postgres: Refuse to build unsafe JSON lists for contains in Postgres (p…

…arse-community#5337)
UnderratedDev · Jan 31, 2019 · 9b95ae9 · 9b95ae9
1 parent 7d409d8
commit 9b95ae9
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -282,6 +282,12 @@ const buildWhereClause = ({ schema, query, index }): WhereClause => {
           name = transformDotFieldToComponents(fieldName).join('->');
           fieldValue.$in.forEach(listElem => {
             if (typeof listElem === 'string') {
+              if (listElem.includes('"') || listElem.includes("'")) {
+                throw new Parse.Error(
+                  Parse.Error.INVALID_JSON,
+                  'bad $in value; Strings with quotes cannot yet be safely escaped'
+                );
+              }
               inPatterns.push(`"${listElem}"`);
             } else {
               inPatterns.push(`${listElem}`);