Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/frontend/utilities/sql_tools.tests.ts
Scott Gress 02c5026436
Allow ESCAPE in LIKE clauses to be valid SQL (#31222) 
for #30109

# Details

This PR fixes an issue in our current SQL parsing library that was
causing queries like this to be marked invalid:

```
SELECT * FROM table_name WHERE column_name LIKE '\_%' ESCAPE '\'
```

This is valid in SQLite because the `\` is not considered an escape
character by default. From [the SQLite
docs](https://www.sqlite.org/lang_expr.html) (see section 3 "Literal
Values (Constants)"; emphasis mine):

> A string constant is formed by enclosing the string in single quotes
('). A single quote within the string can be encoded by putting two
single quotes in a row - as in Pascal. C-style escapes using the
backslash character are not supported because they are not standard SQL.

# Use of forked code

Part of the fix for this was [submitted as a PR to the node-sql-parser
library](https://github.com/taozhi8833998/node-sql-parser/pull/2496) we
now use, and merged. I then found that another fix was needed, which I
submitted as [a separate
PR](https://github.com/taozhi8833998/node-sql-parser/pull/2512). As
these fixes have yet to be made part of an official release of the
library, I made a fork off of the release we were using (5.3.10) and
bundled the necessary build artifacts with Fleet. We have an [ADR
proposing the use of submodules for this
purpose](https://github.com/fleetdm/fleet/pull/31079); I'm happy to
implement that instead if we approve that, although for a front-end
module with a build step it's a bit more complicated. Hopefully this
code will be released in `node-sql-parser` soon and we can revert back
to using the dependency.

Here is the [full set of
changes](https://github.com/taozhi8833998/node-sql-parser/compare/master...sgress454:node-sql-parser:5.3.10-plus).

# Checklist for submitter

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
2025-07-25 10:13:55 -05:00

72 lines
2.6 KiB
TypeScript
Raw Blame History

import { checkTable } from "./sql_tools";
describe("checkTable", () => {
// from https://github.com/fleetdm/fleet/issues/26366
// and https://github.com/fleetdm/fleet/issues/30109
const SQL = `
WITH extension_safety_hub_menu_notifications AS (
SELECT
parse_json.key,
parse_json.fullkey,
parse_json.path,
parse_json.value
FROM (
SELECT file.filename, file.path, file.btime FROM file WHERE path LIKE "/Users/%/Library/Application Support/Google/Chrome/%/Preferences" ORDER BY file.btime DESC limit 20
) as chrome_preferences
JOIN parse_json ON chrome_preferences.path = parse_json.path
WHERE parse_json.path LIKE "/Users/%/Library/Application Support/Google/Chrome/%/Preferences" AND (
fullkey IN ("profile/name", "profile/safety_hub_menu_notifications/extensions/isCurrentlyActive", "profile/safety_hub_menu_notifications/extensions/result/timestamp")
OR fullkey Like "profile/safety_hub_menu_notifications/extensions/result/triggeringExtensions%"
)
),
extension_details AS (
SELECT path,
CASE WHEN key = 'name' THEN value END AS profile_name,
CASE WHEN key = 'isCurrentlyActive' THEN value END AS notification_active,
CASE WHEN key GLOB '*[0-9]' THEN value END AS triggering_extension,
CASE WHEN key = 'timestamp' THEN value END AS timestamp
FROM extension_safety_hub_menu_notifications
GROUP BY path, profile_name, notification_active, triggering_extension, timestamp
),
problematic_extensions AS (
SELECT
path,
MAX(profile_name) OVER (PARTITION by path) AS profile_name,
MAX(notification_active) AS notification_active,
MAX(timestamp) AS timestamp,
triggering_extension
FROM extension_details
)
SELECT path,
profile_name,
notification_active,
timestamp,
triggering_extension
FROM problematic_extensions
WHERE triggering_extension IS NOT NULL AND username NOT LIKE '\\_%' ESCAPE '\\';
`;
it("should return only real tables by default", () => {
const { tables, error } = checkTable(SQL);
expect(error).toBeNull();
expect(tables).toEqual(["file", "parse_json"]);
});
it("should return all tables if 'includeVirtualTables' is set", () => {
const { tables, error } = checkTable(SQL, true);
expect(error).toBeNull();
// Note that json_each is _not_ returned here, as it is a function table.
expect(tables).toEqual([
"file",
"parse_json",
"chrome_preferences",
"extension_safety_hub_menu_notifications",
"extension_details",
"problematic_extensions",
]);
});
it("should return an error if SQL is in valid", () => {
const result = checkTable("SELECTx * FROM users");
expect(result.error).not.toBeNull();
});
});
Reference in a new issue View git blame Copy permalink