Ensure values from parser are escaped

[Raynos]

We have an example like

const expression = 'SET $(elevation) = 46.6'
const { err, data } = await table.update('oregon', 'salem', expression)

Our users are going to do something like

const expression = 'SET $(elevation) = ' + newValue
const { err, data } = await table.update('oregon', 'salem', expression)

^ This is a DynamoDB injection waiting to happen.

We should have something like

const expression = table.expr`SET $(elevation) = ${newValue}`
const { err, data } = await table.update('oregon', 'salem', expression)

With a function that does escaping for whatever

[heapwolf]

It would actually be like this which prevents injection. The example you give with concat and template literal would throw a parse error.

const expression = `SET $(elevation) = S(${newValue})`
const { err, data } = await table.update('oregon', 'salem', expression)

all values must be typed.

[Raynos]

hmm after reading the docs & source code more I think this just needs docs & tests.

I don't know if table.expr is going to be necessary but it would be more like table.parseQuery.

If we did it so that the update method took the { expression, attributeNames, attributeValues }as a parameter and the users has to doparseQuery`...`` to create such an object.

I don't know if a templat eliteral is necessary for the parseQuery() fn or if a string is enough.

[heapwolf]

in theory you could do some fancy stuff with template-tags, but I think having explicit types is probably less error prone. you can still use template tags to emplace values.

[heapwolf]

... N(100) ... is 1. contained 2. isolates the value from the query, 3. requires a type.

[Raynos]

👍 I think that syntax is good.

We just need to add more tests to make sure theres no injection attack on our syntax.

[Raynos]

For example

const newValue = '100) AND SET $(rekt) = S(100'
const expression = `SET $(elevation) = S(${newValue})`

[Raynos]

basically // TODO escaping