Add Fuzz test

erikdubbelboer · koenbollen · erikdubbelboer · commit c11954ec6c29 · 2024-04-19T11:08:42.000+02:00
Co-authored-by: Koen Bollen &lt;213502+koenbollen@users.noreply.github.com&gt;
diff --git a/filter/converter.go b/filter/converter.go
@@ -64,13 +64,16 @@ func (c *Converter) convertFilter(filter map[string]any, paramIndex int) (string
 
 		switch key {
 		case "$or", "$and":
-			orConditions, ok := anyToSliceMapAny(value)
+			opConditions, ok := anyToSliceMapAny(value)
 			if !ok {
 				return "", nil, fmt.Errorf("invalid value for $or operator (must be array of objects): %v", value)
 			}
+			if len(opConditions) == 0 {
+				return "", nil, fmt.Errorf("empty arrays not allowed")
+			}
 
 			inner := []string{}
-			for _, orCondition := range orConditions {
+			for _, orCondition := range opConditions {
 				innerConditions, innerValues, err := c.convertFilter(orCondition, paramIndex)
 				if err != nil {
 					return "", nil, err
@@ -89,8 +92,16 @@ func (c *Converter) convertFilter(filter map[string]any, paramIndex int) (string
 				conditions = append(conditions, strings.Join(inner, " "+op+" "))
 			}
 		default:
+			if !isValidPostgresIdentifier(key) {
+				return "", nil, fmt.Errorf("invalid column name: %s", key)
+			}
+
 			switch v := value.(type) {
 			case map[string]any:
+				if len(v) == 0 {
+					return "", nil, fmt.Errorf("empty objects not allowed")
+				}
+
 				inner := []string{}
 				operators := []string{}
 				for operator := range v {
@@ -104,7 +115,8 @@ func (c *Converter) convertFilter(filter map[string]any, paramIndex int) (string
 					case "$and":
 						return "", nil, fmt.Errorf("$and as scalar operator not supported")
 					case "$in":
-						inner = append(inner, fmt.Sprintf("(%s = ANY(?))", c.columnName(key)))
+						paramIndex++
+						inner = append(inner, fmt.Sprintf("(%s = ANY($%d))", c.columnName(key), paramIndex))
 						if !isScalarSlice(v[operator]) {
 							return "", nil, fmt.Errorf("invalid value for $in operator (must array of primatives): %v", v[operator])
 						}
diff --git a/filter/converter_test.go b/filter/converter_test.go
@@ -77,7 +77,7 @@ func TestConverter_Convert(t *testing.T) {
 			"in-array operator simple",
 			nil,
 			`{"status": {"$in": ["NEW", "OPEN"]}}`,
-			`("status" = ANY(?))`,
+			`("status" = ANY($1))`,
 			[]any{[]any{"NEW", "OPEN"}},
 			nil,
 		},
@@ -101,7 +101,7 @@ func TestConverter_Convert(t *testing.T) {
 			"in-array operator with null value",
 			nil,
 			`{"status": {"$in": ["guest", null]}}`,
-			`("status" = ANY(?))`,
+			`("status" = ANY($1))`,
 			[]any{[]any{"guest", nil}},
 			nil,
 		},
@@ -169,6 +169,30 @@ func TestConverter_Convert(t *testing.T) {
 			[]any{"John", "Jane"},
 			nil,
 		},
+		{
+			"don't allow empty objects",
+			nil,
+			`{"name": {}}`,
+			``,
+			nil,
+			fmt.Errorf("empty objects not allowed"),
+		},
+		{
+			"don't allow empty arrays",
+			nil,
+			`{"$or": []}`,
+			``,
+			nil,
+			fmt.Errorf("empty arrays not allowed"),
+		},
+		{
+			"do allow empty $in arrays",
+			nil,
+			`{"status": {"$in": []}}`,
+			`("status" = ANY($1))`,
+			[]any{[]any{}},
+			nil,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/filter/fuzz_test.go b/filter/fuzz_test.go
@@ -0,0 +1,53 @@
+package filter_test
+
+import (
+	"strings"
+	"testing"
+
+	pg_query "github.com/pganalyze/pg_query_go/v5"
