knex icon indicating copy to clipboard operation
knex copied to clipboard
verified publisher icon knex

Prevent unexpected combinations of statements and clauses groups from executing

Open myndzi opened this issue 1 month ago • 3 comments

Fixes #4070, #6074

Clauses such as "HAVING" and "WHERE" have no effect on "DELETE" or "TRUNCATE" statements. Due to the architecture of knex, dialects override various base methods for building specific statements. The methods implementing these statements don't explicitly check for the presence of clauses that a user might expect to have an effect, but there isn't a good place to ensure that such queries fail systematically.

This commit introduces a "_preValidate" method on the root QueryCompiler class and a set of disallowed verb/clause combinations that will throw an error before doing any SQL-building work. This should make it consistent to prevent anything like knex.having(...).del() from unintentionally deleting all rows.

The current configuration disallows "HAVING" from "DELETE" statements, and both "WHERE" and "HAVING" from "TRUNCATE" statements.

Update: Now also rejects "LIMIT" from "DELETE" and "TRUNCATE"

myndzi avatar Nov 15 '25 18:11 myndzi

r? @mercmobily

myndzi avatar Nov 15 '25 18:11 myndzi

Coverage Status

coverage: 93.095% (+0.02%) from 93.076% when pulling 1f51849d2a3519d302300dec9624e6d63dcaa31b on myndzi:myndzi/issue-4070/fail-delete-having into c92bbb3d30676b564bb5b6b09488dda1d6b11475 on knex:master.

coveralls avatar Nov 15 '25 18:11 coveralls

(This needs a re-run of the one CI task - it failed on a network error updating coveralls)

myndzi avatar Nov 19 '25 07:11 myndzi

(rebased onto master)

myndzi avatar Dec 12 '25 19:12 myndzi