Bad string generating by Expression

[zeruk]

Expected Behavior

Trying to escape some random input to break expression

exp = new Influx.Expression();
exp.tag('symbol').equals.value(`GAZP()\'`).toString() // **`"symbol" = 'GAZP()\\\''`**

And it should escape characters correctly

Actual Behavior

But it doesn't escape them

exp = new Influx.Expression();
exp.tag('symbol').equals.value(`GAZP()\'`).toString() // **`"symbol" = 'GAZP()\\''`**

Steps/Code to Reproduce the Problem

const influx = require('influx')
const exp = new influx.Expression();
exp.tag('symbol').equals.value(`GAZP()\'`).toString()
// ...

Specifications

• Version: 5.5.1
• Platform: Darwin

[zeruk]

More than that, it also allows SQL-injections:

exp.tag('symbol').equals.value(`GAZP()\' or 1=1 --`).toString()

Query with such "Where" clause will return all rows from measurement

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[bencevans]

Hi @connor4312. Hope you're well! Did you get a chance to look into this? Cheers, Ben

[connor4312]

Not yet. Though I plan to use Influx again (for the first time in ages) for some home automation stuff, so I will probably be spending some time on this library again

[robertsLando]

@bencevans any news on this? it's introducing some high security risk