diff --git a/.gitignore b/.gitignore
index 64d7077..0c16baa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,9 @@
.cpcache
.clj-kondo/.cache
.eastwood
+.lsp
.nrepl-port
+.socket-repl-port
.classpath
.project
.nrepl-port
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c76344..b274bed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
# Changes
-* 1.0.next in progress
+* 1.0.461 -- 2021-02-22
+ * **Fix #299 potential SQL injection vulnerability.**
* Fix/Improve `merge-where` (and `merge-having`) behavior. #282 via #283 (@camsaul)
* 1.0.444 -- 2020-05-29
diff --git a/README.md b/README.md
index 649430a..f7bd86a 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ SQL as Clojure data structures. Build queries programmatically -- even at runtim
The latest versions on Clojars and on cljdoc:
-[](https://clojars.org/honeysql) [](https://cljdoc.org/d/honeysql/honeysql/CURRENT)
+[](https://clojars.org/honeysql) [](https://cljdoc.org/d/honeysql/honeysql/CURRENT)
This project follows the version scheme MAJOR.MINOR.COMMITS where MAJOR and MINOR provide some relative indication of the size of the change, but do not follow semantic versioning. In general, all changes endeavor to be non-breaking (by moving to new names rather than by breaking existing names). COMMITS is an ever-increasing counter of commits since the beginning of this repository.
diff --git a/pom.xml b/pom.xml
index fda7cfd..e660f99 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
4.0.0
honeysql
honeysql
- 1.0.444
+ 1.0.461
honeysql
SQL as Clojure data structures.
https://github.com/seancorfield/honeysql
@@ -25,7 +25,7 @@
https://github.com/seancorfield/honeysql
scm:git:git://github.com/seancorfield/honeysql.git
scm:git:ssh://git@github.com/seancorfield/honeysql.git
- v1.0.444
+ v1.0.461
diff --git a/src/honeysql/format.cljc b/src/honeysql/format.cljc
index 2eb9c43..7432ecb 100644
--- a/src/honeysql/format.cljc
+++ b/src/honeysql/format.cljc
@@ -635,14 +635,16 @@
(defmethod format-clause :values [[_ values] _]
(if (sequential? (first values))
(str "VALUES " (comma-join (for [x values]
- (str "(" (comma-join (map to-sql x)) ")"))))
+ (binding [*fn-context?* true]
+ (str "(" (comma-join (map to-sql x)) ")")))))
(let [cols (keys (first values))]
(str
(binding [*namespace-as-table?* false]
(str "(" (comma-join (map to-sql cols)) ")"))
" VALUES "
(comma-join (for [x values]
- (str "(" (comma-join (map #(to-sql (get x %)) cols)) ")")))))))
+ (binding [*fn-context?* true]
+ (str "(" (comma-join (map #(to-sql (get x %)) cols)) ")"))))))))
(defmethod format-clause :query-values [[_ query-values] _]
(to-sql query-values))
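Review bot: Nothing in the new `(binding [*fn-context?* true] ...)` at either VALUES site says why the context is switched, and the switch is a behaviour change for every vector element in a row, not just the `[true "..."]` payload from #299: a vector is now emitted as a tuple `(TRUE, ?)` instead of being read as an `expr alias` pair that inlined the string, and `VALUES (?, (TRUE, ?))` will most likely be rejected by the database as a column-count mismatch — the right failure mode, but one a maintainer will wonder about. I would put a comment above each binding: `;; #299: render row values in fn context so a vector becomes an (a, b) tuple whose string elements are ? parameters, never an inlined "expr alias"`. The two branches now carry identical per-row code; a small `(defn- format-values-row [xs] (binding [*fn-context?* true] (str "(" (comma-join (map to-sql xs)) ")")))` called with `x` in the first branch and `(map #(get x %) cols)` in the second would keep the fix in one place. The binding only protects the `to-sql` calls because `comma-join` appears to realise the lazy `map` inside it; if that is `clojure.string/join` it is fine, but `mapv` would make the fix independent of that assumption.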
diff --git a/test/honeysql/format_test.cljc b/test/honeysql/format_test.cljc
index d7fa8c7..7ddea79 100644
--- a/test/honeysql/format_test.cljc
+++ b/test/honeysql/format_test.cljc
@@ -320,3 +320,17 @@
(format {:select [:*]
:from [[:foo :f]]
:cross-join [[:bar :b]]}))))
+
+(deftest issue-299-test
+ (let [name "test field"
+ ;; this was being rendered inline into the SQL
+ ;; creating an injection vulnerability (v1 only)
+ ;; the context for seq->sql here seems to be the
+ ;; 'regular' one so it tries to treat this as an
+ ;; alias: 'value alias' -- the fix was to make it
+ ;; a function context so it becomes (TRUE, ?):
+ enabled [true, "); SELECT case when (SELECT current_setting('is_superuser'))='off' then pg_sleep(0.2) end; -- "]]
+ (is (= ["INSERT INTO table (name, enabled) VALUES (?, (TRUE, ?))" name (second enabled)]
+ (format {:insert-into :table
+ :values [{:name name
+ :enabled enabled}]})))))
\ No newline at end of file
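Review bot: issue-299-test only exercises the map-row branch of `:values` (the `format` call passes `{:name .. :enabled ..}`), while the fix also changed the sequential-row branch, which is left without a regression test. I would add a second assertion in the same `let`, along the lines of `(is (= ["INSERT INTO table VALUES (?, (TRUE, ?))" name (second enabled)] (format {:insert-into :table :values [[name enabled]]})))`, adjusting the expected prefix to whatever the sequential branch renders for an insert without a column list. The local `name` shadows `clojure.core/name`, which clj-kondo (already configured per .gitignore) will flag; `field-name` avoids that. The file is also left without a trailing newline.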