From 89fecb77ef38a583d8a0d5766d9d091f4b34036c Mon Sep 17 00:00:00 2001
From: Steve Clay
Date: Thu, 31 Jan 2019 09:47:43 -0500
Subject: [PATCH] Refuse to build unsafe JSON lists for contains in Postgres
---
 src/Adapters/Storage/Postgres/PostgresStorageAdapter.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
index a24aad0e87..94adf0315d 100644
--- a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
+++ b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -282,6 +282,12 @@ const buildWhereClause = ({ schema, query, index }): WhereClause => {
 name = transformDotFieldToComponents(fieldName).join('->');
 fieldValue.$in.forEach(listElem => {
 if (typeof listElem === 'string') {
+ if (listElem.includes('"') || listElem.includes("'")) {
+ throw new Parse.Error(
+ Parse.Error.INVALID_JSON,
+ 'bad $in value; Strings with quotes cannot yet be safely escaped'
+ );
+ }
 inPatterns.push(`"${listElem}"`);
 } else {
 inPatterns.push(`${listElem}`);
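Review bot: The new guard only rejects `"` and `'`, so a backslash or a control character still reaches the `inPatterns.push` on the line after the added block and is embedded in the JSON string literal unescaped; JSON requires `\`, `"` and U+0000–U+001F to be escaped, and a trailing backslash in particular escapes the closing quote of the element. Rather than enumerating characters, let the runtime build the literal: replace the six added lines together with the following push by `inPatterns.push(JSON.stringify(listElem));`, which escapes every such character and removes the limitation the error message describes (the `'` check is then unnecessary, since `'` is not special in JSON). If the value genuinely cannot be escaped at this point for a reason downstream of the hunk, the guard should at least also test `listElem.includes('\\')` and `/[\u0000-\u001f]/.test(listElem)` so that malformed lists are refused rather than built. buildWhereClause starts and ends outside the hunk, so where inPatterns is consumed is not visible here.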