Support wrapWhere() method in QueryBuilder for joined scopes

Author: roxblnfk

src/Select/QueryBuilder.php

@@ -204,6 +204,9 @@ private function targetFunc(string $call): callable
                 case 'andwhere':
                     $call = 'and' . \ucfirst($this->forward);
                     break;
+                case 'wrapwhere':
+                    $call = 'wrap' . \ucfirst($this->forward);
+                    break;
             }
         }
 

src/Select/ScopeInterface.php

@@ -15,8 +15,9 @@
  *
  * The {@see apply()} method receives a {@see QueryBuilder} that proxies the
  * underlying query. For scopes attached to joined loaders the builder forwards
- * `where*` calls to the JOIN ON tokens (`onWhere`) rather than the top-level
- * WHERE — handle accordingly.
+ * `where*` and `wrapWhere()` calls to JOIN ON tokens (`onWhere`/`wrapOnWhere`)
+ * rather than the top-level WHERE — the recommended pattern below applies
+ * uniformly in both cases.
  *
  * ## Registering a scope
  *

tests/ORM/Fixtures/WrappedQueryScope.php

@@ -0,0 +1,29 @@
+<?php
+
+// phpcs:ignoreFile
+declare(strict_types=1);
+
+namespace Cycle\ORM\Tests\Fixtures;
+
+use Cycle\ORM\Select\QueryBuilder;
+use Cycle\ORM\Select\ScopeInterface;
+
+/**
+ * Like {@see \Cycle\ORM\Select\QueryScope}, but calls wrapWhere() before adding its
+ * conditions — protects the scope's WHERE/ON tokens from being bypassed by a later
+ * `orWhere`/`orOnWhere`. For joined-loader scopes, wrapWhere() is forwarded to
+ * wrapOnWhere() by {@see QueryBuilder::targetFunc()}.
+ */
+final class WrappedQueryScope implements ScopeInterface
+{
+    public function __construct(
+        private array $where,
+        private array $orderBy = [],
+    ) {}
+
+    public function apply(QueryBuilder $query): void
+    {
+        $query->wrapWhere();
+        $query->where($this->where)->orderBy($this->orderBy);
+    }
+}

tests/ORM/Functional/Driver/Common/Relation/HasMany/HasManyScopeTest.php

@@ -15,6 +15,7 @@
 use Cycle\ORM\Tests\Fixtures\Comment;
 use Cycle\ORM\Tests\Fixtures\SortByIDScope;
 use Cycle\ORM\Tests\Fixtures\User;
+use Cycle\ORM\Tests\Fixtures\WrappedQueryScope;
 use Cycle\ORM\Tests\Traits\TableTrait;
 use Cycle\Database\Exception\StatementException;
 
@@ -442,6 +443,109 @@ public function testInloadWithScopeOrderedAndWhere(): void
         $this->assertSame('msg 2.3', $res[0]->comments[0]->message);
     }
 
