From dedcff04481f3d2cec5606ff2702e894f1dcd30a Mon Sep 17 00:00:00 2001
From: Sasha
Date: Mon, 23 Sep 2024 18:35:07 +0300
Subject: [PATCH] fix(drizzle): sanitize query value uuid / number id NaN (#8369)

Fixes https://github.com/payloadcms/payload/issues/8347 (additionally for UUID search as well)
---
 packages/drizzle/src/queries/parseParams.ts | 2 ++
 .../drizzle/src/queries/sanitizeQueryValue.ts | 12 ++++++++++++
 test/collections-rest/int.spec.ts | 16 ++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/packages/drizzle/src/queries/parseParams.ts b/packages/drizzle/src/queries/parseParams.ts
index 4b1742cd1..e6e417abf 100644
--- a/packages/drizzle/src/queries/parseParams.ts
+++ b/packages/drizzle/src/queries/parseParams.ts
@@ -2,6 +2,7 @@ import type { SQL } from 'drizzle-orm'
 import type { Field, Operator, Where } from 'payload'

 import { and, isNotNull, isNull, ne, notInArray, or, sql } from 'drizzle-orm'
+import { PgUUID } from 'drizzle-orm/pg-core'
 import { QueryError } from 'payload'
 import { validOperators } from 'payload/shared'

@@ -194,6 +195,7 @@ export function parseParams({
 adapter,
 columns,
 field,
+ isUUID: table?.[columnName] instanceof PgUUID,
 operator,
 relationOrPath,
 val,
diff --git a/packages/drizzle/src/queries/sanitizeQueryValue.ts b/packages/drizzle/src/queries/sanitizeQueryValue.ts
index e45703ffd..0baaec011 100644
--- a/packages/drizzle/src/queries/sanitizeQueryValue.ts
+++ b/packages/drizzle/src/queries/sanitizeQueryValue.ts
@@ -16,6 +16,7 @@ type SanitizeQueryValueArgs = {
 rawColumn: SQL
 }[]
 field: Field | TabAsField
+ isUUID: boolean
 operator: string
 relationOrPath: string
 val: any
@@ -30,6 +31,7 @@ export const sanitizeQueryValue = ({
 adapter,
 columns,
 field,
+ isUUID,
 operator: operatorArg,
 relationOrPath,
 val,
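Review bot: The new `isUUID: table?.[columnName] instanceof PgUUID` argument silently evaluates to `false` whenever `table` is undefined or `columnName` does not resolve to a column on it, and in that case the value is passed to sanitizeQueryValue unvalidated exactly as before the fix; if any query path reaches this call with the id column living on another table (not visible in this hunk), the invalid-uuid error from #8347 would still surface there. A short comment above the argument would tell the next reader why the flag is derived from the drizzle column rather than from the Payload field, e.g. `// pg uuid columns reject non-uuid literals; tell sanitizeQueryValue to validate them first`. The enclosing `parseParams` body starts and ends outside the hunk.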
@@ -90,6 +92,16 @@ export const sanitizeQueryValue = ({
 if (field.type === 'number' && typeof formattedValue === 'string') {
 formattedValue = Number(val)
+
+ if (Number.isNaN(formattedValue)) {
+ formattedValue = null
+ }
+ }
+
+ if (isUUID && typeof formattedValue === 'string') {
+ if (!uuidValidate(val)) {
+ formattedValue = null
+ }
 }
 if (field.type === 'date' && operator !== 'exists') {
diff --git a/test/collections-rest/int.spec.ts b/test/collections-rest/int.spec.ts
index 14409de72..5c03053d2 100644
--- a/test/collections-rest/int.spec.ts
+++ b/test/collections-rest/int.spec.ts
@@ -934,6 +934,22 @@ describe('collections-rest', () => {
 expect(result.totalDocs).toEqual(1)
 })

+ it('like - id should not crash', async () => {
+ const post = await createPost({ title: 'post' })
+
+ const response = await restClient.GET(`/${slug}`, {
+ query: {
+ where: {
+ id: {
+ like: 'words partial',
+ },
+ },
+ },
+ })
+
+ expect(response.status).toEqual(200)
+ })
+
 it('exists - true', async () => {
 const postWithDesc = await createPost({ description: 'exists' })
 await createPost({ description: undefined })
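Review bot: The new uuid guard only runs when `formattedValue` is a string, so array-valued operators such as `in` / `not_in` (if they reach this function as arrays, which the hunk does not show) still forward malformed entries to Postgres and would hit the same invalid-uuid error the commit fixes for `like`. The check also tests `typeof formattedValue === 'string'` but validates `val`; validating the same variable avoids a silent mismatch if an earlier branch ever rewrites `formattedValue`. Two things worth a comment: the hunk calls `uuidValidate` without adding an import, so it relies on the file already importing it, and collapsing a bad value to `null` presumably turns `not_equals` into an `IS NOT NULL` match-all, which may be intended but is surprising. A sketch of an array-aware form follows; what an empty filtered list should do depends on how the caller handles `in` today, and the enclosing `sanitizeQueryValue` body starts and ends outside the hunk.
```typescript
// … unchanged: number / NaN handling …
if (isUUID) {
  if (typeof formattedValue === 'string' && !uuidValidate(formattedValue)) {
    formattedValue = null
  } else if (Array.isArray(formattedValue)) {
    // drop malformed entries so `in` / `not_in` lists never reach Postgres with a non-uuid literal
    formattedValue = formattedValue.filter((v) => typeof v !== 'string' || uuidValidate(v))
  }
}
```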
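Review bot: `post` in the new `like - id should not crash` test is assigned and never read, and the only assertion is `expect(response.status).toEqual(200)`, so the test would still pass if the sanitized query matched every document instead of none. If `restClient.GET` responses are parsed the way the neighbouring tests derive `result` (not visible here), pin the semantics with `const result = await response.json()` followed by `expect(result.totalDocs).toEqual(0)`; the created post then serves as the document that must not be returned. A sibling case using `equals` with a non-numeric / non-uuid value would exercise the same sanitizer through a different operator.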