
2019-07-18

New documentation

After a very long time on my todo list I've ported the docs from my old hand-rolled webapp running on route53 + elb + ec2 + dokku (I know, I went overboard!) to gatsby hosted on netlify which is so much easier to manage. I've released the code at https://github.com/brianc/node-postgres-docs and invite your contributions! Let's make this documentation better together. Any time changes are merged to master on the documentation repo it will automatically deploy.

If you see an error in the docs, big or small, use the "edit on github" button to edit the page & submit a pull request right there. I'll get a new version out ASAP with your changes! If you want to add new pages of documentation open an issue if you need guidance, and I'll help you get started.

I want to extend a special thank you to all the supporters and contributors to the project that have helped keep me going through times of burnout or life "getting in the way." ❤️

It's been quite a journey, and I look forward to continuing it for as long as I can provide value to all y'all. 🤠

2017-08-12

code execution vulnerability

Today @sehrope found and reported a code execution vulnerability in node-postgres. This affects all versions from pg@2.x through pg@7.1.0.

I have published a fix on the tip of each major version branch of all affected versions as well as a fix on each minor version branch of pg@6.x and pg@7.x:

Fixes

The following versions have been published to npm & contain a patch to fix the vulnerability:

pg@2.11.2
pg@3.6.4
pg@4.5.7
pg@5.2.1
pg@6.0.5
pg@6.1.6
pg@6.2.5
pg@6.3.3
pg@6.4.2
pg@7.0.3
pg@7.1.2

Example

To demonstrate the issue & check whether you are vulnerable, execute the following in node:

const { Client } = require('pg')
// With no arguments the client reads its connection settings from the usual
// PG* environment variables (PGHOST, PGUSER, PGPASSWORD, PGDATABASE, ...)
const client = new Client()
client.connect()

// The two column aliases are crafted so that, on a vulnerable version, the
// row-parsing code treats part of the second alias as JavaScript and runs it
const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  client.end()
})

On a vulnerable version you will see your environment variables printed to your console; on a patched version the query simply returns its two columns and nothing is printed. An attacker can use this to execute arbitrary node code within your process.
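As an added example that is not part of the original announcement or of node-postgres itself, the following simplified model shows why a column name can turn into code. It assumes the row parser is built by pasting field names into a string that is compiled with `new Function`, escaping only single quotes (a simplification of the affected pattern, not the library's actual source); the field names reuse the advisory's payload with `console.log(process.env)` swapped for a flag on `globalThis` so the effect can be checked without a database. The safe variant assigns properties directly and never compiles untrusted text.

```javascript
// Simplified model of building a row parser from PostgreSQL field names.
// Added example, not node-postgres' own code.

// UNSAFE: generate the parser's source text from the field names.
// Escaping only the apostrophe is not enough: a name ending in  \'  becomes
// \\'  after escaping, which closes the string literal early, so everything
// after it in the name is compiled as JavaScript.
function buildRowParserUnsafe(fieldNames) {
  let body = 'var row = {};'
  fieldNames.forEach((name, i) => {
    body += "\nrow['" + name.replace(/'/g, "\\'") + "'] = rowData[" + i + '];'
  })
  body += '\nreturn row;'
  return new Function('rowData', body)
}

// SAFE: never turn field names into source text; assign by property name.
function buildRowParserSafe(fieldNames) {
  return function (rowData) {
    const row = {}
    fieldNames.forEach((name, i) => {
      row[name] = rowData[i]
    })
    return row
  }
}

// Constructed inputs. MALICIOUS_FIELDS is the advisory's payload with the
// console.log(process.env) replaced by a flag assignment we can observe.
const BENIGN_FIELDS = ['id', "it's"] // a lone apostrophe is handled by the naive escaping
const MALICIOUS_FIELDS = [
  "\\'/*",
  "\\'*/\n + (globalThis.injected = true)] = null;\n//",
]

// Run a parser and report whether the payload executed.
function runParser(build, fields, rowData) {
  globalThis.injected = false
  const row = build(fields)(rowData)
  return { row, injected: globalThis.injected === true }
}

function runUnsafe(fields, rowData) {
  return runParser(buildRowParserUnsafe, fields, rowData)
}

function runSafe(fields, rowData) {
  return runParser(buildRowParserSafe, fields, rowData)
}

// Summary of both parsers on both inputs.
function demo() {
  return {
    unsafeBenign: runUnsafe(BENIGN_FIELDS, [1, 2]).injected,      // false
    unsafeMalicious: runUnsafe(MALICIOUS_FIELDS, [1, 2]).injected, // true: code ran
    safeMalicious: runSafe(MALICIOUS_FIELDS, [1, 2]).injected,     // false: names are just keys
  }
}

console.log(demo())
```

With the malicious names the unsafe parser's generated source collapses to `row['\\' + (globalThis.injected = true)] = null;` after the `/* ... */` comment swallows the first assignment and `//` hides the tail, which is exactly the shape the advisory's payload relies on. The safe parser stores the same names verbatim as keys, so a hostile column name can at most produce an odd-looking key.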

Impact

This vulnerability likely does not impact you if you are connecting to a database you control and not executing user-supplied sql. Still, you should absolutely upgrade to the most recent patch version as soon as possible to be safe.

Two attack vectors we quickly thought of:

  1. executing unsafe, user-supplied SQL which contains a malicious column name like the one above.
  2. connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Note that in the second case the query text does not matter: column names arrive from the server in its row description, so a malicious or compromised server can supply them for any query you run.

Support

I have created an issue you can use to discuss the vulnerability with me or ask questions, and I have reported this issue on twitter and directly to Heroku and nodesecurity.io.

I take security very seriously. If you or your company benefit from node-postgres please sponsor my work: this type of issue is one of the many things I am responsible for, and I want to be able to continue to tirelessly provide a world-class PostgreSQL experience in node for years to come.
