Merge branch 'master' of github.com:budibase/budibase into license-auth

package.json

@@ -107,7 +107,6 @@
     "@budibase/shared-core": "*",
     "@budibase/string-templates": "*",
     "@budibase/types": "*",
-    "@budibase/pro": "npm:@budibase/pro@latest",
     "tough-cookie": "4.1.3",
     "node-fetch": "2.6.7",
     "semver": "7.5.3",

packages/server/package.json

@@ -182,6 +182,9 @@
     "yargs": "^13.2.4",
     "zod": "^3.23.8"
   },
+  "resolutions": {
+    "@budibase/pro": "npm:@budibase/pro@latest"
+  },
   "nx": {
     "targets": {
       "dev": {

packages/server/src/api/routes/tests/queries/generic-sql.spec.ts

@@ -16,7 +16,7 @@ const descriptions = datasourceDescribe({
 if (descriptions.length) {
   describe.each(descriptions)(
     "queries ($dbName)",
-    ({ config, dsProvider, isOracle, isMSSQL, isPostgres }) => {
+    ({ config, dsProvider, isOracle, isMSSQL, isPostgres, isMySQL }) => {
       let rawDatasource: Datasource
       let datasource: Datasource
       let client: Knex
@@ -217,6 +217,38 @@ if (descriptions.length) {
               expect(res).toBeDefined()
             })
         })
+
+        isMySQL &&
+          it("should handle ANSI_QUOTE=off MySQL queries with bindings", async () => {
+            const query = await createQuery({
+              fields: {
+                sql: client(tableName)
+                  .select("*")
+                  .where({
+                    name: client.raw("'{{ name }}'"),
+                  })
+                  .toString(),
+              },
+              parameters: [
+                {
+                  name: "name",
+                  default: "",
+                },
+              ],
+              queryVerb: "read",
+            })
+            const res = await config.api.query.execute(
+              query._id!,
+              {
+                parameters: { name: "one" },
+              },
+              {
+                status: 200,
+              }
+            )
+            expect(res.data.length).toEqual(1)
+            expect(res.data[0].name).toEqual("one")
+          })
       })
 
       describe("preview", () => {

packages/server/src/integrations/queries/sql.ts

@@ -1,10 +1,33 @@
 import { findHBSBlocks } from "@budibase/string-templates"
-import { DatasourcePlus } from "@budibase/types"
+import { DatasourcePlus, SourceName } from "@budibase/types"
 import sdk from "../../sdk"
 
-const CONST_CHAR_REGEX = new RegExp("'[^']*'", "g")
+const MYSQL_CONST_CHAR_REGEX = new RegExp(`"[^"]*"|'[^']*'`, "g")
+const CONST_CHAR_REGEX = new RegExp(`'[^']*'`, "g")
+
+function getConstCharRegex(sourceName: SourceName) {
+  // MySQL clients support ANSI_QUOTES mode off, this is by default
+  // but " and ' count as string literals
+  if (sourceName === SourceName.MYSQL) {
+    return MYSQL_CONST_CHAR_REGEX
+  } else {
+    return CONST_CHAR_REGEX
+  }
+}
+
+function getBindingWithinConstCharRegex(
+  sourceName: SourceName,
+  binding: string
+) {
+  if (sourceName === SourceName.MYSQL) {
+    return new RegExp(`[^']*${binding}[^']*'|"[^"]*${binding}[^"]*"`, "g")
+  } else {
+    return new RegExp(`'[^']*${binding}[^']*'`)
+  }
+}
 
 export async function interpolateSQL(
+  sourceName: SourceName,
   fields: { sql: string; bindings: any[] },
   parameters: { [key: string]: any },
   integration: DatasourcePlus,
@@ -24,10 +47,10 @@ export async function interpolateSQL(
     )
     // check if the variable was used as part of a string concat e.g. 'Hello {{binding}}'
     // start by finding all the instances of const character strings
-    const charConstMatch = sql.match(CONST_CHAR_REGEX) || []
+    const charConstMatch = sql.match(getConstCharRegex(sourceName)) || []
     // now look within them to see if a binding is used
     const charConstBindingMatch = charConstMatch.find((string: any) =>
-      string.match(new RegExp(`'[^']*${binding}[^']*'`))
+      string.match(getBindingWithinConstCharRegex(sourceName, binding))
     )
     if (charConstBindingMatch) {
       let [part1, part2] = charConstBindingMatch.split(binding)

packages/server/src/threads/query.ts

@@ -112,9 +112,15 @@ class QueryRunner {
     let query: Record<string, any>
     // handle SQL injections by interpolating the variables
     if (isSQL(datasourceClone)) {
-      query = await interpolateSQL(fieldsClone, enrichedContext, integration, {
-        nullDefaultSupport,
-      })
+      query = await interpolateSQL(
+        datasource.source,
+        fieldsClone,
+        enrichedContext,
+        integration,
+        {
+          nullDefaultSupport,
+        }
+      )
     } else {
       query = await sdk.queries.enrichContext(fieldsClone, enrichedContext)
     }

packages/worker/package.json

@@ -102,6 +102,9 @@
     "typescript": "5.7.2",
     "update-dotenv": "1.1.1"
   },
+  "resolutions": {
+    "@budibase/pro": "npm:@budibase/pro@latest"
+  },
   "nx": {
     "targets": {
       "dev": {

yarn.lock

@@ -2795,28 +2795,6 @@
     pouchdb-promise "^6.0.4"
     through2 "^2.0.0"
 
-"@budibase/pro@npm:@budibase/pro@latest":
-  version "3.4.22"
-  resolved "https://registry.yarnpkg.com/@budibase/pro/-/pro-3.4.22.tgz#943f23cb7056041bc1f433ee60b3d093145e7a4a"
-  integrity sha512-Du3iZsmRLopfoi2SvxQyY1P2Su3Nw0WbITOrKmZFsVLjZ9MzzTZs0Ph/SJHzrfJpM7rn9+8788BLSf3Z3l9KcQ==
-  dependencies:
-    "@anthropic-ai/sdk" "^0.27.3"
-    "@budibase/backend-core" "*"
-    "@budibase/shared-core" "*"
-    "@budibase/string-templates" "*"
-    "@budibase/types" "*"
-    "@koa/router" "13.1.0"
-    bull "4.10.1"
-    dd-trace "5.26.0"
-    joi "17.6.0"
-    jsonwebtoken "9.0.2"
-    lru-cache "^7.14.1"
-    memorystream "^0.3.1"
-    node-fetch "2.6.7"
-    openai "4.59.0"
-    scim-patch "^0.8.1"
-    scim2-parse-filter "^0.2.8"
-
 "@budibase/vm-browserify@^1.1.4":
   version "1.1.4"
   resolved "https://registry.yarnpkg.com/@budibase/vm-browserify/-/vm-browserify-1.1.4.tgz#eecb001bd9521cb7647e26fb4d2d29d0a4dce262"