Malformed array literal: Knex 2.4.0 regression #5430
Comments
Just Confirmed that 2.3.0 downgrade fixes the issue
I'm also experiencing this breaking issue, confirmed downgrading fixed.
After trying to upgrade to 2.4.0 to fix the CVE, our tests started failing, example:
2.3.0 fixes the issue. Just FYI, when I was testing this issue, I added
FYI, this comes from the parameterize function in the client. From
To:
// json columns can have object in values.
if (isPlainObject(value) || Array.isArray(value)) {
  value = JSON.stringify(value);
}
I suppose that the intent of the fix was to allow JSON columns having arrays (as it's totally legit), but without introspection (or another hint), it's not possible to distinguish legit array columns from JSON columns with an array value.
I get the same issue, by trying to update Knex from 2.3.0 to 2.4.0 due to the CVE. As knex does know the column type, we implement on our side the
Same here. All JSON inserts of empty arrays fail.
+1 on this, had to downgrade to 2.3.0. A workaround for inserting arrays is like so
Is there any plan to release a fix for CVE reported in 2.3.0 without the regression introduced in 2.4.0?
Not to 2.4.0 because of knex/knex#5430
I submitted a new PR to add a check for array containing plain object rather than just do an Array.isArray check #5444
// check for plain object and array containing at least one plain object
if (isPlainObject(value) || (Array.isArray(value) && value.some(isPlainObject))) {
  value = JSON.stringify(value);
}
@minh-hoang-trinh We use Pretty sure the only option here is revert the change #5431
@caseywebdev, I might have missed something, but IMHO, my suggestion to change is to be able to distinguish between primitive array values (such as string array, number array) versus plain object arrays (that should be stored using but I also noted that it might be better to serialize values based on column type, and not on the structure of the input
We prefer to use Again, knex has serialized this way for so long now, I don't see another option besides reverting this breaking change.
@caseywebdev I'm sorry, I have surely missed something (it's Friday 👀)... Normally, the change suggested is just to Can you please give me an example for case with
Our app has several instances of storing arrays of objects in select '[{"foo":"bar"}]'::json[] is invalid
The correct way to serialize an array with one item of select E'{"{\\"foo\\":\\"bar\\"}"}'::json[] Hope that clears it up.
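The two serializations discussed in this thread, side by side, as an added example that is not part of the original comments and is not Knex or node-postgres code. `toPgArrayLiteral`, `isAcceptedAsArrayLiteral` and `compare` are hypothetical helpers and the sample values are constructed.

```javascript
// Added illustration, not Knex or node-postgres source.
// Encodes a JS array as a PostgreSQL array literal: elements are
// double-quoted, with backslash and double quote escaped by a backslash.
function toPgArrayLiteral(arr) {
  const items = arr.map((el) => {
    if (el === null || el === undefined) return 'NULL';
    if (Array.isArray(el)) return toPgArrayLiteral(el); // nested dimension
    // Objects are elements of a json[]/jsonb[] column: serialize each one.
    const text = typeof el === 'object' ? JSON.stringify(el) : String(el);
    return '"' + text.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
  });
  return '{' + items.join(',') + '}';
}

// Rough stand-in for the server's first check on an array literal: it must
// open with '{' (an optional dimension prefix such as [1:3]= is ignored here).
function isAcceptedAsArrayLiteral(text) {
  return text.startsWith('{') && text.endsWith('}');
}

// Constructed sample values for the column kinds mentioned in the thread.
const samples = [
  { column: 'text[]', value: ['a', 'b'] },
  { column: 'text[]', value: [] },
  { column: 'json[]', value: [{ foo: 'bar' }] },
];

function compare(value) {
  const asJson = JSON.stringify(value);    // what the 2.4.0 check produced for any array
  const asArray = toPgArrayLiteral(value); // what an array-typed column expects
  return {
    asJson,
    asArray,
    jsonOk: isAcceptedAsArrayLiteral(asJson),
    arrayOk: isAcceptedAsArrayLiteral(asArray),
  };
}

for (const { column, value } of samples) {
  console.log(column, compare(value));
}
```

The third sample is the case the `value.some(isPlainObject)` heuristic cannot handle: the value is an array containing a plain object, yet a `json[]` column still needs the array literal form.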
Thanks @caseywebdev. Indeed it's now much clearer! Seems to me that insert json object (plain and array) tests are missing in integration tests. Maybe I can try to add some.
Released in 2.4.1
Environment
Knex version: 2.4.0
Database + version: postgre 14
OS: windows & unix
Bug
Explain what kind of behaviour you are getting and how you think it should do
Error message
Hello! Due to investigation in my own project I was able to pinpoint an issue with Knex in the just released 2.4.0 version.
One of my table rows uses a text array (_text) as type. Until 2.4.0 I'd inserted js-array as values w/o any problem. However new version introduces the error posted above. I;' #5321 PR just introduced to be a cause.