feat(client): throw when executeRaw is used with Alter and parameters (…
1 parent
337b901
commit 650cfcc
Showing
3 changed files
with
111 additions
and
2 deletions.
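--- a/src/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/schema.prisma
+++ b/src/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/schema.prisma
@@ -0,0 +1,13 @@
+datasource db {
+provider = "postgresql"
+url = env("TEST_POSTGRES_URI")
+}
+
+generator client {
+provider = "prisma-client-js"
+previewFeatures = ["nativeTypes"]
+}
+
+model A {
+id String @id @default(uuid())
+}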
69 changes: 69 additions & 0 deletions
69
src/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
import { getTestClient } from '../../../../utils/getTestClient' | ||
import sql from 'sql-template-tag' | ||
|
||
let prisma | ||
|
||
beforeAll(async () => { | ||
const PrismaClient = await getTestClient() | ||
prisma = new PrismaClient() | ||
}) | ||
|
||
afterAll(() => { | ||
prisma.$disconnect() | ||
}) | ||
|
||
test('executeRaw-alter-postgres', async () => { | ||
const password = 'prisma' | ||
// Should Throw | ||
try { | ||
await prisma.$executeRaw`ALTER USER prisma WITH PASSWORD '${password}'` | ||
} catch (err) { | ||
//isReadonlyArray | ||
expect(err).toMatchInlineSnapshot(` | ||
Running ALTER using prisma.$executeRaw\`<SQL>\` is not supported | ||
Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injection attacks and requires you to take care of input sanitization. | ||
Example: | ||
await prisma.$executeRaw(\`ALTER USER prisma WITH PASSWORD '\${password}'\`) | ||
More Information: https://pris.ly/d/execute-raw | ||
`) | ||
} | ||
try { | ||
await prisma.$executeRaw(`ALTER USER prisma WITH PASSWORD $1`, password) | ||
} catch (err) { | ||
// String | ||
expect(err).toMatchInlineSnapshot(` | ||
Running ALTER using prisma.$executeRaw(<SQL>, [...values]) is not supported | ||
Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injection attacks and requires you to take care of input sanitization. | ||
Example: | ||
await prisma.$executeRaw(\`ALTER USER prisma WITH PASSWORD '\${password}'\`) | ||
More Information: https://pris.ly/d/execute-raw | ||
`) | ||
} | ||
try { | ||
await prisma.$executeRaw(sql`ALTER USER prisma WITH PASSWORD '${password}'`) | ||
} catch (err) { | ||
// Else | ||
expect(err).toMatchInlineSnapshot(` | ||
Running ALTER using prisma.$executeRaw(sql\`<SQL>\`) is not supported | ||
Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injection attacks and requires you to take care of input sanitization. | ||
Example: | ||
await prisma.$executeRaw(\`ALTER USER prisma WITH PASSWORD '\${password}'\`) | ||
More Information: https://pris.ly/d/execute-raw | ||
`) | ||
} | ||
|
||
// Should Work | ||
const result = await prisma.$executeRaw( | ||
`ALTER USER prisma WITH PASSWORD '${password}'`, | ||
) | ||
expect(result).toMatchInlineSnapshot(`0`) | ||
}) |
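Review bot: The three "Should Throw" cases in `test('executeRaw-alter-postgres', …)` assert only inside their `catch` blocks, so if `$executeRaw` ever stops rejecting ALTER with parameters the snapshots are simply skipped and the test still passes, leaving the new guard unprotected against regression. Add `expect.assertions(4)` as the first statement of the test (three error snapshots plus the final `expect(result)`), or express each case as `await expect(…).rejects.toThrowErrorMatchingInlineSnapshot()`. Separately, `afterAll` discards the promise returned by `prisma.$disconnect()`; `afterAll(async () => { await prisma.$disconnect() })` lets Jest wait for the connection to close. The "Should Work" call appears to run a real `ALTER USER` against whatever database `TEST_POSTGRES_URI` points at and exercises the interpolated form that the error text itself flags as injection-prone, so a comment such as `// fixed test literal only: never interpolate caller-supplied values into this form` would keep the test from being copied as a usage pattern.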