From 30e506ef253bc902078aadfb9c841a5f0f907658 Mon Sep 17 00:00:00 2001
From: Oleg Volchkov <oleg@volchkov.net>
Date: Mon, 28 Jul 2025 18:22:22 +0300
Subject: [PATCH] =?UTF-8?q?=D0=97=D0=B0=D0=BC=D0=B5=D0=BB=D0=B8=20=D0=BC?=
 =?UTF-8?q?=D0=B5=D1=82=D0=BE=D0=B4=20lib/orm/models/sql=5Ftable.p@pfSQLTa?=
 =?UTF-8?q?ble.=5F=5FnormalizeWhitespaces=20=D0=BD=D0=B0=20=5F=5FuntaintSQ?=
 =?UTF-8?q?L=20=D1=81=20=D1=8F=D0=B2=D0=BD=D1=8B=D0=BC=20apply-taint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Иначе при ошибках могли получить untaint outside connect :)
---
 lib/sql/models/sql_table.p | 70 +++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 39 deletions(-)

diff --git a/lib/sql/models/sql_table.p b/lib/sql/models/sql_table.p
index b80ca24..3f433c4 100644
--- a/lib/sql/models/sql_table.p
+++ b/lib/sql/models/sql_table.p
@@ -352,7 +352,7 @@ pfClass
 ##   + Все опции pfSQL.
   ^self.cleanMethodArgument[aOptions;aSQLOptions]
   $lResultType[^if(def $aOptions.asHashOn){table}{^self.__getResultType[$aOptions]}]
-  $result[^self.CSQL.[$lResultType]{^self.__normalizeWhitespaces{^self.__allSQLExpression[$lResultType;$aOptions;$aSQLOptions]}}[][$aSQLOptions]]
+  $result[^self.CSQL.[$lResultType]{^self.__untaintSQL{^self.__allSQLExpression[$lResultType;$aOptions;$aSQLOptions]}}[][$aSQLOptions]]
 
   ^if($result is table && def $aOptions.asHashOn){
     $result[^result.hash[$aOptions.asHashOn;$.type[table] $.distinct(true)]]
@@ -361,10 +361,8 @@ pfClass
 @allSQL[aOptions;aSQLOptions]
 ## Возвращает текст запроса из метода all.
   ^self.cleanMethodArgument[aOptions;aSQLOptions]
-  ^CSQL.connect{
-    $lResultType[^self.__getResultType[$aOptions]]
-    $result[^self.__normalizeWhitespaces{^self.__allSQLExpression[$lResultType;$aOptions;$aSQLOptions]}[$.apply(true)]]
-  }
+  $lResultType[^self.__getResultType[$aOptions]]
+  $result[^self.__untaintSQL{^self.__allSQLExpression[$lResultType;$aOptions;$aSQLOptions]}]
 
 @union[*aConds]
 ## Выполняет несколько запросов и объединяет их в один результат.
@@ -399,7 +397,7 @@ pfClass
 # Если нужны сложные варианты используйте aggregate.
   $aConds[^hash::create[$aConds] $.orderBy[] $.having[]]
   $lExpression[^self._selectExpression[COUNT(*)][;$aConds;$aSQLOptions]]
-  $result[^self.CSQL.int{^self.__normalizeWhitespaces{$lExpression}}[][$aSQLOptions]]
+  $result[^self.CSQL.int{^self.__untaintSQL{$lExpression}}[][$aSQLOptions]]
 
 @aggregate[*aConds]
 ## Выборки с группировкой
@@ -411,7 +409,7 @@ pfClass
   $lConds[^self.__getAgrConds[$aConds]]
   $lResultType[^if(def $lConds.options.asHashOn){table}{^self.__getResultType[$lConds.options]}]
   $lExpression[^self.__aggregateSQLExpression[$lResultType;$lConds]]
-  $result[^self.CSQL.[$lResultType]{^self.__normalizeWhitespaces{$lExpression}}[][$lConds.sqlOptions]]
+  $result[^self.CSQL.[$lResultType]{^self.__untaintSQL{$lExpression}}[][$lConds.sqlOptions]]
 
