Allow ESCAPE in LIKE clauses to be valid SQL (#31222)

sgress454 · web-flow · commit 02c502643607 · 2025-07-25T10:13:55.000-05:00
for #30109 # Details This PR fixes an issue in our current SQL parsing library that was causing queries like this to be marked invalid: ``` SELECT * FROM table_name WHERE column_name LIKE '\_%' ESCAPE '\' ``` This is valid in SQLite because the `\` is not considered an escape character by default. From [the SQLite docs](https://www.sqlite.org/lang_expr.html) (see section 3 "Literal Values (Constants)"; emphasis mine): > A string constant is formed by enclosing the string in single quotes ('). A single quote within the string can be encoded by putting two single quotes in a row - as in Pascal. C-style escapes using the backslash character are not supported because they are not standard SQL. # Use of forked code Part of the fix for this was [submitted as a PR to the node-sql-parser library](taozhi8833998/node-sql-parser#2496) we now use, and merged. I then found that another fix was needed, which I submitted as [a separate PR](taozhi8833998/node-sql-parser#2512). As these fixes have yet to be made part of an official release of the library, I made a fork off of the release we were using (5.3.10) and bundled the necessary build artifacts with Fleet. We have an [ADR proposing the use of submodules for this purpose](#31079); I'm happy to implement that instead if we approve that, although for a front-end module with a build step it's a bit more complicated. Hopefully this code will be released in `node-sql-parser` soon and we can revert back to using the dependency. Here is the [full set of changes](taozhi8833998/node-sql-parser@master...sgress454:node-sql-parser:5.3.10-plus). # Checklist for submitter - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [X] Manual QA for all new/changed functionality
diff --git a/.eslintignore b/.eslintignore
@@ -0,0 +1 @@
+frontend/utilities/node-sql-parser
diff --git a/.prettierignore b/.prettierignore
@@ -34,6 +34,7 @@ website/
 # certain frontend files that are not meant to be formatted
 frontend/components/FleetAce/mode.ts
 frontend/components/FleetAce/theme.ts
+frontend/utilities/node-sql-parser
 
 # github workflow yaml, which may contain shell scripts that shouldn't be formatted
 .github/workflows/*
diff --git a/changes/30109-fix-sql-like-clause b/changes/30109-fix-sql-like-clause
@@ -0,0 +1 @@
+- Fixed an issue where using ESCAPE in a LIKE clause caused SQL validation to fail
diff --git a/frontend/components/forms/validators/validate_query/index.js b/frontend/components/forms/validators/validate_query/index.js
@@ -1,4 +1,4 @@
-import { Parser } from "node-sql-parser";
+import { Parser } from "utilities/node-sql-parser/sqlite";
 import { includes, some } from "lodash";
 
 const invalidQueryResponse = (message) => {
diff --git a/frontend/utilities/node-sql-parser/README.md b/frontend/utilities/node-sql-parser/README.md
@@ -0,0 +1,12 @@
+# About
+
+This is compiled from a [fork](https://github.com/taozhi8833998/node-sql-parser/compare/master...sgress454:node-sql-parser:5.3.10-plus) of the 5.3.10 release of [node-sql-parser library](https://github.com/sgress454/node-sql-parser/tree/sgress454/add-escape-to-sqlite-like) created to fix issue [#30109](https://github.com/fleetdm/fleet/issues/30109).
+
+Once a new release of node-sql-parser comes out with this code in it, we can revert back to using `node-sql-parser` as a dependency in Fleet.
+
+# To compile
+
+1. Check out https://github.com/sgress454/node-sql-parser/tree/5.3.10-plus
+2. `npm install`
+3. `npm run build`
+4. `cp output/prod/build/sqlite.* /path/to/fleet/frontend/utilities/node-sql-parser`
diff --git a/frontend/utilities/node-sql-parser/sqlite.d.ts b/frontend/utilities/node-sql-parser/sqlite.d.ts
@@ -0,0 +1 @@
+export * from '../types';
diff --git a/frontend/utilities/node-sql-parser/sqlite.js b/frontend/utilities/node-sql-parser/sqlite.js
diff --git a/frontend/utilities/node-sql-parser/sqlite.js.map b/frontend/utilities/node-sql-parser/sqlite.js.map
diff --git a/frontend/utilities/sql_tools.tests.ts b/frontend/utilities/sql_tools.tests.ts
@@ -2,6 +2,7 @@ import { checkTable } from "./sql_tools";
 
