node-connect-pg-simple icon indicating copy to clipboard operation
node-connect-pg-simple copied to clipboard

Published 20 hours ago verified publisher icon voxpelli

Allow customization of the column names

Open Tenpi opened this issue 2 years ago • 4 comments

I want to use my own column names, but this module uses hardcoded column names.

With this modification, you should be able to pass a custom sidColumnName, sessColumnName, or expireColumnName.

No one should be passing in column names from unsanitized input, so I don't think that SQL injections are an issue.

I only modified some of the tests because PostgreSQL seems to be returning the numbers as strings without an explicit type cast.

Code Example:

app.use(session({
  store: new pgSession({
    pool: pgPool,
    sidColumnName: "sessionID",
    sessColumnName: "session",
    expireColumnName: "expires"
  }),
  secret: process.env.COOKIE_SECRET,
  cookie: {maxAge: 1000 * 60 * 60 * 24},
  resave: false,
  saveUninitialized: false
}))

Tenpi avatar Apr 13 '22 13:04 Tenpi

Why do you want your own column names? Making things too configurable will make the module needlessly complex. I'm not sure I'm convinced of the benefit of adding this.

No one should be passing in column names from unsanitized input, so I don't think that SQL injections are an issue.

Well, #151 begs to differ, which caused https://github.com/voxpelli/node-connect-pg-simple/security/advisories/GHSA-xqh8-5j36-4556

voxpelli avatar Jun 15 '22 10:06 voxpelli

Why do you want your own column names?

For naming consistency sake, I don't use abbreviations in my column names which is why I prefer using "sessionID" and "session".

Well, #151 begs to differ, which caused GHSA-xqh8-5j36-4556

You solved this by adding the function escapePgIdentifier() to escape double quotes, which I am also using for the column names.

SQL injection is possible if they pass in unsanitized input for the column name, and this is already possible for the table name too. You should warn people to only pass in a hardcoded string for the column/table names in the readme.

Tenpi avatar Jun 15 '22 17:06 Tenpi

Why do you want your own column names?

For naming consistency sake, I don't use abbreviations in my column names which is why I prefer using "sessionID" and "session".

But this is internally within the dedicated session table? And shouldn't be used by anyone else? So it won't really matter which names they have? Or where are you getting exposed to them?

voxpelli avatar Jun 15 '22 18:06 voxpelli

it won't really matter which names they have?

It’s purely a matter of personal preference, changing the column names doesn’t have a functional difference. I’d just rather use names which aren’t abbreviated.

Tenpi avatar Jun 15 '22 22:06 Tenpi