mirror of
https://github.com/oven-sh/bun
synced 2026-02-17 22:32:06 +00:00
The `sql.array(values, type)` function interpolated the user-provided type string directly into the SQL query without validation, allowing SQL injection via crafted type names like `INT); DROP TABLE users--`. Add character validation in `getArrayType()` to reject type names containing characters outside [a-zA-Z0-9_ .], which covers all valid PostgreSQL type names (including schema-qualified names like `myschema.INTEGER`) while blocking injection payloads. Uses `$ERR_INVALID_ARG_VALUE` for consistency with the rest of the codebase.

Co-Authored-By: Claude <noreply@anthropic.com>
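The pattern the commit describes, shown as an added example rather than Bun's own code: the diff itself is not on this page, so `getArrayType`, `arrayCastFragment` and `InvalidArgValueError` below are a hypothetical reconstruction of the shape of the bug and the fix. The only assumptions taken from the message are that the type name is spliced into query text as a `::type[]` cast, that the allowlist is `[a-zA-Z0-9_ .]`, and that rejection uses the `ERR_INVALID_ARG_VALUE` code. The array values are assumed to travel as a bound parameter (`$1`), which is why only the type name matters for injection.

```javascript
// Added example (not from the oven-sh/bun repository). Reconstructs the
// vulnerable and hardened shapes of a type-name cast in an array helper.

// Character class named in the commit message: letters, digits, underscore,
// space (for "character varying", "double precision") and dot (schema-qualified
// names such as myschema.INTEGER). Anything else, including ')' ';' '-' '[',
// is rejected.
const TYPE_NAME_RE = /^[a-zA-Z0-9_ .]+$/;

// Hypothetical error type carrying the Node/Bun-style code the commit names.
class InvalidArgValueError extends TypeError {
  constructor(name, value, reason) {
    super(`The argument '${name}' ${reason}. Received ${JSON.stringify(value)}`);
    this.code = "ERR_INVALID_ARG_VALUE";
  }
}

// Vulnerable shape: the caller-supplied type is trusted and concatenated
// straight into the query text next to a bound parameter.
function unsafeArrayCastFragment(paramIndex, type) {
  return `$${paramIndex}::${type}[]`;
}

// Hardened shape: validate the type name before it touches query text.
// Returns the (unchanged) type name on success; throws on any other input.
function getArrayType(type) {
  if (typeof type !== "string" || !TYPE_NAME_RE.test(type)) {
    throw new InvalidArgValueError(
      "type",
      type,
      "must be a PostgreSQL type name containing only [a-zA-Z0-9_ .]"
    );
  }
  return type;
}

function safeArrayCastFragment(paramIndex, type) {
  return `$${paramIndex}::${getArrayType(type)}[]`;
}

// Helper for inspection: returns the fragment on success, or the error code
// when the type name is rejected, so callers can see both outcomes.
function tryCast(type) {
  try {
    return safeArrayCastFragment(1, type);
  } catch (err) {
    if (err instanceof InvalidArgValueError) return err.code;
    throw err;
  }
}

// Constructed inputs: one injection payload from the commit message, two
// legitimate names, and a few edge cases the allowlist should also reject.
const INJECTION = "INT); DROP TABLE users--";
const SAMPLES = [
  INJECTION,
  "myschema.INTEGER",
  "character varying",
  "int[]",       // brackets are appended by the helper, not accepted as input
  "",            // empty name is not a type
  '"My Type"',   // quoted identifiers are deliberately outside the allowlist
];

for (const t of SAMPLES) {
  console.log(JSON.stringify(t).padEnd(30), "unsafe:", unsafeArrayCastFragment(1, t).padEnd(36), "safe:", tryCast(t));
}
```

The check is an allowlist, not an escaper: a name that passes still has to be a real type, and PostgreSQL itself rejects unknown ones at parse time. Quoted identifiers (`"My Type"`) and array syntax (`int[]`) are rejected by design, since the helper appends `[]` itself and the allowlist has no way to express a balanced quote.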
3.7 KiB