pg 8.10.0 → 8.11.0

package/lib/client.js

@@ -2,14 +2,14 @@
 
 var EventEmitter = require('events').EventEmitter
 var utils = require('./utils')
-var sasl = require('./sasl')
-var pgPass = require('pgpass')
+var sasl = require('./crypto/sasl')
 var TypeOverrides = require('./type-overrides')
 
 var ConnectionParameters = require('./connection-parameters')
 var Query = require('./query')
 var defaults = require('./defaults')
 var Connection = require('./connection')
+const crypto = require('./crypto/utils')
 
 class Client extends EventEmitter {
   constructor(config) {
@@ -225,12 +225,17 @@ class Client extends EventEmitter {
     } else if (this.password !== null) {
       cb()
     } else {
-      pgPass(this.connectionParameters, (pass) => {
-        if (undefined !== pass) {
-          this.connectionParameters.password = this.password = pass
-        }
-        cb()
-      })
+      try {
+        const pgPass = require('pgpass')
+        pgPass(this.connectionParameters, (pass) => {
+          if (undefined !== pass) {
+            this.connectionParameters.password = this.password = pass
+          }
+          cb()
+        })
+      } catch (e) {
+        this.emit('error', e)
+      }
     }
   }
 
@@ -241,9 +246,13 @@ class Client extends EventEmitter {
   }
 
   _handleAuthMD5Password(msg) {
-    this._checkPgPass(() => {
-      const hashedPassword = utils.postgresMd5PasswordHash(this.user, this.password, msg.salt)
-      this.connection.password(hashedPassword)
+    this._checkPgPass(async () => {
+      try {
+        const hashedPassword = await crypto.postgresMd5PasswordHash(this.user, this.password, msg.salt)
+        this.connection.password(hashedPassword)
+      } catch (e) {
+        this.emit('error', e)
+      }
     })
   }
 
@@ -258,9 +267,9 @@ class Client extends EventEmitter {
     })
   }
 
-  _handleAuthSASLContinue(msg) {
+  async _handleAuthSASLContinue(msg) {
     try {
-      sasl.continueSession(this.saslSession, this.password, msg.data)
+      await sasl.continueSession(this.saslSession, this.password, msg.data)
       this.connection.sendSCRAMClientFinalMessage(this.saslSession.response)
     } catch (err) {
       this.connection.emit('error', err)
@@ -456,35 +465,15 @@ class Client extends EventEmitter {
     return this._types.getTypeParser(oid, format)
   }
 
-  // Ported from PostgreSQL 9.2.4 source code in src/interfaces/libpq/fe-exec.c
+  // escapeIdentifier and escapeLiteral moved to utility functions & exported
+  // on PG
+  // re-exported here for backwards compatibility
   escapeIdentifier(str) {
-    return '"' + str.replace(/"/g, '""') + '"'
+    return utils.escapeIdentifier(str)
   }
 
-  // Ported from PostgreSQL 9.2.4 source code in src/interfaces/libpq/fe-exec.c
   escapeLiteral(str) {
-    var hasBackslash = false
-    var escaped = "'"
-
-    for (var i = 0; i < str.length; i++) {
-      var c = str[i]
-      if (c === "'") {
-        escaped += c + c
-      } else if (c === '\\') {
-        escaped += c + c
-        hasBackslash = true
-      } else {
-        escaped += c
-      }
-    }
-
-    escaped += "'"
-
-    if (hasBackslash === true) {
-      escaped = ' E' + escaped
-    }
-
-    return escaped
+    return utils.escapeLiteral(str)
   }
 
   _pulseQueryQueue() {

package/lib/connection.js

@@ -4,6 +4,7 @@ var net = require('net')
 var EventEmitter = require('events').EventEmitter
 
 const { parse, serialize } = require('pg-protocol')
+const { getStream, getSecureStream } = require('./stream')
 
 const flushBuffer = serialize.flush()
 const syncBuffer = serialize.sync()
@@ -15,7 +16,7 @@ class Connection extends EventEmitter {
     super()
     config = config || {}
 
-    this.stream = config.stream || new net.Socket()
+    this.stream = config.stream || getStream(config.ssl)
     if (typeof this.stream === 'function') {
       this.stream = this.stream(config)
     }
@@ -79,7 +80,6 @@ class Connection extends EventEmitter {
           self.stream.end()
           return self.emit('error', new Error('There was an error establishing an SSL connection'))
       }
-      var tls = require('tls')
       const options = {
         socket: self.stream,
       }
@@ -92,11 +92,12 @@ class Connection extends EventEmitter {
         }
       }
 
