Account for CR and other whitespace in prepared statements, add tests (…

…#1322) * Account for CR in prepared statements tail, add tests * Add additional whitespace characters * Add \r\n into whitespace test
cloudflare · Jul 4, 2024 · de0c66d · de0c66d
1 parent c4d67b9
commit de0c66d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/src/workerd/api/sql-test.js b/src/workerd/api/sql-test.js
@@ -238,6 +238,21 @@ async function test(storage) {
     'Error: Wrong number of parameter bindings for SQL query.'
   )
 
+  // Prepared statement with whitespace
+  const whitespace = [' ', '\t', '\n', '\r', '\v', '\f', '\r\n']
+
+  for (const char of whitespace) {
+    const prepared = sql.prepare(`SELECT 1;${char}`);
+    const result = [...prepared()]
+
+    assert.equal(result.length, 1)
+  }
+
+  // Prepared statement with multiple statements
+  assert.throws(() => {
+    sql.prepare('SELECT 1; SELECT 2;');
+  }, /A prepared SQL statement must contain only one statement./)
+
   // Accessing a hidden _cf_ table
   assert.throws(
     () => sql.exec('CREATE TABLE _cf_invalid (name TEXT)'),

diff --git a/src/workerd/util/sqlite.c++ b/src/workerd/util/sqlite.c++
@@ -399,7 +399,7 @@ kj::Own<sqlite3_stmt> SqliteDatabase::prepareSql(
     SQLITE_REQUIRE(result != nullptr, "SQL code did not contain a statement.", sqlCode);
     auto ownResult = ownSqlite(result);
 
-    while (*tail == ' ' || *tail == '\n') ++tail;
+    while (*tail == ' ' || *tail == '\t' || *tail == '\n' || *tail == '\r' || *tail == '\v' || *tail == '\f') ++tail;
 
     switch (multi) {
       case SINGLE: