pg 8.4.1 → 8.6.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2010 - 2020 Brian Carlson
+Copyright (c) 2010 - 2021 Brian Carlson
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -53,6 +53,11 @@ node-postgres's continued development has been made possible in part by generous
 <a href="https://crate.io" target="_blank">
   <img height="80" src="https://node-postgres.com/crate-io.png" />
 </a>
+
+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAQAAAB0m0auAAAADElEQVR42mNkIBIAAABSAAI2VLqiAAAAAElFTkSuQmCC" />
+<a href="https://www.eaze.com" target="_blank">
+  <img height="80" src="https://node-postgres.com/eaze.png" />
+</a>
 </div>
 
 If you or your company are benefiting from node-postgres and would like to help keep the project financially sustainable [please consider supporting](https://github.com/sponsors/brianc) its development.

package/lib/client.js

@@ -57,6 +57,15 @@ class Client extends EventEmitter {
     this.processID = null
     this.secretKey = null
     this.ssl = this.connectionParameters.ssl || false
+    // As with Password, make SSL->Key (the private key) non-enumerable.
+    // It won't show up in stack traces
+    // or if the client is console.logged
+    if (this.ssl && this.ssl.key) {
+      Object.defineProperty(this.ssl, 'key', {
+        enumerable: false,
+      })
+    }
+
     this._connectionTimeoutMillis = c.connectionTimeoutMillis || 0
   }
 

package/lib/connection-parameters.js

@@ -80,10 +80,20 @@ class ConnectionParameters {
 
     this.ssl = typeof config.ssl === 'undefined' ? readSSLConfigFromEnvironment() : config.ssl
 
+    if (typeof this.ssl === 'string') {
+      if (this.ssl === 'true') {
+        this.ssl = true
+      }
+    }
     // support passing in ssl=no-verify via connection string
     if (this.ssl === 'no-verify') {
       this.ssl = { rejectUnauthorized: false }
     }
+    if (this.ssl && this.ssl.key) {
+      Object.defineProperty(this.ssl, 'key', {
+        enumerable: false,
+      })
+    }
 
     this.client_encoding = val('client_encoding', config)
     this.replication = val('replication', config)

package/lib/connection.js

@@ -2,7 +2,6 @@
 
 var net = require('net')
 var EventEmitter = require('events').EventEmitter
-var util = require('util')
 
 const { parse, serialize } = require('pg-protocol')
 
@@ -76,12 +75,18 @@ class Connection extends EventEmitter {
           return self.emit('error', new Error('There was an error establishing an SSL connection'))
       }
       var tls = require('tls')
-      const options = Object.assign(
-        {
-          socket: self.stream,
-        },
-        self.ssl
-      )
+      const options = {
+        socket: self.stream,
+      }
+
+      if (self.ssl !== true) {
+        Object.assign(options, self.ssl)
+
+        if ('key' in self.ssl) {
+          options.key = self.ssl.key
+        }
+      }
+
       if (net.isIP(host) === 0) {
         options.servername = host
       }

package/lib/index.js

@@ -4,6 +4,7 @@ var Client = require('./client')
 var defaults = require('./defaults')
 var Connection = require('./connection')
 var Pool = require('pg-pool')
+const { DatabaseError } = require('pg-protocol')
 
 const poolFactory = (Client) => {
   return class BoundPool extends Pool {
@@ -21,6 +22,7 @@ var PG = function (clientConstructor) {
   this._pools = []
   this.Connection = Connection
   this.types = require('pg-types')
+  this.DatabaseError = DatabaseError
 }
 
 if (typeof process.env.NODE_PG_FORCE_NATIVE !== 'undefined') {
@@ -40,9 +42,6 @@ if (typeof process.env.NODE_PG_FORCE_NATIVE !== 'undefined') {
         if (err.code !== 'MODULE_NOT_FOUND') {
           throw err
         }
-        /* eslint-disable no-console */
-        console.error(err.message)
-        /* eslint-enable no-console */
       }
 
       // overwrite module.exports.native so that getter is never called again

package/lib/query.js

@@ -197,22 +197,22 @@ class Query extends EventEmitter {
       })
     }
 
-    if (this.values) {
-      try {
-        this.values = this.values.map(utils.prepareValue)
-      } catch (err) {
-        this.handleError(err, connection)
-        return
-      }
+    // because we're mapping user supplied values to
+    // postgres wire protocol compatible values it could
+    // throw an exception, so try/catch this section
+    try {
+      connection.bind({
+        portal: this.portal,
+        statement: this.name,
+        values: this.values,
+        binary: this.binary,
+        valueMapper: utils.prepareValue,
+      })
+    } catch (err) {
+      this.handleError(err, connection)
+      return
     }
 
-    connection.bind({
-      portal: this.portal,
-      statement: this.name,
-      values: this.values,
-      binary: this.binary,
-    })
-
     connection.describe({
       type: 'P',
       name: this.portal || '',

package/lib/sasl.js

@@ -20,19 +20,27 @@ function continueSession(session, password, serverData) {
   if (session.message !== 'SASLInitialResponse') {
     throw new Error('SASL: Last message was not SASLInitialResponse')
   }
+  if (typeof password !== 'string') {
+    throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a string')
+  }
+  if (typeof serverData !== 'string') {
+    throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: serverData must be a string')
+  }
 
