fix(query): add escape of null character for postgres bind parameters (#10716)

Christian Holm · Sushant
Commit d6daaf1b authored Apr 08, 2019 by Christian Holm Committed by Sushant Apr 08, 2019
Showing with 32 additions and 3 deletions
lib/dialects/postgres/query.js
test/unit/sql/insert.test.js
--- a/lib/dialects/postgres/query.js
+++ b/lib/dialects/postgres/query.js
@@ -20,11 +20,14 @@ class Query extends AbstractQuery {
   * @private
   */
  static formatBindParameters(sql, values, dialect) {
-    let bindParam = [];
+    const stringReplaceFunc = value => typeof value === 'string' ? value.replace(/\0/g, '\\0') : value;
+
+    let bindParam;
    if (Array.isArray(values)) {
-      bindParam = values;
+      bindParam = values.map(stringReplaceFunc);
      sql = AbstractQuery.formatBindParameters(sql, values, dialect, { skipValueReplace: true })[0];
    } else {
+      bindParam = [];
      let i = 0;
      const seen = {};
      const replacementFunc = (match, key, values) => {
@@ -33,7 +36,7 @@ class Query extends AbstractQuery {
        }
        if (values[key] !== undefined) {
          i = i + 1;
-          bindParam.push(values[key]);
+          bindParam.push(stringReplaceFunc(values[key]));
          seen[key] = `$${i}`;
          return `$${i}`;
        }

--- a/test/unit/sql/insert.test.js
+++ b/test/unit/sql/insert.test.js
@@ -98,6 +98,32 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
    });
  });

+  describe('strings', () => {
+    it('formats null characters correctly when inserting', () => {
+      const User = Support.sequelize.define('user', {
+        username: {
+          type: DataTypes.STRING,
+          field: 'user_name'
+        }
+      }, {
+        timestamps: false
+      });
+
+      expectsql(sql.insertQuery(User.tableName, { user_name: 'null\0test' }, User.rawAttributes),
+        {
+          query: {
+            postgres: 'INSERT INTO "users" ("user_name") VALUES ($1);',
+            mssql: 'INSERT INTO [users] ([user_name]) VALUES ($1);',
+            default: 'INSERT INTO `users` (`user_name`) VALUES ($1);'
+          },
+          bind: {
+            postgres: ['null\u0000test'],
+            default: ['null\0test']
+          }
+        });
+    });
+  });
+
  describe('bulkCreate', () => {
    it('bulk create with onDuplicateKeyUpdate', () => {
      const User = Support.sequelize.define('user', {