socketio / socket.io-postgres-adapter

The Socket.IO Postgres adapter, allowing events to be broadcast between several Socket.IO servers
https://socket.io
MIT License

Fix possible SQL injection in payload #1

Closed kevin68 closed 3 years ago

kevin68 commented 3 years ago

While testing the lib to scale our messaging service across multiple instances, we found that some messages triggered an error. Those messages all contained the ' character, and after a quick review of the source code we found that the payload is directly used in building the request, which allows SQL injection. To fix that, I used parameterized queries when sending the NOTIFY command -> https://node-postgres.com/features/queries#parameterized-query

Another possible SQL injection concerns the tableName and cleanupInterval variables, but it is much harder to exploit as it requires the attacker to have access to the source code and/or configuration of the program using this lib.
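The two forms described above, as an added example that is not the adapter's own code: a broadcast payload concatenated into the NOTIFY text (the bug) beside the parameterized form via `pg_notify($1, $2)` (NOTIFY itself accepts no bind parameters, so this is the usual node-postgres pattern). The `pool` here is a stand-in that records `query(text, values)` calls instead of talking to Postgres, the channel name is constructed, and the identifier check for `tableName` is one possible mitigation, not the project's.

```javascript
// Constructed channel name; the real adapter's channel is not assumed here.
const CHANNEL = "socket_io_demo";

// Stand-in for a node-postgres Pool: records text and bind values so the
// example runs offline. Real pg.Pool#query has the same (text, values) shape.
function makeFakePool() {
  const sent = [];
  return {
    sent,
    query(text, values = []) {
      sent.push({ text, values });
      return Promise.resolve({ rows: [] });
    },
  };
}

// Vulnerable: the payload becomes part of the SQL text. A payload containing
// a single quote closes the string literal early, so the rest of the payload
// is parsed as SQL (the errors the PR author saw on messages with ').
function notifyUnsafe(pool, payload) {
  return pool.query(`NOTIFY ${CHANNEL}, '${payload}'`);
}

// Fixed: channel and payload travel as bind values and are never parsed as
// SQL, whatever characters they contain.
function notifySafe(pool, payload) {
  return pool.query("SELECT pg_notify($1, $2)", [CHANNEL, payload]);
}

// Identifiers such as tableName cannot be bind parameters. One mitigation
// (an assumption, not the adapter's approach) is a strict allowlist check
// before the name is ever interpolated into DDL/DML text.
function assertSafeIdentifier(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(name)) {
    throw new Error(`unsafe SQL identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

// Number of single quotes that ended up inside the SQL text of each recorded
// query: shows where a quote-bearing payload lands in each variant.
function quotesInSqlText(pool) {
  return pool.sent.map((q) => (q.text.match(/'/g) || []).length);
}
```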

darrachequesne commented 3 years ago

@kevin68 good catch, thanks a lot :+1:

darrachequesne commented 3 years ago

Released in 0.1.1.