Fix N1QL injection in nested Hash attribute updates#33
Merged
Conversation
In build_update, Hash values were interpolated directly into the query string without sanitization, allowing N1QL injection. Use quote() to properly escape values. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the Couchbase ORM relation builder to properly quote hash values when constructing update queries. The review feedback highlights a potential N1QL syntax error when a value is nil, as the quoted value would interpolate to an empty string, and suggests adding a fallback to 'NULL'.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
3 tasks
When a nil value is passed in a Hash update (e.g. update(field: { key: nil })),
quote() returns nil which interpolates as an empty string, producing invalid
N1QL syntax. Fall back to 'NULL' literal in that case.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
pimpin
commented
Jun 24, 2026
Cover string values, nil values, and special character quoting in Hash-style update_all to verify the N1QL injection fix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
JulienBURNET-FAUCHE
approved these changes
Jun 25, 2026
pimpin
added a commit
that referenced
this pull request
Jun 26, 2026
Patch release: fixes N1QL injection in nested Hash attribute updates (#33). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
pimpin
added a commit
that referenced
this pull request
Jun 26, 2026
Resolved conflict in lib/couchbase-orm/relation.rb: kept parameterized bind(v, params) for nested Hash attribute updates (from this branch) over the quote(v) inline approach added in PR #33 — bind is both injection-safe and enables prepared-statement caching. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
build_updatewhere nested Hash values (#{key}.#{k} = #{v}) were interpolated directly into the query string without sanitizationquote(v)to properly escape user-supplied valuesContext
In
Relation#build_update, when updating nested Hash attributes (e.g.update_all(address: { city: user_input })), the value was interpolated raw into the N1QL query string. This allowed N1QL injection through crafted values.Test plan
update_allspecs pass (nested attribute updates with_forclauses)/test --fail-fast=false🤖 Generated with Claude Code