mirror of
https://github.com/oven-sh/bun
synced 2026-02-18 14:51:52 +00:00
## Summary

- Reject null bytes in `username`, `password`, `database`, and `path` connection parameters for both PostgreSQL and MySQL to prevent wire protocol parameter injection
- Both the Postgres and MySQL wire protocols use null-terminated strings in their startup/handshake messages, so embedded null bytes in these fields act as field terminators, allowing injection of arbitrary protocol parameters (e.g. `search_path` for schema hijacking)
- The fix validates these fields immediately after UTF-8 conversion and throws an `InvalidArguments` error with a clear message if null bytes are found

## Test plan

- [x] New test `test/regression/issue/postgres-null-byte-injection.test.ts` verifies:
  - Null bytes in username are rejected with an error before any data is sent
  - Null bytes in database are rejected with an error before any data is sent
  - Null bytes in password are rejected with an error before any data is sent
  - Normal connections without null bytes still work correctly
- [x] Test verified to fail with `USE_SYSTEM_BUN=1` (unfixed bun) and pass with `bun bd test` (fixed build)
- [x] Existing SQL tests pass (`adapter-env-var-precedence.test.ts`, `postgres-stringbuilder-assertion-aggressive.test.ts`)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
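The injection the commit message describes, shown end to end as an added example (this is not Bun's own code and does not reflect its internal SQL client). It encodes a PostgreSQL protocol 3.0 StartupMessage the way a client would, decodes it the way a server would (splitting on null bytes), and shows that a username containing `\0search_path\0...` is parsed by the server as three parameters instead of one. The `assertNoNullBytes` check models the fix's behaviour (reject before anything is sent); the error type, the function names and the attacker-controlled username `app\0search_path\0attacker_schema` are assumptions chosen for illustration. The MySQL HandshakeResponse packet uses a null-terminated username too, so the same reasoning applies there, but only the Postgres framing is modelled here.

```typescript
// Added example (not Bun's code): PostgreSQL StartupMessage framing and why a
// null byte inside one parameter value becomes a parameter injection.
//
// StartupMessage (protocol 3.0):
//   Int32 length (includes itself) | Int32 196608 (3 << 16 | 0) |
//   (key\0 value\0)* | \0

const PROTOCOL_V3 = 196608;

// Client side: naive encoder that trusts its inputs.
function encodeStartupMessage(params: Record<string, string>): Buffer {
  const parts: Buffer[] = [];
  for (const [key, value] of Object.entries(params)) {
    parts.push(Buffer.from(key, "utf8"), Buffer.alloc(1)); // key\0
    parts.push(Buffer.from(value, "utf8"), Buffer.alloc(1)); // value\0
  }
  parts.push(Buffer.alloc(1)); // final terminator
  const body = Buffer.concat(parts);
  const header = Buffer.alloc(8);
  header.writeInt32BE(body.length + 8, 0);
  header.writeInt32BE(PROTOCOL_V3, 4);
  return Buffer.concat([header, body]);
}

// Server side: the server has no way to know where the client "meant" a value
// to end; every null byte is a field terminator.
function decodeStartupMessage(msg: Buffer): Record<string, string> {
  if (msg.readInt32BE(0) !== msg.length) throw new Error("length mismatch");
  if (msg.readInt32BE(4) !== PROTOCOL_V3) throw new Error("unsupported protocol");
  const params: Record<string, string> = {};
  let offset = 8;
  while (offset < msg.length && msg[offset] !== 0) {
    const keyEnd = msg.indexOf(0, offset);
    if (keyEnd < 0) throw new Error("unterminated key");
    const valueEnd = msg.indexOf(0, keyEnd + 1);
    if (valueEnd < 0) throw new Error("unterminated value");
    params[msg.toString("utf8", offset, keyEnd)] = msg.toString("utf8", keyEnd + 1, valueEnd);
    offset = valueEnd + 1;
  }
  return params;
}

// The check the fix adds, modelled here: reject null bytes in user-controlled
// fields before a single byte reaches the socket. (Error type is an assumption.)
function assertNoNullBytes(field: string, value: string): void {
  if (value.includes("\0")) {
    throw new TypeError(`Connection parameter "${field}" must not contain null bytes`);
  }
}

// Hardened client entry point: validate, then encode.
function buildStartupMessage(opts: { user: string; database: string }): Buffer {
  assertNoNullBytes("user", opts.user);
  assertNoNullBytes("database", opts.database);
  return encodeStartupMessage({ user: opts.user, database: opts.database });
}

// Constructed attacker-controlled username (hypothetical schema name).
const maliciousUser = "app\0search_path\0attacker_schema";

// What the server sees when the unchecked encoder is used with maliciousUser:
// { user: "app", search_path: "attacker_schema", database: "prod" }
function demonstrateInjection(): Record<string, string> {
  return decodeStartupMessage(encodeStartupMessage({ user: maliciousUser, database: "prod" }));
}
```

Note that the validation has to run on the final byte string that will be written (after UTF-8 conversion), not on some earlier representation; an escaped or percent-encoded `%00` in a connection URL that is decoded later would otherwise slip past a check done too early, which is why the fix validates immediately after conversion.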