Do not allow raw attribute selects (#393)

feathersjs-ecosystem · Jun 8, 2022 · 0f2d85f · 0f2d85f
1 parent 4c536cc
commit 0f2d85f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/lib/index.js b/lib/index.js
@@ -133,7 +133,7 @@ class Service extends AdapterService {
     }, params.sequelize);
 
     if (filters.$select) {
-      q.attributes = filters.$select;
+      q.attributes = filters.$select.map(select => `${select}`);
     }
 
     const Model = this.applyScope(params);

diff --git a/test/index.test.js b/test/index.test.js
@@ -293,6 +293,12 @@ describe('Feathers Sequelize Service', () => {
         await people.remove(person.id);
       });
 
+      it('does not allow raw attribute $select ', async () => {
+        await assert.rejects(() => people.find({
+          query: { $select: [['(sqlite_version())', 'x']] }
+        }));
+      });
+
       it('hides the Sequelize error in ERROR symbol', async () => {
         try {
           await people.create({