From c0a381eab26e3e53711ba15e5a2c47f995beeaf9 Mon Sep 17 00:00:00 2001
From: "Brian M. Carlson"
Date: Sat, 12 Aug 2017 16:04:29 -0500
Subject: [PATCH 1/3] Fix vulnerability
---
 lib/result.js | 15 ++++++++-------
 package.json | 1 +
 .../integration/client/field-name-escape-tests.js | 10 ++++++++++
 3 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 test/integration/client/field-name-escape-tests.js
diff --git a/lib/result.js b/lib/result.js
index 463fbdbe6..2955d921e 100644
--- a/lib/result.js
+++ b/lib/result.js
@@ -7,6 +7,7 @@
 */
 var types = require('pg-types');
+var escape = require('js-string-escape');
 //result object returned from query
 //in the 'end' event and also
@@ -75,13 +76,13 @@ Result.prototype.addRow = function(row) {
 var inlineParser = function(fieldName, i) {
 return "\nthis['" +
- //fields containing single quotes will break
- //the evaluated javascript unless they are escaped
- //see https://github.com/brianc/node-postgres/issues/507
- //Addendum: However, we need to make sure to replace all
- //occurences of apostrophes, not just the first one.
- //See https://github.com/brianc/node-postgres/issues/934
- fieldName.replace(/'/g, "\\'") +
+ // fields containing single quotes will break
+ // the evaluated javascript unless they are escaped
+ // see https://github.com/brianc/node-postgres/issues/507
+ // Addendum: However, we need to make sure to replace all
+ // occurences of apostrophes, not just the first one.
+ // See https://github.com/brianc/node-postgres/issues/934
+ escape(fieldName) +
 "'] = " +
 "rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
 };
diff --git a/package.json b/package.json
index 5d7b20cca..9c09ef536 100644
--- a/package.json
+++ b/package.json
@@ -19,6 +19,7 @@
 "main": "./lib",
 "dependencies": {
 "buffer-writer": "1.0.1",
+ "js-string-escape": "1.0.1",
 "packet-reader": "0.2.0",
 "pg-connection-string": "0.1.3",
 "pg-pool": "1.*",
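Review bot: The comment block kept above `escape(fieldName)` in inlineParser (second hunk of lib/result.js) still describes the old apostrophe-only replacement, so it no longer matches the line it documents and hides why a full escaper is needed. The field name is spliced into source text that, per the same comment, is evaluated later, so backslashes and line terminators matter as much as quotes. I would replace the six lines with `// fieldName comes from the result set and is spliced into evaluated source;` followed by `// escape it as a complete JS string literal (quotes, backslashes, line terminators)`. The code that evaluates the generated string is outside this hunk; assigning `this[fieldName]` directly there instead of generating source would remove the need for escaping altogether.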
diff --git a/test/integration/client/field-name-escape-tests.js b/test/integration/client/field-name-escape-tests.js
new file mode 100644
index 000000000..146ad1b68
--- /dev/null
+++ b/test/integration/client/field-name-escape-tests.js
@@ -0,0 +1,10 @@
+var pg = require('./test-helper').pg
+
+var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
+
+var client = new pg.Client()
+client.connect()
+client.query(sql, function (err, res) {
+ if (err) throw err
+ client.end()
+})
From b0a2fe45059ba9d2c6279695260dd0a61fee99dc Mon Sep 17 00:00:00 2001
From: "Brian M. Carlson"
Date: Sat, 12 Aug 2017 16:26:37 -0500
Subject: [PATCH 2/3] Bump version
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 9c09ef536..5d9aef043 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pg",
- "version": "6.1.5",
+ "version": "6.1.6",
 "description": "PostgreSQL client - pure javascript & libpq with the same API",
 "keywords": [
 "postgres",
From b66c0b64f38ff2a8a3af218d5a2ddc8335f0fcc9 Mon Sep 17 00:00:00 2001
From: Walt Zimmerman
Date: Wed, 20 Jan 2021 07:34:35 -0800
Subject: [PATCH 3/3] Fix for node14
---
 lib/connection.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/connection.js b/lib/connection.js
index 59247a7c4..b2bbb19c5 100644
--- a/lib/connection.js
+++ b/lib/connection.js
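Review bot: The new regression test in field-name-escape-tests.js asserts nothing about the result: it fails only if the query errors or the process is terminated, so an escaper that silently mangles or drops a field name would still pass. Inside the query callback, after `if (err) throw err`, I would add `assert.strictEqual(Object.keys(res.rows[0]).length, 2)` and a check that each `res.fields[i].name` is an own key of `res.rows[0]`, with `var assert = require('assert')` at the top of the file. A one-line comment above `sql` stating that the aliases are deliberately hostile field names for the generated row parser would also tell the next reader why the string looks the way it does.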
@@ -61,10 +61,12 @@ var Connection = function(config) {
 util.inherits(Connection, EventEmitter);
 Connection.prototype.connect = function(port, host) {
-
- if(this.stream.readyState === 'closed') {
+ // Old info regarding readyState https://github.com/nodejs/node-v0.x-archive/issues/1752
+ // this previously checked for this.stream.readyState === 'open'
+ // however when upgrading to node 14 - LTS readyState was always open
+ // which prevented code that connected from being called
+ if (port && host) {
 this.stream.connect(port, host);
- } else if(this.stream.readyState == 'open') {
 this.emit('connect');
 }
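Review bot: `this.emit('connect')` now runs in the same branch directly after `this.stream.connect(port, host)`, so listeners are told the connection is up before the socket can have connected; the old code emitted it only for a stream that was already open. The rest of connect() is outside this hunk, but if it also forwards the stream's own connect event, listeners would run twice and any startup message they send could be written twice. The `port && host` guard also skips the connect call entirely when only one argument is passed, which the readyState check did not do. I would drop the emit from this branch and keep it only for an already-connected stream, and have the comment say which callers depend on each path, since it currently describes a check for `'open'` while the removed line tested `'closed'`.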