fix: escaping identifiers & literals

We now use pg-format in most places, which should take care of escaping
' in COMMENTs.

Author: soedirgo

package-lock.json

@@ -38,6 +38,7 @@
     "mocha": "^7.1.2",
     "nodemon": "^1.19.4",
     "npm-run-all": "^4.1.5",
+    "pg-format": "^1.0.4",
     "pkg": "^4.4.8",
     "prettier": "^2.0.5",
     "rimraf": "^3.0.2",

package.json

@@ -1,4 +1,5 @@
 import { Router } from 'express'
+import format from 'pg-format'
 import SQL from 'sql-template-strings'
 import { RunQuery } from '../lib/connectionPool'
 import sql = require('../lib/sql')
@@ -126,17 +127,22 @@ const addColumnSqlize = ({
   const commentSql =
     comment === undefined
       ? ''
-      : `COMMENT ON COLUMN "${schema}"."${table}"."${name}" IS '${comment}';`
+      : format('COMMENT ON COLUMN %I.%I.%I IS %L;', schema, table, name, comment)
 
-  return `
-ALTER TABLE "${schema}"."${table}" ADD COLUMN "${name}" "${type}"
+  return format(
+    `
+ALTER TABLE %I.%I ADD COLUMN %I %I
   ${defaultValueSql}
   ${isIdentitySql}
   ${isNullableSql}
   ${isPrimaryKeySql}
   ${isUniqueSql};
-
-  ${commentSql}`
+${commentSql}`,
+    schema,
+    table,
+    name,
+    type
+  )
 }
 const getColumnSqlize = (tableId: number, name: string) => {
   return SQL``.append(columns).append(SQL` WHERE c.oid = ${tableId} AND column_name = ${name}`)
@@ -168,30 +174,48 @@ const alterColumnSqlize = ({
   comment?: string
 }) => {
   const nameSql =
-    typeof name === 'undefined' || name === oldName
+    name === undefined || name === oldName
       ? ''
-      : `ALTER TABLE "${schema}"."${table}" RENAME COLUMN "${oldName}" TO "${name}";`
+      : format('ALTER TABLE %I.%I RENAME COLUMN %I TO %I;', schema, table, oldName, name)
   // We use USING to allow implicit conversion of incompatible types (e.g. int4 -> text).
   const typeSql =
     type === undefined
       ? ''
-      : `ALTER TABLE "${schema}"."${table}" ALTER COLUMN "${oldName}" SET DATA TYPE "${type}" USING "${oldName}"::"${type}";`
+      : format(
+          'ALTER TABLE %I.%I ALTER COLUMN %I SET DATA TYPE %I USING %I::%I;',
+          schema,
+          table,
+          oldName,
+          type,
+          oldName,
+          type
+        )
   let defaultValueSql = ''
   if (drop_default) {
-    defaultValueSql = `ALTER TABLE "${schema}"."${table}" ALTER COLUMN "${oldName}" DROP DEFAULT;`
+    defaultValueSql = format(
+      'ALTER TABLE %I.%I ALTER COLUMN %I DROP DEFAULT;',
+      schema,
+      table,
+      oldName
+    )
   } else if (default_value !== undefined) {
-    defaultValueSql = `ALTER TABLE "${schema}"."${table}" ALTER COLUMN "${oldName}" SET DEFAULT ${default_value};`
+    defaultValueSql = format(
+      `ALTER TABLE %I.%I ALTER COLUMN %I SET DEFAULT ${default_value};`,
+      schema,
+      table,
+      oldName
+    )
   }
   let isNullableSql = ''
   if (is_nullable !== undefined) {
     isNullableSql = is_nullable
-      ? `ALTER TABLE "${schema}"."${table}" ALTER COLUMN "${oldName}" DROP NOT NULL;`
-      : `ALTER TABLE "${schema}"."${table}" ALTER COLUMN "${oldName}" SET NOT NULL;`
+      ? format('ALTER TABLE %I.%I ALTER COLUMN %I DROP NOT NULL;', schema, table, oldName)
+      : format('ALTER TABLE %I.%I ALTER COLUMN %I SET NOT NULL;', schema, table, oldName)
   }
   const commentSql =
     comment === undefined
       ? ''
-      : `COMMENT ON COLUMN "${schema}"."${table}"."${oldName}" IS '${comment}';`
+      : format('COMMENT ON COLUMN %I.%I.%I IS %L;', schema, table, oldName, comment)
 
