
Commit 8931bf6c by Pedro Augusto de Paula Barbosa Committed by GitHub

fix(sqlite): properly catch errors (#11877)

1 parent efd2f406
......@@ -251,12 +251,20 @@ class Query extends AbstractQuery {
}
}
function wrappedAfterExecute() { // See #11862
try {
return afterExecute.apply(this, arguments);
} catch (error) {
reject(error);
}
}
if (method === 'exec') {
// exec does not support bind parameter
this.database[method](this.sql, afterExecute);
this.database[method](this.sql, wrappedAfterExecute);
} else {
if (!parameters) parameters = [];
this.database[method](this.sql, parameters, afterExecute);
this.database[method](this.sql, parameters, wrappedAfterExecute);
}
}));
return null;
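Review bot: The comment on `wrappedAfterExecute` (`// See #11862`) leaves the reader to look up why a callback needs a try/catch at all; the new test file on this commit states the consequence ("the following call would crash the process"), so the wrapper deserves a comment that says so, e.g. `// See #11862: an exception thrown from inside the sqlite3 callback would surface as an uncaught exception and crash the process; route it to reject() instead.` On style, `afterExecute.apply(this, arguments)` could take rest parameters (`function wrappedAfterExecute(...args) { ... afterExecute.apply(this, args) ... }`), though it must stay a regular function rather than an arrow if afterExecute depends on the `this` the driver supplies to its callback — I cannot confirm that from the hunk. Note that a rejection reached after afterExecute has already called resolve is a no-op, so the catch cannot double-settle the promise, which is worth a word in that comment too. The enclosing Promise executor begins before this hunk.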
......
'use strict';
const Support = require(__dirname + '/../../support'),
dialect = Support.getTestDialect(),
DataTypes = require(__dirname + '/../../../../lib/data-types');
if (dialect === 'sqlite') {
describe('[SQLITE Specific] Prevents security issue #11862', () => {
it('Prevents security issue #11862', function() {
const Vulnerability = this.sequelize.define('Vulnerability', {
name: DataTypes.STRING
});
return Vulnerability.sync({ force: true }).then(() => {
// Before #11862 was fixed, the following call would crash the process.
// Here we test that this is no longer the case - the promise should settle properly.
// Ideally it should resolve, of course (not reject!), but from the point of view of the
// security issue, rejecting the promise is by far not as bad as crashing the process.
return Vulnerability.create({ name: 'SELECT tbl_name FROM sqlite_master' }).reflect();
// Note that in Sequelize v5+, the above call behaves correctly (resolves).
});
});
});
}
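Review bot: The comma-chained `const` at the top of the new test file builds the require paths by string concatenation (`__dirname + '/../../support'`); one declaration per `const` with `path.join` reads better and avoids the hand-written separators, e.g. `const path = require('path');` / `const Support = require(path.join(__dirname, '..', '..', 'support'));` / `const DataTypes = require(path.join(__dirname, '..', '..', '..', '..', 'lib', 'data-types'));`. The test itself only checks that the promise settles, which the inline comments explain is deliberate for this issue; the explanation is clear, but the `it` title could say that ("settles instead of crashing the process") so the intent is visible in the reporter output as well.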