chain-builder 3.1.0

A typed, dialect-aware SQL query builder for Rust (PostgreSQL/MySQL/SQLite).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

//! `having()` operator allowlist guard.
//!
//! Unlike every other operator-bearing method (`where_eq`, `where_column`,
//! `JoinClause::on`, …) which take `op: &'static str` and so cannot receive a
//! runtime string, `having()` takes `op: &str` for ergonomics. To keep that
//! from becoming a SQL-injection vector when a caller wires an
//! attacker-controlled operator into the HAVING clause, the operator is
//! validated against a fixed allowlist. A disallowed operator records a
//! deferred `BuildError`: `try_to_sql()` returns it as `Err` (covered in
//! `tests/build_error.rs`), while `to_sql()` panics with the same message
//! (fail-loud, matching the `offset`/`distinct_on`/lock guards). Arbitrary
//! aggregate expressions go through `having_raw` instead.

use chain_builder::{Postgres, QueryBuilder};

#[test]
fn allowed_operators_compile() {
    for op in ["=", "!=", "<>", ">", ">=", "<", "<=", "LIKE", "NOT LIKE"] {
        let (sql, _) = QueryBuilder::<Postgres>::table("orders")
            .select(["user_id"])
            .group_by(["user_id"])
            .having("total", op, 100i64)
            .to_sql();
        assert_eq!(
            sql,
            format!(r#"SELECT "user_id" FROM "orders" GROUP BY "user_id" HAVING "total" {op} $1"#)
        );
    }
}

#[test]
fn operator_is_case_insensitive_and_trimmed() {
    // `like` (lowercase, padded) is accepted and stored trimmed.
    let (sql, _) = QueryBuilder::<Postgres>::table("orders")
        .select(["user_id"])
        .having("name", "  like  ", "a%")
        .to_sql();
    assert_eq!(
        sql,
        r#"SELECT "user_id" FROM "orders" HAVING "name" like $1"#
    );
}

#[test]
#[should_panic(expected = "not an allowed")]
fn injection_via_operator_panics() {
    // The classic generic-filter-API injection: an attacker-controlled operator.
    let _ = QueryBuilder::<Postgres>::table("orders")
        .select(["user_id"])
        .having("amount", ">= 0 UNION SELECT password FROM users --", 0i64)
        .to_sql();
}

#[test]
#[should_panic(expected = "not an allowed")]
fn arbitrary_operator_panics() {
    let _ = QueryBuilder::<Postgres>::table("orders")
        .select(["user_id"])
        .having("amount", "; DROP TABLE users", 0i64)
        .to_sql();
}