-      if (net.isIP(host) === 0) {
+      var net = require('net')
+      if (net.isIP && net.isIP(host) === 0) {
         options.servername = host
       }
       try {
-        self.stream = tls.connect(options)
+        self.stream = getSecureStream(options)
       } catch (err) {
         return self.emit('error', err)
       }

package/lib/{sasl.js → crypto/sasl.js}

@@ -1,5 +1,5 @@
 'use strict'
-const crypto = require('crypto')
+const crypto = require('./utils')
 
 function startSession(mechanisms) {
   if (mechanisms.indexOf('SCRAM-SHA-256') === -1) {
@@ -16,7 +16,7 @@ function startSession(mechanisms) {
   }
 }
 
-function continueSession(session, password, serverData) {
+async function continueSession(session, password, serverData) {
   if (session.message !== 'SASLInitialResponse') {
     throw new Error('SASL: Last message was not SASLInitialResponse')
   }
@@ -38,29 +38,22 @@ function continueSession(session, password, serverData) {
     throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: server nonce is too short')
   }
 
-  var saltBytes = Buffer.from(sv.salt, 'base64')
-
-  var saltedPassword = crypto.pbkdf2Sync(password, saltBytes, sv.iteration, 32, 'sha256')
-
-  var clientKey = hmacSha256(saltedPassword, 'Client Key')
-  var storedKey = sha256(clientKey)
-
   var clientFirstMessageBare = 'n=*,r=' + session.clientNonce
   var serverFirstMessage = 'r=' + sv.nonce + ',s=' + sv.salt + ',i=' + sv.iteration
-
   var clientFinalMessageWithoutProof = 'c=biws,r=' + sv.nonce
-
   var authMessage = clientFirstMessageBare + ',' + serverFirstMessage + ',' + clientFinalMessageWithoutProof
 
-  var clientSignature = hmacSha256(storedKey, authMessage)
-  var clientProofBytes = xorBuffers(clientKey, clientSignature)
-  var clientProof = clientProofBytes.toString('base64')
-
-  var serverKey = hmacSha256(saltedPassword, 'Server Key')
-  var serverSignatureBytes = hmacSha256(serverKey, authMessage)
+  var saltBytes = Buffer.from(sv.salt, 'base64')
+  var saltedPassword = await crypto.deriveKey(password, saltBytes, sv.iteration)
+  var clientKey = await crypto.hmacSha256(saltedPassword, 'Client Key')
+  var storedKey = await crypto.sha256(clientKey)
+  var clientSignature = await crypto.hmacSha256(storedKey, authMessage)
+  var clientProof = xorBuffers(Buffer.from(clientKey), Buffer.from(clientSignature)).toString('base64')
+  var serverKey = await crypto.hmacSha256(saltedPassword, 'Server Key')
+  var serverSignatureBytes = await crypto.hmacSha256(serverKey, authMessage)
 
   session.message = 'SASLResponse'
-  session.serverSignature = serverSignatureBytes.toString('base64')
+  session.serverSignature = Buffer.from(serverSignatureBytes).toString('base64')
   session.response = clientFinalMessageWithoutProof + ',p=' + clientProof
 }
 
@@ -186,14 +179,6 @@ function xorBuffers(a, b) {
   return Buffer.from(a.map((_, i) => a[i] ^ b[i]))
 }
 
-function sha256(text) {
-  return crypto.createHash('sha256').update(text).digest()
-}
-
-function hmacSha256(key, msg) {
-  return crypto.createHmac('sha256', key).update(msg).digest()
-}
-
 module.exports = {
   startSession,
   continueSession,

package/lib/crypto/utils-legacy.js

@@ -0,0 +1,37 @@
+'use strict'
+// This file contains crypto utility functions for versions of Node.js < 15.0.0,
+// which does not support the WebCrypto.subtle API.
+
+const nodeCrypto = require('crypto')
+
+function md5(string) {
+  return nodeCrypto.createHash('md5').update(string, 'utf-8').digest('hex')
+}
+
+// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
+function postgresMd5PasswordHash(user, password, salt) {
+  var inner = md5(password + user)
+  var outer = md5(Buffer.concat([Buffer.from(inner), salt]))
+  return 'md5' + outer
+}
+
+function sha256(text) {
+  return nodeCrypto.createHash('sha256').update(text).digest()
+}
+
+function hmacSha256(key, msg) {
+  return nodeCrypto.createHmac('sha256', key).update(msg).digest()
+}
+
+async function deriveKey(password, salt, iterations) {
+  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256')
+}
+
+module.exports = {
+  postgresMd5PasswordHash,
+  randomBytes: nodeCrypto.randomBytes,
+  deriveKey,
+  sha256,
+  hmacSha256,
+  md5,
+}

