decocms 2.311.8 → 2.311.10

package/dist/server/node_modules/pg/lib/connection-parameters.js

@@ -0,0 +1,171 @@
+'use strict'
+
+const dns = require('dns')
+
+const defaults = require('./defaults')
+
+const parse = require('pg-connection-string').parse // parses a connection string
+
+const val = function (key, config, envVar) {
+  if (config[key]) {
+    return config[key]
+  }
+
+  if (envVar === undefined) {
+    envVar = process.env['PG' + key.toUpperCase()]
+  } else if (envVar === false) {
+    // do nothing ... use false
+  } else {
+    envVar = process.env[envVar]
+  }
+
+  return envVar || defaults[key]
+}
+
+const readSSLConfigFromEnvironment = function () {
+  switch (process.env.PGSSLMODE) {
+    case 'disable':
+      return false
+    case 'prefer':
+    case 'require':
+    case 'verify-ca':
+    case 'verify-full':
+      return true
+    case 'no-verify':
+      return { rejectUnauthorized: false }
+  }
+  return defaults.ssl
+}
+
+// Convert arg to a string, surround in single quotes, and escape single quotes and backslashes
+const quoteParamValue = function (value) {
+  return "'" + ('' + value).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'"
+}
+
+const add = function (params, config, paramName) {
+  const value = config[paramName]
+  if (value !== undefined && value !== null) {
+    params.push(paramName + '=' + quoteParamValue(value))
+  }
+}
+
+class ConnectionParameters {
+  constructor(config) {
+    // if a string is passed, it is a raw connection string so we parse it into a config
+    config = typeof config === 'string' ? parse(config) : config || {}
+
+    // if the config has a connectionString defined, parse IT into the config we use
+    // this will override other default values with what is stored in connectionString
+    if (config.connectionString) {
+      config = Object.assign({}, config, parse(config.connectionString))
+    }
+
+    this.user = val('user', config)
+    this.database = val('database', config)
+
+    if (this.database === undefined) {
+      this.database = this.user
+    }
+
+    this.port = parseInt(val('port', config), 10)
+    this.host = val('host', config)
+
+    // "hiding" the password so it doesn't show up in stack traces
+    // or if the client is console.logged
+    Object.defineProperty(this, 'password', {
+      configurable: true,
+      enumerable: false,
+      writable: true,
+      value: val('password', config),
+    })
+
+    this.binary = val('binary', config)
+    this.options = val('options', config)
+
+    this.ssl = typeof config.ssl === 'undefined' ? readSSLConfigFromEnvironment() : config.ssl
+
+    if (typeof this.ssl === 'string') {
+      if (this.ssl === 'true') {
+        this.ssl = true
+      }
+    }
+    // support passing in ssl=no-verify via connection string
+    if (this.ssl === 'no-verify') {
+      this.ssl = { rejectUnauthorized: false }
+    }
+    if (this.ssl && this.ssl.key) {
+      Object.defineProperty(this.ssl, 'key', {
+        enumerable: false,
+      })
+    }
+
+    this.client_encoding = val('client_encoding', config)
+    this.replication = val('replication', config)
+    // a domain socket begins with '/'
+    this.isDomainSocket = !(this.host || '').indexOf('/')
+
+    this.application_name = val('application_name', config, 'PGAPPNAME')
+    this.fallback_application_name = val('fallback_application_name', config, false)
+    this.statement_timeout = val('statement_timeout', config, false)
+    this.lock_timeout = val('lock_timeout', config, false)
+    this.idle_in_transaction_session_timeout = val('idle_in_transaction_session_timeout', config, false)
+    this.query_timeout = val('query_timeout', config, false)
+
+    if (config.connectionTimeoutMillis === undefined) {
+      this.connect_timeout = process.env.PGCONNECT_TIMEOUT || 0
