Support comparing to null

erikdubbelboer · erikdubbelboer · commit 67bbb4379626 · 2024-06-15T11:12:45.000+02:00
diff --git a/filter/converter.go b/filter/converter.go
@@ -190,6 +190,21 @@ func (c *Converter) convertFilter(filter map[string]any, paramIndex int) (string
 					innerResult = "(" + innerResult + ")"
 				}
 				conditions = append(conditions, innerResult)
+			case nil:
+				// Comparing a column to NULL needs a different implementation depending on if the column is in JSONB or not.
+				// JSONB columns are NULL even if they don't exist, so we need to check if the column exists first.
+				isNestedColumn := c.nestedColumn != ""
+				for _, exemption := range c.nestedExemptions {
+					if exemption == key {
+						isNestedColumn = false
+						break
+					}
+				}
+				if isNestedColumn {
+					conditions = append(conditions, fmt.Sprintf("(jsonb_path_match(%s, 'exists($.%s)') AND %s IS NULL)", c.nestedColumn, key, c.columnName(key)))
+				} else {
+					conditions = append(conditions, fmt.Sprintf("(%s IS NULL)", c.columnName(key)))
+				}
 			default:
 				if !isScalar(value) {
 					return "", nil, fmt.Errorf("invalid comparison value (must be a primitive): %v", value)
diff --git a/filter/converter_test.go b/filter/converter_test.go
@@ -264,6 +264,30 @@ func TestConverter_Convert(t *testing.T) {
 			nil,
 			fmt.Errorf("invalid comparison value (must be a primitive): [200 300]"),
 		},
+		{
+			"sql injection",
+			nil,
+			`{"\"bla = 1 --": 1}`,
+			``,
+			nil,
+			fmt.Errorf("invalid column name: \"bla = 1 --"),
+		},
+		{
+			"null nornal column",
+			nil,
+			`{"name": null}`,
+			`("name" IS NULL)`,
+			nil,
+			nil,
+		},
+		{
+			"null jsonb column",
+			filter.WithNestedJSONB("meta"),
+			`{"name": null}`,
+			`(jsonb_path_match(meta, 'exists($.name)') AND "meta"->>'name' IS NULL)`,
+			nil,
+			nil,
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/fuzz/fuzz_test.go b/fuzz/fuzz_test.go
@@ -39,6 +39,7 @@ func FuzzConverter(f *testing.F) {
 		`{"\"bla = 1 --": 1}`,
 		`{"$not": {"name": "John"}}`,
 		`{"name": {"$not": {"$eq": "John"}}}`,
+		`{"name": null}`,
 	}
 	for _, tc := range tcs {
 		f.Add(tc, true)
diff --git a/integration/postgres_test.go b/integration/postgres_test.go
@@ -322,9 +322,15 @@ func TestIntegration_BasicOperators(t *testing.T) {
 			nil,
 		},
 		{
-			"$gt with jsonb column",
-			`{"guild_id": { "$gt": 40 }}`,
-			[]int{7, 8, 9, 10},
+			`column equal to null`,
+			`{"mount": null}`,
+			[]int{3, 4},
+			nil,
+		},
+		{
+			`jsonb equal to null`,
+			`{"pet": null}`,
+			[]int{10},
 			nil,
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ func FuzzConverter(f *testing.F) {`
`39`	`39`	`{"\"bla = 1 --": 1}`,
`40`	`40`	`{"$not": {"name": "John"}}`,
`41`	`41`	`{"name": {"$not": {"$eq": "John"}}}`,
	`42`	+ `{"name": null}`,
`42`	`43`	`}`
`43`	`44`	`for _, tc := range tcs {`
`44`	`45`	`f.Add(tc, true)`