Security: Escape schemaName + tableName

Fixes #151

index.js

@@ -7,15 +7,26 @@ const currentTimestamp = function () {
   return Math.ceil(Date.now() / 1000);
 };
 
+/**
+ * See
+ * @see https://www.postgresql.org/docs/9.5/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+ */
+const escapePgIdentifier = (value) => value.replace(/"/g, '""');
+
 module.exports = function (session) {
   const Store = session.Store || session.session.Store;
 
   const PGStore = function (options) {
     options = options || {};
     Store.call(this, options);
 
-    this.schemaName = options.schemaName || null;
-    this.tableName = options.tableName || 'session';
+    this.schemaName = options.schemaName ? escapePgIdentifier(options.schemaName) : null;
+    this.tableName = options.tableName ? escapePgIdentifier(options.tableName) : 'session';
+
+    if (!this.schemaName && this.tableName.includes('"."')) {
+      console.warn('DEPRECATION WARNING: Schema should be provided through its dedicated "schemaName" option rather than through "tableName"');
+      this.tableName = this.tableName.replace(/^([^"]+)""\.""([^"]+)$/, '$1"."$2');
+    }
 
     this.ttl = options.ttl;
 

test/main.spec.js

@@ -150,6 +150,16 @@ describe('PGStore', function () {
       options.tableName = 'barfoo.foobar';
       (new PGStore(options)).quotedTable().should.be.a('string').that.equals('"barfoo.foobar"');
     });
+
+    it('should escape table name', function () {
+      options.tableName = 'foo"ba"r';
+      (new PGStore(options)).quotedTable().should.be.a('string').that.equals('"foo""ba""r"');
+    });
+
+    it('should escape schema name', function () {
+      options.schemaName = 'b""ar"foo';
+      (new PGStore(options)).quotedTable().should.be.a('string').that.equals('"b""""ar""foo"."session"');
+    });
   });
 
   describe('configSetup', function () {