   // nameSql must be last.
   return `
@@ -204,7 +228,7 @@ BEGIN;
 COMMIT;`
 }
 const dropColumnSqlize = (schema: string, table: string, name: string) => {
-  return `ALTER TABLE "${schema}"."${table}" DROP COLUMN "${name}"`
+  return format('ALTER TABLE %I.%I DROP COLUMN %I', schema, table, name)
 }
 const removeSystemSchemas = (data: Tables.Column[]) => {
   return data.filter((x) => !DEFAULT_SYSTEM_SCHEMAS.includes(x.schema))

src/api/columns.ts

@@ -1,4 +1,5 @@
 import { Router } from 'express'
+import format from 'pg-format'
 import SQL from 'sql-template-strings'
 import sqlTemplates = require('../lib/sql')
 const { extensions } = sqlTemplates
@@ -83,9 +84,9 @@ const createExtensionSqlize = ({
   cascade?: boolean
 }) => {
   return `
-CREATE EXTENSION "${name}"
-  ${schema === undefined ? '' : `SCHEMA ${schema}`}
-  ${version === undefined ? '' : `VERSION '${version}'`}
+CREATE EXTENSION ${format.ident(name)}
+  ${schema === undefined ? '' : `SCHEMA ${format.ident(schema)}`}
+  ${version === undefined ? '' : `VERSION ${format.literal(version)}`}
   ${cascade ? 'CASCADE' : ''}`
 }
 const singleExtensionSqlize = (extensions: string, name: string) => {
@@ -104,9 +105,12 @@ const alterExtensionSqlize = ({
 }) => {
   let updateSql = ''
   if (update) {
-    updateSql = `ALTER EXTENSION "${name}" UPDATE ${version === undefined ? '' : version};`
+    updateSql = `ALTER EXTENSION ${format.ident(name)} UPDATE ${
+      version === undefined ? '' : `TO ${format.literal(version)}`
+    };`
   }
-  const schemaSql = schema === undefined ? '' : `ALTER EXTENSION "${name}" SET SCHEMA "${schema}";`
+  const schemaSql =
+    schema === undefined ? '' : format('ALTER EXTENSION %I SET SCHEMA %I;', name, schema)
 
   return `
 BEGIN;
@@ -116,7 +120,7 @@ COMMIT;`
 }
 const dropExtensionSqlize = (name: string, cascade: boolean) => {
   return `
-DROP EXTENSION ${name}
+DROP EXTENSION ${format.ident(name)}
   ${cascade ? 'CASCADE' : 'RESTRICT'}`
 }
 

src/api/extensions.ts

@@ -1,4 +1,5 @@
 import { Router } from 'express'
+import format from 'pg-format'
 import { coalesceRowsToArray, toTransaction } from '../lib/helpers'
 import { RunQuery } from '../lib/connectionPool'
 import { DEFAULT_SYSTEM_SCHEMAS } from '../lib/constants'
@@ -118,20 +119,25 @@ const getPolicyById = async (connection: string, id: number) => {
   let sql = `
     with policies as (${policies}) 
     select * from policies
-    where policies.id = '${id}'
+    where policies.id = ${id}
     limit 1
   `.trim()
   const { data } = await RunQuery(connection, sql)
   return data[0]
 }
 const getPolicyByName = async (connection: string, name: string, schema: string, table: string) => {
   const { policies } = sqlTemplates
-  let sql = `
-    with policies as (${policies}) 
+  let sql = format(
+    `
+    with policies as (${policies})
     select * from policies
-    where policies.name = '${name}' and policies.schema = '${schema}' and policies.table = '${table}'
+    where policies.name = %L and policies.schema = %L and policies.table = %L
     limit 1
-  `.trim()
+  `,
+    name,
+    schema,
+    table
+  )
   const { data } = await RunQuery(connection, sql)
   return data[0]
 }
@@ -154,17 +160,22 @@ const createSql = ({
   command?: string
   roles?: string[]
 }) => {
-  let sql = ` CREATE POLICY "${name}" ON "${schema}"."${table}"
+  let sql = format(
+    `CREATE POLICY %I ON %I.%I
     AS ${action}
     FOR ${command}
-    TO ${roles.join(',')} `.trim()
+    TO ${roles.join(',')} `,
+    name,
+    schema,
+    table
+  )
   if (definition) sql += ` USING (${definition}) `
   if (check) sql += ` WITH CHECK (${check}) `
   sql += ';'
   return sql
 }
 const alterPolicyNameSql = (oldName: string, newName: string, schema: string, table: string) => {
-  return `ALTER POLICY "${oldName}" ON "${schema}"."${table}" RENAME TO "${newName}";`.trim()
+  return format(`ALTER POLICY %I ON %I.%I RENAME TO %I;`, oldName, schema, table, newName)
 }
 const alterSql = ({
   name,
@@ -181,7 +192,7 @@ const alterSql = ({
   check?: string
   roles?: string[]
 }) => {
-  let alter = `ALTER POLICY "${name}" ON "${schema}"."${table}"`
+  let alter = format(`ALTER POLICY %I ON %I.%I`, name, schema, table)
   let newDefinition = definition !== undefined ? `${alter} USING (${definition});` : ''
   let newCheck = check !== undefined ? `${alter} WITH CHECK (${check});` : ''
   let newRoles = roles !== undefined ? `${alter} TO (${roles.join(',')});` : ''
@@ -192,7 +203,7 @@ const alterSql = ({
     ${newRoles}`.trim()
 }
 const dropSql = (name: string, schema: string, table: string) => {
-  return `DROP POLICY "${name}" ON "${schema}"."${table}";`.trim()
+  return format(`DROP POLICY %I ON %I.%I;`, name, schema, table)
 }
 const removeSystemSchemas = (data: Tables.Policy[]) => {
   return data.filter((x) => !DEFAULT_SYSTEM_SCHEMAS.includes(x.schema))

src/api/policies.ts

@@ -1,5 +1,6 @@
 import { Router } from 'express'
 
