fix: Only first single quote in comments is escaped (#7514)

typeorm · Mar 29, 2021 · e1e9423 · e1e9423
1 parent eff43c1
commit e1e9423
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 4 deletions.
diff --git a/src/driver/aurora-data-api/AuroraDataApiQueryRunner.ts b/src/driver/aurora-data-api/AuroraDataApiQueryRunner.ts
@@ -1608,6 +1608,22 @@ export class AuroraDataApiQueryRunner extends BaseQueryRunner implements QueryRu
         };
     }
 
+    /**
+     * Escapes a given comment so it's safe to include in a query.
+     */
+    protected escapeComment(comment?: string) {
+        if (!comment || comment.length === 0) {
+            return `''`;
+        }
+
+        comment = comment
+            .replace("\\", "\\\\") // MySQL allows escaping characters via backslashes
+            .replace(/'/g, "''")
+            .replace("\0", ""); // Null bytes aren't allowed in comments
+
+        return `'${comment}'`;
+    }
+
     /**
      * Escapes given table or view path.
      */
@@ -1650,7 +1666,7 @@ export class AuroraDataApiQueryRunner extends BaseQueryRunner implements QueryRu
         if (column.isGenerated && column.generationStrategy === "increment") // don't use skipPrimary here since updates can update already exist primary without auto inc.
             c += " AUTO_INCREMENT";
         if (column.comment)
-            c += ` COMMENT '${column.comment}'`;
+            c += ` COMMENT ${this.escapeComment(column.comment)}`;
         if (column.default !== undefined && column.default !== null)
             c += ` DEFAULT ${column.default}`;
         if (column.onUpdate)

diff --git a/src/driver/cockroachdb/CockroachQueryRunner.ts b/src/driver/cockroachdb/CockroachQueryRunner.ts
@@ -1892,7 +1892,7 @@ export class CockroachQueryRunner extends BaseQueryRunner implements QueryRunner
         }
 
         comment = comment
-            .replace("'", "''")
+            .replace(/'/g, "''")
             .replace("\0", ""); // Null bytes aren't allowed in comments
 
         return `'${comment}'`;

diff --git a/src/driver/mysql/MysqlQueryRunner.ts b/src/driver/mysql/MysqlQueryRunner.ts
@@ -1818,7 +1818,7 @@ export class MysqlQueryRunner extends BaseQueryRunner implements QueryRunner {
 
         comment = comment
             .replace("\\", "\\\\") // MySQL allows escaping characters via backslashes
-            .replace("'", "''")
+            .replace(/'/g, "''")
             .replace("\0", ""); // Null bytes aren't allowed in comments
 
         return `'${comment}'`;

diff --git a/src/driver/postgres/PostgresQueryRunner.ts b/src/driver/postgres/PostgresQueryRunner.ts
@@ -2173,7 +2173,7 @@ export class PostgresQueryRunner extends BaseQueryRunner implements QueryRunner
         }
 
         comment = comment
-            .replace("'", "''")
+            .replace(/'/g, "''")
             .replace("\0", ""); // Null bytes aren't allowed in comments
 
         return `'${comment}'`;

diff --git a/test/github-issues/7479/entity/Post.ts b/test/github-issues/7479/entity/Post.ts
@@ -0,0 +1,26 @@
+import {Column, Entity, PrimaryGeneratedColumn} from "../../../../src";
+
+@Entity()
+export class Post {
+
+    @PrimaryGeneratedColumn()
+    id: number;
+
+    @Column("text", {
+        nullable: false,
+        comment: `E.g. 'foo', 'bar', or 'baz' etc.`
+    })
+    text: string;
+
+    @Column("text", {
+        nullable: false,
+        comment: `E.g. '''foo, 'bar''', or baz' etc.`
+    })
+    text2: string;
+
+    @Column("text", {
+        nullable: false,
+        comment: `E.g. "foo", "bar", or "baz" etc.`
+    })
+    text3: string;
+}
diff --git a/test/github-issues/7479/issue-7479.ts b/test/github-issues/7479/issue-7479.ts
@@ -0,0 +1,30 @@
+import "reflect-metadata";
+import {Connection} from "../../../src";
+import {createTestingConnections, closeTestingConnections} from "../../utils/test-utils";
+import {Post} from "./entity/Post";
+
+describe("github issues > #7479 Only first single quote in comments is escaped", () => {
+    let connections: Connection[];
+    before(async () => connections = await createTestingConnections({
+        enabledDrivers: ["postgres", "cockroachdb", "mysql"],
+        schemaCreate: true,
+        dropSchema: true,
+        entities: [Post],
+    }));
+    after(() => closeTestingConnections(connections));
+
+    it("should properly escape quotes in comments", () => Promise.all(connections.map(async connection => {
+        const queryRunner = connection.createQueryRunner();
+
+        let table = await queryRunner.getTable("post");
+        const column1 = table!.findColumnByName("text")!;
+        const column2 = table!.findColumnByName("text2")!;
+        const column3 = table!.findColumnByName("text3")!;
+
+        column1.comment!.should.be.equal(`E.g. 'foo', 'bar', or 'baz' etc.`)
+        column2.comment!.should.be.equal(`E.g. '''foo, 'bar''', or baz' etc.`)
+        column3.comment!.should.be.equal(`E.g. "foo", "bar", or "baz" etc.`)
+
+        await queryRunner.release()
+    })));
+});