fix(schema-compiler): Escape quotes in column names

Author: mcheshkov

packages/cubejs-schema-compiler/src/adapter/BaseQuery.js

@@ -466,12 +466,16 @@ export class BaseQuery {
   }
 
   /**
-   * Wrap specified column/table name with the double quote.
+   * Wrap specified column/table name with the double quote and escape quotes inside.
    * @param {string} name
    * @returns {string}
    */
   escapeColumnName(name) {
-    return `"${name}"`;
+    // Identifier is wrapped with double quotes
+    // https://ronsavage.github.io/SQL/sql-2003-2.bnf.html#delimited%20identifier
+    // Double quote inside is represented by double double quote
+    // https://ronsavage.github.io/SQL/sql-2003-2.bnf.html#doublequote%20symbol
+    return `"${name.replaceAll('"', '""')}"`;
   }
 
   /**

packages/cubejs-schema-compiler/src/adapter/BigqueryQuery.ts

@@ -54,7 +54,12 @@ export class BigqueryQuery extends BaseQuery {
   }
 
   public escapeColumnName(name) {
-    return `\`${name}\``;
+    // Quoted identifiers must be enclosed by `
+    // Identifiers have the same escape sequences as string literals
+    // https://cloud.google.com/bigquery/docs/reference/standard-sql/lexical#quoted_identifiers
+    // \` is escape sequence for `
+    // https://cloud.google.com/bigquery/docs/reference/standard-sql/lexical#escape_sequences
+    return `\`${name.replaceAll('`', '\\`')}\``;
   }
 
   public timeGroupedColumn(granularity, dimension) {

packages/cubejs-schema-compiler/src/adapter/ClickHouseQuery.ts

@@ -36,7 +36,13 @@ export class ClickHouseQuery extends BaseQuery {
   }
 
   public escapeColumnName(name) {
-    return `\`${name}\``;
+    // ClickHouse does not document it's exact rules regarding identifiers
+    // https://clickhouse.com/docs/en/sql-reference/syntax#identifiers
+    // But there's a bit about escaping in string
+    // https://clickhouse.com/docs/en/sql-reference/syntax#string
+    // Note that documentation does not allow to use \` sequence
+    // See https://github.com/ClickHouse/ClickHouse/issues/71310
+    return `\`${name.replaceAll('`', '\\x60')}\``;
   }
 
   public convertTz(field) {
@@ -274,7 +280,8 @@ export class ClickHouseQuery extends BaseQuery {
     templates.expressions.timestamp_literal = 'parseDateTimeBestEffort(\'{{ value }}\')';
     delete templates.expressions.like_escape;
     templates.quotes.identifiers = '`';
-    templates.quotes.escape = '\\`';
+    // See escapeColumnName comment
+    templates.quotes.escape = '\\x60';
     templates.types.boolean = 'BOOL';
     templates.types.timestamp = 'DATETIME';
     delete templates.types.time;

packages/cubejs-schema-compiler/src/adapter/CubeStoreQuery.ts

@@ -130,7 +130,7 @@ export class CubeStoreQuery extends BaseQuery {
   }
 
   public escapeColumnName(name) {
-    return `\`${name}\``;
+    return `\`${name.replaceAll('`', '``')}\``;
   }
 
   public seriesSql(timeDimension) {

packages/cubejs-schema-compiler/src/adapter/HiveQuery.ts

@@ -55,7 +55,9 @@ export class HiveQuery extends BaseQuery {
   }
 
   public escapeColumnName(name) {
-    return `\`${name}\``;
+    // Within a backtick string, use double backticks (``) to represent a backtick character
+    // https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=27362043#LanguageManualSelect-SelectSyntax
+    return `\`${name.replaceAll('`', '``')}\``;
   }
 
   public simpleQuery() {
@@ -71,7 +73,7 @@ export class HiveQuery extends BaseQuery {
         ungroupedAliases: R.fromPairs(this.forSelect().map((m: any) => [m.measure || m.dimension, m.aliasName()]))
       }
     );
-    return `SELECT ${select} FROM (${ungrouped}) AS ${this.escapeColumnName('hive_wrapper')} 
+    return `SELECT ${select} FROM (${ungrouped}) AS ${this.escapeColumnName('hive_wrapper')}
     ${this.groupByClause()}${this.baseHaving(this.measureFilters)}${this.orderBy()}${this.groupByDimensionLimit()}`;
   }
 

packages/cubejs-schema-compiler/src/adapter/MysqlQuery.ts

@@ -124,7 +124,9 @@ export class MysqlQuery extends BaseQuery {
   }
 
   public escapeColumnName(name) {
-    return `\`${name}\``;
+    // If the character to be included within the identifier is the same as that used to quote the identifier itself, then you need to double the character
+    // https://dev.mysql.com/doc/refman/8.0/en/identifiers.html
+    return `\`${name.replaceAll('`', '``')}\``;
   }
 
   public seriesSql(timeDimension) {

packages/cubejs-schema-compiler/test/unit/base-query.test.ts

@@ -2240,6 +2240,16 @@ describe('Class unit tests', () => {
     expect(baseQuery.cubeAlias('CamelCaseCube.id')).toEqual('"camel_case_cube__id"');
     expect(baseQuery.cubeAlias('CamelCaseCube.description')).toEqual('"camel_case_cube__description"');
     expect(baseQuery.cubeAlias('CamelCaseCube.grant_total')).toEqual('"camel_case_cube__grant_total"');
+
+    // aliasName + memberToAlias
+    const memberAliasQuery = new BaseQuery(set, {
+      memberToAlias: {
+        'CamelCaseCube.id': 'alias("id")'
+      }
+    });
+    expect(memberAliasQuery.aliasName('CamelCaseCube.id', false)).toEqual('alias("id")');
+    // Should escape quotes
+    expect(memberAliasQuery.newDimension('CamelCaseCube.id').aliasName()).toEqual('"alias(""id"")"');
   });
 
   it('Test BaseQuery with aliased cube', async () => {
@@ -2289,6 +2299,17 @@ describe('Class unit tests', () => {
     expect(baseQuery.cubeAlias('CamelCaseCube.id')).toEqual('"t1__id"');
     expect(baseQuery.cubeAlias('CamelCaseCube.description')).toEqual('"t1__description"');
     expect(baseQuery.cubeAlias('CamelCaseCube.grant_total')).toEqual('"t1__grant_total"');
+
+    // aliasName + memberToAlias
+    // Should ignore cube alias
+    const memberAliasQuery = new BaseQuery(set, {
+      memberToAlias: {
+        'CamelCaseCube.id': 'alias("id")'
+      }
+    });
+    expect(memberAliasQuery.aliasName('CamelCaseCube.id', false)).toEqual('alias("id")');
+    // Should escape quotes
+    expect(memberAliasQuery.newDimension('CamelCaseCube.id').aliasName()).toEqual('"alias(""id"")"');
   });
 
   it('Test BaseQuery columns order for the query with the sub-query', async () => {