PostgresMetaTables.update() builds the REPLICA IDENTITY USING INDEX statement by interpolating replica_identity_index directly:
|
replicaSql = `${alter} REPLICA IDENTITY USING INDEX ${replica_identity_index};` |
replicaSql = `${alter} REPLICA IDENTITY USING INDEX ${replica_identity_index};`Every other identifier in the same function goes through ident() (schema, table name, primary keys), and the request schema for this field is Type.Optional(Type.String()) with no further constraint, so the value reaches the database unescaped. An index name that needs quoting produces invalid SQL, and the value can break out of the statement.
The equivalent code in packages/pg-meta already wraps it with ident():
replicaSql = safeSql`${alter} REPLICA IDENTITY USING INDEX ${ident(replica_identity_index)};`I'll send a PR that wraps it with ident() to match the surrounding code, plus a test.
PostgresMetaTables.update()builds theREPLICA IDENTITY USING INDEXstatement by interpolatingreplica_identity_indexdirectly:postgres-meta/src/lib/PostgresMetaTables.ts
Line 174 in f21a4da
Every other identifier in the same function goes through
ident()(schema, table name, primary keys), and the request schema for this field isType.Optional(Type.String())with no further constraint, so the value reaches the database unescaped. An index name that needs quoting produces invalid SQL, and the value can break out of the statement.The equivalent code in
packages/pg-metaalready wraps it withident():I'll send a PR that wraps it with
ident()to match the surrounding code, plus a test.