Merge pull request #1090 from sproctor/fix-escaping

only escape filters inside logical expressions and `in` lists

Author: jan-tennert

Postgrest/src/commonMain/kotlin/io/github/jan/supabase/postgrest/query/filter/FilterOperation.kt

@@ -11,7 +11,7 @@ package io.github.jan.supabase.postgrest.query.filter
  */
 data class FilterOperation(val column: String, val operator: FilterOperator, val value: Any?)
 
-fun FilterOperation.escapedValue(): String =
+fun FilterOperation.escapedValue(isInLogicalExpression: Boolean): String =
     when (operator) {
         FilterOperator.EQ,
         FilterOperator.NEQ,
@@ -23,8 +23,15 @@ fun FilterOperation.escapedValue(): String =
         FilterOperator.ILIKE,
         FilterOperator.MATCH,
         FilterOperator.IMATCH,
-        FilterOperator.IS ->
-            escapeValue(value)
+        FilterOperator.IS,
+        FilterOperator.FTS,
+        FilterOperator.WFTS,
+        FilterOperator.PHFTS,
+        FilterOperator.PLFTS ->
+            if (isInLogicalExpression)
+                escapeValue(value)
+            else
+                value.toString()
         FilterOperator.IN ->
             if (value is List<*>) {
                 encodeAsList(value)
@@ -35,9 +42,15 @@ fun FilterOperation.escapedValue(): String =
         FilterOperator.CD,
         FilterOperator.OV ->
             when (value) {
-                is List<*> -> encodeOverlapAsArray(value)
-                is Pair<*, *> -> encodeOverlapAsRange(value)
-                else -> escapeValue(value)
+                is List<*> ->
+                    encodeOverlapAsArray(value)
+                is Pair<*, *> ->
+                    encodeOverlapAsRange(value)
+                else ->
+                    if (isInLogicalExpression)
+                        escapeValue(value)
+                    else
+                        value.toString()
             }
         FilterOperator.SL,
         FilterOperator.SR,
@@ -49,35 +62,30 @@ fun FilterOperation.escapedValue(): String =
                 is List<*> -> encodeAsRange(value)
                 else -> escapeValue(value)
             }
-        FilterOperator.FTS,
-        FilterOperator.WFTS,
-        FilterOperator.PHFTS,
-        FilterOperator.PLFTS ->
-            escapeValue(value) // Do these need special handling?
     }
 
 private fun encodeAsList(values: List<*>): String =
     values.joinToString(",", prefix = "(", postfix = ")") { escapeValue(it) }
 
 private fun encodeAsRange(range: Pair<*, *>): String =
-    "(${escapeValue(range.first)},${escapeValue(range.second)})"
+    "(${range.first},${range.second})"
 
 private fun encodeAsRange(range: List<*>): String =
-    "(${escapeValue(range[0])},${escapeValue(range[1])})"
+    "(${range[0]},${range[1]})"
 
 private fun encodeOverlapAsRange(range: Pair<*, *>): String =
-    "[${escapeValue(range.first)},${escapeValue(range.second)}]"
+    "[${range.first},${range.second}]"
 
 private fun encodeOverlapAsArray(values: List<*>): String =
-    values.joinToString(",", prefix = "{", postfix = "}") { escapeValue(it) }
+    values.joinToString(",", prefix = "{", postfix = "}")
 
 private val quotedCharacters = listOf(",", ".", ":", "(", ")")
 
 internal fun escapeValue(value: Any?): String {
     val asString = value.toString()
         .replace("\\", "\\\\")
         .replace("\"", "\\\"")
-    return if (value !is Number && quotedCharacters.any { asString.contains(it) }) {
+    return if (quotedCharacters.any { asString.contains(it) }) {
         "\"$asString\""
     } else {
         asString

Postgrest/src/commonMain/kotlin/io/github/jan/supabase/postgrest/query/filter/PostgrestFilterBuilder.kt

@@ -28,7 +28,7 @@ class PostgrestFilterBuilder(
      */
     fun filterNot(operation: FilterOperation) {
         val columnValue = params[operation.column] ?: emptyList()
-        _params[operation.column] = columnValue + listOf("not.${operation.operator.identifier}.${operation.escapedValue()}")
+        _params[operation.column] = columnValue + listOf("not.${operation.operator.identifier}.${operation.escapedValue(isInLogicalExpression)}")
     }
 