+    /**
+     * Documents the historical bug: when a joined-loader scope adds a plain top-level
+     * condition (no wrapWhere), an adversarial `orWhere` injected via the 'load' option
+     * bypasses the scope due to AND-over-OR precedence inside the JOIN's ON clause.
+     */
+    public function testInloadJoinedScopeWithoutWrapWhereIsBypassedByAdversarialOrLoad(): void
+    {
+        $this->orm = $this->withCommentsSchema([
+            // Plain QueryScope — adds `level >= 2` as a flat AND token, no wrap.
+            Schema::SCOPE => new Select\QueryScope(['@.level' => ['>=' => 2]]),
+        ]);
+
+        $res = (new Select($this->orm, User::class))
+            ->load('comments', [
+                'method' => JoinableLoader::INLOAD,
+                'load' => static function (Select\QueryBuilder $q): void {
+                    // top-level ON-condition WHERE + OR — the scope's AND lands at the
+                    // tail of the same flat token list:
+                    //   ON join_key AND level = 1 OR message = 'msg 4' AND level >= 2
+                    //   ≡ (join_key AND level = 1) OR (message = 'msg 4' AND level >= 2)
+                    // The first OR-arm ignores `level >= 2` — scope bypassed.
+                    $q->where('@.level', 1)
+                      ->orWhere('@.message', 'msg 4');
+                },
+            ])
+            ->orderBy('user.id')
+            ->fetchAll();
+
+        [$userA, $userB] = $res;
+
+        // User A: msg 1 (level=1) sneaks through the first OR-arm; msg 4 matches the
+        // second arm legitimately.
+        $this->assertCount(2, $userA->comments);
+        $aMessages = $this->extractMessages($userA->comments);
+        $this->assertSame(['msg 1', 'msg 4'], $aMessages);
+
+        // User B: msg 2.1 (level=1) sneaks through the first arm — scope leaks again.
+        $this->assertCount(1, $userB->comments);
+        $this->assertSame('msg 2.1', $userB->comments[0]->message);
+    }
+
+    /**
+     * Companion to the test above: with {@see WrappedQueryScope} (calls wrapWhere() first),
+     * QueryBuilder::targetFunc() forwards the wrap to `wrapOnWhere` on the JOIN's ON tokens,
+     * enclosing the user's OR group. The scope's `level >= 2` condition stays effective.
+     */
+    public function testInloadJoinedScopeWithWrapWhereProtectsAgainstAdversarialOrLoad(): void
+    {
+        $this->orm = $this->withCommentsSchema([
+            Schema::SCOPE => new WrappedQueryScope(['@.level' => ['>=' => 2]]),
+        ]);
+
+        $res = (new Select($this->orm, User::class))
+            ->load('comments', [
+                'method' => JoinableLoader::INLOAD,
+                'load' => static function (Select\QueryBuilder $q): void {
+                    $q->where('@.level', 1)
+                      ->orWhere('@.message', 'msg 4');
+                },
+            ])
+            ->orderBy('user.id')
+            ->fetchAll();
+
+        [$userA, $userB] = $res;
+
+        // ON ((join_key AND level = 1) OR message = 'msg 4') AND level >= 2
+        // User A: only msg 4 (level = 4) matches the OR group AND scope.
+        $this->assertCount(1, $userA->comments);
+        $this->assertSame('msg 4', $userA->comments[0]->message);
+
+        // User B: no comment satisfies both the OR group and `level >= 2`.
+        $this->assertCount(0, $userB->comments);
+    }
+
+    /**
+     * Sanity check: a wrap-aware scope works correctly in plain INLOAD joining without
+     * any adversarial conditions — wrapWhere() on empty ON tokens is a no-op and the
+     * scope adds its condition at the top level of the JOIN's ON clause.
+     */
+    public function testInloadJoinedScopeWithWrapWhereWithoutAdversarialLoad(): void
+    {
+        $this->orm = $this->withCommentsSchema([
+            Schema::SCOPE => new WrappedQueryScope(['@.level' => ['>=' => 3]]),
+        ]);
+
+        $res = (new Select($this->orm, User::class))
+            ->load('comments', [
+                'method' => JoinableLoader::INLOAD,
+            ])
+            ->orderBy('user.id')
+            ->fetchAll();
+
+        [$userA, $userB] = $res;
+
+        // Only level >= 3 comments survive: msg 3, msg 4, msg 2.3
+        $this->assertCount(2, $userA->comments);
+        $aMessages = $this->extractMessages($userA->comments);
+        $this->assertSame(['msg 3', 'msg 4'], $aMessages);
+
+        $this->assertCount(1, $userB->comments);
+        $this->assertSame('msg 2.3', $userB->comments[0]->message);
+    }
+
     public function testInvalidOrderBy(): void
     {
         $this->expectException(StatementException::class);
@@ -457,6 +561,20 @@ public function testInvalidOrderBy(): void
         ])->orderBy('user.id', 'DESC')->fetchAll();
     }
 
