Fix vulnerability

This commit is contained in:
Brian M. Carlson 2017-08-12 16:04:29 -05:00
parent bc0b03e0b0
commit 9bcf55dda9
3 changed files with 19 additions and 7 deletions

View File

@ -7,6 +7,7 @@
*/ */
var types = require('pg-types'); var types = require('pg-types');
var escape = require('js-string-escape');
//result object returned from query //result object returned from query
//in the 'end' event and also //in the 'end' event and also
@ -75,13 +76,13 @@ Result.prototype.addRow = function(row) {
var inlineParser = function(fieldName, i) { var inlineParser = function(fieldName, i) {
return "\nthis['" + return "\nthis['" +
//fields containing single quotes will break // fields containing single quotes will break
//the evaluated javascript unless they are escaped // the evaluated javascript unless they are escaped
//see https://github.com/brianc/node-postgres/issues/507 // see https://github.com/brianc/node-postgres/issues/507
//Addendum: However, we need to make sure to replace all // Addendum: However, we need to make sure to replace all
//occurences of apostrophes, not just the first one. // occurences of apostrophes, not just the first one.
//See https://github.com/brianc/node-postgres/issues/934 // See https://github.com/brianc/node-postgres/issues/934
fieldName.replace(/'/g, "\\'") + escape(fieldName) +
"'] = " + "'] = " +
"rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);"; "rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
}; };

View File

@ -20,6 +20,7 @@
"dependencies": { "dependencies": {
"buffer-writer": "1.0.1", "buffer-writer": "1.0.1",
"packet-reader": "0.3.1", "packet-reader": "0.3.1",
"js-string-escape": "1.0.1",
"pg-connection-string": "0.1.3", "pg-connection-string": "0.1.3",
"pg-pool": "1.*", "pg-pool": "1.*",
"pg-types": "1.*", "pg-types": "1.*",

View File

@ -0,0 +1,10 @@
var pg = require('./test-helper').pg
var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
var client = new pg.Client()
client.connect()
client.query(sql, function (err, res) {
if (err) throw err
client.end()
})