Validates PostgreSQL table name #19602
A bit overly dramatic title. Unless something else is wrong this should not be available for anyone but admins to set.
I suggest "Sanitize postgres event table name" or something less "dramatic".
You're right. Updated commit message and PR title.
Good find. Could we imagine any existing table names becoming invalid now (other than the ones containing a quote)?
If you're using a table name with diacritics, then they may be marked as invalid (where previously they were working fine). I do think that's a rare scenario and it can be easily fixed by using quotes (although that's always tricky on command-line and/or YAML). I did check if I could find an existing function in one of the Go packages that would validate the name, but I couldn't find one. What I could do is first normalize the name using
@ramondeklein Yeah. It will probably be pretty annoying to upgrade to this, if valid (even if strange) names would be rejected, since they would have to build a new table.
They could also update the configuration to use the name with diacritics within double quotes, but I pushed a fix that also allows diacritics.
@ramondeklein please make branches on your fork, instead of the origin.
Will do that next time.
The PostgreSQL store can be used for submitting events to a table. This table can be configured, but it is inserted using Sprintf(...) to generate INSERT, UPDATE, DELETE statements. Despite it being a configuration value (and not originating from user input) it is still a good idea to validate or sanitize the value.
This PR checks the table name and only allows the use of valid PSQL identifiers. Note that PostgreSQL identifier rules also allow diacritics as valid identifier names, but they are only accepted here when used with quotes. Creating a regular expression that accepts diacritics is hard and probably not used often.
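One way to write the check the description above calls for, as an added example that is not the PR's own code: the hypothetical `validateTableName` follows PostgreSQL's documented identifier syntax, accepting unquoted names (letters including diacritics, underscore, then digits and `$`) and double-quoted names whose embedded quotes are doubled. The sample names in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// validateTableName is a hypothetical helper, not the project's function.
func validateTableName(name string) error {
	if name == "" {
		return errors.New("empty table name")
	}
	if strings.HasPrefix(name, `"`) {
		return validateQuoted(name)
	}
	for i, r := range name {
		switch {
		case unicode.IsLetter(r) || r == '_': // allowed in any position
		case i > 0 && (r == '$' || (r >= '0' && r <= '9')): // not as first character
		default:
			return fmt.Errorf("invalid character %q at byte %d", r, i)
		}
	}
	return nil
}

// validateQuoted checks a delimited identifier: "..." with "" as the only escape.
func validateQuoted(name string) error {
	if len(name) < 3 || !strings.HasSuffix(name, `"`) {
		return errors.New("quoted name must be non-empty and end with a double quote")
	}
	inner := name[1 : len(name)-1]
	if strings.ContainsRune(inner, 0) {
		return errors.New("NUL character in quoted name")
	}
	// Once every escaped pair is removed, any quote left over is unescaped.
	if strings.Contains(strings.ReplaceAll(inner, `""`, ""), `"`) {
		return errors.New("unescaped double quote in quoted name")
	}
	return nil
}

func main() {
	for _, n := range []string{"events", "événements", `"my table"`, `events"x`, "1events"} {
		fmt.Printf("%-14q -> %v\n", n, validateTableName(n))
	}
}
```

Only a name that passes this check should reach the `Sprintf(...)` call that builds the statement; all row values should still go through query parameters.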