feat(sql): ✨ Enhance SQL clause handling with parentheses

* Add EnsureOuterParentheses function to wrap clauses in parentheses.
* Implement logic to preserve outer parentheses for OR conditions.
* Update SanitizeWhereClause to utilize new function for better query safety.
* Introduce tests for EnsureOuterParentheses and containsTopLevelOR functions.
* Refactor filter application in handler to group OR filters correctly.

Author: Hein

pkg/common/sql_helpers.go

@@ -130,6 +130,9 @@ func validateWhereClauseSecurity(where string) error {
 // Note: This function will NOT add prefixes to unprefixed columns. It will only fix
 // incorrect prefixes (e.g., wrong_table.column -> correct_table.column), unless the
 // prefix matches a preloaded relation name, in which case it's left unchanged.
+//
+// IMPORTANT: Outer parentheses are preserved if the clause contains top-level OR operators
+// to prevent OR logic from escaping and affecting the entire query incorrectly.
 func SanitizeWhereClause(where string, tableName string, options ...*RequestOptions) string {
 	if where == "" {
 		return ""
@@ -143,8 +146,19 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 		return ""
 	}
 
-	// Strip outer parentheses and re-trim
-	where = stripOuterParentheses(where)
+	// Check if the original clause has outer parentheses and contains OR operators
+	// If so, we need to preserve the outer parentheses to prevent OR logic from escaping
+	hasOuterParens := false
+	if len(where) > 0 && where[0] == '(' && where[len(where)-1] == ')' {
+		_, hasOuterParens = stripOneMatchingOuterParen(where)
+	}
+
+	// Strip outer parentheses and re-trim for processing
+	whereWithoutParens := stripOuterParentheses(where)
+	shouldPreserveParens := hasOuterParens && containsTopLevelOR(whereWithoutParens)
+
+	// Use the stripped version for processing
+	where = whereWithoutParens
 
 	// Get valid columns from the model if tableName is provided
 	var validColumns map[string]bool
@@ -229,7 +243,14 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 
 	result := strings.Join(validConditions, " AND ")
 
-	if result != where {
+	// If the original clause had outer parentheses and contains OR operators,
+	// restore the outer parentheses to prevent OR logic from escaping
+	if shouldPreserveParens {
+		result = "(" + result + ")"
+		logger.Debug("Preserved outer parentheses for OR conditions: '%s'", result)
+	}
+
+	if result != where && !shouldPreserveParens {
 		logger.Debug("Sanitized WHERE clause: '%s' -> '%s'", where, result)
 	}
 
@@ -290,6 +311,93 @@ func stripOneMatchingOuterParen(s string) (string, bool) {
 	return strings.TrimSpace(s[1 : len(s)-1]), true
 }
 
+// EnsureOuterParentheses ensures that a SQL clause is wrapped in parentheses
+// to prevent OR logic from escaping. It checks if the clause already has
+// matching outer parentheses and only adds them if they don't exist.
+//
+// This is particularly important for OR conditions and complex filters where
+// the absence of parentheses could cause the logic to escape and affect
+// the entire query incorrectly.
+//
+// Parameters:
+//   - clause: The SQL clause to check and potentially wrap
+//
+// Returns:
+//   - The clause with guaranteed outer parentheses, or empty string if input is empty
+func EnsureOuterParentheses(clause string) string {
+	if clause == "" {
+		return ""
+	}
+
+	clause = strings.TrimSpace(clause)
+	if clause == "" {
+		return ""
+	}
+
+	// Check if the clause already has matching outer parentheses
+	_, hasOuterParens := stripOneMatchingOuterParen(clause)
+
+	// If it already has matching outer parentheses, return as-is
+	if hasOuterParens {
+		return clause
+	}
+
+	// Otherwise, wrap it in parentheses
+	return "(" + clause + ")"
+}
+
+// containsTopLevelOR checks if a SQL clause contains OR operators at the top level
+// (i.e., not inside parentheses or subqueries). This is used to determine if
+// outer parentheses should be preserved to prevent OR logic from escaping.
+func containsTopLevelOR(clause string) bool {
+	if clause == "" {
+		return false
+	}
+
+	depth := 0
+	inSingleQuote := false
+	inDoubleQuote := false
+	lowerClause := strings.ToLower(clause)
+
+	for i := 0; i < len(clause); i++ {
+		ch := clause[i]
+
+		// Track quote state
+		if ch == '\'' && !inDoubleQuote {
+			inSingleQuote = !inSingleQuote
+			continue
+		}
+		if ch == '"' && !inSingleQuote {
+			inDoubleQuote = !inDoubleQuote
+			continue
+		}
+
+		// Skip if inside quotes
+		if inSingleQuote || inDoubleQuote {
+			continue
+		}
+
+		// Track parenthesis depth
+		switch ch {
+		case '(':
+			depth++
+		case ')':
+			depth--
+		}
+
+		// Only check for OR at depth 0 (not inside parentheses)
+		if depth == 0 && i+4 <= len(clause) {
+			// Check for " OR " (case-insensitive)
+			substring := lowerClause[i : i+4]
+			if substring == " or " {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // splitByAND splits a WHERE clause by AND operators (case-insensitive)
 // This is parenthesis-aware and won't split on AND operators inside subqueries
 func splitByAND(where string) []string {

pkg/common/sql_helpers_test.go

@@ -659,6 +659,179 @@ func TestSanitizeWhereClauseWithModel(t *testing.T) {
 	}
 }
 
