fix(security): sanitize timezone parameter value to prevent code injection (#2608)

* fix(security): sanitize timezone parameter value to prevent code injection. Discovered by zhaoyudi (Nebulalab)
sidorares authored Apr 21, 2024
1 parent 2efd6ab commit 7d4b098
Showing 4 changed files with 52 additions and 4 deletions.
4 changes: 2 additions & 2 deletions lib/parsers/binary_parser.js
Expand Up @@ -42,9 +42,9 @@ function readCodeFor(field, config, options, fieldNum) {
case Types.TIMESTAMP:
case Types.NEWDATE:
if (helpers.typeMatch(field.columnType, dateStrings, Types)) {
return `packet.readDateTimeString(${field.decimals});`;
return `packet.readDateTimeString(${parseInt(field.decimals, 10)});`;
}
return `packet.readDateTime('${timezone}');`;
return `packet.readDateTime(${helpers.srcEscape(timezone)});`;
case Types.TIME:
return 'packet.readTimeString()';
case Types.DECIMAL:
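Review bot: `parseInt(field.decimals, 10)` on the new line 24 turns a missing or non-numeric `decimals` into `NaN`, so the generated source becomes `packet.readDateTimeString(NaN);` — not injectable, but different from the pre-patch output, which would have interpolated the raw value (`undefined` for a missing field). Worth confirming that `readDateTimeString` treats `NaN` the same way it treated `undefined`, or guarding with something like `Number.isInteger(field.decimals) ? field.decimals : 0` if a well-formed integer is what it expects; where `field` comes from is not visible here. For the timezone, `helpers.srcEscape` is not shown in this diff; assuming it yields a JS string literal, escaping at the embed site is the right fix, but a format check when the option is accepted (`local`, `Z`, or `±HH:MM`) would reject such values with a clear error instead of passing them through to `readDateTime`. `readCodeFor` starts and ends outside this hunk.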
4 changes: 2 additions & 2 deletions lib/parsers/text_parser.js
Expand Up @@ -48,13 +48,13 @@ function readCodeFor(type, charset, encodingExpr, config, options) {
if (helpers.typeMatch(type, dateStrings, Types)) {
return 'packet.readLengthCodedString("ascii")';
}
return `packet.parseDate('${timezone}')`;
return `packet.parseDate(${helpers.srcEscape(timezone)})`;
case Types.DATETIME:
case Types.TIMESTAMP:
if (helpers.typeMatch(type, dateStrings, Types)) {
return 'packet.readLengthCodedString("ascii")';
}
return `packet.parseDateTime('${timezone}')`;
return `packet.parseDateTime(${helpers.srcEscape(timezone)})`;
case Types.TIME:
return 'packet.readLengthCodedString("ascii")';
case Types.GEOMETRY:
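Review bot: The timezone is now escaped on the new lines 39 and 46, but the same function also receives `charset` and `encodingExpr` (signature on the `@@` line), and the name `encodingExpr` suggests it is spliced into the generated source too; that path is outside this hunk, so I cannot tell whether it is escaped or validated, and it deserves the same audit since it is another caller-influenced string that reaches `readCodeFor`. A short comment above the `parseDate`/`parseDateTime` returns would also help the next maintainer, e.g. `// timezone is caller-supplied: srcEscape turns it into a JS string literal so it cannot break out of the generated code`. `readCodeFor` starts and ends outside this hunk.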
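--- /dev/null
+++ b/test/esm/unit/parsers/timezone-binary-sanitization.test.mjs
@@ -0,0 +1,24 @@
+import { describe, test, assert } from 'poku';
+import { createConnection, describeOptions } from '../../../common.test.cjs';
+
+const connection = createConnection().promise();
+
+describe('Binary Parser: timezone Sanitization', describeOptions);
+
+Promise.all([
+test(async () => {
+process.env.TEST_ENV_VALUE = 'secure';
+await connection.execute({
+sql: 'SELECT NOW()',
+timezone: `'); process.env.TEST_ENV_VALUE = "not so much"; //`,
+});
+
+assert.strictEqual(
+process.env.TEST_ENV_VALUE,
+'secure',
+'Timezone sanitization failed - code injection possible',
+);
+}),
+]).then(async () => {
+await connection.end();
+});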
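Review bot: `connection.end()` in the closing `.then` only runs when the test passes; if the assertion rejects, `Promise.all` rejects, the connection stays open and the failure surfaces as an unhandled rejection rather than a clean test failure. Use `.finally(async () => { await connection.end(); })` so the socket is always released. The test also only proves the payload did not execute; it never checks that the query still completed, so capturing `const [rows] = await connection.execute({ ... })` and asserting on `rows[0]` would also catch `srcEscape` turning the value into something the date reader rejects silently — though what `readDateTime` does with a garbage timezone is not visible in this diff.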
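--- /dev/null
+++ b/test/esm/unit/parsers/timezone-text-sanitization.test.mjs
@@ -0,0 +1,24 @@
+import { describe, test, assert } from 'poku';
+import { createConnection, describeOptions } from '../../../common.test.cjs';
+
+const connection = createConnection().promise();
+
+describe('Text Parser: timezone Sanitization', describeOptions);
+
+Promise.all([
+test(async () => {
+process.env.TEST_ENV_VALUE = 'secure';
+await connection.query({
+sql: 'SELECT NOW()',
+timezone: `'); process.env.TEST_ENV_VALUE = "not so much"; //`,
+});
+
+assert.strictEqual(
+process.env.TEST_ENV_VALUE,
+'secure',
+'Timezone sanitization failed - code injection possible',
+);
+}),
+]).then(async () => {
+await connection.end();
+});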
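Review bot: The payload on line 93 only exercises a single-quote breakout, so a `srcEscape` that merely escaped quotes would still pass it; a second case that leads with a backslash, e.g. `` timezone: `\\'); process.env.TEST_ENV_VALUE = "not so much"; //` ``, would catch an escaper that lets `\'` neutralise its own escaping. A positive case is missing as well: a legitimate value such as `timezone: '+00:00'` with an assertion that `rows[0]` holds a `Date` would guard against the escaping breaking normal use, which this file cannot detect. Finally, closing the connection in `.finally` rather than `.then` keeps a failing assertion from leaving the socket open, and resetting `process.env.TEST_ENV_VALUE` afterwards avoids leaking state into other tests in the same process.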
