Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escape strings in RemoveClause #334

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Escape strings in RemoveClause #334

wants to merge 1 commit into from

Conversation

NickTaylor-
Copy link

Currently in RemoveClause only symbols are escaped with backticks, meaning that using .remove will fail on labels with special characters. This can be encountered with a namespaced label name, such as MyModule::MyThing.

This just makes the switch process strings and symbols in the same block.

@NickTaylor-
Escape strings in RemoveClause
26c9844 
Currently in RemoveClause only symbols are escaped with backticks,
meaning that using `.remove` will fail on labels with special
characters. This can be encountered with a namespaced label name, such
as MyModule::MyThing.
@coveralls
Copy link

Coverage Status

Coverage decreased (-3.8%) to 86.804% when pulling 26c9844 on NickTaylor-:escape-string-values-in-remove-clause into 4b649fc on neo4jrb:master.

2 similar comments
@coveralls
Copy link

Coverage Status

Coverage decreased (-3.8%) to 86.804% when pulling 26c9844 on NickTaylor-:escape-string-values-in-remove-clause into 4b649fc on neo4jrb:master.

@coveralls
Copy link

Coverage Status

Coverage decreased (-3.8%) to 86.804% when pulling 26c9844 on NickTaylor-:escape-string-values-in-remove-clause into 4b649fc on neo4jrb:master.

@NickTaylor-
Copy link
Author

So it seems like this broke a lot of the tests due to it having some expectations that the generated queries not be escaped. I want to make sure that this PR makes sense before I try and fix those, so if I can get a 👍 that this is a reasonable change, I'll go through with it.

klobuczek
klobuczek requested changes Dec 18, 2019
View reviewed changes
lib/neo4j/core/query_clauses.rb
when String
"#{key}.#{value}"
when Symbol
when String, Symbol
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this change does not make sense.

"#{key}.#{value}"

is not the same as

"#{key}:`#{value}`"

The former references a property the latter tests a node if it has a label. Use dot notation with escape and that probably will be good although readability of logs may suffer. Maybe there is a way to escape only when necessary.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I completely missed that there was a different delimiter there, good catch, that is probably also a semi-significant cause of the test errors. It seems like escape handling isn't really standardized, I discovered this particular issue in a chained method that ended in .delete, where it properly escaped everything up until then.

I'm not sure if it makes sense to check if a string needs to be delimited, that is a recipe for injection attacks, and it would incur a slight performance penalty.

This is my first contribution, but it also seems strange to have a distiction between passing a string vs. a symbol to delete. The documentation for delete seems to indicate that there shouldn't be a difference: https://neo4jrb.readthedocs.io/en/v9.4.0/QueryClauseMethods.html#delete. If there should be a distinction, it should be documented.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@klobuczek klobuczek klobuczek requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NickTaylor- @coveralls @klobuczek