From 12d7f5ccc293e3ba3dccef60a0fb1df6c59ad81c Mon Sep 17 00:00:00 2001
From: Allan SIMON
Date: Wed, 16 Oct 2024 15:57:57 +0000
Subject: [PATCH 1/3] Allows :dql_parameters with ARRAY_* functions
before it was only possible to do `ARRAY_APPEND(e.myarray, 'a_literal')` so it was impossible to have the value coming from php (without resorting to DQL injection)
We now allow also the following syntax `ARRAY_APPEND(e.myarray, :foobar)`
---
 .../Doctrine/ORM/Query/AST/Functions/ArrayAppend.php | 2 +-
 .../Doctrine/ORM/Query/AST/Functions/ArrayLength.php | 2 +-
 .../Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php | 2 +-
 .../Doctrine/ORM/Query/AST/Functions/ArrayRemove.php | 2 +-
 .../Doctrine/ORM/Query/AST/Functions/ArrayReplace.php | 4 ++--
 .../Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php | 2 ++
 .../Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php | 2 ++
 .../Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php | 2 ++
 .../Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php | 2 ++
 .../Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php | 2 ++
 10 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppend.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppend.php
index 783a834d..2150a9cc 100644
--- a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppend.php
+++ b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppend.php
@@ -18,6 +18,6 @@ protected function customiseFunction(): void
 {
 $this->setFunctionPrototype('array_append(%s, %s)');
 $this->addNodeMapping('StringPrimary');
- $this->addNodeMapping('Literal');
+ $this->addNodeMapping('ArithmeticPrimary');
 }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLength.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLength.php
index c25fb061..408ddda3 100644
--- a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLength.php
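Review bot: The widened mapping on the second `addNodeMapping` call accepts more than the `:named`/`?` input parameters the commit message describes: in Doctrine's DQL grammar `ArithmeticPrimary` also covers single-valued path expressions, nested function calls and parenthesised arithmetic, so `ARRAY_APPEND(e.array1, e.otherField)` now parses where it used to fail. That widening is welcome from a security standpoint, because the input-parameter case is what removes the need to splice PHP values into the DQL string, and the test hunk later in this series shows the value rendered as a `?` placeholder handed to the driver rather than concatenated into SQL. It should still be stated and tested: a comment such as `// ArithmeticPrimary: literal, :param/? input parameter or path expression; never raw SQL` above the mapping, plus one test with a path-expression argument, would pin the accepted grammar. The enclosing `customiseFunction()` signature sits in the hunk header, so only its body is visible here.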
+++ b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLength.php
@@ -18,6 +18,6 @@ protected function customiseFunction(): void
 {
 $this->setFunctionPrototype('array_length(%s, %s)');
 $this->addNodeMapping('StringPrimary');
- $this->addNodeMapping('Literal');
+ $this->addNodeMapping('ArithmeticPrimary');
 }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php
index bc139882..04101d08 100644
--- a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php
+++ b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrepend.php
@@ -17,7 +17,7 @@ class ArrayPrepend extends BaseFunction
 protected function customiseFunction(): void
 {
 $this->setFunctionPrototype('array_prepend(%s, %s)');
- $this->addNodeMapping('Literal');
+ $this->addNodeMapping('ArithmeticPrimary');
 $this->addNodeMapping('StringPrimary');
 }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemove.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemove.php
index 1985ef33..62a941eb 100644
--- a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemove.php
+++ b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemove.php
@@ -18,6 +18,6 @@ protected function customiseFunction(): void
 {
 $this->setFunctionPrototype('array_remove(%s, %s)');
 $this->addNodeMapping('StringPrimary');
- $this->addNodeMapping('Literal');
+ $this->addNodeMapping('ArithmeticPrimary');
 }
 }
diff --git a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplace.php b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplace.php
index 406da127..72525ee7 100644
--- a/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplace.php
+++ b/src/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplace.php
@@ -18,7 +18,7 @@ protected function customiseFunction(): void
 {
 $this->setFunctionPrototype('array_replace(%s, %s, %s)');
 $this->addNodeMapping('StringPrimary');
- $this->addNodeMapping('Literal');
- $this->addNodeMapping('Literal');
+ $this->addNodeMapping('ArithmeticPrimary');
+ $this->addNodeMapping('ArithmeticPrimary');
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
index 3b04907e..27c7ea83 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_append(c0_.array1, 1989) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_append(c0_.array1, 'country') AS sclr_0 FROM ContainsArrays c0_",
+ "SELECT array_append(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",
 ];
 }
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_APPEND(e.array1, 1989) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_APPEND(e.array1, 'country') FROM %s e", ContainsArrays::class),
+ \sprintf("SELECT ARRAY_APPEND(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php
index 9b2b478b..31efad78 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayLengthTest.php
@@ -20,6 +20,7 @@ protected function getExpectedSqlStatements(): array
 {
 return [
 'SELECT array_length(c0_.array1, 1) AS sclr_0 FROM ContainsArrays c0_',
+ 'SELECT array_length(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_',
 ];
 }
@@ -27,6 +28,7 @@ protected function getDqlStatements(): array
 {
 return [
 \sprintf('SELECT ARRAY_LENGTH(e.array1, 1) FROM %s e', ContainsArrays::class),
+ \sprintf('SELECT ARRAY_LENGTH(e.array1, :dql_parameter) FROM %s e', ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
index 90ed70bf..8c9db4f5 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_prepend(1885, c0_.array1) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_prepend('red', c0_.array1) AS sclr_0 FROM ContainsArrays c0_",
+ "SELECT array_prepend(?, c0_.array1) AS sclr_0 FROM ContainsArrays c0_",
 ];
 }
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_PREPEND(1885, e.array1) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_PREPEND('red', e.array1) FROM %s e", ContainsArrays::class),
+ \sprintf("SELECT ARRAY_PREPEND(:dql_parameter, e.array1) FROM %s e", ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
index 9aa1a689..9929dd4d 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_remove(c0_.array1, 1944) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_remove(c0_.array1, 'peach') AS sclr_0 FROM ContainsArrays c0_",
+ "SELECT array_remove(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",
 ];
 }
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_REMOVE(e.array1, 1944) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_REMOVE(e.array1, 'peach') FROM %s e", ContainsArrays::class),
+ \sprintf("SELECT ARRAY_REMOVE(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
index d55a74fa..165c3ec4 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
@@ -21,6 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_replace(c0_.array1, 1939, 1957) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_replace(c0_.array1, 'green', 'mint') AS sclr_0 FROM ContainsArrays c0_",
+ "SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_",
 ];
 }
@@ -29,6 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_REPLACE(e.array1, 1939, 1957) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', 'mint') FROM %s e", ContainsArrays::class),
+ \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) FROM %s e", ContainsArrays::class),
 ];
 }
 }
From df2eb5366796a76a891522c4bfe6492020cf978c Mon Sep 17 00:00:00 2001
From: Allan Simon
Date: Mon, 21 Oct 2024 16:37:00 +0200
Subject: [PATCH 2/3] Apply suggestions from code review
coding style
---
 .../Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php | 4 ++--
 .../Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php | 4 ++--
 .../Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php | 4 ++--
 .../Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
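Review bot: The added ArrayReplaceTest cases bind only the third argument, so the second `ArithmeticPrimary` mapping that the ArrayReplace source hunk introduces is never parsed with an input parameter in this series. A case binding both positions would cover it: add `"SELECT array_replace(c0_.array1, ?, ?) AS sclr_0 FROM ContainsArrays c0_"` to `getExpectedSqlStatements()` and `\sprintf('SELECT ARRAY_REPLACE(e.array1, :from, :to) FROM %s e', ContainsArrays::class)` to `getDqlStatements()`. Note that these tests appear to assert only SQL generation — no value is ever bound to `:dql_parameter` — so how an array-typed PHP value is converted at execution time is, as far as this hunk shows, still unexercised; worth a follow-up if the library relies on a custom DBAL type for that.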
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
index 27c7ea83..a5eb0fb0 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayAppendTest.php
@@ -21,7 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_append(c0_.array1, 1989) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_append(c0_.array1, 'country') AS sclr_0 FROM ContainsArrays c0_",
- "SELECT array_append(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",
+ 'SELECT array_append(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_',
 ];
 }
@@ -30,7 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_APPEND(e.array1, 1989) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_APPEND(e.array1, 'country') FROM %s e", ContainsArrays::class),
- \sprintf("SELECT ARRAY_APPEND(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),
+ \sprintf('SELECT ARRAY_APPEND(e.array1, :dql_parameter) FROM %s e', ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
index 8c9db4f5..e8de2f7c 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayPrependTest.php
@@ -21,7 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_prepend(1885, c0_.array1) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_prepend('red', c0_.array1) AS sclr_0 FROM ContainsArrays c0_",
- "SELECT array_prepend(?, c0_.array1) AS sclr_0 FROM ContainsArrays c0_",
+ 'SELECT array_prepend(?, c0_.array1) AS sclr_0 FROM ContainsArrays c0_',
 ];
 }
@@ -30,7 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_PREPEND(1885, e.array1) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_PREPEND('red', e.array1) FROM %s e", ContainsArrays::class),
- \sprintf("SELECT ARRAY_PREPEND(:dql_parameter, e.array1) FROM %s e", ContainsArrays::class),
+ \sprintf('SELECT ARRAY_PREPEND(:dql_parameter, e.array1) FROM %s e', ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
index 9929dd4d..427cc6e7 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayRemoveTest.php
@@ -21,7 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_remove(c0_.array1, 1944) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_remove(c0_.array1, 'peach') AS sclr_0 FROM ContainsArrays c0_",
- "SELECT array_remove(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_",
+ 'SELECT array_remove(c0_.array1, ?) AS sclr_0 FROM ContainsArrays c0_',
 ];
 }
@@ -30,7 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_REMOVE(e.array1, 1944) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_REMOVE(e.array1, 'peach') FROM %s e", ContainsArrays::class),
- \sprintf("SELECT ARRAY_REMOVE(e.array1, :dql_parameter) FROM %s e", ContainsArrays::class),
+ \sprintf('SELECT ARRAY_REMOVE(e.array1, :dql_parameter) FROM %s e', ContainsArrays::class),
 ];
 }
 }
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
index 165c3ec4..5e95d1fa 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
@@ -21,7 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_replace(c0_.array1, 1939, 1957) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_replace(c0_.array1, 'green', 'mint') AS sclr_0 FROM ContainsArrays c0_",
- "SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_",
+ 'SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_',
 ];
 }
@@ -30,7 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_REPLACE(e.array1, 1939, 1957) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', 'mint') FROM %s e", ContainsArrays::class),
- \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) FROM %s e", ContainsArrays::class),
+ \sprintf('SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) FROM %s e', ContainsArrays::class),
 ];
 }
 }
From 0f842ab7b5b0b4dd3af4816b8d2266df082dc622 Mon Sep 17 00:00:00 2001
From: Allan Simon
Date: Mon, 21 Oct 2024 22:35:13 +0200
Subject: [PATCH 3/3] Apply suggestions from code review
---
 .../Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
index 5e95d1fa..165c3ec4 100644
--- a/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
+++ b/tests/MartinGeorgiev/Doctrine/ORM/Query/AST/Functions/ArrayReplaceTest.php
@@ -21,7 +21,7 @@ protected function getExpectedSqlStatements(): array
 return [
 'SELECT array_replace(c0_.array1, 1939, 1957) AS sclr_0 FROM ContainsArrays c0_',
 "SELECT array_replace(c0_.array1, 'green', 'mint') AS sclr_0 FROM ContainsArrays c0_",
- 'SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_',
+ "SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_",
 ];
 }
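Review bot: The single-quote conversion in the PATCH 2/3 ArrayReplaceTest hunk produces an unterminated string, since `'SELECT array_replace(c0_.array1, 'green', ?) AS sclr_0 FROM ContainsArrays c0_'` contains unescaped single quotes around `green`; the same defect is on the `\sprintf('SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) ...')` line of its second hunk, so the file does not parse at that commit. PATCH 3/3 reverts exactly those two lines to double quotes, so the series ends in a correct state, but the intermediate commit is broken for bisecting and CI; squashing 3/3 into 2/3 (or dropping these two lines from the style pass, since the `single_quote` fixer leaves strings containing single quotes alone) would keep every commit green. The other files touched by the style pass contain no inner quotes and are unaffected.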
@@ -30,7 +30,7 @@ protected function getDqlStatements(): array
 return [
 \sprintf('SELECT ARRAY_REPLACE(e.array1, 1939, 1957) FROM %s e', ContainsArrays::class),
 \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', 'mint') FROM %s e", ContainsArrays::class),
- \sprintf('SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) FROM %s e', ContainsArrays::class),
+ \sprintf("SELECT ARRAY_REPLACE(e.array1, 'green', :dql_parameter) FROM %s e", ContainsArrays::class),
 ];
 }
 }