sqlite: reject invalid qualified refs in correlated subqueries

Signed-off-by: Amirhossein Akhlaghpour <[email protected]>

Author: Mehrbod2002

internal/compiler/analyze.go

@@ -182,8 +182,8 @@ func (c *Compiler) _analyzeQuery(raw *ast.RawStmt, query string, failfast bool)
 	}
 
 	if c.conf.Engine == config.EngineSQLite {
-		if err := validateSQLiteQualifiedColumnRefs(raw.Stmt); err != nil {
-			return nil, check(err)
+		if err := check(validate.ValidateSQLiteQualifiedColumnRefs(raw.Stmt)); err != nil {
+			return nil, err
 		}
 	}
 

internal/engine/sqlite/analyzer/analyze.go

@@ -17,6 +17,7 @@ import (
 	"github.com/sqlc-dev/sqlc/internal/sql/catalog"
 	"github.com/sqlc-dev/sqlc/internal/sql/named"
 	"github.com/sqlc-dev/sqlc/internal/sql/sqlerr"
+	"github.com/sqlc-dev/sqlc/internal/sql/validate"
 )
 
 type Analyzer struct {
@@ -76,6 +77,16 @@ func (a *Analyzer) Analyze(ctx context.Context, n ast.Node, query string, migrat
 		}
 	}
 
+	// SQLite-specific validation
+	toValidate := n
+	if raw, ok := n.(*ast.RawStmt); ok && raw != nil && raw.Stmt != nil {
+		toValidate = raw.Stmt
+	}
+
+	if err := validate.ValidateSQLiteQualifiedColumnRefs(toValidate); err != nil {
+		return nil, err
+	}
+
 	// Prepare the statement to get column and parameter information
 	stmt, _, err := a.conn.Prepare(query)
 	if err != nil {

internal/compiler/validator.go …al/sql/validate/sqlite_qualified_refs.gointernal/compiler/validator.go renamed to internal/sql/validate/sqlite_qualified_refs.go internal/compiler/validator.go renamed to internal/sql/validate/sqlite_qualified_refs.go

@@ -1,4 +1,4 @@
-package compiler
+package validate
 
 import (
 	"fmt"
@@ -8,47 +8,28 @@ import (
 	"github.com/sqlc-dev/sqlc/internal/sql/sqlerr"
 )
 
-/*
-This file implements SQLite-specific validation for qualified column references.
-
-Problem:
-  SQLite allows invalid correlated references to pass parsing, e.g.
-
-    SELECT *
-    FROM locations l
-    WHERE EXISTS (
-      SELECT 1
-      FROM projects p
-      WHERE p.id = location.project_id -- invalid: "location" not in scope
-    )
-
-SQLite itself errors at runtime, but sqlc historically accepted this query.
-This validator rejects such queries during compilation, matching SQLite behavior.
-*/
+// ValidateSQLiteQualifiedColumnRefs validates that qualified column references
+// only use visible tables/aliases in the current or outer SELECT scopes.
+func ValidateSQLiteQualifiedColumnRefs(root ast.Node) error {
+	return validateNodeSQLite(root, nil)
+}
 
-// scope represents the set of visible table names and aliases at a SELECT level.
-// parent enables correlated subqueries to see outer query tables.
 type scope struct {
 	parent *scope
 	names  map[string]struct{}
 }
 
 func newScope(parent *scope) *scope {
-	return &scope{
-		parent: parent,
-		names:  map[string]struct{}{},
-	}
+	return &scope{parent: parent, names: map[string]struct{}{}}
 }
 
-// add registers a visible table name or alias.
 func (s *scope) add(name string) {
 	if name == "" {
 		return
 	}
 	s.names[name] = struct{}{}
 }
 
-// has checks whether a name is visible in this scope or any parent scope.
 func (s *scope) has(name string) bool {
 	for cur := s; cur != nil; cur = cur.parent {
 		if _, ok := cur.names[name]; ok {
@@ -58,13 +39,19 @@ func (s *scope) has(name string) bool {
 	return false
 }
 
-// qualifierFromColumnRef extracts the table/alias portion of a qualified ref.
-//
-// Examples:
-//
-//	a.b       -> "a"
-//	s.a.b     -> "a"  (schema.table.column)
-//	b         -> ""   (unqualified)
+func stringSlice(list *ast.List) []string {
+	if list == nil {
+		return nil
+	}
+	out := make([]string, 0, len(list.Items))
+	for _, it := range list.Items {
+		if s, ok := it.(*ast.String); ok {
+			out = append(out, s.Str)
+		}
+	}
+	return out
+}
+
 func qualifierFromColumnRef(ref *ast.ColumnRef) (string, bool) {
 	if ref == nil || ref.Fields == nil {
 		return "", false
@@ -80,7 +67,6 @@ func qualifierFromColumnRef(ref *ast.ColumnRef) (string, bool) {
 	}
 }
 
