connection: interpolate json.RawMessage as string

[alexsn]

json encoded data is represented as bytes however it should be
interpolated as a string.

Signed-off-by: Alex Snast alexsn@fb.com

Description

On argument interpolation treat json.RawMessage as a string instead of []bytes to prevents _binary statement injection.

Checklist

• Code compiles correctly
• Created tests which fail without the change (if possible)
• All tests passing
• Added myself / the copyright holder to the AUTHORS file

[julienschmidt]

LGTM. Thanks!

[dolmen]

I'm sad this has been merged.
The mysql driver now has a strong dependency on a particular implementation of JSON encoding/decoding (this implementation being in the stdlib is not an excuse). How the growth of dependencies will stop if such patches are accepted?

This is just a user error to pass a json.RawMessage to the driver as this is not a driver.Value. The user should just not pass json.RawMessage. Use instead a type that wraps json.RawMessage and implements driver.Valuer and sql.Scanner, but not in the driver itself.

I wrote this function that allows to wrap a json.RawMessage (or any other type that is is serialized as JSON in a DB column), and this doesn't require to patch any SQL drivers.

var errInvalidJSONWrapperValue = errors.New("invalid target value for sqlutil.JSON wrapper")
var errInvalidJSONValue = errors.New("invalid value for sqlutil.JSON target")

// JSON is an helper to wrap a value for I/O to a database column as a JSON string
func JSON(p interface{}) driver.Value {
	if p == nil {
		panic(errInvalidJSONWrapperValue)
	}
	v := reflect.ValueOf(p)
	if v.Kind() == reflect.Ptr && !v.IsNil() && v.Elem().CanSet() {
		return jsonScanner{jsonValuer{p}}
	} else {
		return jsonValuer{p}
	}
}

type jsonValuer struct {
	target interface{}
}

type jsonScanner struct {
	jsonValuer
}

// Value implements interface driver.Valuer for both jsonValuer and jsonScanner
func (j jsonValuer) Value() (driver.Value, error) {
	return json.Marshal(j.target)
}

// Scan implements interface sql.Scanner
func (j jsonScanner) Scan(value interface{}) error {
	switch value := value.(type) {
	case []byte:
		return json.Unmarshal(value, j.target)
	case string:
		return json.Unmarshal([]byte(value), j.target)
	default:
		target := reflect.ValueOf(j.target)
		source := reflect.ValueOf(value)
		if value == nil {
			source = reflect.Zero(target.Elem().Type())
		}
		if !source.Type().AssignableTo(target.Elem().Type()) {
			return errInvalidJSONValue
		}
		target.Elem().Set(source)
		return nil
	}
}

[alexsn]

The fact that we use types from stdlib doesn't add any dependency so I'm not sure what you mean by saying "How the growth of dependencies will stop ...".