-  const sv = extractVariablesFromFirstServerMessage(serverData)
+  const sv = parseServerFirstMessage(serverData)
 
   if (!sv.nonce.startsWith(session.clientNonce)) {
     throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: server nonce does not start with client nonce')
+  } else if (sv.nonce.length === session.clientNonce.length) {
+    throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: server nonce is too short')
   }
 
   var saltBytes = Buffer.from(sv.salt, 'base64')
 
   var saltedPassword = Hi(password, saltBytes, sv.iteration)
 
-  var clientKey = createHMAC(saltedPassword, 'Client Key')
-  var storedKey = crypto.createHash('sha256').update(clientKey).digest()
+  var clientKey = hmacSha256(saltedPassword, 'Client Key')
+  var storedKey = sha256(clientKey)
 
   var clientFirstMessageBare = 'n=*,r=' + session.clientNonce
   var serverFirstMessage = 'r=' + sv.nonce + ',s=' + sv.salt + ',i=' + sv.iteration
@@ -41,12 +49,12 @@ function continueSession(session, password, serverData) {
 
   var authMessage = clientFirstMessageBare + ',' + serverFirstMessage + ',' + clientFinalMessageWithoutProof
 
-  var clientSignature = createHMAC(storedKey, authMessage)
+  var clientSignature = hmacSha256(storedKey, authMessage)
   var clientProofBytes = xorBuffers(clientKey, clientSignature)
   var clientProof = clientProofBytes.toString('base64')
 
-  var serverKey = createHMAC(saltedPassword, 'Server Key')
-  var serverSignatureBytes = createHMAC(serverKey, authMessage)
+  var serverKey = hmacSha256(saltedPassword, 'Server Key')
+  var serverSignatureBytes = hmacSha256(serverKey, authMessage)
 
   session.message = 'SASLResponse'
   session.serverSignature = serverSignatureBytes.toString('base64')
@@ -57,54 +65,87 @@ function finalizeSession(session, serverData) {
   if (session.message !== 'SASLResponse') {
     throw new Error('SASL: Last message was not SASLResponse')
   }
+  if (typeof serverData !== 'string') {
+    throw new Error('SASL: SCRAM-SERVER-FINAL-MESSAGE: serverData must be a string')
+  }
 
-  var serverSignature
-
-  String(serverData)
-    .split(',')
-    .forEach(function (part) {
-      switch (part[0]) {
-        case 'v':
-          serverSignature = part.substr(2)
-          break
-      }
-    })
+  const { serverSignature } = parseServerFinalMessage(serverData)
 
   if (serverSignature !== session.serverSignature) {
     throw new Error('SASL: SCRAM-SERVER-FINAL-MESSAGE: server signature does not match')
   }
 }
 
-function extractVariablesFromFirstServerMessage(data) {
-  var nonce, salt, iteration
-
-  String(data)
-    .split(',')
-    .forEach(function (part) {
-      switch (part[0]) {
-        case 'r':
-          nonce = part.substr(2)
-          break
-        case 's':
-          salt = part.substr(2)
-          break
-        case 'i':
-          iteration = parseInt(part.substr(2), 10)
-          break
+/**
+ * printable       = %x21-2B / %x2D-7E
+ *                   ;; Printable ASCII except ",".
+ *                   ;; Note that any "printable" is also
+ *                   ;; a valid "value".
+ */
+function isPrintableChars(text) {
+  if (typeof text !== 'string') {
+    throw new TypeError('SASL: text must be a string')
+  }
+  return text
+    .split('')
+    .map((_, i) => text.charCodeAt(i))
+    .every((c) => (c >= 0x21 && c <= 0x2b) || (c >= 0x2d && c <= 0x7e))
+}
+
+/**
+ * base64-char     = ALPHA / DIGIT / "/" / "+"
+ *
+ * base64-4        = 4base64-char
+ *
+ * base64-3        = 3base64-char "="
+ *
+ * base64-2        = 2base64-char "=="
+ *
+ * base64          = *base64-4 [base64-3 / base64-2]
+ */
+function isBase64(text) {
+  return /^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=)?$/.test(text)
+}
+
+function parseAttributePairs(text) {
+  if (typeof text !== 'string') {
+    throw new TypeError('SASL: attribute pairs text must be a string')
+  }
+
+  return new Map(
+    text.split(',').map((attrValue) => {
+      if (!/^.=/.test(attrValue)) {
+        throw new Error('SASL: Invalid attribute pair entry')
       }
+      const name = attrValue[0]
+      const value = attrValue.substring(2)
+      return [name, value]
     })
+  )
+}
 
