connect-pg-simple - npm Package Compare versions

Comparing version 6.0.0 to 6.0.1

CHANGELOG.md

 # Changelog
 
-## 6.0.0 (YYYY-MM-DD)
+## 6.0.1 (2019-08-21)
 
+* Very minor security fix: `schemaName` and `tableName` wasn't escaped. If any of the two contained a string with a double quote in it, then that would enable an SQL injection. This was previously a feature of `tableName`, before the introduction of a separate `schemaName`, as that allowed a schema to be defined as part of `tableName`. Defining schema name through `tableName` is still supported after this fix, but is now *deprecated*.
+* Fix: Errors wasn't propagated properly. Fixed in #150. Thanks @bobnil!
+
+## 6.0.0 (2019-07-28)
+
 * Breaking change: Now requires at least Node.js 10.x, this as Node.js 8.x [only have a short time left in its LTS](https://github.com/nodejs/Release)
 * Breaking change: This project now uses [`INSERT ... ON CONFLICT`](https://www.postgresql.org/docs/current/sql-insert.html#SQL-ON-CONFLICT), more popularly known as `UPSERT`. This is only supported on PostgreSQL version 9.5 and above.
+* Listen on pool errors. Fixes #29
 
@@ -8,0 +14,0 @@ ## 5.0.0 (2018-06-06)

index.js

@@ -10,2 +10,8 @@ 'use strict';
 
+/**
+ * See
+ * @see https://www.postgresql.org/docs/9.5/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+ */
+const escapePgIdentifier = (value) => value.replace(/"/g, '""');
+
 module.exports = function (session) {
@@ -18,5 +24,10 @@ const Store = session.Store || session.session.Store;
 
-    this.schemaName = options.schemaName || null;
-    this.tableName = options.tableName || 'session';
+    this.schemaName = options.schemaName ? escapePgIdentifier(options.schemaName) : null;
+    this.tableName = options.tableName ? escapePgIdentifier(options.tableName) : 'session';
 
+    if (!this.schemaName && this.tableName.includes('"."')) {
+      console.warn('DEPRECATION WARNING: Schema should be provided through its dedicated "schemaName" option rather than through "tableName"');
+      this.tableName = this.tableName.replace(/^([^"]+)""\.""([^"]+)$/, '$1"."$2');
+    }
+
     this.ttl = options.ttl;
@@ -58,5 +69,3 @@
       this.pruneSessionInterval = (options.pruneSessionInterval || 60) * 1000;
-      setImmediate(function () {
-        this.pruneSessions();
-      }.bind(this));
+      setImmediate(() => { this.pruneSessions(); });
     }
@@ -100,3 +109,3 @@ };
   PGStore.prototype.pruneSessions = function (fn) {
-    this.query('DELETE FROM ' + this.quotedTable() + ' WHERE expire < to_timestamp($1)', [currentTimestamp()], function (err) {
+    this.query('DELETE FROM ' + this.quotedTable() + ' WHERE expire < to_timestamp($1)', [currentTimestamp()], err => {
       if (fn && typeof fn === 'function') {
@@ -114,6 +123,6 @@ return fn(err);
         }
-        this.pruneTimer = setTimeout(this.pruneSessions.bind(this, true), this.pruneSessionInterval);
+        this.pruneTimer = setTimeout(() => { this.pruneSessions(); }, this.pruneSessionInterval);
         this.pruneTimer.unref();
       }
-    }.bind(this));
+    });
   };
@@ -190,3 +199,3 @@
   PGStore.prototype.get = function (sid, fn) {
-    this.query('SELECT sess FROM ' + this.quotedTable() + ' WHERE sid = $1 AND expire >= to_timestamp($2)', [sid, currentTimestamp()], function (err, data) {
+    this.query('SELECT sess FROM ' + this.quotedTable() + ' WHERE sid = $1 AND expire >= to_timestamp($2)', [sid, currentTimestamp()], (err, data) => {
       if (err) { return fn(err); }
@@ -199,3 +208,3 @@ if (!data) { return fn(); }
       }
-    }.bind(this));
+    });
   };
@@ -217,3 +226,3 @@
     this.query(query, [sess, expireTime, sid], function (err) {
-      if (fn) { fn.apply(this, err); }
+      if (fn) { fn.call(this, err); }
     });
@@ -220,0 +229,0 @@ };