   ^if($result is table && def $lConds.options.asHashOn){
     $result[^result.hash[$lConds.options.asHashOn;$.type[table] $.distinct(true)]]
@@ -419,12 +417,10 @@ pfClass
 
 @aggregateSQL[*aConds]
 ## Возвращает текст запроса из метода aggregate.
-  ^CSQL.connect{
-    $lConds[^self.__getAgrConds[$aConds]]
-    $lResultType[^self.__getResultType[$lConds.options]]
-    $lExpression[^self.__aggregateSQLExpression[$lResultType;$lConds]]
-    $result[^self.CSQL.connect{^self.__normalizeWhitespaces{$lExpression}[$.apply(true)]}]
-  }
+  $lConds[^self.__getAgrConds[$aConds]]
+  $lResultType[^self.__getResultType[$lConds.options]]
+  $lExpression[^self.__aggregateSQLExpression[$lResultType;$lConds]]
+  $result[^self.CSQL.connect{^self.__untaintSQL{$lExpression}}]
 
 #----- Манипуляции с данными -----
 
@@ -437,7 +433,7 @@ pfClass
     ^self.assert(!$self._readOnlyTable){Модель $self.CLASS_NAME в режиме read only (только чтение данных)}
     ^self.cleanMethodArgument[aData;aSQLOptions]
     ^self.asContext[update]{
-      $result[^self.CSQL.void{^self.__normalizeWhitespaces{^self._builder.insertStatement[$self.TABLE_NAME;$self._fields;^if($aData is table){$aData.fields}{$aData};
+      $result[^self.CSQL.void{^self.__untaintSQL{^self._builder.insertStatement[$self.TABLE_NAME;$self._fields;^if($aData is table){$aData.fields}{$aData};
         ^hash::create[$aSQLOptions]
         $.skipFields[$self._skipOnInsert]
         $.schema[$self.SCHEMA]
@@ -456,7 +452,7 @@ pfClass
   ^self.assert(def $aPrimaryKeyValue){Не задано значение первичного ключа}
   ^self.cleanMethodArgument[aData]
   $result[^self.CSQL.void{
-    ^self.asContext[update]{^self.__normalizeWhitespaces{
+    ^self.asContext[update]{^self.__untaintSQL{
       ^self._builder.updateStatement[$self.TABLE_NAME;$self._fields;^if($aData is table){$aData.fields}{$aData}][$self.PRIMARYKEY = ^self.fieldValue[$self._fields.[$self._primaryKey];$aPrimaryKeyValue]][
         $.skipAbsent(true)
         $.skipFields[$self._skipOnUpdate]
@@ -490,7 +486,7 @@ pfClass
   ^self.assert(def $self._primaryKey){Не определен первичный ключ для таблицы ${TABLE_NAME}.}
   ^self.assert(def $aPrimaryKeyValue){Не задано значение первичного ключа}
   $result[^self.CSQL.void{
-    ^self.asContext[update]{^self.__normalizeWhitespaces{
+    ^self.asContext[update]{^self.__untaintSQL{
       DELETE FROM ^if(def $self.SCHEMA){^self._builder.quoteIdentifier[$self.SCHEMA].}^self._builder.quoteIdentifier[$self.TABLE_NAME] WHERE $self.PRIMARYKEY = ^self.fieldValue[$self._fields.[$self._primaryKey];$aPrimaryKeyValue]
     }}
   }[][$aSQLOptions]]
@@ -506,7 +502,7 @@ pfClass
   $aValue(^if(def $aValue){$aValue}{1})
   $lFieldName[^self._builder.sqlFieldName[$self._fields.[$aFieldName]]]]
   $result[^self.CSQL.void{
-    ^self.asContext[update]{^self.__normalizeWhitespaces{
+    ^self.asContext[update]{^self.__untaintSQL{
       UPDATE ^if(def $self.SCHEMA){^self._builder.quoteIdentifier[$self.SCHEMA].}^self._builder.quoteIdentifier[$self.TABLE_NAME]
          SET $lFieldName = $lFieldName ^if($aValue < 0){-}{+} ^self.fieldValue[$self._fields.[$aFieldName]](^math:abs($aValue))
        WHERE $self.PRIMARYKEY = ^self.fieldValue[$self._fields.[$self._primaryKey];$aPrimaryKeyValue]
@@ -521,7 +517,7 @@ pfClass
   ^self.assert(!$self._readOnlyTable){Модель $self.CLASS_NAME в режиме read only (только чтение данных)}
   ^self.cleanMethodArgument[aOptions;aData]
   $result[^self.CSQL.void{
-    ^self.asContext[update]{^self.__normalizeWhitespaces{
+    ^self.asContext[update]{^self.__untaintSQL{
       ^self._builder.updateStatement[$self.TABLE_NAME;$self._fields;$aData][
         ^self._allWhere[$aOptions]
       ][
@@ -538,21 +534,19 @@ pfClass
 ## Возвращает текст запроса метода modifyAll
   ^self.assert(!$self._readOnlyTable){Модель $self.CLASS_NAME в режиме read only (только чтение данных)}
   ^self.cleanMethodArgument[aOptions;aData]
-  ^CSQL.connect{
-    $result[
-      ^self.asContext[update]{^self.__normalizeWhitespaces{
-        ^self._builder.updateStatement[$self.TABLE_NAME;$self._fields;$aData][
-          ^self._allWhere[$aOptions]
-        ][
-          $.schema[$self.SCHEMA]
-          $.skipAbsent(true)
-          $.skipFields[$self._skipOnUpdate]
-          $.emptySetExpression[]
-          $.fieldValueFunction[$self.fieldValue]
-        ]
-      }}
-    ]
-  }
+  $result[
+    ^self.asContext[update]{^self.__untaintSQL{
+      ^self._builder.updateStatement[$self.TABLE_NAME;$self._fields;$aData][
+        ^self._allWhere[$aOptions]
+      ][
+        $.schema[$self.SCHEMA]
+        $.skipAbsent(true)
+        $.skipFields[$self._skipOnUpdate]
+        $.emptySetExpression[]
+        $.fieldValueFunction[$self.fieldValue]
+      ]
+    }}
+  ]
 