+function parseServerFirstMessage(data) {
+  const attrPairs = parseAttributePairs(data)
+
+  const nonce = attrPairs.get('r')
   if (!nonce) {
     throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: nonce missing')
+  } else if (!isPrintableChars(nonce)) {
+    throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: nonce must only contain printable characters')
   }
-
+  const salt = attrPairs.get('s')
   if (!salt) {
     throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: salt missing')
+  } else if (!isBase64(salt)) {
+    throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: salt must be base64')
   }
-
-  if (!iteration) {
+  const iterationText = attrPairs.get('i')
+  if (!iterationText) {
     throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: iteration missing')
+  } else if (!/^[1-9][0-9]*$/.test(iterationText)) {
+    throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: invalid iteration count')
   }
+  const iteration = parseInt(iterationText, 10)
 
   return {
     nonce,
@@ -113,31 +154,48 @@ function extractVariablesFromFirstServerMessage(data) {
   }
 }
 
+function parseServerFinalMessage(serverData) {
+  const attrPairs = parseAttributePairs(serverData)
+  const serverSignature = attrPairs.get('v')
+  if (!serverSignature) {
+    throw new Error('SASL: SCRAM-SERVER-FINAL-MESSAGE: server signature is missing')
+  } else if (!isBase64(serverSignature)) {
+    throw new Error('SASL: SCRAM-SERVER-FINAL-MESSAGE: server signature must be base64')
+  }
+  return {
+    serverSignature,
+  }
+}
+
 function xorBuffers(a, b) {
-  if (!Buffer.isBuffer(a)) a = Buffer.from(a)
-  if (!Buffer.isBuffer(b)) b = Buffer.from(b)
-  var res = []
-  if (a.length > b.length) {
-    for (var i = 0; i < b.length; i++) {
-      res.push(a[i] ^ b[i])
-    }
-  } else {
-    for (var j = 0; j < a.length; j++) {
-      res.push(a[j] ^ b[j])
-    }
-  }
-  return Buffer.from(res)
+  if (!Buffer.isBuffer(a)) {
+    throw new TypeError('first argument must be a Buffer')
+  }
+  if (!Buffer.isBuffer(b)) {
+    throw new TypeError('second argument must be a Buffer')
+  }
+  if (a.length !== b.length) {
+    throw new Error('Buffer lengths must match')
+  }
+  if (a.length === 0) {
+    throw new Error('Buffers cannot be empty')
+  }
+  return Buffer.from(a.map((_, i) => a[i] ^ b[i]))
+}
+
+function sha256(text) {
+  return crypto.createHash('sha256').update(text).digest()
 }
 
-function createHMAC(key, msg) {
+function hmacSha256(key, msg) {
   return crypto.createHmac('sha256', key).update(msg).digest()
 }
 
 function Hi(password, saltBytes, iterations) {
-  var ui1 = createHMAC(password, Buffer.concat([saltBytes, Buffer.from([0, 0, 0, 1])]))
+  var ui1 = hmacSha256(password, Buffer.concat([saltBytes, Buffer.from([0, 0, 0, 1])]))
   var ui = ui1
   for (var i = 0; i < iterations - 1; i++) {
-    ui1 = createHMAC(password, ui1)
+    ui1 = hmacSha256(password, ui1)
     ui = xorBuffers(ui, ui1)
   }
 

package/lib/utils.js

@@ -38,6 +38,10 @@ function arrayString(val) {
 // note: you can override this function to provide your own conversion mechanism
 // for complex types, etc...
 var prepareValue = function (val, seen) {
+  // null and undefined are both null for postgres
+  if (val == null) {
+    return null
+  }
   if (val instanceof Buffer) {
     return val
   }
@@ -58,9 +62,6 @@ var prepareValue = function (val, seen) {
   if (Array.isArray(val)) {
     return arrayString(val)
   }
-  if (val === null || typeof val === 'undefined') {
-    return null
-  }
   if (typeof val === 'object') {
     return prepareObject(val, seen)
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pg",
-  "version": "8.4.1",
+  "version": "8.6.0",
   "description": "PostgreSQL client - pure javascript & libpq with the same API",
   "keywords": [
     "database",
@@ -14,16 +14,17 @@
   "homepage": "https://github.com/brianc/node-postgres",
   "repository": {
     "type": "git",
-    "url": "git://github.com/brianc/node-postgres.git"
+    "url": "git://github.com/brianc/node-postgres.git",
+    "directory": "packages/pg"
   },
   "author": "Brian Carlson <brian.m.carlson@gmail.com>",
   "main": "./lib",
   "dependencies": {
     "buffer-writer": "2.0.0",
     "packet-reader": "1.0.0",
-    "pg-connection-string": "^2.4.0",
-    "pg-pool": "^3.2.1",
-    "pg-protocol": "^1.3.0",
+    "pg-connection-string": "^2.5.0",
+    "pg-pool": "^3.3.0",
+    "pg-protocol": "^1.5.0",
     "pg-types": "^2.1.0",
     "pgpass": "1.x"
   },
@@ -52,5 +53,5 @@
   "engines": {
     "node": ">= 8.0.0"
   },
-  "gitHead": "36342c9a84b68123f666879a9f34ac319a44727a"
+  "gitHead": "d45947938263bec30a1e3252452f04177b785f66"
 }