+    } else {
+      this.connect_timeout = Math.floor(config.connectionTimeoutMillis / 1000)
+    }
+
+    if (config.keepAlive === false) {
+      this.keepalives = 0
+    } else if (config.keepAlive === true) {
+      this.keepalives = 1
+    }
+
+    if (typeof config.keepAliveInitialDelayMillis === 'number') {
+      this.keepalives_idle = Math.floor(config.keepAliveInitialDelayMillis / 1000)
+    }
+  }
+
+  getLibpqConnectionString(cb) {
+    const params = []
+    add(params, this, 'user')
+    add(params, this, 'password')
+    add(params, this, 'port')
+    add(params, this, 'application_name')
+    add(params, this, 'fallback_application_name')
+    add(params, this, 'connect_timeout')
+    add(params, this, 'options')
+
+    const ssl = typeof this.ssl === 'object' ? this.ssl : this.ssl ? { sslmode: this.ssl } : {}
+    add(params, ssl, 'sslmode')
+    add(params, ssl, 'sslca')
+    add(params, ssl, 'sslkey')
+    add(params, ssl, 'sslcert')
+    add(params, ssl, 'sslrootcert')
+
+    if (this.database) {
+      params.push('dbname=' + quoteParamValue(this.database))
+    }
+    if (this.replication) {
+      params.push('replication=' + quoteParamValue(this.replication))
+    }
+    if (this.host) {
+      params.push('host=' + quoteParamValue(this.host))
+    }
+    if (this.isDomainSocket) {
+      return cb(null, params.join(' '))
+    }
+    if (this.client_encoding) {
+      params.push('client_encoding=' + quoteParamValue(this.client_encoding))
+    }
+    dns.lookup(this.host, function (err, address) {
+      if (err) return cb(err, null)
+      params.push('hostaddr=' + quoteParamValue(address))
+      return cb(null, params.join(' '))
+    })
+  }
+}
+
+module.exports = ConnectionParameters

package/dist/server/node_modules/pg/lib/connection.js

@@ -0,0 +1,221 @@
+'use strict'
+
+const EventEmitter = require('events').EventEmitter
+
+const { parse, serialize } = require('pg-protocol')
+const { getStream, getSecureStream } = require('./stream')
+
+const flushBuffer = serialize.flush()
+const syncBuffer = serialize.sync()
+const endBuffer = serialize.end()
+
+// TODO(bmc) support binary mode at some point
+class Connection extends EventEmitter {
+  constructor(config) {
+    super()
+    config = config || {}
+
+    this.stream = config.stream || getStream(config.ssl)
+    if (typeof this.stream === 'function') {
+      this.stream = this.stream(config)
+    }
+
+    this._keepAlive = config.keepAlive
+    this._keepAliveInitialDelayMillis = config.keepAliveInitialDelayMillis
+    this.parsedStatements = {}
+    this.ssl = config.ssl || false
+    this._ending = false
+    this._emitMessage = false
+    const self = this
+    this.on('newListener', function (eventName) {
+      if (eventName === 'message') {
+        self._emitMessage = true
+      }
+    })
+  }
+
+  connect(port, host) {
+    const self = this
+
+    this._connecting = true
+    this.stream.setNoDelay(true)
+    this.stream.connect(port, host)
+
+    this.stream.once('connect', function () {
+      if (self._keepAlive) {
+        self.stream.setKeepAlive(true, self._keepAliveInitialDelayMillis)
+      }
+      self.emit('connect')
+    })
+
+    const reportStreamError = function (error) {
+      // errors about disconnections should be ignored during disconnect
+      if (self._ending && (error.code === 'ECONNRESET' || error.code === 'EPIPE')) {
+        return
+      }
+      self.emit('error', error)
+    }
+    this.stream.on('error', reportStreamError)
+
+    this.stream.on('close', function () {
+      self.emit('end')
+    })
+
+    if (!this.ssl) {
+      return this.attachListeners(this.stream)
+    }
+
+    this.stream.once('data', function (buffer) {
+      const responseCode = buffer.toString('utf8')
+      switch (responseCode) {
