Add unit tests for sql sanitization

stevensJourney · stevensJourney · commit 1a193ba89460 · 2025-08-25T09:52:56.000+02:00
diff --git a/packages/common/src/client/triggers/sanitizeSQL.ts b/packages/common/src/client/triggers/sanitizeSQL.ts
@@ -49,9 +49,9 @@ export function sanitizeSQL(strings: TemplateStringsArray, ...values: any[]): st
     if (i < values.length) {
       // For SQL, escape single quotes in string values
       const value = values[i];
-      if (typeof value === 'string') {
+      if (typeof value == 'string') {
         result += sanitizeString(value);
-      } else if (value === null || value === undefined) {
+      } else if (value == null) {
         result += 'NULL';
       } else if (typeof value == 'object') {
         // Stringify the object and escape single quotes in the result
diff --git a/packages/common/tests/sql.test.ts b/packages/common/tests/sql.test.ts
@@ -0,0 +1,41 @@
+import { describe, expect, it } from 'vitest';
+import { sanitizeSQL } from '../src/client/triggers/sanitizeSQL.js';
+describe('SQL', () => {
+  describe('sanitization', () => {
+    it('should sanitize quoted strings', () => {
+      expect(sanitizeSQL`New.id = ${"O'Reilly"}`).toBe("New.id = 'O''Reilly'");
+    });
+
+    it('should handle null and undefined', () => {
+      expect(sanitizeSQL`val = ${null}`).toBe('val = NULL');
+      expect(sanitizeSQL`val = ${undefined}`).toBe('val = NULL');
+    });
+
+    it('should handle numbers', () => {
+      expect(sanitizeSQL`age = ${42}`).toBe('age = 42');
+      expect(sanitizeSQL`price = ${3.14}`).toBe('price = 3.14');
+    });
+
+    it('should handle objects', () => {
+      expect(sanitizeSQL`data = ${{ foo: 'bar' }}`).toBe(`data = '{"foo":"bar"}'`);
+    });
+
+    it('should escape single quotes in stringified objects', () => {
+      const obj = { foo: "O'Reilly" };
+      const clause = sanitizeSQL`data = ${obj}`;
+      expect(clause).toBe(`data = '{"foo":"O''Reilly"}'`);
+    });
+
+    it('should interpolate multiple values', () => {
+      const name = 'Alice';
+      const age = 30;
+      const clause = sanitizeSQL`name = ${name} AND age = ${age}`;
+      expect(clause).toBe("name = 'Alice' AND age = 30");
+    });
+
+    it('should stringify arrays', () => {
+      expect(sanitizeSQL`arr = ${[1, 2, 3]}`).toBe(`arr = '[1,2,3]'`);
+      expect(sanitizeSQL`arr = ${['a', "O'Reilly", null]}`).toBe(`arr = '["a","O''Reilly",null]'`);
+    });
+  });
+});
diff --git a/packages/node/tests/trigger.test.ts b/packages/node/tests/trigger.test.ts
@@ -24,7 +24,11 @@ describe('Triggers', () => {
       source: 'todos',
       destination: tempTable,
       columns: filteredColumns,
-      operations: [DiffTriggerOperation.INSERT, DiffTriggerOperation.UPDATE, DiffTriggerOperation.DELETE]
+      when: {
+        [DiffTriggerOperation.INSERT]: 'TRUE',
+        [DiffTriggerOperation.UPDATE]: 'TRUE',
+        [DiffTriggerOperation.DELETE]: 'TRUE'
+      }
     });
 
     const results = [] as TriggerDiffRecord[];
@@ -116,7 +120,6 @@ describe('Triggers', () => {
       when: {
         [DiffTriggerOperation.INSERT]: sanitizeSQL`json_extract(NEW.data, '$.list_id') = ${sanitizeUUID(firstList.id)}`
       },
-      operations: [DiffTriggerOperation.INSERT],
       onChange: async (context) => {
         // Fetches the current state of  todo records that were inserted during this diff window.
         const newTodos = await context.withDiff<Database['todos']>(/* sql */ `
@@ -193,8 +196,10 @@ describe('Triggers', () => {
      */
     await database.triggers.trackTableDiff({
       source: 'lists',
-      when: { [DiffTriggerOperation.UPDATE]: sanitizeSQL`NEW.id = ${sanitizeUUID(list.id)}` },
-      operations: [DiffTriggerOperation.UPDATE, DiffTriggerOperation.DELETE],
+      when: {
+        [DiffTriggerOperation.UPDATE]: sanitizeSQL`NEW.id = ${sanitizeUUID(list.id)}`,
+        [DiffTriggerOperation.DELETE]: 'TRUE'
+      },
       onChange: async (context) => {
         // Fetches the todo records that were inserted during this diff
         const diffs = await context.withExtractedDiff<ExtractedTriggerDiffRecord<Database['lists']>>(/* sql */ `
@@ -305,7 +310,6 @@ describe('Triggers', () => {
       when: {
         [DiffTriggerOperation.INSERT]: sanitizeSQL`json_extract(NEW.data, '$.list_id') = ${sanitizeUUID(firstList.id)}`
       },
-      operations: [DiffTriggerOperation.INSERT],
       onChange: async (context) => {
         // Fetches the todo records that were inserted during this diff
         const newTodos = await context.withDiff<Database['todos']>(/* sql */ `
@@ -395,7 +399,6 @@ describe('Triggers', () => {
       when: {
         [DiffTriggerOperation.INSERT]: sanitizeSQL`json_extract(NEW.data, '$.list_id') = ${sanitizeUUID(firstList.id)}`
       },
-      operations: [DiffTriggerOperation.INSERT],
       onChange: async (context) => {
         // Fetches the content of the records at the time of the operation
         const extractedDiff = await context.withExtractedDiff<{ content: string; operation: DiffTriggerOperation }>(
@@ -456,7 +459,11 @@ describe('Triggers', () => {
 
     await database.triggers.trackTableDiff({
       source: 'todos',
-      operations: [DiffTriggerOperation.INSERT, DiffTriggerOperation.UPDATE, DiffTriggerOperation.DELETE],
+      when: {
+        [DiffTriggerOperation.INSERT]: 'TRUE',
+        [DiffTriggerOperation.UPDATE]: 'TRUE',
+        [DiffTriggerOperation.DELETE]: 'TRUE'
+      },
       // Only track the row ids
       columns: [],
       onChange: async (context) => {
@@ -535,7 +542,11 @@ describe('Triggers', () => {
 
     await database.triggers.trackTableDiff({
       source: 'todos',
-      operations: [DiffTriggerOperation.INSERT, DiffTriggerOperation.UPDATE, DiffTriggerOperation.DELETE],
+      when: {
+        [DiffTriggerOperation.INSERT]: 'TRUE',
+        [DiffTriggerOperation.UPDATE]: 'TRUE',
+        [DiffTriggerOperation.DELETE]: 'TRUE'
+      },
       columns: ['columnA'],
       onChange: async (context) => {
         // Fetches the content of the records at the time of the operation
