From da2d123fa96994b2978d4114f20c43ce8602e3f4 Mon Sep 17 00:00:00 2001 From: Brandon Bernard Date: Wed, 22 May 2024 00:43:52 -0500 Subject: [PATCH] - Fix Raw SQL validation logic to handle SQL that has been formatted with line breaks. --- .../RepoDbExtensions.PagingPrimitives.csproj | 9 +++++---- RepoDb.SqlServer.PagingOperations/RawSql.cs | 10 ++++++---- .../RepoDbExtensions.SqlServer.PagingOperations.csproj | 9 +++++---- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/RepoDb.PagingPrimitives/RepoDbExtensions.PagingPrimitives.csproj b/RepoDb.PagingPrimitives/RepoDbExtensions.PagingPrimitives.csproj index ffee730..08d187d 100644 --- a/RepoDb.PagingPrimitives/RepoDbExtensions.PagingPrimitives.csproj +++ b/RepoDb.PagingPrimitives/RepoDbExtensions.PagingPrimitives.csproj @@ -3,9 +3,9 @@ netstandard2.0;netstandard2.1;net6.0; true - 1.1.5.1 - 1.1.5.1 - 1.1.5.1 + 1.1.5.2 + 1.1.5.2 + 1.1.5.2 BBernard / CajunCoding CajunCoding The primitives and helpers needed for RepoDbExtensions.SqlServer.PagingOperations pacakge; used for working with modern pagination approaches such as Cursor based paging, as well as Offset based pagination, using the RepoDb ORM with Sql Server. @@ -16,9 +16,10 @@ repodb, paging, pagination, cursor, offset, skip, take, sorting, graphql, graph-ql, hotchocolate, dapper, sqlkata Release Notes: - - Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps. + - Fix Raw SQL validation logic to handle SQL that has been formatted with line breaks. Prior Release Notes: + - Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps. - Initial release of independent set of primities and helpers for RepoDb to support enhanced Cursor & Offset Paging Query Operations using the RepoDbExtensions.SqlServer.PagingOperations package. 
diff --git a/RepoDb.SqlServer.PagingOperations/RawSql.cs b/RepoDb.SqlServer.PagingOperations/RawSql.cs
index fa71347..4637053 100644
--- a/RepoDb.SqlServer.PagingOperations/RawSql.cs
+++ b/RepoDb.SqlServer.PagingOperations/RawSql.cs
@@ -1,11 +1,13 @@
 using System;
+using System.Text.RegularExpressions;
 
 namespace RepoDb.SqlServer.PagingOperations
 {
     public class RawSql
     {
-        const string SELECT_PREFIX = "SELECT ";
-        const string ORDER_BY_CLAUSE = "ORDER BY";
+        private static readonly Regex SelectPrefixValidationRegex = new Regex(@"^\s*SELECT\s+", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+        private static readonly Regex OrderByValidationRegex = new Regex(@"\s+ORDER BY\s+", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
         public RawSql(string rawSql, object sqlParams)
         {
             var sanitizedRawSql = rawSql.Trim();
@@ -13,10 +15,10 @@ public RawSql(string rawSql, object sqlParams)
             if (string.IsNullOrWhiteSpace(sanitizedRawSql))
                 throw new ArgumentException("The raw sql select statement cannot be null or whitespace.");
 
-            if (!sanitizedRawSql.StartsWith(SELECT_PREFIX, StringComparison.OrdinalIgnoreCase))
+            if (!SelectPrefixValidationRegex.IsMatch(sanitizedRawSql))
                 throw new ArgumentException("The raw sql select statement provided does not appear to be a valid simple SELECT statement.");
 
-            if (sanitizedRawSql.IndexOf(ORDER_BY_CLAUSE, StringComparison.OrdinalIgnoreCase) >= 0)
+            if (OrderByValidationRegex.IsMatch(sanitizedRawSql))
                 throw new ArgumentException("The raw sql select statement cannot contains an Order By clause; Order By must be specified using the API for proper Pagination.");
 
             RawSqlStatement = sanitizedRawSql;
diff --git a/RepoDb.SqlServer.PagingOperations/RepoDbExtensions.SqlServer.PagingOperations.csproj b/RepoDb.SqlServer.PagingOperations/RepoDbExtensions.SqlServer.PagingOperations.csproj
index 523a636..c179bad 100644
--- a/RepoDb.SqlServer.PagingOperations/RepoDbExtensions.SqlServer.PagingOperations.csproj
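Review bot: The new `OrderByValidationRegex` (`\s+ORDER BY\s+`, first hunk of RawSql.cs) is narrower than the `IndexOf("ORDER BY")` test it replaces: it demands exactly one space between the two keywords and whitespace on both sides, so `ORDER\tBY`, `ORDER  BY`, `ORDER BY[Col]` and `)ORDER BY` all pass the guard that the second hunk relies on, and the last two were rejected by the old code. Anchoring on word boundaries keeps the intent while still covering the line-break formatting this commit targets: `private static readonly Regex OrderByValidationRegex = new Regex(@"\bORDER\s+BY\b", RegexOptions.Compiled | RegexOptions.IgnoreCase);`. Either way the check is a heuristic and deserves a comment above the field, e.g. `// Heuristic only: matches ORDER BY anywhere in the text, including string literals and OVER(...) window clauses.`. Separately, the context line `var sanitizedRawSql = rawSql.Trim();` runs before the null/whitespace check, so a null `rawSql` surfaces as a NullReferenceException rather than the ArgumentException the message promises; `var sanitizedRawSql = rawSql?.Trim();` would make the check reachable. The RawSql constructor continues past the end of the second hunk.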
+++ b/RepoDb.SqlServer.PagingOperations/RepoDbExtensions.SqlServer.PagingOperations.csproj @@ -2,9 +2,9 @@ netstandard2.0;netstandard2.1;net6.0; - 1.1.5.1 - 1.1.5.1 - 1.1.5.1 + 1.1.5.2 + 1.1.5.2 + 1.1.5.2 BBernard / CajunCoding CajunCoding A set of extensions for working with modern pagination approaches such as Cursor based paging, as well as Offset based pagination, using the RepoDb ORM with Sql Server. @@ -15,9 +15,10 @@ repodb, paging, pagination, cursor, offset, skip, take, sorting, graphql, graph-ql, hotchocolate, dapper, sqlkata Release Notes: - - Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps. + - Fix Raw SQL validation logic to handle SQL that has been formatted with line breaks. Prior Release Notes: + - Eliminate Index fields from ICursorPagingParams interface so they don't pollute the parameter as a primitive to be used by consuming apps. - Initial release of independent custom extensions for RepoDb to support enhanced Cursor & Offset Paging Query Operations. - This allows non-GraphQL projects (e.g. normal REST APIs) to more easily implement modern paging (Cursor or Offset) with the RepoDb ORM and SQL Server. - These extensions have been in use in production applications using GraphQL.RepoDb.SqlServer for a long while, but are now available independently.