+        case 'S': // Server supports SSL connections, continue with a secure connection
+          break
+        case 'N': // Server does not support SSL connections
+          self.stream.end()
+          return self.emit('error', new Error('The server does not support SSL connections'))
+        default:
+          // Any other response byte, including 'E' (ErrorResponse) indicating a server error
+          self.stream.end()
+          return self.emit('error', new Error('There was an error establishing an SSL connection'))
+      }
+      const options = {
+        socket: self.stream,
+      }
+
+      if (self.ssl !== true) {
+        Object.assign(options, self.ssl)
+
+        if ('key' in self.ssl) {
+          options.key = self.ssl.key
+        }
+      }
+
+      const net = require('net')
+      if (net.isIP && net.isIP(host) === 0) {
+        options.servername = host
+      }
+      try {
+        self.stream = getSecureStream(options)
+      } catch (err) {
+        return self.emit('error', err)
+      }
+      self.attachListeners(self.stream)
+      self.stream.on('error', reportStreamError)
+
+      self.emit('sslconnect')
+    })
+  }
+
+  attachListeners(stream) {
+    parse(stream, (msg) => {
+      const eventName = msg.name === 'error' ? 'errorMessage' : msg.name
+      if (this._emitMessage) {
+        this.emit('message', msg)
+      }
+      this.emit(eventName, msg)
+    })
+  }
+
+  requestSsl() {
+    this.stream.write(serialize.requestSsl())
+  }
+
+  startup(config) {
+    this.stream.write(serialize.startup(config))
+  }
+
+  cancel(processID, secretKey) {
+    this._send(serialize.cancel(processID, secretKey))
+  }
+
+  password(password) {
+    this._send(serialize.password(password))
+  }
+
+  sendSASLInitialResponseMessage(mechanism, initialResponse) {
+    this._send(serialize.sendSASLInitialResponseMessage(mechanism, initialResponse))
+  }
+
+  sendSCRAMClientFinalMessage(additionalData) {
+    this._send(serialize.sendSCRAMClientFinalMessage(additionalData))
+  }
+
+  _send(buffer) {
+    if (!this.stream.writable) {
+      return false
+    }
+    return this.stream.write(buffer)
+  }
+
+  query(text) {
+    this._send(serialize.query(text))
+  }
+
+  // send parse message
+  parse(query) {
+    this._send(serialize.parse(query))
+  }
+
+  // send bind message
+  bind(config) {
+    this._send(serialize.bind(config))
+  }
+
+  // send execute message
+  execute(config) {
+    this._send(serialize.execute(config))
+  }
+
+  flush() {
+    if (this.stream.writable) {
+      this.stream.write(flushBuffer)
+    }
+  }
+
+  sync() {
+    this._ending = true
+    this._send(syncBuffer)
+  }
+
+  ref() {
+    this.stream.ref()
+  }
+
+  unref() {
+    this.stream.unref()
+  }
+
+  end() {
+    // 0x58 = 'X'
+    this._ending = true
+    if (!this._connecting || !this.stream.writable) {
+      this.stream.end()
+      return
+    }
+    return this.stream.write(endBuffer, () => {
+      this.stream.end()
+    })
+  }
+
+  close(msg) {
+    this._send(serialize.close(msg))
+  }
+
+  describe(msg) {
+    this._send(serialize.describe(msg))
+  }
+
+  sendCopyFromChunk(chunk) {
+    this._send(serialize.copyData(chunk))
+  }
+
+  endCopyFrom() {
+    this._send(serialize.copyDone())
+  }
+
+  sendCopyFail(msg) {
+    this._send(serialize.copyFail(msg))
+  }
+}
+
+module.exports = Connection

package/dist/server/node_modules/pg/lib/crypto/cert-signatures.js

@@ -0,0 +1,122 @@
+function x509Error(msg, cert) {
+  return new Error('SASL channel binding: ' + msg + ' when parsing public certificate ' + cert.toString('base64'))
+}
+
+function readASN1Length(data, index) {
+  let length = data[index++]
+  if (length < 0x80) return { length, index }
+
+  const lengthBytes = length & 0x7f
+  if (lengthBytes > 4) throw x509Error('bad length', data)
+
+  length = 0
