cartodb/node-postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix vulnerability

Browse Source
This commit is contained in:
Brian M. Carlson 2017-08-12 16:04:29 -05:00
parent bc0b03e0b0
commit 9bcf55dda9
3 changed files with 19 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/result.js
View File

@ -7,6 +7,7 @@
*/
var types = require('pg-types');
var escape = require('js-string-escape');
//result object returned from query
//in the 'end' event and also
@ -81,7 +82,7 @@ var inlineParser = function(fieldName, i) {
// Addendum: However, we need to make sure to replace all
// occurences of apostrophes, not just the first one.
// See https://github.com/brianc/node-postgres/issues/934
fieldName.replace(/'/g, "\\'") +
escape(fieldName) +
"'] = " +
"rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
};

1
package.json
View File

@ -20,6 +20,7 @@
"dependencies": {
"buffer-writer": "1.0.1",
"packet-reader": "0.3.1",
"js-string-escape": "1.0.1",
"pg-connection-string": "0.1.3",
"pg-pool": "1.*",
"pg-types": "1.*",

10
test/integration/client/field-name-escape-tests.js Normal file
View File

@ -0,0 +1,10 @@
var pg = require('./test-helper').pg
var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
var client = new pg.Client()
client.connect()
client.query(sql, function (err, res) {
if (err) throw err
client.end()
})