fix: prevent SQL injection in timezone handling

Apply timezone validation before executing SET TIME ZONE command
to prevent potential SQL injection vulnerabilities.

Changes:
- Import and use isValidTimeZone() validation
- Throw error for invalid timezone strings
- Maintain support for all legitimate timezone formats

The validation ensures that only safe timezone strings are used
in raw SQL execution while preserving functionality.

Author: mgcrea

src/PrismaQueue.ts

@@ -11,6 +11,7 @@ import {
   escape,
   getCurrentTimeZone,
   getTableName,
+  isValidTimeZone,
   serializeError,
   uncapitalize,
   waitFor,
@@ -320,6 +321,10 @@ export class PrismaQueue<
             await client.$queryRawUnsafe<[{ TimeZone: string }]>("SHOW TIME ZONE");
           const localTimeZone = getCurrentTimeZone();
           if (dbTimeZone !== localTimeZone) {
+            // Validate timezone to prevent SQL injection
+            if (!isValidTimeZone(localTimeZone)) {
+              throw new Error(`Invalid timezone: ${localTimeZone}`);
+            }
             debug(`aligning database timezone from ${dbTimeZone} to ${localTimeZone}!`);
             await client.$executeRawUnsafe(`SET LOCAL TIME ZONE '${localTimeZone}';`);
           }