Generate queries with comments

### What should be done?

When [`find` command](https://www.mongodb.com/docs/manual/reference/command/find/) is invoked with a `comment` argument, we pass its value to `Collection.Query`. It is not used after that.

We should use it in the generated SQL query. Instead of sending `SELECT _json …` to the database, we should send `SELECT /* <comment> */ _jsonb …`. We should also properly escape it: https://github.com/FerretDB/FerretDB/blob/1ea4ff41a8fe6a4f9fbbe6f898c41f336ab25254/internal/handlers/pg/pgdb/query.go#L177-L183

We already have tests for that. Let's check if they fail if we don't escape the comment: https://github.com/FerretDB/FerretDB/blob/1ea4ff41a8fe6a4f9fbbe6f898c41f336ab25254/integration/basic_test.go#L104-L116

### Where?

See references to this issue.

### Definition of Done

- both PostgreSQL and SQLite backends updated;
- handler updated;
- spot refactorings done.


	if c := p.comment; c != "" {
	// prevent SQL injections
	c = strings.ReplaceAll(c, "/", "/ ")
	c = strings.ReplaceAll(c, "/", " /")

	query += `/* ` + c + ` */ `
	}

	func TestFindCommentMethod(t *testing.T) {
	ctx, collection := setup.Setup(t, shareddata.Scalars)
	name := collection.Database().Name()
	databaseNames, err := collection.Database().Client().ListDatabaseNames(ctx, bson.D{})
	require.NoError(t, err)
	comment := "*/ 1; DROP SCHEMA " + name + " CASCADE -- "

	var doc bson.D
	opts := options.FindOne().SetComment(comment)
	err = collection.FindOne(ctx, bson.D{{"_id", "string"}}, opts).Decode(&doc)
	require.NoError(t, err)
	assert.Contains(t, databaseNames, name)
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Generate queries with comments #3573

What should be done?

Where?

Definition of Done

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development