Tags: prest/prest
fix(postgres): prevent SQL injection in `tsquery` operator (#940)

Added identifier validation and single-quote escaping for tsquery fields and config in WhereByRequest, ensuring user input cannot inject SQL via tsquery operator. This closes a potential SQL injection vector when using the tsquery filter in table queries.

Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
fix(security): unify identifier validation; enforce in templates, groupby, and path params to prevent SQLi (fixes #937, GHSA-p46v-f2x8-qp98) (#938)

* fix(security): unify identifier validation; enforce in templates, groupby, and path params to prevent SQLi (fixes #937, GHSA-p46v-f2x8-qp98)
  Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
* security: centralize strict identifier validation, add IsSafeSegment for path, harden groupby and adapter quoting
  Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
* security(GHSA-p46v-f2x8-qp98): centralize identifier validation, harden _groupby, and allow safe path segments
  Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
* feat(postgres): support PREST_QUERIES_LOCATION and harden identifier quoting
  Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
* add tests for Quote and IsSafeSegment

---------

Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
Co-authored-by: Arthur Silva <arxdsilva@gmail.com>
fix(postgres): improve `_returning` param handling for SQL injection safety (#935)

- Refactored `ReturningByRequest` to properly quote identifiers in the `_returning` query param, preventing SQL injection.
- Now supports dot notation _(e.g., `schema.table.column`)_ by quoting each part.
- Returns error if invalid identifier is detected.
- Adds test coverage for new behavior.

Refs [#GHSA-p46v-f2x8-qp98](GHSA-p46v-f2x8-qp98)

Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
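The three fixes above share one pattern: user-supplied identifiers (tsquery fields and config, `_groupby` columns, `_returning` targets, path segments) are validated against a strict allow-list and then quoted part by part, while free text is emitted only as an escaped string literal. The Go block below is an added illustration of that pattern written for this page; it is not prest's code and does not reproduce its `WhereByRequest`, `ReturningByRequest`, `Quote` or `IsSafeSegment` functions. The identifier regexp, the three-part limit on dotted references, the function names and the shape of the tsquery predicate are all assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe is the assumed allow-list for one SQL identifier: an ASCII letter
// or underscore followed by letters, digits or underscores. Anything else
// (quotes, semicolons, spaces, comment markers) is rejected before quoting.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ErrInvalidIdentifier is returned whenever a caller-supplied name fails
// validation; callers should turn it into an HTTP 400, never into SQL.
var ErrInvalidIdentifier = errors.New("invalid SQL identifier")

// QuoteIdentifier validates a single identifier and wraps it in double
// quotes. Because the allow-list excludes the double quote itself, no
// escaping of the quoted form is needed.
func QuoteIdentifier(s string) (string, error) {
	if !identRe.MatchString(s) {
		return "", fmt.Errorf("%w: %q", ErrInvalidIdentifier, s)
	}
	return `"` + s + `"`, nil
}

// QuoteDotted validates and quotes each part of a dotted reference such as
// schema.table.column, so public.users.name becomes "public"."users"."name".
// The three-part ceiling (schema.table.column) is an assumption of this
// example.
func QuoteDotted(ref string) (string, error) {
	parts := strings.Split(ref, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return "", fmt.Errorf("%w: bad part count in %q", ErrInvalidIdentifier, ref)
	}
	quoted := make([]string, 0, len(parts))
	for _, p := range parts {
		q, err := QuoteIdentifier(p)
		if err != nil {
			return "", err
		}
		quoted = append(quoted, q)
	}
	return strings.Join(quoted, "."), nil
}

// EscapeLiteral renders free text as a single-quoted SQL string literal by
// doubling embedded single quotes. Used for values, never for identifiers.
func EscapeLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// TsqueryWhere builds a full-text predicate. The field is an identifier
// (validated and quoted), the text-search config is validated against the
// identifier allow-list but emitted as a literal (regconfig), and the search
// text is escaped as a literal. The predicate shape is this example's choice.
func TsqueryWhere(field, config, text string) (string, error) {
	f, err := QuoteDotted(field)
	if err != nil {
		return "", err
	}
	if !identRe.MatchString(config) {
		return "", fmt.Errorf("%w: tsquery config %q", ErrInvalidIdentifier, config)
	}
	c := EscapeLiteral(config)
	return fmt.Sprintf("to_tsvector(%s, %s) @@ to_tsquery(%s, %s)",
		c, f, c, EscapeLiteral(text)), nil
}

func main() {
	// Constructed inputs: one benign _returning value and one injection attempt.
	for _, ref := range []string{"public.users.name", `id"; DROP TABLE users; --`} {
		q, err := QuoteDotted(ref)
		fmt.Printf("%-30q -> %q err=%v\n", ref, q, err)
	}
	w, err := TsqueryWhere("body", "english", "foo' OR 1=1 --")
	fmt.Println(w, err)
}
```

The point of keeping validation and quoting in one place, as the second commit describes, is that every code path that turns a request parameter into SQL (templates, `_groupby`, `_returning`, path params) gets the same allow-list; a second, looser check in one adapter is exactly where an injection vector survives.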
refactor: remove deprecated SSL fields and update config parsing for PostgreSQL (#919)

* refactor: remove deprecated SSL fields and update config parsing for PostgreSQL
* refactor: update SSL mode configuration and clean up test data
* refactor: modularize configuration parsing into dedicated functions
* test: improve HTTP port tests and update PGSSLMode assertion
* refactor: enhance test verbosity and remove unused default configuration
* remove unwanted change
* refactor: move HTTPS configuration parsing to the appropriate function
Bump github.com/lestrrat-go/jwx/v2 from 2.0.20 to 2.0.21 (#877)

Bumps [github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from 2.0.20 to 2.0.21.
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes)
- [Commits](lestrrat-go/jwx@v2.0.20...v2.0.21)

---
updated-dependencies:
- dependency-name: github.com/lestrrat-go/jwx/v2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>