package/lib/crypto/utils.js

@@ -0,0 +1,92 @@
+'use strict'
+
+const useLegacyCrypto = parseInt(process.versions && process.versions.node && process.versions.node.split('.')[0]) < 15
+if (useLegacyCrypto) {
+  // We are on an old version of Node.js that requires legacy crypto utilities.
+  module.exports = require('./utils-legacy')
+  return
+}
+
+const nodeCrypto = require('crypto')
+
+module.exports = {
+  postgresMd5PasswordHash,
+  randomBytes,
+  deriveKey,
+  sha256,
+  hmacSha256,
+  md5,
+}
+
+/**
+ * The Web Crypto API - grabbed from the Node.js library or the global
+ * @type Crypto
+ */
+const webCrypto = nodeCrypto.webcrypto || globalThis.crypto
+/**
+ * The SubtleCrypto API for low level crypto operations.
+ * @type SubtleCrypto
+ */
+const subtleCrypto = webCrypto.subtle
+const textEncoder = new TextEncoder()
+
+/**
+ *
+ * @param {*} length
+ * @returns
+ */
+function randomBytes(length) {
+  return webCrypto.getRandomValues(Buffer.alloc(length))
+}
+
+async function md5(string) {
+  try {
+    return nodeCrypto.createHash('md5').update(string, 'utf-8').digest('hex')
+  } catch (e) {
+    // `createHash()` failed so we are probably not in Node.js, use the WebCrypto API instead.
+    // Note that the MD5 algorithm on WebCrypto is not available in Node.js.
+    // This is why we cannot just use WebCrypto in all environments.
+    const data = typeof string === 'string' ? textEncoder.encode(string) : string
+    const hash = await subtleCrypto.digest('MD5', data)
+    return Array.from(new Uint8Array(hash))
+      .map((b) => b.toString(16).padStart(2, '0'))
+      .join('')
+  }
+}
+
+// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
+async function postgresMd5PasswordHash(user, password, salt) {
+  var inner = await md5(password + user)
+  var outer = await md5(Buffer.concat([Buffer.from(inner), salt]))
+  return 'md5' + outer
+}
+
+/**
+ * Create a SHA-256 digest of the given data
+ * @param {Buffer} data
+ */
+async function sha256(text) {
+  return await subtleCrypto.digest('SHA-256', text)
+}
+
+/**
+ * Sign the message with the given key
+ * @param {ArrayBuffer} keyBuffer
+ * @param {string} msg
+ */
+async function hmacSha256(keyBuffer, msg) {
+  const key = await subtleCrypto.importKey('raw', keyBuffer, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'])
+  return await subtleCrypto.sign('HMAC', key, textEncoder.encode(msg))
+}
+
+/**
+ * Derive a key from the password and salt
+ * @param {string} password
+ * @param {Uint8Array} salt
+ * @param {number} iterations
+ */
+async function deriveKey(password, salt, iterations) {
+  const key = await subtleCrypto.importKey('raw', textEncoder.encode(password), 'PBKDF2', false, ['deriveBits'])
+  const params = { name: 'PBKDF2', hash: 'SHA-256', salt: salt, iterations: iterations }
+  return await subtleCrypto.deriveBits(params, key, 32 * 8, ['deriveBits'])
+}

package/lib/index.js

@@ -5,6 +5,7 @@ var defaults = require('./defaults')
 var Connection = require('./connection')
 var Pool = require('pg-pool')
 const { DatabaseError } = require('pg-protocol')
+const { escapeIdentifier, escapeLiteral } = require('./utils')
 
 const poolFactory = (Client) => {
   return class BoundPool extends Pool {
@@ -23,6 +24,8 @@ var PG = function (clientConstructor) {
   this.Connection = Connection
   this.types = require('pg-types')
   this.DatabaseError = DatabaseError
+  this.escapeIdentifier = escapeIdentifier
+  this.escapeLiteral = escapeLiteral
 }
 
 if (typeof process.env.NODE_PG_FORCE_NATIVE !== 'undefined') {

package/lib/native/client.js

@@ -1,7 +1,13 @@
 'use strict'
 