+import format from 'pg-format'
 import SQL from 'sql-template-strings'
 import sqlTemplates = require('../lib/sql')
 const { grants, roles } = sqlTemplates
@@ -137,14 +138,15 @@ const createRoleSqlize = ({
   const isReplicationRoleSql = is_replication_role ? 'REPLICATION' : 'NOREPLICATION'
   const canBypassRlsSql = can_bypass_rls ? 'BYPASSRLS' : 'NOBYPASSRLS'
   const connectionLimitSql = `CONNECTION LIMIT ${connection_limit}`
-  const passwordSql = password === undefined ? '' : `PASSWORD '${password}'`
-  const validUntilSql = valid_until === undefined ? '' : `VALID UNTIL '${valid_until}'`
+  const passwordSql = password === undefined ? '' : `PASSWORD ${format.literal(password)}`
+  const validUntilSql =
+    valid_until === undefined ? '' : `VALID UNTIL ${format.literal(valid_until)}`
   const memberOfSql = member_of === undefined ? '' : `IN ROLE ${member_of.join(',')}`
   const membersSql = members === undefined ? '' : `ROLE ${members.join(',')}`
   const adminsSql = admins === undefined ? '' : `ADMIN ${admins.join(',')}`
 
   return `
-CREATE ROLE "${name}"
+CREATE ROLE ${format.ident(name)}
 WITH
   ${isSuperuserSql}
   ${canCreateDbSql}
@@ -193,7 +195,7 @@ const alterRoleSqlize = ({
   password?: string
   valid_until?: string
 }) => {
-  const nameSql = name === undefined ? '' : `ALTER ROLE "${oldName}" RENAME TO "${name}";`
+  const nameSql = name === undefined ? '' : format('ALTER ROLE %I RENAME TO %I;', oldName, name)
   let isSuperuserSql = ''
   if (is_superuser !== undefined) {
     isSuperuserSql = is_superuser ? 'SUPERUSER' : 'NOSUPERUSER'
@@ -224,12 +226,12 @@ const alterRoleSqlize = ({
   }
   const connectionLimitSql =
     connection_limit === undefined ? '' : `CONNECTION LIMIT ${connection_limit}`
-  let passwordSql = password === undefined ? '' : `PASSWORD '${password}'`
-  let validUntilSql = valid_until === undefined ? '' : `VALID UNTIL '${valid_until}'`
+  let passwordSql = password === undefined ? '' : `PASSWORD ${format.literal(password)}`
+  let validUntilSql = valid_until === undefined ? '' : `VALID UNTIL ${format.literal(valid_until)}`
 
   return `
 BEGIN;
-  ALTER ROLE "${oldName}"
+  ALTER ROLE ${format.ident(oldName)}
     ${isSuperuserSql}
     ${canCreateDbSql}
     ${canCreateRoleSql}
@@ -244,7 +246,7 @@ BEGIN;
 COMMIT;`
 }
 const dropRoleSqlize = (name: string) => {
-  return `DROP ROLE "${name}"`
+  return `DROP ROLE ${format.ident(name)}`
 }
 const removeSystemSchemas = (data: Roles.Role[]) => {
   return data.map((role) => {

src/api/roles.ts

@@ -1,4 +1,5 @@
 import { Router } from 'express'
+import format from 'pg-format'
 import SQL from 'sql-template-strings'
 import sqlTemplates = require('../lib/sql')
 import { RunQuery } from '../lib/connectionPool'
@@ -110,7 +111,7 @@ const selectSingleByName = (name: string) => {
   return query
 }
 const createSchema = (name: string, owner: string = 'postgres') => {
-  const query = SQL``.append(`CREATE SCHEMA IF NOT EXISTS "${name}" AUTHORIZATION ${owner}`)
+  const query = SQL``.append(`CREATE SCHEMA IF NOT EXISTS ${name} AUTHORIZATION ${owner}`)
   return query
 }
 const alterSchemaName = (previousName: string, newName: string) => {
@@ -122,7 +123,7 @@ const alterSchemaOwner = (schemaName: string, newOwner: string) => {
   return query
 }
 const dropSchemaSqlize = (name: string, cascade: boolean) => {
-  const query = `DROP SCHEMA "${name}" ${cascade ? 'CASCADE' : 'RESTRICT'}`
+  const query = `DROP SCHEMA ${format.ident(name)} ${cascade ? 'CASCADE' : 'RESTRICT'}`
   return query
 }
 const removeSystemSchemas = (data: Schemas.Schema[]) => {