adding safeguard preventing injection of WKT strings

pacesm · pacesm · commit ccfe94ead408 · 2025-11-04T15:40:41.000+01:00
- WKT geometry in the CQL2-text is not supposed to quoted as a string
- Postgres tries to cast WKT string to an incorrect geometry type
  which consequently leads to a confusing error.
diff --git a/src/stac_fastapi_pgstac_pair_search/sql/pair_search_alt.sql b/src/stac_fastapi_pgstac_pair_search/sql/pair_search_alt.sql
@@ -834,7 +834,7 @@ $$ LANGUAGE PLPGSQL; -- STABLE;
 
 -- handle spatial operators
 CREATE OR REPLACE FUNCTION _spatial_operators(
-    IN query jsonb,
+    query jsonb,
     prefixes text[] DEFAULT NULL
 ) RETURNS text AS $$
 DECLARE
@@ -896,6 +896,8 @@ BEGIN
         RETURN format('%L::geometry', bbox_geom(query->'bbox')::text);
     ELSIF jsonb_typeof(query) = 'array' THEN
         RETURN format('%L::geometry', bbox_geom(query)::text);
+    ELSIF jsonb_typeof(query) IN ('string', 'number') THEN
+        RAISE EXCEPTION 'A % literal is not allowed as an argument of spatial operator.', jsonb_typeof(query);
     END IF;
 
     IF query ? 'op' AND query ? 'args' THEN
