Fix SQL injection via line comment creation in simple protocol

jackc · Mar 4, 2024 · 826a892 · 826a892
1 parent 7d882f9
commit 826a892
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/internal/sanitize/sanitize.go b/internal/sanitize/sanitize.go
@@ -44,8 +44,18 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
 				str = "null"
 			case int64:
 				str = strconv.FormatInt(arg, 10)
+				// Prevent SQL injection via Line Comment Creation
+				// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
+				if arg < 0 {
+					str = "(" + str + ")"
+				}
 			case float64:
+				// Prevent SQL injection via Line Comment Creation
+				// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
 				str = strconv.FormatFloat(arg, 'f', -1, 64)
+				if arg < 0 {
+					str = "(" + str + ")"
+				}
 			case bool:
 				str = strconv.FormatBool(arg)
 			case []byte:

diff --git a/internal/sanitize/sanitize_test.go b/internal/sanitize/sanitize_test.go
@@ -174,6 +174,16 @@ func TestQuerySanitize(t *testing.T) {
 			args:     []interface{}{time.Date(2020, time.March, 1, 23, 59, 59, 999999999, time.UTC)},
 			expected: `insert '2020-03-01 23:59:59.999999Z'`,
 		},
+		{
+			query:    sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
+			args:     []interface{}{int64(-1)},
+			expected: `select 1-(-1)`,
+		},
+		{
+			query:    sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
+			args:     []interface{}{float64(-1)},
+			expected: `select 1-(-1)`,
+		},
 	}
 
 	for i, tt := range successfulTests {