Thread: Incorrect matching of sql/json PASSING variable names

Incorrect matching of sql/json PASSING variable names

From
Amit Langote
Date:
Hi,

Alvaro reported off-list that the following should really fail,
because the jsonpath expression refers to a PASSING variable that
doesn't exist:

select json_query('"1"', jsonpath '$xy' passing 2 AS xyz);
 json_query
------------
 2
(1 row)

This works because of a bug in GetJsonPathVar() whereby it allows a
jsonpath expression to reference any prefix of the PASSING variable
names.

Attached is a patch to fix that.

Thanks Alvaro for the report.

-- 
Thanks, Amit Langote

Attachment

Re: Incorrect matching of sql/json PASSING variable names

From
Amit Langote
Date:
On Thu, Jun 6, 2024 at 6:20 PM Amit Langote <amitlangote09@gmail.com> wrote:
>
> Hi,
>
> Alvaro reported off-list that the following should really fail,
> because the jsonpath expression refers to a PASSING variable that
> doesn't exist:
>
> select json_query('"1"', jsonpath '$xy' passing 2 AS xyz);
>  json_query
> ------------
>  2
> (1 row)
>
> This works because of a bug in GetJsonPathVar() whereby it allows a
> jsonpath expression to reference any prefix of the PASSING variable
> names.
>
> Attached is a patch to fix that.

Here's an updated version that I'll push tomorrow.

--
Thanks, Amit Langote

Attachment

Re: Incorrect matching of sql/json PASSING variable names

From
Amit Langote
Date:
On Thu, Jun 13, 2024 at 5:04 PM Amit Langote <amitlangote09@gmail.com> wrote:
> On Thu, Jun 6, 2024 at 6:20 PM Amit Langote <amitlangote09@gmail.com> wrote:
> >
> > Hi,
> >
> > Alvaro reported off-list that the following should really fail,
> > because the jsonpath expression refers to a PASSING variable that
> > doesn't exist:
> >
> > select json_query('"1"', jsonpath '$xy' passing 2 AS xyz);
> >  json_query
> > ------------
> >  2
> > (1 row)
> >
> > This works because of a bug in GetJsonPathVar() whereby it allows a
> > jsonpath expression to reference any prefix of the PASSING variable
> > names.
> >
> > Attached is a patch to fix that.
>
> Here's an updated version that I'll push tomorrow.

Pushed.

(Seems like pgsql-committers notification has stalled.)

--
Thanks, Amit Langote