From 7008bd9ccfe6a21d66f44a4f536004ca3f40bd71 Mon Sep 17 00:00:00 2001
From: "Brian M. Carlson"
Date: Sat, 12 Aug 2017 16:04:29 -0500
Subject: [PATCH] Fix vulnerability
---
 lib/result.js | 12 ++++++++----
 package.json | 1 +
 test/integration/client/field-name-escape-tests.js | 10 ++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 test/integration/client/field-name-escape-tests.js
diff --git a/lib/result.js b/lib/result.js
index 8ec3de01..c2d8e3a2 100644
--- a/lib/result.js
+++ b/lib/result.js
@@ -1,4 +1,5 @@
 var types = require(__dirname + '/types/');
+var escape = require('js-string-escape');
 //result object returned from query
 //in the 'end' event and also
@@ -66,10 +67,13 @@ Result.prototype.addRow = function(row) {
 var inlineParser = function(fieldName, i) {
 return "\nthis['" +
- //fields containing single quotes will break
- //the evaluated javascript unless they are escaped
- //see https://github.com/brianc/node-postgres/issues/507
- fieldName.replace("'", "\\'") +
+ // fields containing single quotes will break
+ // the evaluated javascript unless they are escaped
+ // see https://github.com/brianc/node-postgres/issues/507
+ // Addendum: However, we need to make sure to replace all
+ // occurences of apostrophes, not just the first one.
+ // See https://github.com/brianc/node-postgres/issues/934
+ escape(fieldName) +
 "'] = " +
 "rowData[" + i + "] == null ? null : parsers[" + i + "](rowData[" + i + "]);";
 };
diff --git a/package.json b/package.json
index eaf78773..d19a70b6 100644
--- a/package.json
+++ b/package.json
@@ -20,6 +20,7 @@
 "dependencies": {
 "generic-pool": "2.0.3",
 "buffer-writer": "1.0.0",
+"js-string-escape": "1.0.1",
 "pgpass": "0.0.1",
 "nan": "~0.6.0"
 },
diff --git a/test/integration/client/field-name-escape-tests.js b/test/integration/client/field-name-escape-tests.js
new file mode 100644
index 00000000..146ad1b6
--- /dev/null
+++ b/test/integration/client/field-name-escape-tests.js
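Review bot: The addendum comment above `escape(fieldName)` in the second lib/result.js hunk still frames the problem as "replace all occurrences of apostrophes", but the bypass the new test exercises is a backslash: with the old `fieldName.replace("'", "\\'")`, an alias ending in `\'` became `\\'` in the generated source, i.e. an escaped backslash followed by an unescaped quote, so the rest of the alias was evaluated as code. js-string-escape also escapes backslashes and line terminators, which is the actual reason it is the right call here, so I would replace the addendum with a comment that states the contract and deters a future "simplification": `// fieldName is spliced into JavaScript source that is later evaluated, so every character that can terminate a string literal (quotes, backslashes, newlines and the Unicode line terminators) must be escaped — see issues 507 and 934. Do not reduce this back to a replace() of apostrophes.` The word "occurences" in the addendum is also misspelled. The site that evaluates this generated source is outside the hunk; longer term, passing the field names as data (for example `this[names[i]] = …` with `names` supplied as an argument to the generated function) would keep user-controlled text out of the generated code altogether and remove the dependence on the escaper being complete.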
@@ -0,0 +1,10 @@
+var pg = require('./test-helper').pg
+
+var sql = 'SELECT 1 AS "\\\'/*", 2 AS "\\\'*/\n + process.exit(-1)] = null;\n//"'
+
+var client = new pg.Client()
+client.connect()
+client.query(sql, function (err, res) {
+ if (err) throw err
+ client.end()
+})
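Review bot: The test only checks that the query does not error; `res` is never inspected, so a regression that mangles the alias without throwing (or escapes it into a different key) would still pass. The `process.exit(-1)` inside the payload covers the case where the injected text is executed, but not the case where the row is parsed under the wrong column name, so I would add a value check after `if (err) throw err`, e.g. `if (res.rows[0]['\\\'/*'] !== 1) throw new Error('escaped alias not preserved as a column name')`, and the equivalent check for the second alias. It would also be worth a one-line comment above `var sql` explaining that the aliases are chosen to break out of a single-quoted JavaScript string literal, since the intent of the string is not obvious to a reader who has not seen issue 934.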