Added back CONCAT() to prevent sql injection

casab · casab · commit dd2fd32e3831 · 2025-01-24T17:09:33.000+03:00
diff --git a/packages/cubejs-schema-compiler/src/adapter/ClickHouseQuery.ts b/packages/cubejs-schema-compiler/src/adapter/ClickHouseQuery.ts
@@ -20,7 +20,7 @@ class ClickHouseFilter extends BaseFilter {
   public likeIgnoreCase(column, not, param, type) {
     const p = (!type || type === 'contains' || type === 'ends') ? '%' : '';
     const s = (!type || type === 'contains' || type === 'starts') ? '%' : '';
-    return `lowerUTF8(${column}) ${not ? 'NOT' : ''} LIKE lowerUTF8(${p}${this.allocateParam(param)}${s})`;
+    return `lowerUTF8(${column}) ${not ? 'NOT' : ''} LIKE CONCAT('${p}', lowerUTF8(${this.allocateParam(param)}), '${s}')`;
   }
 
   public castParameter() {

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ class ClickHouseFilter extends BaseFilter {`
`20`	`20`	`public likeIgnoreCase(column, not, param, type) {`
`21`	`21`	`const p = (!type \|\| type === 'contains' \|\| type === 'ends') ? '%' : '';`
`22`	`22`	`const s = (!type \|\| type === 'contains' \|\| type === 'starts') ? '%' : '';`
`23`		- return `lowerUTF8(${column}) ${not ? 'NOT' : ''} LIKE lowerUTF8(${p}${this.allocateParam(param)}${s})`;
	`23`	+ return `lowerUTF8(${column}) ${not ? 'NOT' : ''} LIKE CONCAT('${p}', lowerUTF8(${this.allocateParam(param)}), '${s}')`;
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`public castParameter() {`