From 258434b3ed50df36290ca4207c361a603c9c2330 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Wed, 30 Mar 2022 14:31:17 +0100
Subject: [PATCH] Fix for #5153 - doing it at the mysql level as it seems to be affected by incorrect types in a way that other SQL databases aren't - limits the possible damage this can do.
---
 packages/server/src/definitions/datasource.ts | 6 +-----
 packages/server/src/integrations/mysql.ts | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/packages/server/src/definitions/datasource.ts b/packages/server/src/definitions/datasource.ts
index 2e2ad25f58..77239da261 100644
--- a/packages/server/src/definitions/datasource.ts
+++ b/packages/server/src/definitions/datasource.ts
@@ -181,11 +181,7 @@ export interface QueryJson {
 
 export interface SqlQuery {
 sql: string
- bindings?:
- | string[]
- | {
- [key: string]: any
- }
+ bindings?: string[]
 }
 
 export interface QueryOptions {
diff --git a/packages/server/src/integrations/mysql.ts b/packages/server/src/integrations/mysql.ts
index 8b2c9ac944..6f009bbd4a 100644
--- a/packages/server/src/integrations/mysql.ts
+++ b/packages/server/src/integrations/mysql.ts
@@ -80,6 +80,20 @@ module MySQLModule {
 },
 }
 
+ function bindingTypeCoerce(bindings: any[]) {
+ for (let i = 0; i < bindings.length; i++) {
+ const binding = bindings[i]
+ if (typeof binding !== "string") {
+ continue
+ }
+ const matches = binding.match(/^\d*/g)
+ if (matches && matches[0] !== "" && !isNaN(Number(matches[0]))) {
+ bindings[i] = parseFloat(binding)
+ }
+ }
+ return bindings
+ }
+
 class MySQLIntegration extends Sql implements DatasourcePlus {
 private config: MySQLConfig
 private client: any
@@ -122,7 +136,7 @@ module MySQLModule {
 // Node MySQL is callback based, so we must wrap our call in a promise
 const response = await this.client.query(
 query.sql,
- query.bindings || []
+ bindingTypeCoerce(query.bindings || [])
 )
 return response[0]
 } finally {
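Review bot: `bindings?: string[]` is narrower than what the MySQL side now produces: `bindingTypeCoerce` in mysql.ts declares its parameter as `any[]` and assigns `parseFloat` results back into the same array, so once `query.bindings || []` has passed through it the array holds numbers while its declared element type says string. Either declare the type to match the runtime, `bindings?: (string | number)[]`, or keep `string[]` and have the integration return a new array instead of writing into this one. Nothing in the hunk shows whether the removed `{ [key: string]: any }` (named-bindings) form still has callers; that is worth a grep before merging.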
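Review bot: `bindingTypeCoerce` converts any string that merely starts with a digit into a number, because the guard only checks that `/^\d*/` matched a non-empty prefix and `parseFloat` then stops at the first non-numeric character — `"2022-03-30"` becomes `2022` and `"12 Main Street"` becomes `12`. For a string column that silently corrupts the value on write and changes which rows a `WHERE col = ?` matches on read, the opposite of the damage-limiting the commit message is after. Coerce only when the whole string is numeric, and return a fresh array rather than overwriting the caller's (the loop assigns into `bindings[i]` and returns the same array). The `!isNaN(Number(matches[0]))` clause is always true once `matches[0]` is a non-empty run of digits, so it adds nothing and can go.
```typescript
  function bindingTypeCoerce(bindings: any[]) {
    // Only coerce strings that are numeric in their entirety; a string that
    // merely starts with digits ("2022-03-30", "12 Main St") stays a string.
    const numeric = /^-?\d+(\.\d+)?$/
    return bindings.map(binding =>
      typeof binding === "string" && numeric.test(binding)
        ? Number(binding)
        : binding
    )
  }
```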
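Review bot: `bindingTypeCoerce(query.bindings || [])` hands the caller's own array to a function that assigns into `bindings[i]`, so `query.bindings` is altered as a side effect of running the query; if the same `SqlQuery` object is logged, retried or reused after this call, its bindings are no longer the values the caller supplied. Pass a copy so the coercion stays local to the MySQL driver call, `bindingTypeCoerce([...(query.bindings || [])])`. The enclosing method starts and ends outside this hunk.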