 // eslint-disable-next-line
-var Native = require('pg-native')
+var Native
+try {
+  // Wrap this `require()` in a try-catch to avoid upstream bundlers from complaining that this might not be available since it is an optional import
+  Native = require('pg-native')
+} catch (e) {
+  throw e
+}
 var TypeOverrides = require('../type-overrides')
 var EventEmitter = require('events').EventEmitter
 var util = require('util')

package/lib/stream.js

@@ -0,0 +1,28 @@
+/**
+ * Get a socket stream compatible with the current runtime environment.
+ * @returns {Duplex}
+ */
+module.exports.getStream = function getStream(ssl) {
+  const net = require('net')
+  if (typeof net.Socket === 'function') {
+    return new net.Socket()
+  } else {
+    const { CloudflareSocket } = require('pg-cloudflare')
+    return new CloudflareSocket(ssl)
+  }
+}
+
+/**
+ * Get a TLS secured socket, compatible with the current environment,
+ * using the socket and other settings given in `options`.
+ * @returns {Duplex}
+ */
+module.exports.getSecureStream = function getSecureStream(options) {
+  var tls = require('tls')
+  if (tls.connect) {
+    return tls.connect(options)
+  } else {
+    options.socket.startTls(options)
+    return options.socket
+  }
+}

package/lib/utils.js

@@ -1,7 +1,5 @@
 'use strict'
 
-const crypto = require('crypto')
-
 const defaults = require('./defaults')
 
 function escapeElement(elementRepresentation) {
@@ -164,15 +162,34 @@ function normalizeQueryConfig(config, values, callback) {
   return config
 }
 
-const md5 = function (string) {
-  return crypto.createHash('md5').update(string, 'utf-8').digest('hex')
+// Ported from PostgreSQL 9.2.4 source code in src/interfaces/libpq/fe-exec.c
+const escapeIdentifier = function (str) {
+  return '"' + str.replace(/"/g, '""') + '"'
 }
 
-// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
-const postgresMd5PasswordHash = function (user, password, salt) {
-  var inner = md5(password + user)
-  var outer = md5(Buffer.concat([Buffer.from(inner), salt]))
-  return 'md5' + outer
+const escapeLiteral = function (str) {
+  var hasBackslash = false
+  var escaped = "'"
+
+  for (var i = 0; i < str.length; i++) {
+    var c = str[i]
+    if (c === "'") {
+      escaped += c + c
+    } else if (c === '\\') {
+      escaped += c + c
+      hasBackslash = true
+    } else {
+      escaped += c
+    }
+  }
+
+  escaped += "'"
+
+  if (hasBackslash === true) {
+    escaped = ' E' + escaped
+  }
+
+  return escaped
 }
 
 module.exports = {
@@ -182,6 +199,6 @@ module.exports = {
     return prepareValue(value)
   },
   normalizeQueryConfig,
-  postgresMd5PasswordHash,
-  md5,
+  escapeIdentifier,
+  escapeLiteral,
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pg",
-  "version": "8.10.0",
+  "version": "8.11.0",
   "description": "PostgreSQL client - pure javascript & libpq with the same API",
   "keywords": [
     "database",
@@ -22,17 +22,24 @@
   "dependencies": {
     "buffer-writer": "2.0.0",
     "packet-reader": "1.0.0",
-    "pg-connection-string": "^2.5.0",
+    "pg-connection-string": "^2.6.0",
     "pg-pool": "^3.6.0",
     "pg-protocol": "^1.6.0",
     "pg-types": "^2.1.0",
     "pgpass": "1.x"
   },
   "devDependencies": {
+    "@cloudflare/workers-types": "^4.20230404.0",
     "async": "2.6.4",
     "bluebird": "3.5.2",
     "co": "4.6.0",
-    "pg-copy-streams": "0.3.0"
+    "pg-copy-streams": "0.3.0",
+    "typescript": "^4.0.3",
+    "workerd": "^1.20230419.0",
+    "wrangler": "^2.16.0"
+  },
+  "optionalDependencies": {
+    "pg-cloudflare": "^1.1.0"
   },
   "peerDependencies": {
     "pg-native": ">=3.0.1"
@@ -53,5 +60,5 @@
   "engines": {
     "node": ">= 8.0.0"
   },
-  "gitHead": "ee302cbcf10437e34fd05d70fc003c357b14c654"
+  "gitHead": "14b840e96e57fc0617b5c4758f6318f774148ee4"
 }