Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Escape strings in RemoveClause #334

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Escape strings in RemoveClause #334

wants to merge 1 commit into from

Conversation

NickTaylor-
Copy link

Currently in RemoveClause only symbols are escaped with backticks, meaning that using .remove will fail on labels with special characters. This can be encountered with a namespaced label name, such as MyModule::MyThing.

This just makes the switch process strings and symbols in the same block.

@NickTaylor-
Escape strings in RemoveClause
26c9844 
Currently in RemoveClause only symbols are escaped with backticks,
meaning that using `.remove` will fail on labels with special
characters. This can be encountered with a namespaced label name, such
as MyModule::MyThing.
@coveralls
Copy link

Coverage Status

Coverage decreased (-3.8%) to 86.804% when pulling 26c9844 on NickTaylor-:escape-string-values-in-remove-clause into 4b649fc on neo4jrb:master.

2 similar comments
@coveralls
Copy link

Coverage Status

Coverage decreased (-3.8%) to 86.804% when pulling 26c9844 on NickTaylor-:escape-string-values-in-remove-clause into 4b649fc on neo4jrb:master.

@coveralls
Copy link

Coverage Status

Coverage decreased (-3.8%) to 86.804% when pulling 26c9844 on NickTaylor-:escape-string-values-in-remove-clause into 4b649fc on neo4jrb:master.

@NickTaylor-
Copy link
Author

So it seems like this broke a lot of the tests due to it having some expectations that the generated queries not be escaped. I want to make sure that this PR makes sense before I try and fix those, so if I can get a 👍 that this is a reasonable change, I'll go through with it.

klobuczek
klobuczek requested changes Dec 18, 2019
View reviewed changes
lib/neo4j/core/query_clauses.rb
when String
"#{key}.#{value}"
when Symbol
when String, Symbol
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this change does not make sense.

"#{key}.#{value}"

is not the same as

"#{key}:`#{value}`"

The former references a property the latter tests a node if it has a label. Use dot notation with escape and that probably will be good although readability of logs may suffer. Maybe there is a way to escape only when necessary.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I completely missed that there was a different delimiter there, good catch, that is probably also a semi-significant cause of the test errors. It seems like escape handling isn't really standardized, I discovered this particular issue in a chained method that ended in .delete, where it properly escaped everything up until then.

I'm not sure if it makes sense to check if a string needs to be delimited, that is a recipe for injection attacks, and it would incur a slight performance penalty.

This is my first contribution, but it also seems strange to have a distiction between passing a string vs. a symbol to delete. The documentation for delete seems to indicate that there shouldn't be a difference: https://neo4jrb.readthedocs.io/en/v9.4.0/QueryClauseMethods.html#delete. If there should be a distinction, it should be documented.

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@klobuczek klobuczek klobuczek requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NickTaylor- @coveralls @klobuczek