…used with work manager, update to prisma 7, add in SFDC / BA calls
…ng Sequlize and are reusing it.
    }

    private escapeSoqlLiteral(value: string): string {
        return String(value).replace(/'/g, "\\'");
Check failure: Code scanning / CodeQL
Incomplete string escaping or encoding (High)
Copilot Autofix
AI 3 days ago
In general, when implementing a custom escaping function for string literals, you must escape backslashes themselves in addition to other meta-characters (like quotes) and ensure all occurrences are handled globally. A common safe pattern is to first escape all backslashes by replacing \ with \\, and then escape single quotes by replacing ' with \' (or whatever the literal syntax requires). Using regular expressions with the g flag guarantees that every instance is processed.
For this specific code, the best minimal fix is to update escapeSoqlLiteral to escape backslashes before escaping single quotes. This can be achieved by chaining two .replace calls: first value.replace(/\\/g, '\\\\') to double every backslash, then .replace(/'/g, "\\'") to prefix single quotes with a backslash. This keeps the function behavior the same for strings without backslashes while correctly handling inputs that contain them, and doesn’t require any changes elsewhere in the codebase. No new imports or helper methods are needed; the change is local to escapeSoqlLiteral in src/shared/services/billingAccount.service.ts around line 352–354.
| @@ -350,7 +350,9 @@ | ||
| } | ||
|
|
||
| private escapeSoqlLiteral(value: string): string { | ||
| return String(value).replace(/'/g, "\\'"); | ||
| return String(value) | ||
| .replace(/\\/g, '\\\\') | ||
| .replace(/'/g, "\\'"); | ||
| } | ||
|
|
||
| private normalizePrivateKey(rawKey: string): string { |
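Review bot: The order of the two `.replace` calls in the new `escapeSoqlLiteral` body is the part that must not be reversed: doubling backslashes first (`.replace(/\\/g, '\\\\')`) and only then prefixing quotes (`.replace(/'/g, "\\'")`) means the backslash added in front of a quote is never itself doubled, which would otherwise re-expose the quote. Since this is the only place the literal is escaped, please add a unit test alongside the change covering (a) an input containing both characters, for example `O'Neil\` expected to become `O\'Neil\\`, and (b) an input ending in a lone backslash, which with the previous single `replace(/'/g, "\\'")` was left able to consume the closing quote of the SOQL literal.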
No description provided.
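The following is an added example, not code from this repository or from the Copilot suggestion. It places the incomplete escaper that CodeQL flagged next to the corrected one, adds a third variant with the two replacements in the wrong order, and uses a small lexer that models only SOQL's backslash escape rule to check whether a value can push text outside its quoted literal. The names `buildWhere`, `findClosingQuote` and `literalIsContained` are assumptions introduced here for illustration.

```typescript
// Incomplete escaper (the pattern CodeQL reported): only single quotes are handled.
function escapeSoqlLiteralIncomplete(value: string): string {
  return String(value).replace(/'/g, "\\'");
}

// Same two replacements, but quotes first: the backslash added for the quote is then doubled.
function escapeSoqlLiteralWrongOrder(value: string): string {
  return String(value)
    .replace(/'/g, "\\'")
    .replace(/\\/g, "\\\\");
}

// Corrected escaper: backslashes first, then single quotes (the order matters).
function escapeSoqlLiteral(value: string): string {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'");
}

// Hypothetical helper: embeds an escaped value in a quoted SOQL comparison.
function buildWhere(
  field: string,
  value: string,
  escape: (v: string) => string,
): string {
  return `${field} = '${escape(value)}'`;
}

// Minimal lexer for a single-quoted literal. Assumption: only the backslash
// escape rule is modelled (a backslash makes the next character literal).
// Returns the index of the closing quote, or -1 if the literal never closes.
function findClosingQuote(clause: string, openIdx: number): number {
  for (let i = openIdx + 1; i < clause.length; i++) {
    if (clause[i] === "\\") {
      i++; // skip the escaped character
      continue;
    }
    if (clause[i] === "'") {
      return i;
    }
  }
  return -1;
}

// True when the literal closes exactly at the end of the clause, i.e. nothing
// from the user-supplied value was able to land outside the quotes.
function literalIsContained(clause: string): boolean {
  const open = clause.indexOf("'");
  if (open < 0) {
    return false;
  }
  return findClosingQuote(clause, open) === clause.length - 1;
}

// Constructed sample inputs: a lone trailing backslash and a value with both characters.
const samples: string[] = ["\\", "O'Neil\\", "O'"];

for (const s of samples) {
  const incomplete = literalIsContained(buildWhere("Name", s, escapeSoqlLiteralIncomplete));
  const wrongOrder = literalIsContained(buildWhere("Name", s, escapeSoqlLiteralWrongOrder));
  const fixed = literalIsContained(buildWhere("Name", s, escapeSoqlLiteral));
  console.log(JSON.stringify(s), { incomplete, wrongOrder, fixed });
}
```

Running the block shows that a value ending in a single backslash leaves the incomplete escaper's literal unterminated, that the wrong-order variant closes the literal early for any value containing a quote, and that only the corrected order keeps every sample inside its quotes. The containment check is a local sanity test, not a substitute for the escaper; where the SOQL client offers parameter binding, that remains the preferable mechanism.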