Fixes #299 by treating seqs in VALUES differently

.gitignore

@@ -11,7 +11,9 @@
 .cpcache
 .clj-kondo/.cache
 .eastwood
+.lsp
 .nrepl-port
+.socket-repl-port
 .classpath
 .project
 .nrepl-port

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Changes
 
-* 1.0.next in progress
+* 1.0.461 -- 2021-02-22
+  * **Fix #299 potential SQL injection vulnerability.**
   * Fix/Improve `merge-where` (and `merge-having`) behavior. #282 via #283 (@camsaul)
 
 * 1.0.444 -- 2020-05-29

README.md

@@ -6,7 +6,7 @@ SQL as Clojure data structures. Build queries programmatically -- even at runtim
 
 The latest versions on Clojars and on cljdoc:
 
-[![Clojars Project](https://clojars.org/honeysql/latest-version.svg)](https://clojars.org/honeysql) [![cljdoc badge](https://cljdoc.org/badge/honeysql/honeysql?1.0.444)](https://cljdoc.org/d/honeysql/honeysql/CURRENT)
+[![Clojars Project](https://clojars.org/honeysql/latest-version.svg)](https://clojars.org/honeysql) [![cljdoc badge](https://cljdoc.org/badge/honeysql/honeysql?1.0.461)](https://cljdoc.org/d/honeysql/honeysql/CURRENT)
 
 This project follows the version scheme MAJOR.MINOR.COMMITS where MAJOR and MINOR provide some relative indication of the size of the change, but do not follow semantic versioning. In general, all changes endeavor to be non-breaking (by moving to new names rather than by breaking existing names). COMMITS is an ever-increasing counter of commits since the beginning of this repository.
 

pom.xml

@@ -3,7 +3,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>honeysql</groupId>
   <artifactId>honeysql</artifactId>
-  <version>1.0.444</version>
+  <version>1.0.461</version>
   <name>honeysql</name>
   <description>SQL as Clojure data structures.</description>
   <url>https://github.com/seancorfield/honeysql</url>
@@ -25,7 +25,7 @@
     <url>https://github.com/seancorfield/honeysql</url>
     <connection>scm:git:git://github.com/seancorfield/honeysql.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/seancorfield/honeysql.git</developerConnection>
-    <tag>v1.0.444</tag>
+    <tag>v1.0.461</tag>
   </scm>
   <dependencies>
     <dependency>

src/honeysql/format.cljc

@@ -635,14 +635,16 @@
 (defmethod format-clause :values [[_ values] _]
   (if (sequential? (first values))
     (str "VALUES " (comma-join (for [x values]
-                                 (str "(" (comma-join (map to-sql x)) ")"))))
+                                 (binding [*fn-context?* true]
+                                   (str "(" (comma-join (map to-sql x)) ")")))))
     (let [cols (keys (first values))]
       (str
        (binding [*namespace-as-table?* false]
          (str "(" (comma-join (map to-sql cols)) ")"))
        " VALUES "
        (comma-join (for [x values]
-                     (str "(" (comma-join (map #(to-sql (get x %)) cols)) ")")))))))
+                     (binding [*fn-context?* true]
+                       (str "(" (comma-join (map #(to-sql (get x %)) cols)) ")"))))))))
 
 (defmethod format-clause :query-values [[_ query-values] _]
   (to-sql query-values))

test/honeysql/format_test.cljc

@@ -320,3 +320,17 @@
          (format {:select [:*]
                   :from [[:foo :f]]
                   :cross-join [[:bar :b]]}))))
+
+(deftest issue-299-test
+  (let [name    "test field"
+        ;; this was being rendered inline into the SQL
+        ;; creating an injection vulnerability (v1 only)
+        ;; the context for seq->sql here seems to be the
+        ;; 'regular' one so it tries to treat this as an
+        ;; alias: 'value alias' -- the fix was to make it
+        ;; a function context so it becomes (TRUE, ?):
+        enabled [true, "); SELECT case when (SELECT current_setting('is_superuser'))='off' then pg_sleep(0.2) end; -- "]]
+    (is (= ["INSERT INTO table (name, enabled) VALUES (?, (TRUE, ?))" name (second enabled)]
+           (format {:insert-into :table
+                    :values [{:name name
+                              :enabled enabled}]})))))