Skip to content

Rewrite escape/unescape for SQL#1245

Draft
ukrbublik wants to merge 5 commits intomasterfrom
alert-autofix-10
Draft

Rewrite escape/unescape for SQL#1245
ukrbublik wants to merge 5 commits intomasterfrom
alert-autofix-10

Conversation

@ukrbublik
Copy link
Owner

@ukrbublik ukrbublik commented Apr 25, 2025

Potential fix for https://github.com/ukrbublik/react-awesome-query-builder/security/code-scanning/10

To fix the issue, we need to ensure that backslashes are properly escaped in the default branch of the escapeLike function. This can be achieved by modifying the regular expression in the res.replace call on line 40 to include backslashes (\\) as part of the characters to escape. The replacement string should also escape backslashes correctly.

The updated regular expression will be /[%_\\]/g, and the replacement string will be "\\\\$&". This ensures that all occurrences of %, _, and \ are escaped consistently.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@codesandbox
Copy link

codesandbox bot commented Apr 25, 2025

Review or Edit in CodeSandbox

Open the branch in Web EditorVS CodeInsiders

Open Preview

@vercel
Copy link

vercel bot commented Apr 25, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
react-awesome-query-builder-examples ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 23, 2025 0:12am
react-awesome-query-builder-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 23, 2025 0:12am
react-awesome-query-builder-sandbox-next ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 23, 2025 0:12am

@codesandbox-ci
Copy link

codesandbox-ci bot commented Apr 25, 2025
edited
Loading

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit df97ffd:

Sandbox Source
@react-awesome-query-builder/examples Configuration
@react-awesome-query-builder/sandbox Configuration
@react-awesome-query-builder/sandbox-simple Configuration
@react-awesome-query-builder/sandbox-next Configuration

@ukrbublik
Copy link
Owner Author

ukrbublik commented Apr 26, 2025

https://github.com/brianc/node-postgres/blob/684cd09bcecbf5ad5f451fdf608a3e9a9444524e/packages/pg/lib/client.js#L448-L463

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 29, 2025
View reviewed changes
packages/core/modules/utils/export.js
// escape \ -> \\\\
res = res.replace(/(\\\\)/g, "\\\\$&");
// escape % and _ with \
res = res.replace(/[%_]/g, "\\$&");

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.
@codecov
Copy link

codecov bot commented Apr 29, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 57.54717% with 90 lines in your changes missing coverage. Please review.
✅ Project coverage is 8.05%. Comparing base (2fc26f3) to head (df97ffd).
⚠️ Report is 4 commits behind head on master.

Files with missing lines Patch % Lines
packages/core/modules/utils/export.js 68.15% 57 Missing ⚠️
packages/sql/modules/import/ast.ts 0.00% 13 Missing ⚠️
packages/core/modules/config/index.js 0.00% 11 Missing ⚠️
packages/sql/modules/import/convert.ts 0.00% 8 Missing ⚠️
packages/sql/modules/import/index.ts 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #1245       +/-   ##
==========================================
- Coverage   79.62%   8.05%   -71.58%     
==========================================
  Files         246     246               
  Lines       13145   13312      +167     
  Branches     1743    1749        +6     
==========================================
- Hits        10467    1072     -9395     
- Misses       1800   12230    +10430     
+ Partials      878      10      -868

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ukrbublik ukrbublik changed the title Potential fix for code scanning alert no. 10: Incomplete string escaping or encoding Rewrite escape/unescape for SQL May 7, 2025
@ukrbublik ukrbublik force-pushed the alert-autofix-10 branch from 1ae4589 to f3082b7 Compare May 9, 2025 14:34
@vercel
Copy link

vercel bot commented Jul 19, 2025

Deployment failed with the following error:

Resource is limited - try again in 2 hours (more than 100, code: "api-deployments-free-per-day").

ukrbublik and others added 5 commits July 19, 2025 13:42
@ukrbublik @github-advanced-security
Potential fix for code scanning alert no. 10: Incomplete string escap…
9f68953 
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ukrbublik
!tmp
84be74a
@ukrbublik
Revert "!!!tmp"
b5d7c5d 
This reverts commit 566572b.
@ukrbublik
wip
cfcd1ee 
.

pg done

like for pg

better LIKE E'' (pg)

.

.

.

.
@ukrbublik
!!!tmp
df97ffd
@vercel
Copy link

vercel bot commented Jul 19, 2025

Deployment failed with the following error:

Resource is limited - try again in 60 minutes (more than 100, code: "api-deployments-free-per-day").

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ukrbublik