package.json

 {
   "name": "connect-pg-simple",
-  "version": "6.0.0",
+  "version": "6.0.1",
   "description": "A simple, minimal PostgreSQL session store for Connect/Express",
@@ -25,3 +25,3 @@ "url": "http://github.com/voxpelli/node-connect-pg-simple",
     "check:dependency-check": "dependency-check *.js 'test/**/*.js' --no-dev",
-    "check:installed-check": "installed-check -e -i eslint",
+    "check:installed-check": "installed-check -i eslint",
     "check:lint": "eslint .",
@@ -40,30 +40,29 @@ "check": "run-p check:*",
   "devDependencies": {
-    "chai": "4.2.0",
-    "chai-as-promised": "7.1.1",
-    "cookie-signature": "1.1.0",
-    "cookiejar": "2.1.2",
-    "coveralls": "3.0.5",
-    "denodeify": "1.2.1",
-    "dependency-check": "4.0.1",
-    "dotenv": "8.0.0",
-    "eslint": "6.1.0",
-    "eslint-config-semistandard": "14.0.0",
-    "eslint-config-standard": "13.0.1",
-    "eslint-plugin-import": "2.18.2",
-    "eslint-plugin-node": "9.1.0",
-    "eslint-plugin-promise": "4.2.1",
-    "eslint-plugin-standard": "4.0.0",
-    "express": "4.17.1",
-    "express-session": "1.16.2",
-    "husky": "3.0.1",
-    "installed-check": "2.2.0",
-    "mocha": "6.2.0",
-    "npm-run-all": "4.1.5",
-    "nyc": "14.1.1",
-    "pg-promise": "9.0.0",
-    "proxyquire": "2.1.1",
-    "sinon": "7.3.2",
-    "sinon-chai": "3.3.0",
-    "supertest": "4.0.2"
+    "chai": "^4.2.0",
+    "chai-as-promised": "^7.1.1",
+    "cookie-signature": "^1.1.0",
+    "cookiejar": "^2.1.2",
+    "coveralls": "^3.0.6",
+    "dependency-check": "^4.1.0",
+    "dotenv": "^8.0.0",
+    "eslint": "^6.1.0",
+    "eslint-config-semistandard": "^14.0.0",
+    "eslint-config-standard": "^13.0.1",
+    "eslint-plugin-import": "^2.18.2",
+    "eslint-plugin-node": "^9.1.0",
+    "eslint-plugin-promise": "^4.2.1",
+    "eslint-plugin-standard": "^4.0.0",
+    "express": "^4.17.1",
+    "express-session": "^1.16.2",
+    "husky": "^3.0.3",
+    "installed-check": "^3.0.0",
+    "mocha": "^6.2.0",
+    "npm-run-all": "^4.1.5",
+    "nyc": "^14.1.1",
+    "pg-promise": "^9.0.0",
+    "proxyquire": "^2.1.2",
+    "sinon": "^7.4.1",
+    "sinon-chai": "^3.3.0",
+    "supertest": "^4.0.2"
   }
 }

README.md

@@ -6,3 +6,3 @@ # Connect PG Simple
 [![js-semistandard-style](https://img.shields.io/badge/code%20style-semistandard-brightgreen.svg?style=flat)](https://github.com/Flet/semistandard)
-[![Build Status](https://travis-ci.org/voxpelli/node-connect-pg-simple.svg?branch=master)](https://travis-ci.org/voxpelli/node-connect-pg-simple)
+[![Build Status](https://travis-ci.com/voxpelli/node-connect-pg-simple.svg?branch=master)](https://travis-ci.com/voxpelli/node-connect-pg-simple)
 [![Coverage Status](https://coveralls.io/repos/voxpelli/node-connect-pg-simple/badge.svg)](https://coveralls.io/r/voxpelli/node-connect-pg-simple)
@@ -12,4 +12,4 @@ [![dependencies Status](https://david-dm.org/voxpelli/node-connect-pg-simple/status.svg)](https://david-dm.org/voxpelli/node-connect-pg-simple)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvoxpelli%2Fnode-connect-pg-simple.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoxpelli%2Fnode-connect-pg-simple?ref=badge_shield)
-[![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/voxpelli/node-connect-pg-simple.svg)](http://isitmaintained.com/project/voxpelli/node-connect-pg-simple "Average time to resolve an issue")
-[![Percentage of issues still open](http://isitmaintained.com/badge/open/voxpelli/node-connect-pg-simple.svg)](http://isitmaintained.com/project/voxpelli/node-connect-pg-simple "Percentage of issues still open")
+[![Average time to resolve an issue](https://isitmaintained.com/badge/resolution/voxpelli/node-connect-pg-simple.svg)](https://isitmaintained.com/project/voxpelli/node-connect-pg-simple "Average time to resolve an issue")
+[![Percentage of issues still open](https://isitmaintained.com/badge/open/voxpelli/node-connect-pg-simple.svg)](https://isitmaintained.com/project/voxpelli/node-connect-pg-simple "Percentage of issues still open")
 [![Language grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/voxpelli/node-connect-pg-simple.svg?style=flat)](https://lgtm.com/projects/g/voxpelli/node-connect-pg-simple/context:javascript)
@@ -16,0 +16,0 @@

test/db-utils.js

@@ -13,3 +13,3 @@ 'use strict';
 
-const denodeify = require('denodeify');
+const { promisify } = require('util');
 const pg = require('pg');
@@ -19,3 +19,3 @@
 
-const readFile = denodeify(require('fs').readFile);
+const readFile = promisify(require('fs').readFile);
 
@@ -22,0 +22,0 @@ const tables = ['session'];

test/main.spec.js

@@ -153,2 +153,12 @@ 'use strict';
     });
+
+    it('should escape table name', function () {
+      options.tableName = 'foo"ba"r';
+      (new PGStore(options)).quotedTable().should.be.a('string').that.equals('"foo""ba""r"');
+    });
+
+    it('should escape schema name', function () {
+      options.schemaName = 'b""ar"foo';
+      (new PGStore(options)).quotedTable().should.be.a('string').that.equals('"b""""ar""foo"."session"');
+    });
   });
@@ -155,0 +165,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

41412

increased by5.45%

Dev dependency count

26

decreased by-3.7%

Number of package files

17

increased by6.25%

Lines of code

677

increased by2.27%

No dependency changes