     /**
@@ -43,7 +43,7 @@ class PostgrestFilterBuilder(
      */
     fun filter(operation: FilterOperation) {
         val columnValue = params[operation.column] ?: emptyList()
-        _params[operation.column] = columnValue + listOf("${operation.operator.identifier}.${operation.escapedValue()}")
+        _params[operation.column] = columnValue + listOf("${operation.operator.identifier}.${operation.escapedValue(isInLogicalExpression)}")
     }
 
     /**

Postgrest/src/commonTest/kotlin/PostgrestFilterBuilderTest.kt

@@ -34,19 +34,27 @@ class PostgrestFilterBuilderTest {
     }
 
     @Test
-    fun eq_reserved() {
+    fun eq_with_reserved() {
         val filter = filterToString {
-            eq("id", "2004-09-16T23:59:58.75")
+            eq("time", "2004-09-16T23:59:58.75")
         }
-        assertEquals("id=eq.\"2004-09-16T23:59:58.75\"", filter)
+        assertEquals("time=eq.2004-09-16T23:59:58.75", filter)
     }
 
     @Test
-    fun eq_quoted() {
+    fun eq_with_quotes() {
         val filter = filterToString {
-            eq("id", "Hello, \"World\"")
+            eq("message", "Hello, \"World\"")
         }
-        assertEquals("id=eq.\"Hello,+\\\"World\\\"\"", filter)
+        assertEquals("message=eq.Hello,+\"World\"", filter)
+    }
+
+    @Test
+    fun in_quoted() {
+        val filter = filterToString {
+            isIn("message", listOf("\"Hello, World\"", "Goodbye.", "Greetings"))
+        }
+        assertEquals("message=in.(\"\\\"Hello,+World\\\"\",\"Goodbye.\",Greetings)", filter)
     }
 
     @Test
@@ -148,15 +156,15 @@ class PostgrestFilterBuilderTest {
     @Test
     fun contained() {
         val filter = filterToString {
-            contained("id", listOf(1,2,3))
+            contained("id", listOf(1, 2, 3))
         }
         assertEquals("id=cd.{1,2,3}", filter)
     }
 
     @Test
     fun overlaps() {
         val filter = filterToString {
-            overlaps("id", listOf(1,2,3))
+            overlaps("id", listOf(1, 2, 3))
         }
         assertEquals("id=ov.{1,2,3}", filter)
     }
@@ -293,15 +301,19 @@ class PostgrestFilterBuilderTest {
 
     @Test
     fun propertyConversionWithSerialName() {
-        if(CurrentPlatformTarget in listOf(PlatformTarget.JVM, PlatformTarget.ANDROID)) {
+        if (CurrentPlatformTarget in listOf(PlatformTarget.JVM, PlatformTarget.ANDROID)) {
             assertEquals("created_at", PropertyConversionMethod.SERIAL_NAME(TestData::createdAt))
         } else {
             assertFails { PropertyConversionMethod.SERIAL_NAME(TestData::createdAt) }
         }
     }
 
     private fun filterToString(builder: PostgrestFilterBuilder.() -> Unit): String {
-        return PostgrestFilterBuilder(PropertyConversionMethod.NONE).apply(block = builder).params.mapValues { (_, value) -> listOf(value.first()) }.let {
+        return PostgrestFilterBuilder(PropertyConversionMethod.NONE).apply(block = builder).params.mapValues { (_, value) ->
+            listOf(
+                value.first()
+            )
+        }.let {
             parametersOf(it).formUrlEncode()
         }.decodeURLQueryComponent()
     }

Realtime/src/commonMain/kotlin/io/github/jan/supabase/realtime/PostgresChangeFilter.kt

@@ -35,7 +35,7 @@ class PostgresChangeFilter(private val event: String, private val schema: String
             FilterOperator.LT,
             FilterOperator.LTE,
             FilterOperator.IN ->
-                filter.escapedValue()
+                filter.escapedValue(false)
             else -> throw UnsupportedOperationException("Unsupported filter operator: ${filter.operator}")
         }
         this.filter = "${filter.column}=${filter.operator.name.lowercase()}.$filterValue"