Merge pull request sequelize#5381 from Extensis/sqlstring-escape-recu…

…rsion-fix Fix bug in SqlString.escape which caused the function to be recursive…
okyoky · Mar 2, 2016 · ef7793b · ef7793b
2 parents 04695d9 + 3bcae32
commit ef7793b
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/changelog.md b/changelog.md
@@ -3,6 +3,7 @@
 - [ADDED] `validationFailed` hook [#1626](https://github.com/sequelize/sequelize/issues/1626)
 - [FIXED] Mark index as `unique: true` when `type: 'UNIQUE'`. Fixes [#5351](https://github.com/sequelize/sequelize/issues/5351)
 - [ADDED[ Support for IEEE floating point literals in postgres and sqlite [#5194](https://github.com/sequelize/sequelize/issues/5194)
+- [FIXED] Improper escaping of bound arrays of strings on Postgres, SQLite, and Microsoft SQL Server
 
 # 3.19.3
 - [FIXED] `updatedAt` and `createdAt` values are now set before validation [#5367](https://github.com/sequelize/sequelize/pull/5367)

diff --git a/lib/sql-string.js b/lib/sql-string.js
@@ -48,7 +48,7 @@ SqlString.escape = function(val, timeZone, dialect, format) {
   }
 
   if (Array.isArray(val)) {
-    var escape = _.partialRight(SqlString.escape, timeZone, dialect);
+    var escape = _.partial(SqlString.escape, _, timeZone, dialect, format);
     if (dialect === 'postgres' && !format) {
       return dataTypes.ARRAY.prototype.stringify(val, {escape: escape});
     }

diff --git a/test/integration/sequelize.test.js b/test/integration/sequelize.test.js
@@ -583,6 +583,15 @@ describe(Support.getTestDialectTeaser('Sequelize'), function() {
       });
     });
 
+    if (dialect === 'postgres' || dialect === 'sqlite' || dialect === 'mssql') {
+      it ('does not improperly escape arrays of strings bound to named parameters', function() {
+        var logSql;
+        return this.sequelize.query('select :stringArray as foo', { raw: true, replacements: { stringArray: [ '"string"' ] }, logging: function(s) { logSql = s; } }).then(function(result) {
+          expect(result[0]).to.deep.equal([{ foo: '"string"' }]);
+        });
+      });
+    }
+
     it('throw an exception when binds passed with object and numeric $1 is also present', function() {
       var self = this;
       var typeCast = (dialect === 'postgres') ? '::int' : '';

diff --git a/test/unit/sql/select.test.js b/test/unit/sql/select.test.js
@@ -299,7 +299,8 @@ suite(Support.getTestDialectTeaser('SQL'), function() {
         attributes: ['*'],
         having: ['name IN (?)', [1, 'test', 3, "derp"]]
       }), {
-        default: "SELECT * FROM [User] HAVING name IN (1,'test',3,'derp');"
+        default: "SELECT * FROM [User] HAVING name IN (1,'test',3,'derp');",
+        mssql: "SELECT * FROM [User] HAVING name IN (1,N'test',3,N'derp');"
       });
     });
   });