- Fix Raw SQL validation logic to handle SQL that has been formatted …

…with line breaks.
cajuncoding · May 22, 2024 · da2d123 · da2d123
1 parent b182a9b
commit da2d123
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 12 deletions.
diff --git a/RepoDb.PagingPrimitives/RepoDbExtensions.PagingPrimitives.csproj b/RepoDb.PagingPrimitives/RepoDbExtensions.PagingPrimitives.csproj
@@ -3,9 +3,9 @@
 	<PropertyGroup>
 		<TargetFrameworks>netstandard2.0;netstandard2.1;net6.0;</TargetFrameworks>
 		<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
-		<Version>1.1.5.1</Version>
-		<AssemblyVersion>1.1.5.1</AssemblyVersion>
-		<FileVersion>1.1.5.1</FileVersion>
+		<Version>1.1.5.2</Version>
+		<AssemblyVersion>1.1.5.2</AssemblyVersion>
+		<FileVersion>1.1.5.2</FileVersion>
 		<Authors>BBernard / CajunCoding</Authors>
 		<Company>CajunCoding</Company>
 		<Description>The primitives and helpers needed for RepoDbExtensions.SqlServer.PagingOperations pacakge; used for working with modern pagination approaches such as Cursor based paging, as well as Offset based pagination, using the RepoDb ORM with Sql Server.</Description>
@@ -16,9 +16,10 @@
 		<PackageTags>repodb, paging, pagination, cursor, offset, skip, take, sorting, graphql, graph-ql, hotchocolate, dapper, sqlkata</PackageTags>
 		<PackageReleaseNotes>
 			Release Notes:
-			- Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps.
+			- Fix Raw SQL validation logic to handle SQL that has been formatted with line breaks.
 
 			Prior Release Notes:
+			- Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps.
 			- Initial release of independent set of primities and helpers for RepoDb to support enhanced Cursor &amp; Offset Paging Query Operations using the RepoDbExtensions.SqlServer.PagingOperations package.
 		</PackageReleaseNotes>
 	</PropertyGroup>

diff --git a/RepoDb.SqlServer.PagingOperations/RawSql.cs b/RepoDb.SqlServer.PagingOperations/RawSql.cs
@@ -1,22 +1,24 @@
 using System;
+using System.Text.RegularExpressions;
 
 namespace RepoDb.SqlServer.PagingOperations
 {
     public class RawSql
     {
-        const string SELECT_PREFIX = "SELECT ";
-        const string ORDER_BY_CLAUSE = "ORDER BY";
+        private static readonly Regex SelectPrefixValidationRegex = new Regex(@"^\s*SELECT\s+", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+        private static readonly Regex OrderByValidationRegex = new Regex(@"\s+ORDER BY\s+", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
         public RawSql(string rawSql, object sqlParams)
         {
             var sanitizedRawSql = rawSql.Trim();
 
             if (string.IsNullOrWhiteSpace(sanitizedRawSql))
                 throw new ArgumentException("The raw sql select statement cannot be null or whitespace.");
 
-            if (!sanitizedRawSql.StartsWith(SELECT_PREFIX, StringComparison.OrdinalIgnoreCase))
+            if (!SelectPrefixValidationRegex.IsMatch(sanitizedRawSql))
                 throw new ArgumentException("The raw sql select statement provided does not appear to be a valid simple SELECT statement.");
 
-            if (sanitizedRawSql.IndexOf(ORDER_BY_CLAUSE, StringComparison.OrdinalIgnoreCase) >= 0)
+            if (OrderByValidationRegex.IsMatch(sanitizedRawSql))
                 throw new ArgumentException("The raw sql select statement cannot contains an Order By clause; Order By must be specified using the API for proper Pagination.");
 
             RawSqlStatement = sanitizedRawSql;

diff --git a/RepoDb.SqlServer.PagingOperations/RepoDbExtensions.SqlServer.PagingOperations.csproj b/RepoDb.SqlServer.PagingOperations/RepoDbExtensions.SqlServer.PagingOperations.csproj
@@ -2,9 +2,9 @@
 
 	<PropertyGroup>
 		<TargetFrameworks>netstandard2.0;netstandard2.1;net6.0;</TargetFrameworks>
-		<Version>1.1.5.1</Version>
-		<AssemblyVersion>1.1.5.1</AssemblyVersion>
-		<FileVersion>1.1.5.1</FileVersion>
+		<Version>1.1.5.2</Version>
+		<AssemblyVersion>1.1.5.2</AssemblyVersion>
+		<FileVersion>1.1.5.2</FileVersion>
 		<Authors>BBernard / CajunCoding</Authors>
 		<Company>CajunCoding</Company>
 		<Description>A set of extensions for working with modern pagination approaches such as Cursor based paging, as well as Offset based pagination, using the RepoDb ORM with Sql Server.</Description>
@@ -15,9 +15,10 @@
 		<PackageTags>repodb, paging, pagination, cursor, offset, skip, take, sorting, graphql, graph-ql, hotchocolate, dapper, sqlkata</PackageTags>
 		<PackageReleaseNotes>
 			Release Notes:
-			- Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps.
+			- Fix Raw SQL validation logic to handle SQL that has been formatted with line breaks.
 
 			Prior Release Notes:
+			- Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps.
 			- Initial release of independent custom extensions for RepoDb to support enhanced Cursor &amp; Offset Paging Query Operations.
 			- This allows non-GraphQL projects (e.g. normal REST APIs) to more easily implement modern paging (Cursor or Offset) with the RepoDb ORM and SQL Server.
 			- These extensions have been in use in production applications using GraphQL.RepoDb.SqlServer for a long while, but are now available independently.