+  for (let i = 0; i < lengthBytes; i++) {
+    length = (length << 8) | data[index++]
+  }
+
+  return { length, index }
+}
+
+function readASN1OID(data, index) {
+  if (data[index++] !== 0x6) throw x509Error('non-OID data', data) // 6 = OID
+
+  const { length: OIDLength, index: indexAfterOIDLength } = readASN1Length(data, index)
+  index = indexAfterOIDLength
+  const lastIndex = index + OIDLength
+
+  const byte1 = data[index++]
+  let oid = ((byte1 / 40) >> 0) + '.' + (byte1 % 40)
+
+  while (index < lastIndex) {
+    // loop over numbers in OID
+    let value = 0
+    while (index < lastIndex) {
+      // loop over bytes in number
+      const nextByte = data[index++]
+      value = (value << 7) | (nextByte & 0x7f)
+      if (nextByte < 0x80) break
+    }
+    oid += '.' + value
+  }
+
+  return { oid, index }
+}
+
+function expectASN1Seq(data, index) {
+  if (data[index++] !== 0x30) throw x509Error('non-sequence data', data) // 30 = Sequence
+  return readASN1Length(data, index)
+}
+
+function signatureAlgorithmHashFromCertificate(data, index) {
+  // read this thread: https://www.postgresql.org/message-id/17760-b6c61e752ec07060%40postgresql.org
+  if (index === undefined) index = 0
+  index = expectASN1Seq(data, index).index
+  const { length: certInfoLength, index: indexAfterCertInfoLength } = expectASN1Seq(data, index)
+  index = indexAfterCertInfoLength + certInfoLength // skip over certificate info
+  index = expectASN1Seq(data, index).index // skip over signature length field
+  const { oid, index: indexAfterOID } = readASN1OID(data, index)
+  switch (oid) {
+    // RSA
+    case '1.2.840.113549.1.1.4':
+      return 'MD5'
+    case '1.2.840.113549.1.1.5':
+      return 'SHA-1'
+    case '1.2.840.113549.1.1.11':
+      return 'SHA-256'
+    case '1.2.840.113549.1.1.12':
+      return 'SHA-384'
+    case '1.2.840.113549.1.1.13':
+      return 'SHA-512'
+    case '1.2.840.113549.1.1.14':
+      return 'SHA-224'
+    case '1.2.840.113549.1.1.15':
+      return 'SHA512-224'
+    case '1.2.840.113549.1.1.16':
+      return 'SHA512-256'
+    // ECDSA
+    case '1.2.840.10045.4.1':
+      return 'SHA-1'
+    case '1.2.840.10045.4.3.1':
+      return 'SHA-224'
+    case '1.2.840.10045.4.3.2':
+      return 'SHA-256'
+    case '1.2.840.10045.4.3.3':
+      return 'SHA-384'
+    case '1.2.840.10045.4.3.4':
+      return 'SHA-512'
+    // RSASSA-PSS: hash is indicated separately
+    case '1.2.840.113549.1.1.10': {
+      index = indexAfterOID
+      index = expectASN1Seq(data, index).index
+      if (data[index++] !== 0xa0) throw x509Error('non-tag data', data) // a0 = constructed tag 0
+      index = readASN1Length(data, index).index // skip over tag length field
+      index = expectASN1Seq(data, index).index // skip over sequence length field
+      const { oid: hashOID } = readASN1OID(data, index)
+      switch (hashOID) {
+        // standalone hash OIDs
+        case '1.2.840.113549.2.5':
+          return 'MD5'
+        case '1.3.14.3.2.26':
+          return 'SHA-1'
+        case '2.16.840.1.101.3.4.2.1':
+          return 'SHA-256'
+        case '2.16.840.1.101.3.4.2.2':
+          return 'SHA-384'
+        case '2.16.840.1.101.3.4.2.3':
+          return 'SHA-512'
+      }
+      throw x509Error('unknown hash OID ' + hashOID, data)
+    }
+    // Ed25519 -- see https: return//github.com/openssl/openssl/issues/15477
+    case '1.3.101.110':
+    case '1.3.101.112': // ph
+      return 'SHA-512'
+    // Ed448 -- still not in pg 17.2 (if supported, digest would be SHAKE256 x 64 bytes)
+    case '1.3.101.111':
+    case '1.3.101.113': // ph
+      throw x509Error('Ed448 certificate channel binding is not currently supported by Postgres')
+  }
+  throw x509Error('unknown OID ' + oid, data)
+}
+
+module.exports = { signatureAlgorithmHashFromCertificate }