fix(postgres): check and enable standard conforming strings when required #10746
Conversation
Codecov Report

@@            Coverage Diff             @@
##           master   #10746      +/-   ##
==========================================
+ Coverage   96.31%   96.33%   +0.01%
==========================================
  Files          93       93
  Lines        8980     8993      +13
==========================================
+ Hits         8649     8663      +14
+ Misses        331      330       -1

Continue to review full report at Codecov.
Can we test this?
This appears to fix the security issue
Thanks @maxdos64 for reporting this issue

🎉 This PR is included in version 5.3.0 🎉 The release is available on:

Your semantic-release bot 📦🚀
"error":{"message":"unrecognized configuration parameter \"standard_conforming_strings\"","stack":"error: unrecognized configuration parameter \"standard_conforming_strings\"\n

After this update I'm getting this error when using Sequelize with Amazon Redshift.

Is there a write up of the security issue?

Will a new v4 release be released that includes this security fix?
There is a CVE connected to the issue:
@maxdos64 The CVE is light on details (all I see is "Sequelize before 5.3.0 does not properly ensure that standard conforming strings are used."). Is this only an issue if |
will you be patching the v4 with the security fix? |
v4 and v3 are not affected; someone reported that CVE incorrectly. I have asked for an update to the CVE and am waiting for a reply from MITRE.
This issue only affects Postgres with |
@gabegorelick I am unsure if it is ok to publish the PoC in this thread. |
@maxdos64 I see no problem with that as the patch is already out |
Alright :) If you have more questions please don't hesitate to email me at maximilian.tschirschnitz@gmail.com |
@sushantdhiman Seems like the version range in the CVE was fixed: https://nvd.nist.gov/vuln/detail/CVE-2019-11069#VulnChangeHistorySection
Pull Request check-list

Please make sure to review and check all of these items:

Does npm run test or npm run test-DIALECT pass with this change (including linting)?

Description of change

This enables Sequelize to set standard_conforming_strings = on whenever it is disabled, regardless of Postgres version. This fixes a security issue. It saves one extra query for the Postgres version per connection, which is available via parameterStatus as server_version.
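The description above says what the fix does but not why the setting matters. The following is an added example, not Sequelize's own code and not the patch in this PR: it models how PostgreSQL scans a single-quoted literal with standard_conforming_strings on versus off, shows that an escaper which only doubles single quotes is bypassed in the off mode, and sketches the per-connection check the PR describes. The parser is a deliberately small model of the lexer, the attacker input is constructed, and the shape of the ParameterStatus map passed to setupStatements is an assumption (PostgreSQL does report standard_conforming_strings among its ParameterStatus parameters, but real drivers expose it differently).

```javascript
// Added example, not Sequelize's own code. Models why a quote-doubling escaper
// is only safe when standard_conforming_strings is on, and the per-connection
// check the PR describes. Function names below are illustrative.

// Escaper that only doubles single quotes. Safe under standard-conforming
// strings; unsafe when the server treats backslash as an escape character.
function escapeQuoteOnly(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Minimal model of how the PostgreSQL lexer scans a plain single-quoted
// literal whose opening quote is at index `start`.
//   scsOn = true : backslash is an ordinary character; only '' escapes a quote.
//   scsOn = false: backslash also escapes the next character (legacy mode).
// Returns the index just past the closing quote, or -1 if unterminated.
function literalEnd(sql, start, scsOn) {
  let i = start + 1; // skip the opening quote
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && !scsOn) {
      i += 2; // backslash-escaped character, including \'
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // doubled quote inside the literal
        continue;
      }
      return i + 1; // closing quote
    }
    i++;
  }
  return -1;
}

// Split `sql` into its first literal and whatever the server reads after it.
function splitAfterLiteral(sql, scsOn) {
  const start = sql.indexOf("'");
  if (start < 0) return { literal: null, rest: sql };
  const end = literalEnd(sql, start, scsOn);
  if (end < 0) return { literal: null, rest: null };
  return { literal: sql.slice(start, end), rest: sql.slice(end) };
}

function buildQuery(name) {
  return "SELECT * FROM users WHERE name = " + escapeQuoteOnly(name) + ";";
}

// Constructed attacker input: a backslash, a quote, then a payload. The
// escaper turns \' into \'' ; with the setting off the server reads \' as an
// escaped quote and the next ' as the closing quote, so the payload escapes.
const ATTACK = "\\' OR 1=1 --";

// Statements to run at connection setup, given the key/value pairs the server
// sent in its ParameterStatus messages (assumed here to be a plain object).
function setupStatements(params) {
  const current = String(params.standard_conforming_strings || "").toLowerCase();
  return current === "on" ? [] : ["SET standard_conforming_strings = on;"];
}

// Walk-through when run directly.
const query = buildQuery(ATTACK);
for (const scsOn of [true, false]) {
  const { literal, rest } = splitAfterLiteral(query, scsOn);
  console.log(
    `standard_conforming_strings=${scsOn ? "on" : "off"}: literal=${literal} rest=${rest}`
  );
}
```

With the setting on, the whole escaped value is one literal and the statement ends at the `;`. With it off, the literal closes after the backslash-escaped quote and the remainder ` OR 1=1 --';` becomes part of the query, with `--` discarding the trailing quote. Note the caveat raised later in this thread: on Amazon Redshift the SET statement is rejected with "unrecognized configuration parameter", so a connection hook that issues it unconditionally must be prepared for that error. Bound parameters avoid the problem altogether, since the value never passes through the lexer as a literal.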