bun.sh

mirrors/bun.sh

Fork 0

mirror of https://github.com/oven-sh/bun synced 2026-02-18 06:41:50 +00:00

Commit Graph

Author	SHA1	Message	Date
Claude Bot	742bc513cb	fix(sql): validate array type parameter to prevent SQL injection The `sql.array(values, type)` function interpolated the user-provided type string directly into the SQL query without validation, allowing SQL injection via crafted type names like `INT); DROP TABLE users--`. Add character validation in `getArrayType()` to reject type names containing characters outside [a-zA-Z0-9_ .], which covers all valid PostgreSQL type names (including schema-qualified names like `myschema.INTEGER`) while blocking injection payloads. Uses `$ERR_INVALID_ARG_VALUE` for consistency with the rest of the codebase. Co-Authored-By: Claude <noreply@anthropic.com>	2026-02-12 04:53:43 +00:00

Author

SHA1

Message

Date

Claude Bot

742bc513cb

fix(sql): validate array type parameter to prevent SQL injection

The `sql.array(values, type)` function interpolated the user-provided
type string directly into the SQL query without validation, allowing
SQL injection via crafted type names like `INT); DROP TABLE users--`.

Add character validation in `getArrayType()` to reject type names
containing characters outside [a-zA-Z0-9_ .], which covers all valid
PostgreSQL type names (including schema-qualified names like
`myschema.INTEGER`) while blocking injection payloads. Uses
`$ERR_INVALID_ARG_VALUE` for consistency with the rest of the codebase.

Co-Authored-By: Claude <noreply@anthropic.com>

2026-02-12 04:53:43 +00:00

1 Commits