While testing the lib to scale our messaging service across multiple instances, we found that some messages triggered an error.
Those messages all contained the ' character, and after a quick review of the source code we found that the payload is directly used in building the request, which allows SQL injections.
To fix that, I used parameterized queries when sending the NOTIFY command -> https://node-postgres.com/features/queries#parameterized-query
Another possible SQL injection concerns the tableName and cleanupInterval variables, but it is much harder to exploit as it requires the attacker to have access to the source code and/or configuration of the program using this lib.
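The two shapes discussed in this PR, as an added example that is not the PR's or the library's code: the string-built NOTIFY that breaks on a `'`, beside a parameterized replacement built as node-postgres query config objects (`{ text, values }`), plus identifier quoting and input validation for the tableName/cleanupInterval case. One caveat a practitioner should know: PostgreSQL's NOTIFY is a utility command and does not accept bind parameters, so the parameterizable equivalent is the `pg_notify(text, text)` function. The channel name `events`, table `messages`, column `created_at`, and a cleanupInterval in seconds are assumptions for the example; the sample payload is constructed.

```javascript
// Added example (not the library's or the PR's code). Builds node-postgres
// query config objects only, so it runs without a database.
// Assumed names: channel "events", table "messages", column "created_at",
// cleanupInterval expressed in seconds.

// Vulnerable form: the payload is spliced into the SQL text. A single quote in
// the payload closes the string literal and whatever follows is parsed as SQL.
// Sent as client.query(text) with no values, node-postgres uses the simple
// query protocol, which also executes stacked statements.
function buildNotifyUnsafe(channel, payload) {
  return `NOTIFY ${channel}, '${payload}'`;
}

// Hardened form: NOTIFY does not accept $1-style parameters, so use the
// pg_notify(text, text) function. Channel and payload are shipped as bind
// parameters in the extended protocol and are never parsed as SQL.
function buildNotifySafe(channel, payload) {
  return { text: 'SELECT pg_notify($1, $2)', values: [channel, payload] };
}

// tableName is an identifier and cannot be a bind parameter. Quote it the way
// node-postgres's client.escapeIdentifier() does: wrap in double quotes and
// double any embedded double quote.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// cleanupInterval is validated to a positive integer and still passed as a
// parameter, so a value taken from configuration can never add SQL syntax.
function buildCleanup(tableName, cleanupInterval) {
  const seconds = Number(cleanupInterval);
  if (!Number.isInteger(seconds) || seconds <= 0) {
    throw new TypeError('cleanupInterval must be a positive integer number of seconds');
  }
  return {
    text:
      `DELETE FROM ${quoteIdent(tableName)} ` +
      `WHERE created_at < now() - ($1::int * interval '1 second')`,
    values: [seconds],
  };
}

// Sends a notification through anything with a node-postgres style
// query(config) method (pg.Client or pg.Pool).
async function sendNotify(client, channel, payload) {
  return client.query(buildNotifySafe(channel, payload));
}

// Constructed sample payload: the apostrophe that broke messages in the PR,
// followed by an injected statement.
const samplePayload = "it's here'; DROP TABLE messages; --";

// Offline demonstration with a fake client that records what would be sent.
async function demo() {
  const sent = [];
  const fakeClient = {
    query: async (cfg) => { sent.push(cfg); return { rowCount: 1 }; },
  };
  await sendNotify(fakeClient, 'events', samplePayload);
  return {
    unsafe: buildNotifyUnsafe('events', samplePayload), // quote closed early, DROP TABLE becomes SQL
    safe: sent[0],                                      // text has only $1/$2; payload stays in values
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The unsafe string for the sample payload is `NOTIFY events, 'it's here'; DROP TABLE messages; --'`, which the simple query protocol would run as two statements; the safe form sends `SELECT pg_notify($1, $2)` with the payload as `values[1]`, and the extended protocol used for parameterized queries only accepts a single statement per text anyway.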