+    /**
+     * @return list<string>
+     */
+    private function extractMessages(iterable $comments): array
+    {
+        $messages = [];
+        foreach ($comments as $comment) {
+            $messages[] = $comment->message;
+        }
+        \sort($messages);
+
+        return $messages;
+    }
+
     public function setUp(): void
     {
         parent::setUp();

tests/ORM/Unit/Select/QueryBuilderTest.php

@@ -45,6 +45,80 @@ public function testWhereCallDoesNotThrowTypeError(): void
         $this->assertNotEmpty($builder->getQuery()->getTokens()['where']);
     }
 
+    public function testWrapWhereForwardsToWrapOnWhereInJoinedMode(): void
+    {
+        // A scope attached to a joined loader gets a QueryBuilder with forward='onWhere'.
+        // wrapWhere() must follow the same routing as where/orWhere/andWhere — otherwise
+        // the scope would wrap the parent's WHERE instead of its own JOIN's ON tokens.
+        $query = new SelectQuery(['users']);
+        $query
+            ->leftJoin('posts')
+            ->on('posts.user_id', 'users.id')
+            ->onWhere('posts.published', true)
+            ->orOnWhere('posts.featured', true);
+
+        // Pretend we also have a user-level WHERE so we can verify wrapWhere
+        // does NOT touch it under the forwarded routing.
+        $query->where('users.active', true);
+
+        $loader = $this->createMock(AbstractLoader::class);
+        $loader->method('fieldAlias')->willReturn(null);
+        $loader->method('getAlias')->willReturn('users');
+        $loader->method('getTarget')->willReturn('user');
+        $loader->method('getParentLoader')->willReturn(null);
+
+        $builder = (new QueryBuilder($query, $loader))->withForward('onWhere');
+
+        $builder->wrapWhere();
+
+        $tokens = $query->getTokens();
+
+        // JOIN's ON tokens are now a single wrapped group.
+        $onTokens = $tokens['join'][1]['on'];
+        $this->assertSame(['AND', '('], $onTokens[0]);
+        $this->assertSame(['', ')'], $onTokens[\count($onTokens) - 1]);
+
+        // Top-level WHERE is untouched — no extra parenthesizing on the user's clause.
+        $whereTokens = $tokens['where'];
+        $this->assertCount(1, $whereTokens);
+        $this->assertSame('AND', $whereTokens[0][0]);
+        $this->assertSame('users.active', $whereTokens[0][1][0]);
+    }
+
+    public function testWrapWhereWithoutForwardTargetsRootWhere(): void
+    {
+        // Counter-case: without forwarding (root scope), wrapWhere wraps the
+        // top-level WHERE tokens, not any JOIN's ON tokens.
+        $query = new SelectQuery(['users']);
+        $query
+            ->where('users.id', 1)
+            ->orWhere('users.id', 2)
+            ->leftJoin('posts')->on('posts.user_id', 'users.id')->onWhere('posts.published', true);
+
+        $loader = $this->createMock(AbstractLoader::class);
+        $loader->method('fieldAlias')->willReturn(null);
+        $loader->method('getAlias')->willReturn('users');
+        $loader->method('getTarget')->willReturn('user');
+        $loader->method('getParentLoader')->willReturn(null);
+
+        $builder = new QueryBuilder($query, $loader); // no forward
+
+        $builder->wrapWhere();
+
+        $tokens = $query->getTokens();
+
+        // WHERE tokens are wrapped.
+        $whereTokens = $tokens['where'];
+        $this->assertSame(['AND', '('], $whereTokens[0]);
+        $this->assertSame(['', ')'], $whereTokens[\count($whereTokens) - 1]);
+
+        // JOIN ON tokens are NOT wrapped — they still start with the plain join key.
+        $onTokens = $tokens['join'][1]['on'];
+        $this->assertSame('AND', $onTokens[0][0]);
+        // First token's payload is the [column, operator, value] triplet, not the opening paren.
+        $this->assertIsArray($onTokens[0][1]);
+    }
+
     private function makeBuilder(): QueryBuilder
     {
         $query = new SelectQuery(['users']);