Fix vulnerability
This commit is contained in:
parent
bc0b03e0b0
commit
9bcf55dda9
@ -7,6 +7,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
var types = require('pg-types');
|
var types = require('pg-types');
|
||||||
|
var escape = require('js-string-escape');
|
||||||
|
|
||||||
//result object returned from query
|
//result object returned from query
|
||||||
//in the 'end' event and also
|
//in the 'end' event and also
|
||||||
@ -75,13 +76,13 @@ Result.prototype.addRow = function(row) {
|
|||||||
|
|
||||||
var inlineParser = function(fieldName, i) {
|
var inlineParser = function(fieldName, i) {
|
||||||
return "\nthis['" +
|
return "\nthis['" +
|
||||||
//fields containing single quotes will break
|
// fields containing single quotes will break
|
||||||
//the evaluated javascript unless they are escaped
|
// the evaluated javascript unless they are escaped
|
||||||
//see https://github.com/brianc/node-postgres/issues/507
|
// see https://github.com/brianc/node-postgres/issues/507
|
||||||
//Addendum: However, we need to make sure to replace all
|
// Addendum: However, we need to make sure to replace all
|
||||||
//occurences of apostrophes, not just the first one.
|
// occurences of apostrophes, not just the first one.
|
||||||
//See https://github.com/brianc/node-postgres/issues/934
|
// See https://github.com/brianc/node-postgres/issues/934
|
||||||
fieldName.replace(/'/g, "\\'") +
|
escape(fieldName) +
|
||||||
"'] = " +
|
"'] = " +
|
||||||
"rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
|
"rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
|
||||||
};
|
};
|
||||||
|
@ -20,6 +20,7 @@
|
|||||||
"dependencies": {
|
"dependencies": {
|
||||||
"buffer-writer": "1.0.1",
|
"buffer-writer": "1.0.1",
|
||||||
"packet-reader": "0.3.1",
|
"packet-reader": "0.3.1",
|
||||||
|
"js-string-escape": "1.0.1",
|
||||||
"pg-connection-string": "0.1.3",
|
"pg-connection-string": "0.1.3",
|
||||||
"pg-pool": "1.*",
|
"pg-pool": "1.*",
|
||||||
"pg-types": "1.*",
|
"pg-types": "1.*",
|
||||||
|
10
test/integration/client/field-name-escape-tests.js
Normal file
10
test/integration/client/field-name-escape-tests.js
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
var pg = require('./test-helper').pg
|
||||||
|
|
||||||
|
var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
|
||||||
|
|
||||||
|
var client = new pg.Client()
|
||||||
|
client.connect()
|
||||||
|
client.query(sql, function (err, res) {
|
||||||
|
if (err) throw err
|
||||||
|
client.end()
|
||||||
|
})
|
Loading…
Reference in New Issue
Block a user