
fix(security): improve sanitization for big numbers support #2572

Merged: 1 commit merged into sidorares:master from sanitization, Apr 9, 2024

Conversation

wellwelwel (Collaborator)

This PR continues the #2424 work, ensuring the type of parameters received in the connection and query options for both text and binary parsers.
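The description above says the PR checks the type of the options before the text and binary parsers use them. As an added illustration of that defensive pattern (this is not mysql2's code and not the diff from this PR), the block below assumes the option names `supportBigNumbers` and `bigNumberStrings` from the 3.9.4 release notes on this page, and assumes the conversion semantics spelled out in its comments; the helper names are hypothetical.

```javascript
// Added example, not mysql2's own code: enforce strict boolean types for the
// big-number options before any parser logic reads them, then apply them to a
// BIGINT column value received as decimal text from the server.
//
// Assumptions (not stated on the PR page): the option names come from the
// 3.9.4 release notes; the conversion semantics (supportBigNumbers returns a
// string only when the value is outside the safe-integer range, and
// bigNumberStrings forces a string) are assumed for this illustration.

const BIG_NUMBER_OPTIONS = ['supportBigNumbers', 'bigNumberStrings'];

// Accept only real booleans; default absent options to false; reject anything
// else (strings such as "true", numbers, objects) instead of coercing it, so
// only the literal values true/false can ever reach the parsers.
function sanitizeBigNumberOptions(options = {}) {
  const sanitized = {};
  for (const name of BIG_NUMBER_OPTIONS) {
    const value = options[name];
    if (value === undefined || value === null) {
      sanitized[name] = false;
    } else if (typeof value === 'boolean') {
      sanitized[name] = value;
    } else {
      throw new TypeError(`option ${name} must be a boolean, received ${typeof value}`);
    }
  }
  return sanitized;
}

const MAX_SAFE = BigInt(Number.MAX_SAFE_INTEGER);

// Convert the decimal text of a BIGINT column according to the sanitized options.
function convertBigIntColumn(text, options) {
  const { supportBigNumbers, bigNumberStrings } = sanitizeBigNumberOptions(options);
  if (!/^-?\d+$/.test(text)) {
    throw new RangeError(`not an integer literal: ${JSON.stringify(text)}`);
  }
  if (!supportBigNumbers) {
    return Number(text); // silently loses precision beyond 2^53
  }
  if (bigNumberStrings) {
    return text; // both options on: always a string
  }
  const big = BigInt(text);
  return big >= -MAX_SAFE && big <= MAX_SAFE ? Number(big) : text;
}

// Constructed sample: values straddling the 2^53 safe-integer boundary.
const SAMPLE_VALUES = ['42', '-9007199254740991', '9007199254740993'];

// Runs the sample through the converter with supportBigNumbers enabled.
function demo() {
  return SAMPLE_VALUES.map((v) => convertBigIntColumn(v, { supportBigNumbers: true }));
}

console.log(JSON.stringify(demo()));
```

The point of the strict check is that an option value such as the string `"true"` is rejected up front with a `TypeError` rather than being truthy-coerced or passed along to code that expects a boolean; `demo()` returns `[42, -9007199254740991, "9007199254740993"]`, the last value staying a string because it cannot be represented exactly as a Number.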

codecov bot commented Apr 9, 2024

Codecov Report

Attention: Patch coverage is 96.87500%, with 1 line in your changes missing coverage. Please review.

Project coverage is 90.31%. Comparing base (8a818ce) to head (c6f329d).

| Files | Patch % | Lines |
|---|---|---|
| lib/parsers/text_parser.js | 96.15% | 1 Missing ⚠️ |
Additional details and impacted files
```
@@           Coverage Diff           @@
##           master    #2572   +/-   ##
=======================================
  Coverage   90.31%   90.31%           
=======================================
  Files          71       71           
  Lines       15700    15708    +8     
  Branches     1332     1332           
=======================================
+ Hits        14179    14187    +8     
  Misses       1521     1521           
```
| Flag | Coverage Δ |
|---|---|
| compression-0 | 90.31% <96.87%> (+<0.01%) ⬆️ |
| compression-1 | 90.31% <96.87%> (+<0.01%) ⬆️ |
| tls-0 | 89.83% <96.87%> (+<0.01%) ⬆️ |
| tls-1 | 90.13% <96.87%> (+<0.01%) ⬆️ |

Flags with carried forward coverage won't be shown.

@wellwelwel wellwelwel marked this pull request as ready for review April 9, 2024 01:20
@wellwelwel (Collaborator, Author)

@sidorares, as these changes are simple, I'll merge it to release in #2566 (3.9.4) and follow the same way from #2529 (manually edit the Changelog.md to preserve the commit description).

@wellwelwel wellwelwel merged commit 74abf9e into sidorares:master Apr 9, 2024
64 checks passed
@wellwelwel wellwelwel deleted the sanitization branch April 9, 2024 09:45
Vylpes pushed a commit to Vylpes/Droplet that referenced this pull request May 28, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [mysql2](https://sidorares.github.io/node-mysql2/docs) ([source](https://github.com/sidorares/node-mysql2)) | dependencies | patch | [`3.9.3` -> `3.9.7`](https://renovatebot.com/diffs/npm/mysql2/3.9.3/3.9.7) |

---

### Release Notes

<details>
<summary>sidorares/node-mysql2 (mysql2)</summary>

### [`v3.9.7`](https://github.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#397-2024-04-21)

[Compare Source](sidorares/node-mysql2@v3.9.6...v3.9.7)

##### Bug Fixes

-   **security:** sanitize timezone parameter value to prevent code injection ([#2608](sidorares/node-mysql2#2608)) ([7d4b098](sidorares/node-mysql2@7d4b098))

### [`v3.9.6`](https://github.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#396-2024-04-18)

[Compare Source](sidorares/node-mysql2@v3.9.5...v3.9.6)

##### Bug Fixes

-   binary parser sometimes reads out of packet bounds when results contain null and typecast is false ([#2601](sidorares/node-mysql2#2601)) ([705835d](sidorares/node-mysql2@705835d))

### [`v3.9.5`](https://github.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#395-2024-04-17)

[Compare Source](sidorares/node-mysql2@v3.9.4...v3.9.5)

##### Bug Fixes

-   revert breaking change in results creation ([#2591](sidorares/node-mysql2#2591)) ([f7c60d0](sidorares/node-mysql2@f7c60d0))

### [`v3.9.4`](https://github.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#394-2024-04-09)

[Compare Source](sidorares/node-mysql2@v3.9.3...v3.9.4)

##### Bug Fixes

-   **docs:** improve the contribution guidelines ([#2552](sidorares/node-mysql2#2552)) ([8a818ce](sidorares/node-mysql2@8a818ce))
-   **security:** improve results object creation ([#2574](sidorares/node-mysql2#2574)) ([4a964a3](sidorares/node-mysql2@4a964a3))
-   **security:** improve supportBigNumbers and bigNumberStrings sanitization ([#2572](sidorares/node-mysql2#2572)) ([74abf9e](sidorares/node-mysql2@74abf9e))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---


This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.vylpes.xyz/RabbitLabs/Droplet/pulls/304
Co-authored-by: Renovate Bot <renovate@vylpes.com>
Co-committed-by: Renovate Bot <renovate@vylpes.com>