From f6a00fa55b38646b2e88fa2aa4dc2770ee3d507b Mon Sep 17 00:00:00 2001
From: Swastik Baranwal
Date: Wed, 27 Mar 2024 19:05:11 +0530
Subject: [PATCH] parser: disallow invalid infix for where clause in `delete` and `update` (#21113)
---
 vlib/v/parser/orm.v | 12 +++++++++
 .../orm_delete_where_invalid_inifx_err.out | 7 ++++++
 .../orm_delete_where_invalid_inifx_err.vv | 25 +++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.out
 create mode 100644 vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv
diff --git a/vlib/v/parser/orm.v b/vlib/v/parser/orm.v
index ded79dad21ce54..105d835d05e852 100644
--- a/vlib/v/parser/orm.v
+++ b/vlib/v/parser/orm.v
@@ -295,11 +295,23 @@ fn (mut p Parser) parse_sql_stmt_line() ast.SqlStmtLine {
 } else if kind == .update {
 p.check_sql_keyword('where') or { return ast.SqlStmtLine{} }
 where_expr = p.expr(0)
+
+ where_expr_result := p.check_sql_where_expr_has_no_undefined_variables(&where_expr,
+ [])
+ if where_expr_result is ast.NodeError {
+ return ast.SqlStmtLine{}
+ }
 } else if kind == .delete {
 table_pos = p.tok.pos()
 table_type = p.parse_type()
 p.check_sql_keyword('where') or { return ast.SqlStmtLine{} }
 where_expr = p.expr(0)
+
+ where_expr_result := p.check_sql_where_expr_has_no_undefined_variables(&where_expr,
+ [])
+ if where_expr_result is ast.NodeError {
+ return ast.SqlStmtLine{}
+ }
 }
 return ast.SqlStmtLine{
 table_expr: ast.TypeNode{
diff --git a/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.out b/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.out
new file mode 100644
index 00000000000000..0e68f34444bd0f
--- /dev/null
+++ b/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.out
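Review bot: The six added lines in the `.update` branch are repeated verbatim in the `.delete` branch, so the two where-clause checks can drift apart on a later edit; moving them into one private parser method called from both branches keeps them identical. The bare `[]` second argument is opaque at the call site, and the helper is a natural place to say what it means and why the check matters for these two statements: judging by the new test, a clause such as `client_id == client_id` would otherwise not be rejected, and a where clause that does not filter as intended is most damaging on `delete` and `update`. The comment on `[]` below is an assumption, because the definition of `check_sql_where_expr_has_no_undefined_variables` is outside this hunk, as are the start and end of `parse_sql_stmt_line`.

```v
// sql_where_expr_is_valid reports whether the where clause of an `update` or
// `delete` statement refers only to defined variables. A clause that slips
// through unchecked may not filter rows the way the author intended.
fn (mut p Parser) sql_where_expr_is_valid(where_expr &ast.Expr) bool {
	// NOTE(review): `[]` presumably means "no extra names to reject" - confirm against the callee
	result := p.check_sql_where_expr_has_no_undefined_variables(where_expr, [])
	return result !is ast.NodeError
}

// … unchanged: `.update` branch up to `where_expr = p.expr(0)` …
		if !p.sql_where_expr_is_valid(&where_expr) {
			return ast.SqlStmtLine{}
		}
// … unchanged: `.delete` branch up to `where_expr = p.expr(0)` …
		if !p.sql_where_expr_is_valid(&where_expr) {
			return ast.SqlStmtLine{}
		}
```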
@@ -0,0 +1,7 @@
+vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv:23:49: error: undefined variable: `client_id`
+ 21 | }!
+ 22 | sql db {
+ 23 | delete from ParameterTable where client_id == client_id && name == name
+ | ~~~~~~~~~
+ 24 | } or { panic(err) }
+ 25 | }
diff --git a/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv b/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv
new file mode 100644
index 00000000000000..e5df20d0627a41
--- /dev/null
+++ b/vlib/v/parser/tests/orm_delete_where_invalid_inifx_err.vv
@@ -0,0 +1,25 @@
+import db.sqlite
+import rand
+import time
+
+@[table: 'parameter_tables']
+struct ParameterTable {
+ id string = rand.ulid() @[primary]
+ name string @[unique: 'client_table']
+ description string
+ table_type string = 'parameter'
+ client_id string @[unique: 'client_table']
+ created time.Time @[default: 'CURRENT_TIMESTAMP'; sql_type: 'datetime']
+}
+
+fn main() {
+ mut db := sqlite.connect('test.db')!
+ db.synchronization_mode(sqlite.SyncMode.off)!
+ db.journal_mode(sqlite.JournalMode.memory)!
+ sql db {
+ create table ParameterTable
+ }!
+ sql db {
+ delete from ParameterTable where client_id == client_id && name == name
+ } or { panic(err) }
+}
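Review bot: Only the `delete` statement is covered by this test in `orm_delete_where_invalid_inifx_err.vv`, although orm.v gains the same check in its `.update` branch; a sibling case whose body is `update ParameterTable set name = 'x' where client_id == client_id`, with its own `.out` file, would pin that path too. The file name spells `inifx` where `infix` is presumably meant; the expected `.out` embeds the path, so both files and that first output line would be renamed together. The case also connects to an on-disk `test.db`, which is harmless while the file is only expected to fail parsing, but `sqlite.connect(':memory:')` would avoid leaving a file behind if the test is ever turned into a runnable one.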