Fix vulnerability
This commit is contained in:
parent
3de22ba991
commit
c0a381eab2
@ -7,6 +7,7 @@
|
||||
*/
|
||||
|
||||
var types = require('pg-types');
|
||||
var escape = require('js-string-escape');
|
||||
|
||||
//result object returned from query
|
||||
//in the 'end' event and also
|
||||
@ -81,7 +82,7 @@ var inlineParser = function(fieldName, i) {
|
||||
// Addendum: However, we need to make sure to replace all
|
||||
// occurences of apostrophes, not just the first one.
|
||||
// See https://github.com/brianc/node-postgres/issues/934
|
||||
fieldName.replace(/'/g, "\\'") +
|
||||
escape(fieldName) +
|
||||
"'] = " +
|
||||
"rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
|
||||
};
|
||||
|
@ -19,6 +19,7 @@
|
||||
"main": "./lib",
|
||||
"dependencies": {
|
||||
"buffer-writer": "1.0.1",
|
||||
"js-string-escape": "1.0.1",
|
||||
"packet-reader": "0.2.0",
|
||||
"pg-connection-string": "0.1.3",
|
||||
"pg-pool": "1.*",
|
||||
|
10
test/integration/client/field-name-escape-tests.js
Normal file
10
test/integration/client/field-name-escape-tests.js
Normal file
@ -0,0 +1,10 @@
|
||||
var pg = require('./test-helper').pg
|
||||
|
||||
var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
|
||||
|
||||
var client = new pg.Client()
|
||||
client.connect()
|
||||
client.query(sql, function (err, res) {
|
||||
if (err) throw err
|
||||
client.end()
|
||||
})
|
Loading…
Reference in New Issue
Block a user