Skip to content

fix(web): escape backslashes in analytics ClickHouse literals #1925

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
richiemcilroy merged 1 commit into from
Jun 19, 2026
Merged

fix(web): escape backslashes in analytics ClickHouse literals #1925

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion apps/web/actions/videos/get-analytics.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,11 @@ const MIN_RANGE_DAYS = 1;
const MAX_RANGE_DAYS = 90;
const DEFAULT_RANGE_DAYS = MAX_RANGE_DAYS;

const escapeLiteral = (value: string) => value.replace(/'/g, "''");
// Escape backslashes BEFORE quotes: ClickHouse honors C-style `\'` inside

@tembo tembo Bot Jun 19, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nit: the breakout sequence you’re protecting against is \' (single backslash + quote). Writing it as \\' in the inline example reads like two backslashes.

Suggested change
// Escape backslashes BEFORE quotes: ClickHouse honors C-style `\'` inside
// Escape backslashes BEFORE quotes: ClickHouse honors C-style `\'` inside

// single-quoted literals, so doubling quotes alone lets a trailing backslash
// neutralise the doubled quote and break out of the string (SQL injection).
const escapeLiteral = (value: string) =>

@tembo tembo Bot Jun 19, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This helper is now duplicated in apps/web/app/(org)/dashboard/analytics/data.ts too. Might be worth extracting a shared escapeClickhouseLiteral util so the escaping rules don’t drift over time.

value.replace(/\\/g, "\\\\").replace(/'/g, "''");
const formatDate = (date: Date) => date.toISOString().slice(0, 10);
const formatDateTime = (date: Date) =>
date.toISOString().slice(0, 19).replace("T", " ");
Expand Down
6 changes: 5 additions & 1 deletion apps/web/app/(org)/dashboard/analytics/data.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,11 @@ const ROLLING_RANGE_CONFIG: Record<

const LIFETIME_FALLBACK_DAYS = 30;

const escapeLiteral = (value: string) => value.replace(/'/g, "''");
// Escape backslashes BEFORE quotes: ClickHouse honors C-style `\'` inside
// single-quoted literals, so doubling quotes alone lets a trailing backslash
// neutralise the doubled quote and break out of the string (SQL injection).
const escapeLiteral = (value: string) =>
value.replace(/\\/g, "\\\\").replace(/'/g, "''");
Comment on lines +53 to +54

@greptile-apps greptile-apps Bot Jun 19, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Duplicated escapeLiteral function

escapeLiteral now exists in identical form in both data.ts and get-analytics.ts. This PR correctly fixes both copies, but any future change (or regression) will have to be made in two places. Consider extracting this function into a shared analytics utility module (e.g., lib/clickhouse-escape.ts) so there is a single source of truth.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: apps/web/app/(org)/dashboard/analytics/data.ts
Line: 53-54

Comment:
**Duplicated `escapeLiteral` function**

`escapeLiteral` now exists in identical form in both `data.ts` and `get-analytics.ts`. This PR correctly fixes both copies, but any future change (or regression) will have to be made in two places. Consider extracting this function into a shared analytics utility module (e.g., `lib/clickhouse-escape.ts`) so there is a single source of truth.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

const toDateString = (date: Date) => date.toISOString().slice(0, 10);
const toDateTimeString = (date: Date) =>
date.toISOString().slice(0, 19).replace("T", " ");
Expand Down
Loading