add arrow csr dst col name by aheev · Pull Request #19 · LadybugDB/ladybug-nodejs

aheev · 2026-05-28T06:50:04Z

No description provided.

aheev · 2026-05-28T09:38:07Z

failures are related to new changes in c_api

adsharma · 2026-05-28T15:01:58Z

Medium, security/API surface: src_cpp/main.cpp:12 exports createArrowCSRTestData from the production native
addon. That is test fixture code shipped in the runtime binary, returning unmanaged native pointer-like
Externals. Even if it is not in the public .d.ts, it is still part of the native module surface and gives
consumers a native allocation helper that only exists for tests. This should be behind a test-only build flag,
moved into a separate test addon, or avoided.
Medium, DoS/memory-safety risk: src_js/connection.js:428 validates dstColName in CSR mode but does not validate indptrArraysPtr or numIndptrArrays. Native then uses Uint32Value() at src_cpp/node_connection.cpp:293 and src_cpp/node_connection.cpp:295. Values like -1 can wrap to a huge unsigned count, and TakeArrowArrays reserves/reads that many arrays from a pointer. Validate both counts as positive safe integers in JS and add native range/type checks too.

add arrow csr dst col name

a7accd0

aheev mentioned this pull request May 28, 2026

add arrow csr dst col name param LadybugDB/ladybug#534

Merged

fix tests

9e342f4

adsharma merged commit da51dc5 into LadybugDB:main May 28, 2026
4 checks passed

Provide feedback