Skip to content

fix: SQL injection vulnerability in Neon cache provider table names #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mfeltscher merged 5 commits into from
Feb 16, 2026
Merged

fix: SQL injection vulnerability in Neon cache provider table names #214

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2fe77b5
Initial plan
Copilot Feb 15, 2026
14ee286
Fix SQL injection vulnerability in Neon provider table name
Copilot Feb 15, 2026
8540848
Improve identifier validation and escape double quotes
Copilot Feb 15, 2026
0a628ea
Improve error message to clarify schema-qualified names
Copilot Feb 15, 2026
08aad48
schoener
mfeltscher Feb 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

27 changes: 26 additions & 1 deletion src/cache-tags/provider/neon.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ export class NeonCacheTagsProvider implements CacheTagsProvider {

constructor({ connectionUrl, table }: NeonCacheTagsProviderConfig) {
this.sql = neon(connectionUrl, { fullResults: true });
this.table = table;
this.table = NeonCacheTagsProvider.quoteIdentifier(table);
}

public async storeQueryCacheTags(queryId: string, cacheTags: CacheTag[]) {
Expand Down Expand Up @@ -77,4 +77,29 @@ export class NeonCacheTagsProvider implements CacheTagsProvider {
public async truncateCacheTags() {
return (await this.sql.query(`DELETE FROM ${this.table}`)).rowCount ?? 0;
}

/**
* Validates and quotes a PostgreSQL identifier (table name, column name, etc.) to prevent SQL injection.
* @param identifier The identifier to validate and quote
* @returns The properly quoted identifier
* @throws Error if the identifier is invalid
*/
private static quoteIdentifier(identifier: string): string {
// Validate that the identifier contains only valid characters
// PostgreSQL identifiers can contain letters, digits, underscores, and dollar signs
// They can also contain dots for schema-qualified names
if (!/^[a-zA-Z_$][a-zA-Z0-9_$]*(\.[a-zA-Z_$][a-zA-Z0-9_$]*)?$/.test(identifier)) {
throw new Error(
`Invalid table name: ${identifier}. Table names must start with a letter, underscore, or dollar sign and contain only letters, digits, underscores, and dollar signs. Schema-qualified names (e.g., "schema.table") are supported.`,
);
}

// Quote the identifier using double quotes to prevent SQL injection
// Handle schema-qualified names (e.g., "schema.table")
// Escape any double quotes within the identifier by doubling them
return identifier
.split('.')
.map((part) => `"${part.replace(/"/g, '""')}"`)
.join('.');
}
}