🙊 escape sql strings

apps/dashboard/src/trpc/api/routers/chart.helpers.ts

@@ -2,6 +2,7 @@ import { round } from '@/utils/math';
 import { subDays } from 'date-fns';
 import * as mathjs from 'mathjs';
 import { repeat, reverse, sort } from 'ramda';
+import { escape } from 'sqlstring';
 
 import { alphabetIds, NOT_SET_VALUE } from '@openpanel/constants';
 import {
@@ -430,7 +431,7 @@ export async function getFunnelData({ projectId, ...payload }: IChartInput) {
   const funnels = payload.events.map((event) => {
     const { sb, getWhere } = createSqlBuilder();
     sb.where = getEventFiltersWhereClause(event.filters);
-    sb.where.name = `name = '${event.name}'`;
+    sb.where.name = `name = ${escape(event.name)}`;
     return getWhere().replace('WHERE ', '');
   });
 
@@ -438,7 +439,7 @@ export async function getFunnelData({ projectId, ...payload }: IChartInput) {
     session_id,
     windowFunnel(6048000000000000,'strict_increase')(toUnixTimestamp(created_at), ${funnels.join(', ')}) AS level
   FROM events
-  WHERE (project_id = '${projectId}' AND created_at >= '${formatClickhouseDate(startDate)}') AND (created_at <= '${formatClickhouseDate(endDate)}')
+  WHERE (project_id = ${escape(projectId)} AND created_at >= '${formatClickhouseDate(startDate)}') AND (created_at <= '${formatClickhouseDate(endDate)}')
   GROUP BY session_id`;
 
   const sql = `SELECT level, count() AS count FROM (${innerSql}) GROUP BY level ORDER BY level DESC`;
@@ -446,7 +447,7 @@ export async function getFunnelData({ projectId, ...payload }: IChartInput) {
   const [funnelRes, sessionRes] = await Promise.all([
     chQuery<{ level: number; count: number }>(sql),
     chQuery<{ count: number }>(
-      `SELECT count(name) as count FROM events WHERE project_id = '${projectId}' AND name = 'session_start' AND (created_at >= '${formatClickhouseDate(startDate)}') AND (created_at <= '${formatClickhouseDate(endDate)}')`
+      `SELECT count(name) as count FROM events WHERE project_id = ${escape(projectId)} AND name = 'session_start' AND (created_at >= '${formatClickhouseDate(startDate)}') AND (created_at <= '${formatClickhouseDate(endDate)}')`
     ),
   ]);
 

apps/dashboard/src/trpc/api/routers/chart.ts

@@ -5,6 +5,7 @@ import {
 } from '@/trpc/api/trpc';
 import { average, max, min, round, sum } from '@/utils/math';
 import { flatten, map, pipe, prop, sort, uniq } from 'ramda';
+import { escape } from 'sqlstring';
 import { z } from 'zod';
 
 import { chQuery, createSqlBuilder } from '@openpanel/db';
@@ -60,7 +61,7 @@ export const chartRouter = createTRPCRouter({
     .input(z.object({ projectId: z.string() }))
     .query(async ({ input: { projectId } }) => {
       const events = await chQuery<{ name: string }>(
-        `SELECT DISTINCT name FROM events WHERE project_id = '${projectId}'`
+        `SELECT DISTINCT name FROM events WHERE project_id = ${escape(projectId)}`
       );
 
       return [
@@ -76,8 +77,8 @@ export const chartRouter = createTRPCRouter({
     .query(async ({ input: { projectId, event } }) => {
       const events = await chQuery<{ keys: string[] }>(
         `SELECT distinct mapKeys(properties) as keys from events where ${
-          event && event !== '*' ? `name = '${event}' AND ` : ''
-        } project_id = '${projectId}';`
+          event && event !== '*' ? `name = ${escape(event)} AND ` : ''
+        } project_id = ${escape(projectId)};`
       );
 
       const properties = events
@@ -122,14 +123,14 @@ export const chartRouter = createTRPCRouter({
     )
     .query(async ({ input: { event, property, projectId } }) => {
       const { sb, getSql } = createSqlBuilder();
-      sb.where.project_id = `project_id = '${projectId}'`;
+      sb.where.project_id = `project_id = ${escape(projectId)}`;
       if (event !== '*') {
-        sb.where.event = `name = '${event}'`;
+        sb.where.event = `name = ${escape(event)}`;
       }
       if (property.startsWith('properties.')) {
-        sb.select.values = `distinct mapValues(mapExtractKeyLike(properties, '${property
-          .replace(/^properties\./, '')
-          .replace('.*.', '.%.')}')) as values`;
+        sb.select.values = `distinct mapValues(mapExtractKeyLike(properties, ${escape(
+          property.replace(/^properties\./, '').replace('.*.', '.%.')
+        )})) as values`;
       } else {
         sb.select.values = `distinct ${property} as values`;
       }

apps/dashboard/src/trpc/api/routers/profile.ts

@@ -4,6 +4,7 @@ import {
   publicProcedure,
 } from '@/trpc/api/trpc';
 import { flatten, map, pipe, prop, sort, uniq } from 'ramda';
+import { escape } from 'sqlstring';
 import { z } from 'zod';
 
 import { chQuery, createSqlBuilder } from '@openpanel/db';
@@ -13,7 +14,7 @@ export const profileRouter = createTRPCRouter({
     .input(z.object({ projectId: z.string() }))
     .query(async ({ input: { projectId } }) => {
       const events = await chQuery<{ keys: string[] }>(
-        `SELECT distinct mapKeys(properties) as keys from profiles where project_id = '${projectId}';`
+        `SELECT distinct mapKeys(properties) as keys from profiles where project_id = ${escape(projectId)};`
       );
 
       const properties = events
@@ -40,11 +41,11 @@ export const profileRouter = createTRPCRouter({
     .query(async ({ input: { property, projectId } }) => {
       const { sb, getSql } = createSqlBuilder();
       sb.from = 'profiles';
-      sb.where.project_id = `project_id = '${projectId}'`;
+      sb.where.project_id = `project_id = ${escape(projectId)}`;
       if (property.startsWith('properties.')) {
-        sb.select.values = `distinct mapValues(mapExtractKeyLike(properties, '${property
-          .replace(/^properties\./, '')
-          .replace('.*.', '.%.')}')) as values`;
+        sb.select.values = `distinct mapValues(mapExtractKeyLike(properties, ${escape(
+          property.replace(/^properties\./, '').replace('.*.', '.%.')
+        )})) as values`;
       } else {
         sb.select.values = `${property} as values`;
       }