cartodb/node-postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix vulnerability

Browse Source
This commit is contained in:
Brian M. Carlson 2017-08-12 16:04:29 -05:00
parent 3de22ba991
commit c0a381eab2
3 changed files with 19 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/result.js
View File

@ -7,6 +7,7 @@
*/ */
var types = require('pg-types'); var types = require('pg-types');
var escape = require('js-string-escape');
//result object returned from query //result object returned from query
//in the 'end' event and also //in the 'end' event and also
@ -81,7 +82,7 @@ var inlineParser = function(fieldName, i) {
// Addendum: However, we need to make sure to replace all // Addendum: However, we need to make sure to replace all
// occurences of apostrophes, not just the first one. // occurences of apostrophes, not just the first one.
// See https://github.com/brianc/node-postgres/issues/934 // See https://github.com/brianc/node-postgres/issues/934
fieldName.replace(/'/g, "\\'") + escape(fieldName) +
"'] = " + "'] = " +
"rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);"; "rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
}; };

1
package.json
View File

@ -19,6 +19,7 @@
"main": "./lib", "main": "./lib",
"dependencies": { "dependencies": {
"buffer-writer": "1.0.1", "buffer-writer": "1.0.1",
"js-string-escape": "1.0.1",
"packet-reader": "0.2.0", "packet-reader": "0.2.0",
"pg-connection-string": "0.1.3", "pg-connection-string": "0.1.3",
"pg-pool": "1.*", "pg-pool": "1.*",

10
test/integration/client/field-name-escape-tests.js Normal file
View File

@ -0,0 +1,10 @@
var pg = require('./test-helper').pg
var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
var client = new pg.Client()
client.connect()
client.query(sql, function (err, res) {
if (err) throw err
client.end()
})