From 85e160fb8bf501eeee45877f07744899c44886f4 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Mon, 14 Jun 2021 08:17:22 +0200
Subject: [PATCH 1/6] docs: add link to related packages
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 7baa49e..f907896 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,14 @@ Supported features:
 - [`fetchSockets`](https://socket.io/docs/v4/server-instance/#fetchSockets)
 - [`serverSideEmit`](https://socket.io/docs/v4/server-instance/#serverSideEmit)
+Related packages:
+
+- Postgres emitter: https://github.com/socketio/socket.io-postgres-emitter/
+- Redis adapter: https://github.com/socketio/socket.io-redis-adapter/
+- Redis emitter: https://github.com/socketio/socket.io-redis-emitter/
+- MongoDB adapter: https://github.com/socketio/socket.io-mongo-adapter/
+- MongoDB emitter: https://github.com/socketio/socket.io-mongo-emitter/
+
 **Table of contents**
 - [Installation](#installation)
From e2c8fe800898e16b7c3aa74b4dae6abaef1acb26 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Mon, 14 Jun 2021 08:18:04 +0200
Subject: [PATCH 2/6] chore: add npm keywords
---
 package.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index a83385c..aa95e8f 100644
--- a/package.json
+++ b/package.json
@@ -40,5 +40,11 @@
 },
 "engines": {
 "node": ">=10.0.0"
- }
+ },
+ "keywords": [
+ "socket.io",
+ "postgres",
+ "postgresql",
+ "adapter"
+ ]
 }
From 580cec262f37305f5ae92aca62e2bf1d2f9e1741 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Baumeyer=20K=C3=A9vin?=
Date: Mon, 28 Jun 2021 08:04:51 +0200
Subject: [PATCH 3/6] fix: prevent SQL injection in the NOTIFY payload (#1)
---
 lib/index.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/index.ts b/lib/index.ts
index 4f1bf3e..f322f13 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -422,7 +422,10 @@ export class PostgresAdapter extends Adapter {
 document.type,
 this.channel
 );
- await this.pool.query(`NOTIFY "${this.channel}", '${payload}'`);
+ await this.pool.query(`SELECT pg_notify($1, $2)`, [
+ this.channel,
+ payload,
+ ]);
 this.scheduleHeartbeat();
 } catch (err) {
@@ -448,7 +451,7 @@ export class PostgresAdapter extends Adapter {
 type: document.type,
 attachmentId,
 });
- this.pool.query(`NOTIFY "${this.channel}", '${headerPayload}'`);
+ this.pool.query(`SELECT pg_notify($1, $2)`, [this.channel, headerPayload]);
 }
 /**
From db7537b9ff5da30aa0ada506e15839cc5389b2f8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 28 Jun 2021 08:05:19 +0200
Subject: [PATCH 4/6] chore(deps): bump ws from 7.4.5 to 7.4.6 (#2)
Bumps [ws](https://github.com/websockets/ws) from 7.4.5 to 7.4.6.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/7.4.5...7.4.6)
---
updated-dependencies:
- dependency-name: ws
 dependency-type: indirect
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b5ff6f1..5885984 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2231,9 +2231,9 @@
 }
 },
 "ws": {
- "version": "7.4.5",
- "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.5.tgz",
- "integrity": "sha512-xzyu3hFvomRfXKH8vOFMU3OguG6oOvhXMo3xsGy3xWExqaM2dxBbVxuD99O7m3ZUFMvvscsZDqxfgMaRr/Nr1g==",
+ "version": "7.4.6",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.6.tgz",
+ "integrity": "sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==",
 "dev": true
 },
 "xtend": {
From 01f8434f6a1469a5e856f7ebb853bafaed298dfa Mon Sep 17 00:00:00 2001
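Review bot: The new `this.pool.query(`SELECT pg_notify($1, $2)`, [this.channel, headerPayload]);` in the second hunk is still fired without `await` or a `.catch()`, so a rejected query surfaces as an unhandled promise rejection instead of reaching the `catch (err)` block that guards the equivalent call in the first hunk. With the `"node": ">=10.0.0"` engines range in package.json that means a silent warning on older runtimes and a process exit by default on Node 15 and later. The enclosing method of the second hunk starts and ends outside the hunk, so whether it is `async` and whether the call sits inside a try/catch is not visible here; if it is, `await this.pool.query(...)` inside the existing error handling would match the first hunk, otherwise attach a `.catch()` that routes the error to the adapter's error path. The injection fix itself is complete in both hunks; this is only about the failure mode of the notify.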
From: Damien Arrachequesne
Date: Mon, 28 Jun 2021 08:08:21 +0200
Subject: [PATCH 5/6] docs: fix the code example
The default value of the "tableName" option is "socket_io_attachments" and not "events".
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f907896..b900045 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ const pool = new Pool({
 });
 pool.query(`
- CREATE TABLE IF NOT EXISTS events (
+ CREATE TABLE IF NOT EXISTS socket_io_attachments (
 id bigserial UNIQUE,
 created_at timestamptz DEFAULT NOW(),
 payload bytea
From 19ca286799282ba42de14849e4867d8ab4e1058d Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Mon, 28 Jun 2021 08:25:01 +0200
Subject: [PATCH 6/6] chore(release): 0.1.1
Diff: https://github.com/socketio/socket.io-postgres-adapter/compare/0.1.0...0.1.1
---
 CHANGELOG.md | 8 ++++++++
 package-lock.json | 2 +-
 package.json | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8ed551..1cc02d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## [0.1.1](https://github.com/socketio/socket.io-postgres-adapter/compare/0.1.0...0.1.1) (2021-06-28)
+ + ### Bug Fixes + + * prevent SQL injection in the NOTIFY payload ([#1](https://github.com/socketio/socket.io-postgres-adapter/issues/1)) ([580cec2](https://github.com/socketio/socket.io-postgres-adapter/commit/580cec262f37305f5ae92aca62e2bf1d2f9e1741)) + + # 0.1.0 (2021-06-14) Initial commit
diff --git a/package-lock.json b/package-lock.json
index 5885984..7b59a20 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "@socket.io/postgres-adapter",
- "version": "0.1.0",
+ "version": "0.1.1",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index aa95e8f..352cdb7 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@socket.io/postgres-adapter",
- "version": "0.1.0",
+ "version": "0.1.1",
 "description": "The Socket.IO Postgres adapter, allowing to broadcast events between several Socket.IO servers",
 "license": "MIT",
 "repository": {