fix: whiteList should be exact match

taozhi8833998 · taozhi8833998 · commit 269c4df104e1 · 2025-02-19T09:25:49.000+08:00
diff --git a/src/parser.js b/src/parser.js
@@ -46,7 +46,7 @@ class Parser {
     for (const authority of authorityList) {
       let hasCorrespondingAuthority = false
       for (const whiteAuthority of whiteList) {
-        const regex = new RegExp(whiteAuthority, 'i')
+        const regex = new RegExp(`^${whiteAuthority}$`, 'i')
         if (regex.test(authority)) {
           hasCorrespondingAuthority = true
           break
diff --git a/test/select.spec.js b/test/select.spec.js
@@ -1244,6 +1244,12 @@ describe('select', () => {
         const fun = parser.whiteListCheck.bind(parser, sql, whiteList, mode)
         expect(fun).to.throw(`authority = 'select::b::name' is required in ${mode.type} whiteList to execute SQL = '${sql}'`)
       })
+      it('should fail for prefix check', () => {
+        const sql = 'SELECT u.usernameXXX FROM user u;'
+        const whiteList = ['select::user::username']
+        const fun = parser.whiteListCheck.bind(parser, sql, whiteList, { ...mode, database: 'postgresql' })
+        expect(fun).to.throw(`authority = 'select::user::usernameXXX' is required in ${mode.type} whiteList to execute SQL = '${sql}'`)
+      })
       it('should fail the complex sql and regex check', () => {
         const sql = 'UPDATE a SET id = 1 WHERE name IN (SELECT name FROM b)'
         const whiteList = ['select::(.*)::(id|name)']