 describe("checkTable", () => {
   // from https://github.com/fleetdm/fleet/issues/26366
+  // and  https://github.com/fleetdm/fleet/issues/30109
   const SQL = `
 WITH extension_safety_hub_menu_notifications AS (
 	SELECT 
@@ -42,7 +43,7 @@ SELECT path,
 	timestamp,
 	triggering_extension
 FROM problematic_extensions
-WHERE triggering_extension IS NOT NULL;
+WHERE triggering_extension IS NOT NULL AND username NOT LIKE '\\_%' ESCAPE '\\';
 `;
   it("should return only real tables by default", () => {
     const { tables, error } = checkTable(SQL);
diff --git a/frontend/utilities/sql_tools.ts b/frontend/utilities/sql_tools.ts
@@ -1,5 +1,5 @@
 // @ts-ignore
-import { Parser } from "node-sql-parser";
+import { Parser } from "utilities/node-sql-parser/sqlite";
 import { intersection, isPlainObject, uniq } from "lodash";
 import { osqueryTablesAvailable } from "utilities/osquery_tables";
 import {
diff --git a/package.json b/package.json
@@ -33,7 +33,6 @@
     "js-yaml": "3.14.1",
     "lodash": "4.17.21",
     "memoize-one": "5.2.1",
-    "node-sql-parser": "5.3.8",
     "normalizr": "3.6.2",
     "prop-types": "15.8.1",
     "proxy-middleware": "0.15.0",
diff --git a/yarn.lock b/yarn.lock
@@ -3677,11 +3677,6 @@
   resolved "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz"
   integrity sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==
 
-"@types/pegjs@^0.10.0":
-  version "0.10.6"
-  resolved "https://registry.yarnpkg.com/@types/pegjs/-/pegjs-0.10.6.tgz#bc20fc4809fed4cddab8d0dbee0e568803741a82"
-  integrity sha512-eLYXDbZWXh2uxf+w8sXS8d6KSoXTswfps6fvCUuVAGN8eRpfe7h9eSRydxiSJvo9Bf+GzifsDOr9TMQlmJdmkw==
-
 "@types/prettier@^2.1.5":
   version "2.7.1"
   resolved "https://registry.yarnpkg.com/@types/prettier/-/prettier-2.7.1.tgz#dfd20e2dc35f027cdd6c1908e80a5ddc7499670e"
@@ -4884,11 +4879,6 @@ big-integer@^1.6.16:
   resolved "https://registry.npmjs.org/big-integer/-/big-integer-1.6.51.tgz"
   integrity sha512-GPEid2Y9QU1Exl1rpO9B2IPJGHPSupF5GnVIP0blYvNOMer2bTvSWs1jGOUg04hTmu67nmLsQ9TBo1puaotBHg==
 
-big-integer@^1.6.48:
-  version "1.6.52"
-  resolved "https://registry.yarnpkg.com/big-integer/-/big-integer-1.6.52.tgz#60a887f3047614a8e1bffe5d7173490a97dc8c85"
-  integrity sha512-QxD8cf2eVqJOOz63z6JIN9BzvVs/dlySa5HGSBH5xtR8dPteIRQnBxxKqkNTiT6jbDTF6jAfrd4oMcND9RGbQg==
-
 big.js@^5.2.2:
   version "5.2.2"
   resolved "https://registry.yarnpkg.com/big.js/-/big.js-5.2.2.tgz#65f0af382f578bcdc742bd9c281e9cb2d7768328"
@@ -10858,14 +10848,6 @@ node-sass-magic-importer@^5.3.3:
     postcss-scss "^3.0.2"
     resolve "^1.17.0"
 
-node-sql-parser@5.3.8:
-  version "5.3.8"
-  resolved "https://registry.yarnpkg.com/node-sql-parser/-/node-sql-parser-5.3.8.tgz#b71db4cb80dc5302fc77d7b6ca3bcb269b2124bf"
-  integrity sha512-aqGTzK8kPJAwQ6tqdS0l+vX358LXMmZDw902ePfiPn3PSDsg2HeR2tHFioXNHJW00YHoic6VVYY80waFb/zdxw==
-  dependencies:
-    "@types/pegjs" "^0.10.0"
-    big-integer "^1.6.48"
-
 normalize-path@^3.0.0, normalize-path@~3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/normalize-path/-/normalize-path-3.0.0.tgz#0dcd69ff23a1c9b11fd0978316644a0388216a65"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+- Fixed an issue where using ESCAPE in a LIKE clause caused SQL validation to fail`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { Parser } from "node-sql-parser";`
	`1`	`+import { Parser } from "utilities/node-sql-parser/sqlite";`
`2`	`2`	`import { includes, some } from "lodash";`
`3`	`3`
`4`	`4`	`const invalidQueryResponse = (message) => {`