+func TestEnsureOuterParentheses(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "no parentheses",
+			input:    "status = 'active'",
+			expected: "(status = 'active')",
+		},
+		{
+			name:     "already has outer parentheses",
+			input:    "(status = 'active')",
+			expected: "(status = 'active')",
+		},
+		{
+			name:     "OR condition without parentheses",
+			input:    "status = 'active' OR status = 'pending'",
+			expected: "(status = 'active' OR status = 'pending')",
+		},
+		{
+			name:     "OR condition with parentheses",
+			input:    "(status = 'active' OR status = 'pending')",
+			expected: "(status = 'active' OR status = 'pending')",
+		},
+		{
+			name:     "complex condition with nested parentheses",
+			input:    "(status = 'active' OR status = 'pending') AND (age > 18)",
+			expected: "((status = 'active' OR status = 'pending') AND (age > 18))",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "whitespace only",
+			input:    "   ",
+			expected: "",
+		},
+		{
+			name:     "mismatched parentheses - adds outer ones",
+			input:    "(status = 'active' OR status = 'pending'",
+			expected: "((status = 'active' OR status = 'pending')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := EnsureOuterParentheses(tt.input)
+			if result != tt.expected {
+				t.Errorf("EnsureOuterParentheses(%q) = %q; want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestContainsTopLevelOR(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{
+			name:     "no OR operator",
+			input:    "status = 'active' AND age > 18",
+			expected: false,
+		},
+		{
+			name:     "top-level OR",
+			input:    "status = 'active' OR status = 'pending'",
+			expected: true,
+		},
+		{
+			name:     "OR inside parentheses",
+			input:    "age > 18 AND (status = 'active' OR status = 'pending')",
+			expected: false,
+		},
+		{
+			name:     "OR in subquery",
+			input:    "id IN (SELECT id FROM users WHERE status = 'active' OR status = 'pending')",
+			expected: false,
+		},
+		{
+			name:     "OR inside quotes",
+			input:    "comment = 'this OR that'",
+			expected: false,
+		},
+		{
+			name:     "mixed - top-level OR and nested OR",
+			input:    "name = 'test' OR (status = 'active' OR status = 'pending')",
+			expected: true,
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: false,
+		},
+		{
+			name:     "lowercase or",
+			input:    "status = 'active' or status = 'pending'",
+			expected: true,
+		},
+		{
+			name:     "uppercase OR",
+			input:    "status = 'active' OR status = 'pending'",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := containsTopLevelOR(tt.input)
+			if result != tt.expected {
+				t.Errorf("containsTopLevelOR(%q) = %v; want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestSanitizeWhereClause_PreservesParenthesesWithOR(t *testing.T) {
+	tests := []struct {
+		name      string
+		where     string
+		tableName string
+		expected  string
+	}{
+		{
+			name:      "OR condition with outer parentheses - preserved",
+			where:     "(status = 'active' OR status = 'pending')",
+			tableName: "users",
+			expected:  "(users.status = 'active' OR users.status = 'pending')",
+		},
+		{
+			name:      "AND condition with outer parentheses - stripped (no OR)",
+			where:     "(status = 'active' AND age > 18)",
+			tableName: "users",
+			expected:  "users.status = 'active' AND users.age > 18",
+		},
+		{
+			name:      "complex OR with nested conditions",
+			where:     "((status = 'active' OR status = 'pending') AND age > 18)",
+			tableName: "users",
+			// Outer parens are stripped, but inner parens with OR are preserved
+			expected: "(users.status = 'active' OR users.status = 'pending') AND users.age > 18",
+		},
+		{
+			name:      "OR without outer parentheses - no parentheses added by SanitizeWhereClause",
+			where:     "status = 'active' OR status = 'pending'",
+			tableName: "users",
+			expected:  "users.status = 'active' OR users.status = 'pending'",
+		},
+		{
+			name:      "simple OR with parentheses - preserved",
+			where:     "(users.status = 'active' OR users.status = 'pending')",
+			tableName: "users",
+			// Already has correct prefixes, parentheses preserved
+			expected: "(users.status = 'active' OR users.status = 'pending')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			prefixedWhere := AddTablePrefixToColumns(tt.where, tt.tableName)
+			result := SanitizeWhereClause(prefixedWhere, tt.tableName)
+			if result != tt.expected {
+				t.Errorf("SanitizeWhereClause(%q, %q) = %q; want %q", tt.where, tt.tableName, result, tt.expected)
+			}
+		})
+	}
+}
+
 func TestAddTablePrefixToColumns_ComplexConditions(t *testing.T) {
 tests := []struct {
 name      string

pkg/resolvespec/handler.go

@@ -318,6 +318,8 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		if cursorFilter != "" {
 			logger.Debug("Applying cursor filter: %s", cursorFilter)
 			sanitizedCursor := common.SanitizeWhereClause(cursorFilter, reflection.ExtractTableNameOnly(tableName), &options)
+			// Ensure outer parentheses to prevent OR logic from escaping
+			sanitizedCursor = common.EnsureOuterParentheses(sanitizedCursor)
 			if sanitizedCursor != "" {
 				query = query.Where(sanitizedCursor)
 			}
@@ -1656,6 +1658,8 @@ func (h *Handler) applyPreloads(model interface{}, query common.SelectQuery, pre
 				// Build RequestOptions with all preloads to allow references to sibling relations
 				preloadOpts := &common.RequestOptions{Preload: preloads}
 				sanitizedWhere := common.SanitizeWhereClause(preload.Where, reflection.ExtractTableNameOnly(preload.Relation), preloadOpts)
+				// Ensure outer parentheses to prevent OR logic from escaping
+				sanitizedWhere = common.EnsureOuterParentheses(sanitizedWhere)
 				if len(sanitizedWhere) > 0 {
 					sq = sq.Where(sanitizedWhere)
 				}