
v0.12.0 — Enterprise Audit: Security, API Pre-freeze, Zero Panics


@kolkov kolkov released this 03 Jul 16:39
50e4c34

Enterprise-level audit of the entire codebase: 32 findings from 4 independent audits, all resolved. 7 PRs merged (#23-#29).

Breaking Changes

  • var → func — All 32 exported expression builders and error helpers are now proper functions. Improves godoc and prevents reassignment. ErrNotFound remains a var.
  • Distinct(bool) → Distinct() — No parameter; always enables DISTINCT.
  • GenerateParamName() → GenerateParamName(index int) — Now dialect-aware.
  • QueryParams() deprecated — Use Params() instead.

Security

  • All column names in INSERT/UPDATE/UPSERT SQL now properly quoted via QuoteIdentifier()
  • Model API PK columns use Eq() expression instead of raw string interpolation
  • Null-byte defense added to QuoteIdentifier() in all 3 dialects
  • Functional expressions (CASE, COALESCE, etc.) now handle table-aliased columns

Zero Panics

17 panic paths converted to stored buildErr errors. Affected: Where(), OrWhere(), Having(), FromSelect(), With(), WithRecursive(), JOIN ON, BatchInsert, LikeExp.EscapeChars(). Model(nil) returns clean error. pgx driver registered.
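The Security and Zero Panics items above describe two related design points: identifiers (table, schema and column names) are always passed through a dialect-aware QuoteIdentifier() that refuses null bytes, and builder methods store the first failure in a buildErr instead of panicking, surfacing it from ToSQL(). The following is an added, self-contained illustration of both ideas, written for this page; it is not the project's code, and the Dialect type, the QuoteIdentifier signature, NewQuery/From/WhereEq/ToSQL and the buildErr field are assumed names chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Dialect selects the identifier-quoting style. Every name in this file is an
// assumption made for the example, not the project's own API.
type Dialect int

const (
	PostgreSQL Dialect = iota
	MySQL
	SQLite
)

var ErrNullByte = errors.New("identifier contains a null byte")

// QuoteIdentifier quotes one bare identifier for the dialect: the quote
// character is doubled inside the name, and a null byte is rejected because a
// driver handing the name to C code would truncate at the NUL and send a
// different identifier than the one that was checked.
func QuoteIdentifier(d Dialect, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty identifier")
	}
	if strings.IndexByte(name, 0) >= 0 {
		return "", ErrNullByte
	}
	q := `"` // PostgreSQL and SQLite
	if d == MySQL {
		q = "`"
	}
	return q + strings.ReplaceAll(name, q, q+q) + q, nil
}

// Query is a minimal SELECT builder. Builder methods never panic: the first
// failure is stored in buildErr and ToSQL returns it.
type Query struct {
	dialect  Dialect
	table    string
	where    []string
	params   []any
	buildErr error
}

func NewQuery(d Dialect) *Query { return &Query{dialect: d} }

func (q *Query) fail(err error) *Query {
	if q.buildErr == nil { // keep the first error, it is the root cause
		q.buildErr = err
	}
	return q
}

// From accepts "table" or "schema.table" and quotes each dotted part, so a
// reserved word such as "order" or "user" is safe in either position.
func (q *Query) From(ref string) *Query {
	parts := strings.Split(ref, ".")
	for i, p := range parts {
		qp, err := QuoteIdentifier(q.dialect, p)
		if err != nil {
			return q.fail(fmt.Errorf("From(%q): %w", ref, err))
		}
		parts[i] = qp
	}
	q.table = strings.Join(parts, ".")
	return q
}

// WhereEq appends `"col" = <placeholder>`; the value travels only as a bound
// parameter and is never interpolated into the SQL text.
func (q *Query) WhereEq(col string, value any) *Query {
	qc, err := QuoteIdentifier(q.dialect, col)
	if err != nil {
		return q.fail(fmt.Errorf("WhereEq(%q): %w", col, err))
	}
	q.params = append(q.params, value)
	ph := "?"
	if q.dialect == PostgreSQL {
		ph = fmt.Sprintf("$%d", len(q.params)) // $1, $2, ... counted after the append
	}
	q.where = append(q.where, qc+" = "+ph)
	return q
}

// ToSQL is the single place where a stored build error surfaces to the caller.
func (q *Query) ToSQL() (string, []any, error) {
	if q.buildErr != nil {
		return "", nil, q.buildErr
	}
	if q.table == "" {
		return "", nil, errors.New("ToSQL: call From() first")
	}
	sql := "SELECT * FROM " + q.table
	if len(q.where) > 0 {
		sql += " WHERE " + strings.Join(q.where, " AND ")
	}
	return sql, q.params, nil
}
```

With these assumptions, `NewQuery(PostgreSQL).From("public.order").WhereEq("group", 7).ToSQL()` yields `SELECT * FROM "public"."order" WHERE "group" = $1` with params `[7]`, while a column name containing a null byte leaves the chain intact and is reported only when ToSQL() is called, which is what lets callers keep a fluent API and still check a single error value.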

New Features

  • Tx symmetry: BatchInsert(), BatchUpdate(), Upsert(), NewQuery() on transactions
  • ToSQL() on all 6 query types (was 3)
  • ModelQuery.WithContext(ctx) — per-operation context
  • Query.Params() — canonical parameter accessor

Correctness Fixes

  • HAVING placeholder renumber for multi-arg clauses on PostgreSQL
  • QuoteTableName/QuoteColumnName now use the dialect's quote character (was hardcoded to ")
  • Validator applied to builder queries (was raw SQL only)
  • Empty Insert()/Update() returns error instead of broken SQL
  • Missing named params {:name} detected and reported
  • Schema-qualified tables: From("public.users u") → "public"."users" AS "u"
  • SQL operator spacing: "col" = ? instead of "col"=?

Testing

  • 1576 lines of new integration tests with reserved word columns (order, select, group, user, table, where, index)
  • All 3 databases tested in CI: PostgreSQL 15, MySQL 8, SQLite
  • 50+ subtests covering security, table aliases, Model API, ToSQL consistency, Tx symmetry, schema-qualified tables

Full Changelog: v0.11.1...v0.12.0