wrapAsExpression somehow makes program fail with "debug" log level #…

…1006 Possible injection point in inserts fixed
JetBrains · Aug 7, 2020 · 682f66e · 682f66e
1 parent 99bd4db
commit 682f66e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 4 deletions.
diff --git a/exposed-core/src/main/kotlin/org/jetbrains/exposed/sql/statements/InsertStatement.kt b/exposed-core/src/main/kotlin/org/jetbrains/exposed/sql/statements/InsertStatement.kt
@@ -157,9 +157,15 @@ open class InsertStatement<Key:Any>(val table: Table, val isIgnore: Boolean = fa
             listOf(result).apply { field = this }
         }
 
-    override fun arguments() = arguments!!.map { args ->
-        args.filter { (_, value) ->
-            value != DefaultValueMarker  && value !is Expression<*>
-        }.map { it.first.columnType to it.second }
+    override fun arguments() : List<Iterable<Pair<IColumnType, Any?>>> {
+        return arguments!!.map { args ->
+            val builder = QueryBuilder(true)
+            args.filter { (_, value) ->
+                value != DefaultValueMarker
+            }.forEach { (column, value) ->
+                builder.registerArgument(column, value)
+            }
+            builder.args
+        }
     }
 }
diff --git a/exposed-tests/src/test/kotlin/org/jetbrains/exposed/sql/tests/shared/dml/InsertTests.kt b/exposed-tests/src/test/kotlin/org/jetbrains/exposed/sql/tests/shared/dml/InsertTests.kt
@@ -244,6 +244,36 @@ class InsertTests : DatabaseTestsBase() {
         }
     }
 
+    @Test fun testInsertWithColumnExpression() {
+
+        val tbl1 = object : IntIdTable("testInsert1") {
+            val string1 = varchar("stringCol", 20)
+        }
+        val tbl2 = object : IntIdTable("testInsert2") {
+            val string2 = varchar("stringCol", 20).nullable()
+        }
+
+        fun verify(value: String) {
+            val row = tbl2.select{ tbl2.string2 eq value }.single()
+            assertEquals(row[tbl2.string2], value)
+        }
+
+        withTables(tbl1, tbl2) {
+            addLogger(StdOutSqlLogger)
+
+            val id = tbl1.insertAndGetId {
+                it[string1] = " _exp1_ "
+            }
+
+            val expr1 = tbl1.string1.trim().substring(2, 4)
+            tbl2.insert {
+                it[string2] = wrapAsExpression(tbl1.slice(expr1).select { tbl1.id eq id })
+            }
+
+            verify("exp1")
+        }
+    }
+
     private object OrderedDataTable : IntIdTable()
     {
         val name = text("name")