fix(query): allow uppercase in column names (#3100)

Author: farnabaz

src/runtime/internal/security.ts

@@ -32,7 +32,7 @@ export function assertSafeQuery(sql: string, collection: string) {
     if (
       columns[0] !== '*'
       && !columns[0].match(SQL_COUNT_REGEX)
-      && !columns[0].match(/^"[a-z_]\w+"$/)
+      && !columns[0].match(/^"[a-z_]\w+"$/i)
     ) {
       throw new Error('Invalid query')
     }
@@ -59,7 +59,7 @@ export function assertSafeQuery(sql: string, collection: string) {
 
   // ORDER BY
   const _order = (orderBy + ' ' + order).split(', ')
-  if (!_order.every(column => column.match(/^("[a-z_]+"|[a-z_]+) (ASC|DESC)$/))) {
+  if (!_order.every(column => column.match(/^("[a-zA-Z_]+"|[a-zA-Z_]+) (ASC|DESC)$/))) {
     throw new Error('Invalid query')
   }
 

test/unit/assertSafeQuery.test.ts

@@ -26,6 +26,8 @@ describe('decompressSQLDump', () => {
     'SELECT * FROM _content_test ORDER BY id DESC': true,
     'SELECT * FROM _content_test ORDER BY id ASC,stem DESC': false,
     'SELECT * FROM _content_test ORDER BY id ASC, stem DESC': true,
+    'SELECT * FROM _content_test ORDER BY id ASC, publishedAt DESC': true,
+    'SELECT "PublishedAt" FROM _content_test ORDER BY id ASC, PublishedAt DESC': true,
     'SELECT * FROM _content_test ORDER BY id DESC -- comment is not allowed': false,
     'SELECT * FROM _content_test ORDER BY id DESC; SELECT * FROM _content_test ORDER BY id DESC': false,
     'SELECT * FROM _content_test ORDER BY id DESC LIMIT 10': true,