-// addFromItemToScope records tables and aliases introduced by FROM/JOIN items.
 func addFromItemToScope(sc *scope, n ast.Node) {
 	switch t := n.(type) {
 	case *ast.RangeVar:
@@ -90,59 +76,40 @@ func addFromItemToScope(sc *scope, n ast.Node) {
 		if t.Alias != nil && t.Alias.Aliasname != nil {
 			sc.add(*t.Alias.Aliasname)
 		}
-
 	case *ast.JoinExpr:
 		addFromItemToScope(sc, t.Larg)
 		addFromItemToScope(sc, t.Rarg)
-
 	case *ast.RangeSubselect:
 		if t.Alias != nil && t.Alias.Aliasname != nil {
 			sc.add(*t.Alias.Aliasname)
 		}
-
 	case *ast.RangeFunction:
 		if t.Alias != nil && t.Alias.Aliasname != nil {
 			sc.add(*t.Alias.Aliasname)
 		}
 	}
 }
 
-// validateSQLiteQualifiedColumnRefs is the public entry point.
-// It validates that qualified column references only use visible tables/aliases.
-func validateSQLiteQualifiedColumnRefs(root ast.Node) error {
-	return validateNodeSQLite(root, nil)
-}
-
-// validateNodeSQLite validates a SELECT node and establishes a new scope.
-// Nested SELECTs receive the current scope as their parent.
 func validateNodeSQLite(node ast.Node, parent *scope) error {
 	switch n := node.(type) {
 	case *ast.SelectStmt:
 		sc := newScope(parent)
-
-		// Collect visible names from FROM clause
 		if n.FromClause != nil {
 			for _, item := range n.FromClause.Items {
 				addFromItemToScope(sc, item)
 			}
 		}
-
-		// Walk this SELECT subtree with the new scope
 		return walkSQLite(n, sc)
-
 	default:
-		// Only SELECTs introduce scopes; other nodes are irrelevant here.
 		return nil
 	}
 }
 
-// walkSQLite recursively walks an AST node, validating ColumnRef qualifiers.
 func walkSQLite(node ast.Node, sc *scope) error {
 	if node == nil {
 		return nil
 	}
 
-	// Pre-order validation: check ColumnRef immediately
 	if ref, ok := node.(*ast.ColumnRef); ok {
 		if qual, ok := qualifierFromColumnRef(ref); ok && !sc.has(qual) {
 			return &sqlerr.Error{
@@ -153,27 +120,22 @@ func walkSQLite(node ast.Node, sc *scope) error {
 		}
 	}
 
-	// Explicit handling of subquery boundaries
 	switch n := node.(type) {
 	case *ast.SubLink:
 		if n.Subselect != nil {
 			return validateNodeSQLite(n.Subselect, sc)
 		}
 		return nil
-
 	case *ast.RangeSubselect:
 		if n.Subquery != nil {
 			return validateNodeSQLite(n.Subquery, sc)
 		}
 		return nil
 	}
 
-	// Generic recursion for all other node types
 	return walkSQLiteReflect(node, sc)
 }
 
-// walkSQLiteReflect traverses AST nodes via reflection.
-// This avoids dependency on astutils.Walk, whose signature varies.
 func walkSQLiteReflect(node ast.Node, sc *scope) error {
 	v := reflect.ValueOf(node)
 	if v.Kind() == reflect.Pointer {
@@ -188,25 +150,21 @@ func walkSQLiteReflect(node ast.Node, sc *scope) error {
 
 	t := v.Type()
 	for i := 0; i < v.NumField(); i++ {
-		// Skip unexported fields
 		if t.Field(i).PkgPath != "" {
 			continue
 		}
-
 		f := v.Field(i)
 		if !f.IsValid() {
 			continue
 		}
 
-		// Dereference pointers
 		for f.Kind() == reflect.Pointer {
 			if f.IsNil() {
 				goto next
 			}
 			f = f.Elem()
 		}
 
-		// Handle ast.List
 		if f.Type() == reflect.TypeOf(ast.List{}) {
 			list := f.Addr().Interface().(*ast.List)
 			for _, n := range list.Items {
@@ -217,7 +175,6 @@ func walkSQLiteReflect(node ast.Node, sc *scope) error {
 			continue
 		}
 
-		// Handle *ast.List
 		if f.CanAddr() {
 			if pl, ok := f.Addr().Interface().(**ast.List); ok && *pl != nil {
 				for _, n := range (*pl).Items {
@@ -229,7 +186,6 @@ func walkSQLiteReflect(node ast.Node, sc *scope) error {
 			}
 		}
 
-		// Handle single ast.Node
 		if f.CanInterface() {
 			if n, ok := f.Interface().(ast.Node); ok {
 				if err := walkSQLite(n, sc); err != nil {
@@ -239,7 +195,6 @@ func walkSQLiteReflect(node ast.Node, sc *scope) error {
 			}
 		}
 
-		// Handle slices of ast.Node
 		if f.Kind() == reflect.Slice {
 			for j := 0; j < f.Len(); j++ {
 				elem := f.Index(j)