211,7 +264,7 @@ describe('Client filter tests ', () => {
         ).toResolveTruthy();
         await expect(
             client.user.findFirst({
-                where: { email: { notIn: ['u1@test.com', 'u2@test.com'] } },
+                where: { email: { notIn: ['u1@test.com', 'u2@test.com', 'u3%@test.com'] } },
             }),
         ).toResolveFalsy();
         await expect(
@@ -230,7 +283,7 @@ describe('Client filter tests ', () => {
             client.user.findMany({
                 where: { email: { lt: 'z@test.com' } },
             }),
-        ).toResolveWithLength(2);
+        ).toResolveWithLength(3);
         await expect(
             client.user.findMany({
                 where: { email: { lte: 'u1@test.com' } },
@@ -245,7 +298,7 @@ describe('Client filter tests ', () => {
             client.user.findMany({
                 where: { email: { gt: 'a@test.com' } },
             }),
-        ).toResolveWithLength(2);
+        ).toResolveWithLength(3);
         await expect(
             client.user.findMany({
                 where: { email: { gt: 'z@test.com' } },
@@ -255,12 +308,12 @@ describe('Client filter tests ', () => {
             client.user.findMany({
                 where: { email: { gte: 'u1@test.com' } },
             }),
-        ).toResolveWithLength(2);
+        ).toResolveWithLength(3);
         await expect(
             client.user.findMany({
                 where: { email: { gte: 'u2@test.com' } },
             }),
-        ).toResolveWithLength(1);
+        ).toResolveWithLength(2);
 
         // contains
         await expect(
@@ -270,7 +323,7 @@ describe('Client filter tests ', () => {
         ).toResolveTruthy();
         await expect(
             client.user.findFirst({
-                where: { email: { contains: '3@' } },
+                where: { email: { contains: '4@' } },
             }),
         ).toResolveFalsy();