Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR updates SQL queries to quote user and database names to avoid identifier issues.
- Adds double quotes around user names in CREATE, ALTER, and DROP user queries.
- Adds double quotes around database names in CREATE, ALTER, and DROP database queries.
Comments suppressed due to low confidence (1)
handler/main.ts:403
- For consistency with the other queries, the username should be enclosed in double quotes in the ALTER DATABASE statement. For example:
... OWNER TO "${userCredentials.username}";.
await adminClient.query(`ALTER DATABASE "${event.ResourceProperties.databaseName}" OWNER TO ${userCredentials.username};`);
plumdog
force-pushed
the
quote-user-and-database-names
branch
from
95a9200 to
6b9f70d
Compare
plumdog
force-pushed
the
quote-user-and-database-names
branch
from
6b9f70d to
8736003
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR updates SQL statements in handler/main.ts to quote user and database identifiers, ensuring names with special characters are handled correctly.
- Wraps usernames in double quotes for CREATE, ALTER, and DROP USER queries
- Wraps database names in double quotes for CREATE, ALTER, DROP, and OWNER queries
Comments suppressed due to low confidence (2)
handler/main.ts:264
- There are no tests verifying that quoting handles usernames with special characters correctly. Add unit tests for edge cases such as names containing double quotes, hyphens, or uppercase letters to ensure queries are formed as expected.
const createUserQuery = `CREATE USER "${userCredentials.username}" WITH PASSWORD '${userCredentials.password}' CREATEDB LOGIN;`;
handler/main.ts:285
- Similarly, add tests for database names with special characters (e.g., spaces, quotes) to verify that quoting is applied correctly and avoids failures at runtime.
const createDatabaseQuery = `CREATE DATABASE "${event.ResourceProperties.databaseName}";`;
| }); | ||
|
|
||
| const createUserQuery = `CREATE USER ${userCredentials.username} WITH PASSWORD '${userCredentials.password}' CREATEDB LOGIN;`; | ||
| const createUserQuery = `CREATE USER "${userCredentials.username}" WITH PASSWORD '${userCredentials.password}' CREATEDB LOGIN;`; |
There was a problem hiding this comment.
Interpolating userCredentials.username directly into the SQL string can lead to SQL injection if the username contains double quotes or other special characters. Consider using a parameterized identifier escape library (e.g., pg-format) or the client’s identifier-quoting API.
| throw e; | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Embedding databaseName via string interpolation may allow injection if the name contains quotes or unsafe characters. Use parameterized queries or a safe identifier-escaping function to avoid SQL injection.
| validateDatabaseName(event.ResourceProperties.databaseName); |
1 participant
No description provided.