fix: escapes sequelize literal query params

rsksmart · Sep 7, 2020 · 7bec56b · 7bec56b
1 parent b1b4c32
commit 7bec56b
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/src/services/storage/hooks/offers.hooks.ts b/src/services/storage/hooks/offers.hooks.ts
@@ -3,8 +3,7 @@ import BillingPlan from '../models/billing-plan.model'
 import { disallow, discard } from 'feathers-hooks-common'
 import Agreement from '../models/agreement.model'
 import { hooks } from 'feathers-sequelize'
-import { Op } from 'sequelize'
-import Sequelize from 'sequelize/lib/sequelize'
+import { Op, literal, Sequelize } from 'sequelize'
 import dehydrate = hooks.dehydrate
 
 export default {
@@ -59,10 +58,11 @@ export default {
             }
 
             if (totalCapacity) {
-              const rawQ = 'cast(totalCapacity as integer) BETWEEN ' +
-                  totalCapacity.min + ' AND ' + totalCapacity.max
-              context.params.sequelize.where.totalCapacity =
-                Sequelize.literal(rawQ)
+              const sequelize = context.app.get('sequelize') as Sequelize
+              const minCap = sequelize.escape(totalCapacity.min)
+              const maxCap = sequelize.escape(totalCapacity.max)
+              const rawQ = `cast(totalCapacity as integer) BETWEEN ${minCap} AND ${maxCap}`
+              context.params.sequelize.where.totalCapacity = literal(rawQ)
             }
 
             if (periods?.length) {