drizzle-team
diff --git a/‎changelogs/drizzle-orm/1.0.0-beta.20.md‎
Lines changed: 4 additions & 0 deletions b/‎changelogs/drizzle-orm/1.0.0-beta.20.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎drizzle-kit/package.json‎
Lines changed: 1 addition & 1 deletion b/‎drizzle-kit/package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎drizzle-kit/tests/postgres/pg-constraints.test.ts‎
Lines changed: 2 additions & 2 deletions b/‎drizzle-kit/tests/postgres/pg-constraints.test.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎drizzle-kit/tests/postgres/pg-indexes.test.ts‎
Lines changed: 1 addition & 1 deletion b/‎drizzle-kit/tests/postgres/pg-indexes.test.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎drizzle-kit/tests/postgres/pg-views.test.ts‎
Lines changed: 3 additions & 3 deletions b/‎drizzle-kit/tests/postgres/pg-views.test.ts‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎drizzle-orm/package.json‎
Lines changed: 1 addition & 1 deletion b/‎drizzle-orm/package.json‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,4 @@
+- Fixed `sql.identifier()`, `sql.as()` escaping issues. Previously all the values passed to this functions were not properly escaped
+causing a possible SQL Injection (CWE-89) vulnerability
+
+Thanks to @EthanKim88, @0x90sh and @wgoodall01 for reaching out to us with a reproduction and suggested fix
@@ -1,6 +1,6 @@
 {
 	"name": "drizzle-kit",
-	"version": "1.0.0-beta.19",
+	"version": "1.0.0-beta.20",
 	"homepage": "https://orm.drizzle.team",
 	"keywords": [
 		"drizzle",
 
@@ -2419,7 +2419,7 @@ test('generated + unique', async (t) => {
 	expect(st).toStrictEqual([
 		`ALTER TABLE \"table\" RENAME COLUMN \"column2\" TO \"column3\";`,
 		`ALTER TABLE \"table\" DROP COLUMN \"bool\";`,
-		`ALTER TABLE \"table\" ADD COLUMN \"bool\" boolean GENERATED ALWAYS AS (((\"table\".\"column1\" is null) and (\"table\".\"column3\" is null))) STORED;`,
+		`ALTER TABLE \"table\" ADD COLUMN \"bool\" boolean GENERATED ALWAYS AS ((((\"table\".\"column1\" is null)) and ((\"table\".\"column3\" is null)))) STORED;`,
 		'ALTER TABLE "table" ADD CONSTRAINT "table_bool_key" UNIQUE("bool");',
 	]);
 	// push is not triggered on generated change
@@ -2467,7 +2467,7 @@ test('generated + pk', async (t) => {
 	expect(st).toStrictEqual([
 		`ALTER TABLE \"table\" RENAME COLUMN \"column2\" TO \"column3\";`,
 		`ALTER TABLE \"table\" DROP COLUMN \"bool\";`,
-		`ALTER TABLE \"table\" ADD COLUMN \"bool\" boolean PRIMARY KEY GENERATED ALWAYS AS (((\"table\".\"column1\" is null) and (\"table\".\"column3\" is null))) STORED;`,
+		`ALTER TABLE \"table\" ADD COLUMN \"bool\" boolean PRIMARY KEY GENERATED ALWAYS AS ((((\"table\".\"column1\" is null)) and ((\"table\".\"column3\" is null)))) STORED;`,
 	]);
 	// push is not triggered on generated change
 	expect(pst).toStrictEqual([
 
@@ -570,7 +570,7 @@ test('index #4', async (t) => {
 	expect(st).toStrictEqual([
 		`ALTER TABLE \"table\" RENAME COLUMN \"column2\" TO \"column3\";`,
 		`ALTER TABLE \"table\" DROP COLUMN \"bool\";`,
-		`ALTER TABLE \"table\" ADD COLUMN \"bool\" boolean GENERATED ALWAYS AS (((\"table\".\"column1\" is null) and (\"table\".\"column3\" is null))) STORED;`,
+		`ALTER TABLE \"table\" ADD COLUMN \"bool\" boolean GENERATED ALWAYS AS ((((\"table\".\"column1\" is null)) and ((\"table\".\"column3\" is null)))) STORED;`,
 		`CREATE INDEX "table_uid_bool_idx" ON "table" ("uid","bool");`,
 	]);
 	// push is not triggered on generated change
 
@@ -2045,7 +2045,7 @@ test('.as in view select', async () => {
 				.from(user)
 				.leftJoin(
 					userSubscription,
-					sql`(${user.id} = ${userSubscription.userId} and (${userSubscription.status} = 'active' or ${userSubscription.status} = 'trialing'))`,
+					sql`((${user.id} = ${userSubscription.userId}) and (((${userSubscription.status} = 'active') or (${userSubscription.status} = 'trialing'))))`,
 				);
 		},
 	);
@@ -2084,8 +2084,8 @@ test('.as in view select', async () => {
 	const expectedSt1View = (viewName: string) =>
 		`CREATE VIEW "${viewName}" AS `
 		+ `(select "user"."id" as "userId", "user"."email", "user"."name", "user_subscription"."id" as "subscriptionId", "user_subscription"."status" `
-		+ `from "user" left join "user_subscription" on ("user"."id" = "user_subscription"."userId" `
-		+ `and ("user_subscription"."status" = 'active' or "user_subscription"."status" = 'trialing')));`;
+		+ `from "user" left join "user_subscription" on (("user"."id" = "user_subscription"."userId") `
+		+ `and ((("user_subscription"."status" = 'active') or ("user_subscription"."status" = 'trialing')))));`;
 	const expectedSt1 = [
 		'CREATE TABLE "user" (\n\t"id" serial PRIMARY KEY,\n\t"email" text,\n\t"name" text\n);\n',
 		'CREATE TABLE "user_subscription" (\n\t"id" serial PRIMARY KEY,\n\t"userId" integer,\n\t"status" text\n);\n',
 
@@ -1,6 +1,6 @@
 {
 	"name": "drizzle-orm",
-	"version": "1.0.0-beta.19",
+	"version": "1.0.0-beta.20",
 	"description": "Drizzle ORM package for SQL databases",
 	"type": "module",
 	"scripts": {
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "drizzle-kit",`
`3`		`- "version": "1.0.0-beta.19",`
	`3`	`+ "version": "1.0.0-beta.20",`
`4`	`4`	`"homepage": "https://orm.drizzle.team",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"drizzle",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "drizzle-orm",`
`3`		`- "version": "1.0.0-beta.19",`
	`3`	`+ "version": "1.0.0-beta.20",`
`4`	`4`	`"description": "Drizzle ORM package for SQL databases",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"scripts": {`