From d6daaf1bdcfc44c51ccae83b3f533a7906889048 Mon Sep 17 00:00:00 2001
From: Christian Holm
Date: Mon, 8 Apr 2019 18:32:36 +0200
Subject: [PATCH] fix(query): add escape of null character for postgres bind parameters (#10716)

---
 lib/dialects/postgres/query.js | 9 ++++++---
 test/unit/sql/insert.test.js | 26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/lib/dialects/postgres/query.js b/lib/dialects/postgres/query.js
index 1b33c031c2db..f5c4d290199c 100644
--- a/lib/dialects/postgres/query.js
+++ b/lib/dialects/postgres/query.js
@@ -20,11 +20,14 @@ class Query extends AbstractQuery {
    * @private
    */
   static formatBindParameters(sql, values, dialect) {
-    let bindParam = [];
+    const stringReplaceFunc = value => typeof value === 'string' ? value.replace(/\0/g, '\\0') : value;
+
+    let bindParam;
     if (Array.isArray(values)) {
-      bindParam = values;
+      bindParam = values.map(stringReplaceFunc);
       sql = AbstractQuery.formatBindParameters(sql, values, dialect, { skipValueReplace: true })[0];
     } else {
+      bindParam = [];
       let i = 0;
       const seen = {};
       const replacementFunc = (match, key, values) => {
@@ -33,7 +36,7 @@ class Query extends AbstractQuery {
         }
         if (values[key] !== undefined) {
           i = i + 1;
-          bindParam.push(values[key]);
+          bindParam.push(stringReplaceFunc(values[key]));
           seen[key] = `$${i}`;
           return `$${i}`;
         }
diff --git a/test/unit/sql/insert.test.js b/test/unit/sql/insert.test.js
index 7e05640a5a34..3dadc05dfff9 100644
--- a/test/unit/sql/insert.test.js
+++ b/test/unit/sql/insert.test.js
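Review bot: `stringReplaceFunc` turns a NUL character into the two-character sequence backslash-zero, and because these values go out as bind parameters (data, not SQL text, as far as the hunk shows), the row ends up holding a literal `\0` rather than the original character — this is a silent, lossy substitution, not an escape, and a value that already contained the text `\0` becomes indistinguishable from one that contained NUL. If the goal is only to stop the server rejecting NUL in text values, say so on the helper, e.g. `// Postgres rejects NUL in text values; substitute the literal two-character sequence "\0". This changes the stored value and is not reversible.`, and consider whether raising an error is preferable to altering caller data without notice. The helper is also only applied to top-level strings, so strings nested inside array or object values pass through unchanged in both the `values.map(...)` branch and the `bindParam.push(...)` call in the second hunk of this file, which carries the same caveat. `formatBindParameters` continues past the end of the hunk.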
@@ -98,6 +98,32 @@ describe(Support.getTestDialectTeaser('SQL'), () => {
     });
   });
 
+  describe('strings', () => {
+    it('formats null characters correctly when inserting', () => {
+      const User = Support.sequelize.define('user', {
+        username: {
+          type: DataTypes.STRING,
+          field: 'user_name'
+        }
+      }, {
+        timestamps: false
+      });
+
+      expectsql(sql.insertQuery(User.tableName, { user_name: 'null\0test' }, User.rawAttributes),
+        {
+          query: {
+            postgres: 'INSERT INTO "users" ("user_name") VALUES ($1);',
+            mssql: 'INSERT INTO [users] ([user_name]) VALUES ($1);',
+            default: 'INSERT INTO `users` (`user_name`) VALUES ($1);'
+          },
+          bind: {
+            postgres: ['null\u0000test'],
+            default: ['null\0test']
+          }
+        });
+    });
+  });
+
   describe('bulkCreate', () => {
     it('bulk create with onDuplicateKeyUpdate', () => {
       const User = Support.sequelize.define('user', {
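Review bot: The `postgres` bind expectation `'null\u0000test'` is the same JavaScript string as the `default` expectation `'null\0test'`, so this test does not pin the backslash-zero substitution added in lib/dialects/postgres/query.js; it only shows `insertQuery` leaving the NUL untouched, unless `expectsql` routes bind values through `Query.formatBindParameters` for postgres, which is not visible here. A direct unit test that calls the postgres `Query.formatBindParameters` with `['null\0test']` and asserts the returned bind array deep-equals `['null\\0test']` would actually exercise the change and document that the stored value differs from the input. The enclosing `describe` block starts and ends outside the hunk.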