From 0f2d85f0b2d556f2b6c70423dcebdbd29d95e3dc Mon Sep 17 00:00:00 2001
From: David Luecke
Date: Wed, 8 Jun 2022 12:51:08 -0700
Subject: [PATCH] Do not allow raw attribute selects (#393)
---
 lib/index.js | 2 +-
 test/index.test.js | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/index.js b/lib/index.js
index ad1d760..a034d5e 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -133,7 +133,7 @@ class Service extends AdapterService {
 }, params.sequelize);
 if (filters.$select) {
- q.attributes = filters.$select;
+ q.attributes = filters.$select.map(select => `${select}`);
 }
 const Model = this.applyScope(params);
diff --git a/test/index.test.js b/test/index.test.js
index 896c617..6f95af6 100644
--- a/test/index.test.js
+++ b/test/index.test.js
@@ -293,6 +293,12 @@ describe('Feathers Sequelize Service', () => {
 await people.remove(person.id);
 });
+ it('does not allow raw attribute $select ', async () => {
+ await assert.rejects(() => people.find({
+ query: { $select: [['(sqlite_version())', 'x']] }
+ }));
+ });
+
 it('hides the Sequelize error in ERROR symbol', async () => {
 try {
 await people.create({
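Review bot: `filters.$select.map(...)` on the changed line assumes `$select` is always an array; if a client can send a scalar such as `?$select=name` and nothing upstream normalizes it (not visible in this hunk), the call throws a `TypeError` instead of a clean query rejection. The template-literal coercion also reads like a no-op, so it deserves a comment stating the security reason, e.g. `// Coerce to plain strings: nested arrays/objects in Sequelize attributes can carry raw SQL expressions`. An explicit check would make the intent harder to remove by accident: `if (!Array.isArray(filters.$select) || filters.$select.some(s => typeof s !== 'string')) { /* reject as a bad request */ }`. The enclosing method starts and ends outside the hunk, so any other place that forwards `$select` to Sequelize should be checked for the same handling.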
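Review bot: `assert.rejects` is called without an expected-error argument, so the new test passes on any rejection, including an unrelated failure such as a `TypeError` in the service code, and does not show that the raw expression was treated as a plain column name. Passing the expected error as the second argument, for example `{ name: '<expected error name>' }`, would pin the intended failure. The payload uses `sqlite_version()`, so if the suite also runs against another dialect (an assumption, not visible here) the query would be rejected there even without the fix. Only `find` is exercised; if `get` or other methods accept `$select`, they are not covered by this test.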