 @deleteAll[aOptions]
 ## Удаляем все записи из таблицы
@@ -560,7 +554,7 @@ pfClass
   ^self.assert(!$self._readOnlyTable){Модель $self.CLASS_NAME в режиме read only (только чтение данных)}
   ^self.cleanMethodArgument[]
   $result[^self.CSQL.void{
-    ^self.asContext[update]{^self.__normalizeWhitespaces{
+    ^self.asContext[update]{^self.__untaintSQL{
       DELETE FROM ^if(def $self.SCHEMA){^self._builder.quoteIdentifier[$self.SCHEMA].}^self._builder.quoteIdentifier[$self.TABLE_NAME]
        WHERE ^self._allWhere[$aOptions]
     }}
@@ -903,11 +897,9 @@ pfClass
 
   $result[^result.foreach[_;v]{$v.expr^if(def $v.alias){ AS ^self._builder.quoteIdentifier[$v.alias]}}[, ]]
 
-@__normalizeWhitespaces[aQuery;aOptions]
-  $result[^untaint[optimized-as-is]{^untaint[sql]{$aQuery}}]
-
-  ^if(^aOptions.apply.bool(false)){
-    $result[^apply-taint[$result]]
+@__untaintSQL[aQuery]
+  ^CSQL.connect{
+    $result[^apply-taint[sql][$aQuery]]
   }
 
 #----------------------------------------------------------------------------------------------------------------------