Details page for cql-select rule

chgeo · chgeo · commit 0111e430c416 · 2025-08-22T18:30:53.000+02:00
diff --git a/tools/cds-lint/examples/use-cql-select-template-strings/correct/srv/admin-service.js b/tools/cds-lint/examples/use-cql-select-template-strings/correct/srv/admin-service.js
@@ -0,0 +1,10 @@
+const cds = require('@sap/cds')
+module.exports = class AdminService extends cds.ApplicationService { init() {
+  const { Authors } = cds.entities('AdminService')
+
+  this.before (['CREATE', 'UPDATE'], Authors, async (req) => {
+    await SELECT`ID`.from `Authors`.where `name = ${req.data.name}` // [!code highlight]
+  })
+
+  return super.init()
+}}
diff --git a/tools/cds-lint/examples/use-cql-select-template-strings/incorrect/srv/admin-service.js b/tools/cds-lint/examples/use-cql-select-template-strings/incorrect/srv/admin-service.js
@@ -0,0 +1,10 @@
+const cds = require('@sap/cds')
+module.exports = class AdminService extends cds.ApplicationService { init() {
+  const { Authors } = cds.entities('AdminService')
+
+  this.before (['CREATE', 'UPDATE'], Authors, async (req) => {
+    await SELECT`ID`.from `Authors`.where (`name = ${req.data.name}`) // [!code error]
+  })
+
+  return super.init()
+}}
diff --git a/tools/cds-lint/rules/_menu.md b/tools/cds-lint/rules/_menu.md
@@ -17,3 +17,4 @@
 # [start-elements-lowercase](start-elements-lowercase)
 # [start-entities-uppercase](start-entities-uppercase)
 # [valid-csv-header](valid-csv-header)
+# [use-cql-select-template-strings](use-cql-select-template-strings)
diff --git a/tools/cds-lint/rules/use-cql-select-template-strings.md b/tools/cds-lint/rules/use-cql-select-template-strings.md
@@ -0,0 +1,46 @@
+---
+status: released
+---
+
+<script setup>
+  import PlaygroundBadge from '../components/PlaygroundBadge.vue'
+</script>
+
+# use-cql-select-template-strings
+
+## Rule Details
+
+Discourage use of <code>SELECT(\`...\`)</code>, which allows [SQL injection attacks](../../../node.js/cds-ql#avoiding-sql-injection), in favour of <code>SELECT \`...\`</code>.
+
+#### Version
+This rule was introduced in `@sap/eslint-plugin-cds 4.0.2`.
+
+## Examples
+
+### ✅ &nbsp; Correct example
+
+In the following example, the `where` clause is a proper tagged template literal, so that the `req.data.name` expression can be validated before the SELECT is executed:
+
+::: code-group
+<<< ../examples/use-cql-select-template-strings/correct/srv/admin-service.js#snippet{js:line-numbers} [srv/admin-service.js]
+:::
+<PlaygroundBadge
+  name="use-cql-select-template-strings"
+  kind="correct"
+  :files="['srv/admin-service.js']"
+/>
+
+### ❌ &nbsp; Incorrect example
+
+In the following example, the `where` clause is *not* a proper tagged template literal as it's enclosed by parentheses.
+In consequence,  the `req.data.name` expression *cannot* be validated but is added as is to the SELECT statement.
+This is prone to SQL injection attacks.
+
+::: code-group
+<<< ../examples/use-cql-select-template-strings/incorrect/srv/admin-service.js#snippet{js:line-numbers} [srv/admin-service.js]
+:::
+<PlaygroundBadge
+  name="use-cql-select-template-strings"
+  kind="incorrect"
+  :files="['srv/admin-service.js']"
+/>