+	"github.com/poki/mongodb-filter-to-postgres/filter"
+)
+
+func FuzzConverter(f *testing.F) {
+	tcs := []string{
+		`{"name": "John"}`,
+		`{"age": 30, "name": "John"}`,
+		`{"players": {"$gt": 0}}`,
+		`{"age": {"$gte": 18}, "name": "John"}`,
+		`{"created_at": {"$gte": "2020-01-01T00:00:00Z"}, "name": "John", "role": "admin"}`,
+		`{"b": 1, "c": 2, "a": 3}`,
+		`{"status": {"$in": ["NEW", "OPEN"]}}`,
+		`{"status": {"$in": [{"hacker": 1}, "OPEN"]}}`,
+		`{"status": {"$in": "text"}}`,
+		`{"status": {"$in": ["guest", null]}}`,
+		`{"$or": [{"name": "John"}, {"name": "Doe"}]}`,
+		`{"$or": [{"org": "poki", "admin": true}, {"age": {"$gte": 18}}]}`,
+		`{"$or": [{"$or": [{"name": "John"}, {"name": "Doe"}]}, {"name": "Jane"}]}`,
+		`{"foo": { "$or": [ "bar", "baz" ] }}`,
+		`{"$and": [{"name": "John"}, {"version": 3}]}`,
+		`{"$and": [{"name": "John", "version": 3}]}`,
+		`{"name": {"$regex": "John"}}`,
+		`{"$or": [{"name": {"$regex": "John"}}, {"name": {"$regex": "Jane"}}]}`,
+		`{"name": {}}`,
+		`{"$or": []}`,
+		`{"status": {"$in": []}}`,
+	}
+	for _, tc := range tcs {
+		f.Add(tc)
+	}
+
+	f.Fuzz(func(t *testing.T, in string) {
+		c := filter.NewConverter()
+		where, _, err := c.Convert([]byte(in))
+		if err == nil && where != "" {
+			j, err := pg_query.ParseToJSON("SELECT * FROM test WHERE 1 AND " + where)
+			if err != nil {
+				t.Fatalf("%q %q %v", in, where, err)
+			}
+
+			if strings.Contains(j, "CommentStmt") {
+				t.Fatal(where, "CommentStmt found")
+			}
+		}
+	})
+}
diff --git a/filter/testdata/fuzz/FuzzConverter/3e813b4e3bbd8eca b/filter/testdata/fuzz/FuzzConverter/3e813b4e3bbd8eca
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("{\"A00\":{}, \"A\":\"\"}")
diff --git a/filter/testdata/fuzz/FuzzConverter/cbbad75732661f48 b/filter/testdata/fuzz/FuzzConverter/cbbad75732661f48
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("{}")
diff --git a/filter/testdata/fuzz/FuzzConverter/f7947d6c886ffd04 b/filter/testdata/fuzz/FuzzConverter/f7947d6c886ffd04
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("{\"\":\"0\"}")
diff --git a/filter/util.go b/filter/util.go
@@ -44,3 +44,23 @@ func anyToSliceMapAny(v any) ([]map[string]any, bool) {
 		return nil, false
 	}
 }
+
+func isValidPostgresIdentifier(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+
+	// The first character needs to be a letter or _
+	if !(s[0] >= 'a' && s[0] <= 'z') && !(s[0] >= 'A' && s[0] <= 'Z') && s[0] != '_' {
+		return false
+	}
+
+	for _, r := range s {
+		if (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || r == '_' {
+			continue
+		}
+		return false
+	}
+
+	return true
+}
diff --git a/go.mod b/go.mod
@@ -1,3 +1,7 @@
 module github.com/poki/mongodb-filter-to-postgres
 
 go 1.21.0
+
+require github.com/pganalyze/pg_query_go/v5 v5.1.0
+
+require google.golang.org/protobuf v1.31.0 // indirect
diff --git a/go.sum b/go.sum
@@ -0,0 +1,10 @@
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/pganalyze/pg_query_go/v5 v5.1.0 h1:MlxQqHZnvA3cbRQYyIrjxEjzo560P6MyTgtlaf3pmXg=
+github.com/pganalyze/pg_query_go/v5 v5.1.0/go.mod h1:FsglvxidZsVN+Ltw3Ai6nTgPVcK2BPukH3jCDEqc1Ug=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+go test fuzz v1`
	`2`	`+string("{\"A00\":{}, \"A\":\"\"}")`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+go test fuzz v1`
	`2`	`+string("{\"\":\"0\"}")`