From 9f2fe5e9d46d8bd2a7a5875235e1f7d36e8e18a5 Mon Sep 17 00:00:00 2001
From: Sean Corfield
Date: Mon, 22 Feb 2021 11:02:19 -0800
Subject: [PATCH] Fixes #299 by treating seqs in VALUES differently

---
 .gitignore | 2 ++
 CHANGELOG.md | 3 ++-
 README.md | 2 +-
 pom.xml | 4 ++--
 src/honeysql/format.cljc | 6 ++++--
 test/honeysql/format_test.cljc | 14 ++++++++++++++
 6 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index 64d7077..0c16baa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,9 @@
 .cpcache
 .clj-kondo/.cache
 .eastwood
+.lsp
 .nrepl-port
+.socket-repl-port
 .classpath
 .project
 .nrepl-port
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c76344..b274bed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Changes
-* 1.0.next in progress
+* 1.0.461 -- 2021-02-22
+ * **Fix #299 potential SQL injection vulnerability.**
 * Fix/Improve `merge-where` (and `merge-having`) behavior. #282 via #283 (@camsaul)
 * 1.0.444 -- 2020-05-29
diff --git a/README.md b/README.md
index 649430a..f7bd86a 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ SQL as Clojure data structures. Build queries programmatically -- even at runtim
 The latest versions on Clojars and on cljdoc:
-[![Clojars Project](https://clojars.org/honeysql/latest-version.svg)](https://clojars.org/honeysql) [![cljdoc badge](https://cljdoc.org/badge/honeysql/honeysql?1.0.444)](https://cljdoc.org/d/honeysql/honeysql/CURRENT)
+[![Clojars Project](https://clojars.org/honeysql/latest-version.svg)](https://clojars.org/honeysql) [![cljdoc badge](https://cljdoc.org/badge/honeysql/honeysql?1.0.461)](https://cljdoc.org/d/honeysql/honeysql/CURRENT)
 This project follows the version scheme MAJOR.MINOR.COMMITS where MAJOR and MINOR provide some relative indication of the size of the change, but do not follow semantic versioning. In general, all changes endeavor to be non-breaking (by moving to new names rather than by breaking existing names). COMMITS is an ever-increasing counter of commits since the beginning of this repository.
diff --git a/pom.xml b/pom.xml
index fda7cfd..e660f99 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 4.0.0
 honeysql
 honeysql
- 1.0.444
+ 1.0.461
 honeysql
 SQL as Clojure data structures.
 https://github.com/seancorfield/honeysql
@@ -25,7 +25,7 @@
 https://github.com/seancorfield/honeysql
 scm:git:git://github.com/seancorfield/honeysql.git
 scm:git:ssh://git@github.com/seancorfield/honeysql.git
- v1.0.444
+ v1.0.461
diff --git a/src/honeysql/format.cljc b/src/honeysql/format.cljc
index 2eb9c43..7432ecb 100644
--- a/src/honeysql/format.cljc
+++ b/src/honeysql/format.cljc
@@ -635,14 +635,16 @@
 (defmethod format-clause :values [[_ values] _]
 (if (sequential? (first values))
 (str "VALUES " (comma-join (for [x values]
- (str "(" (comma-join (map to-sql x)) ")"))))
+ (binding [*fn-context?* true]
+ (str "(" (comma-join (map to-sql x)) ")")))))
 (let [cols (keys (first values))]
 (str
 (binding [*namespace-as-table?* false]
 (str "(" (comma-join (map to-sql cols)) ")"))
 " VALUES "
 (comma-join (for [x values]
- (str "(" (comma-join (map #(to-sql (get x %)) cols)) ")")))))))
+ (binding [*fn-context?* true]
+ (str "(" (comma-join (map #(to-sql (get x %)) cols)) ")")))))))))
 (defmethod format-clause :query-values [[_ query-values] _]
 (to-sql query-values))
diff --git a/test/honeysql/format_test.cljc b/test/honeysql/format_test.cljc
index d7fa8c7..7ddea79 100644
--- a/test/honeysql/format_test.cljc
+++ b/test/honeysql/format_test.cljc
@@ -320,3 +320,17 @@
 (format {:select [:*] :from [[:foo :f]] :cross-join [[:bar :b]]}))))
+
+(deftest issue-299-test
+ (let [name "test field"
+ ;; this was being rendered inline into the SQL
+ ;; creating an injection vulnerability (v1 only)
+ ;; the context for seq->sql here seems to be the
+ ;; 'regular' one so it tries to treat this as an
+ ;; alias: 'value alias' -- the fix was to make it
+ ;; a function context so it becomes (TRUE, ?):
+ enabled [true, "); SELECT case when (SELECT current_setting('is_superuser'))='off' then pg_sleep(0.2) end; -- "]]
+ (is (= ["INSERT INTO table (name, enabled) VALUES (?, (TRUE, ?))" name (second enabled)]
+ (format {:insert-into :table
+ :values [{:name name
+ :enabled enabled}]})))))
\ No newline at end of file
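Review bot: The two new `binding [*fn-context?* true]` forms in `format-clause :values` are the entire fix for #299, but nothing at the site says why they are there, so a later tidy-up could drop them and only the single regression test would notice; add a comment above each such as `;; fn context: a seq value renders as a parameterized tuple, never as an inline 'value alias' (#299)`. Since `comma-join` presumably realizes the lazy `for` while still inside the dynamic scope, one binding around each outer `(comma-join (for ...))` would cover every row and avoid re-establishing the var per row — `comma-join` is defined outside the hunk, so confirm it is eager before hoisting. The change is scoped to `:values` only; if `seq->sql` in the regular context still renders a string second element as a raw alias, as the test comment describes, any other clause that hands a user-supplied seq to `to-sql` in that context deserves the same review and its own regression test.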
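Review bot: `issue-299-test` only exercises the map form of `:values`, yet the hunk in src/honeysql/format.cljc also changed the sequential form (the `(sequential? (first values))` branch), which has no test and could regress independently; add a second assertion such as `(is (= ["INSERT INTO table VALUES (?, (TRUE, ?))" name (second enabled)] (format {:insert-into :table :values [[name enabled]]})))`, where the expected string is inferred from the map-form assertion and should be confirmed against actual output. The explanatory comment records the old rendering mechanics; stating the invariant under test as well, e.g. `;; every string value must surface as a ? parameter, never in the SQL text`, would make the intent clearer to the next reader. The file now ends without a trailing newline (`\ No newline at end of file`), which most formatters will churn on the next commit.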