chain-builder 1.0.2

A query builder for MySQL for Rust is designed to be flexible and easy to use.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

//! Security regression tests: identifier interpolation must not allow SQL
//! injection. Values are always bound; identifiers (columns/tables/aliases)
//! are dialect-escaped so attacker-controlled names cannot break out.

use chain_builder::{ChainBuilder, Client, JoinMethods, QueryCommon, Select, WhereClauses};
use serde_json::Value;

#[test]
fn mysql_where_column_is_escaped() {
    let mut builder = ChainBuilder::new(Client::Mysql);
    builder
        .select(Select::Columns(vec!["*".into()]))
        .table("users")
        .query(|qb| {
            // A malicious "column" coming from untrusted input.
            qb.where_eq("name`; DROP TABLE users; --", Value::String("x".to_string()));
        });
    let (sql, binds) = builder.to_sql();

    // The injection payload is contained inside a single backtick-quoted
    // identifier (backticks doubled); it is NOT executable SQL.
    assert_eq!(
        sql,
        "SELECT * FROM `users` WHERE `name``; DROP TABLE users; --` = ?"
    );
    // The value is still bound, not inlined.
    assert_eq!(binds, vec![Value::String("x".to_string())]);
    // No unescaped statement terminator leaked into the SQL.
    assert!(!sql.contains("; DROP TABLE users; --` = ? ;"));
}

#[test]
fn mysql_order_by_column_is_escaped() {
    // Classic dynamic-sort injection vector.
    let mut builder = ChainBuilder::new(Client::Mysql);
    builder
        .select(Select::Columns(vec!["*".into()]))
        .table("users")
        .query(|qb| {
            qb.order_by("id`; DROP TABLE users; --", "ASC");
        });
    let (sql, _) = builder.to_sql();
    assert_eq!(
        sql,
        "SELECT * FROM `users` ORDER BY `id``; DROP TABLE users; --` ASC"
    );
}

#[test]
fn sqlite_identifiers_use_double_quotes() {
    let mut builder = ChainBuilder::new(Client::Sqlite);
    builder
        .select(Select::Columns(vec!["id".into(), "name".into()]))
        .table("users")
        .query(|qb| {
            qb.where_eq("name\" OR \"1\"=\"1", Value::String("x".to_string()));
        });
    let (sql, _) = builder.to_sql();
    assert_eq!(
        sql,
        "SELECT \"id\", \"name\" FROM \"users\" WHERE \"name\"\" OR \"\"1\"\"=\"\"1\" = ?"
    );
}

#[test]
fn mysql_qualified_and_wildcard_identifiers() {
    let mut builder = ChainBuilder::new(Client::Mysql);
    builder
        .db("mydb")
        .select(Select::Columns(vec!["users.*".into()]))
        .table("users")
        .query(|qb| {
            qb.left_join("profiles", |j| {
                j.on("users.id", "=", "profiles.user_id");
            });
            qb.where_eq("users.status", Value::String("active".to_string()));
        });
    let (sql, _) = builder.to_sql();
    assert_eq!(
        sql,
        "SELECT `users`.* FROM `mydb`.`users` \
         LEFT JOIN `mydb`.`profiles` ON `users`.`id` = `profiles`.`user_id` \
         WHERE `users`.`status` = ?"
    );
}

#[test]
fn mysql_insert_keys_are_escaped() {
    let mut builder = ChainBuilder::new(Client::Mysql);
    builder.table("users").insert(serde_json::json!({
        "name": "John",
        "email": "john@example.com",
    }));
    let (sql, _) = builder.to_sql();
    assert_eq!(
        sql,
        "INSERT INTO `users` (`email`, `name`) VALUES (?, ?)"
    );
}