Announcements

2020-02-25

pg@8.0 release

pg@8.0 is being released which contains a handful of breaking changes.

I will outline each breaking change here and try to give some historical context on them. Most of them are small and subtle and likely won't impact you; however, there is one larger breaking change you will likely run into:


  • Support all tls.connect options being passed to the client/pool constructor under the ssl option.

Previously we white-listed the parameters passed here and did slight massaging of some of them. The main breaking change here is that now if you do this:

const client = new Client({ ssl: true })

Now we will use the default ssl options to tls.connect which includes rejectUnauthorized being enabled. This means your connection attempt may fail if you are using a self-signed cert. To use the old behavior you should do this:

const client = new Client({ ssl: { rejectUnauthorized: false } })

This makes pg a bit more secure "out of the box" while still enabling you to opt in to the old behavior. Keep in mind that rejectUnauthorized: false turns certificate verification off entirely, so the connection is encrypted but the server is not authenticated; if the server uses a self-signed or private-CA certificate, passing that CA in ssl.ca keeps verification on while still accepting the certificate.
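Since pg@8 hands the ssl object to tls.connect unchanged, the practical question is what to put in it. The following is an added example, not pg's own option parsing: a small builder that maps sslmode-style names (the names and their mapping are this example's own, loosely modelled on libpq's) to tls.connect options, and a linter that flags an ssl value that weakens server authentication before it reaches new Client({ ssl }). EXAMPLE_CA_PEM is a constructed placeholder, not a real certificate; caPem and servername are assumed inputs.

```javascript
// Added example (not pg's own code): building and auditing the object
// that pg@8 forwards unchanged to tls.connect as the `ssl` option.

// Constructed placeholder standing in for the PEM of the CA that signed
// the server certificate; not a real certificate.
const EXAMPLE_CA_PEM =
  '-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n'

// Mode names are this example's own, loosely modelled on libpq's sslmode.
function sslOptionsFor(mode, { caPem, servername } = {}) {
  switch (mode) {
    case 'disable':
      // Plaintext: pg will not start TLS at all.
      return false
    case 'no-verify':
      // The pg@7 behaviour: encrypted, but any certificate is accepted, so an
      // on-path attacker can present their own certificate and read traffic.
      return { rejectUnauthorized: false }
    case 'verify-full':
      if (typeof caPem !== 'string' || !caPem.includes('-----BEGIN CERTIFICATE-----')) {
        throw new Error('verify-full needs the CA certificate (caPem) in PEM form')
      }
      return {
        rejectUnauthorized: true, // tls.connect's default, and now pg's default too
        ca: caPem,                // trust only this CA, e.g. for a self-signed server cert
        servername,               // name the certificate must match
        minVersion: 'TLSv1.2',
      }
    default:
      throw new Error(`unknown ssl mode: ${mode}`)
  }
}

// Lint an `ssl` value before handing it to new Client({ ssl }). Returns a
// list of findings; an empty list means nothing weakens verification.
function auditSslOption(ssl) {
  const findings = []
  if (ssl === false || ssl === undefined) {
    findings.push('TLS disabled: credentials and data travel in plaintext')
    return findings
  }
  if (ssl === true) return findings // tls.connect defaults: verify against the system CA store
  if (ssl.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized: false accepts any certificate (no server authentication)')
  }
  if (typeof ssl.checkServerIdentity === 'function') {
    // tls.connect calls checkServerIdentity(servername, cert); returning
    // undefined means "ok", so an override is usually a hostname-check bypass.
    findings.push('custom checkServerIdentity overrides the hostname check')
  }
  if (ssl.ca !== undefined && !String(ssl.ca).includes('-----BEGIN CERTIFICATE-----')) {
    findings.push('ca is set but does not look like a PEM certificate')
  }
  return findings
}
```

The usual deployment shape is `new Client({ ssl: sslOptionsFor('verify-full', { caPem, servername }) })`, with `auditSslOption` run in a startup self-check so that a `rejectUnauthorized: false` copied from a pg@7 setup fails loudly instead of silently disabling authentication.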


The rest of the changes are relatively minor & you likely won't need to do anything, but good to be aware nonetheless!

  • change default database name

If a database name is not specified, available in the environment at PGDATABASE, or available at pg.defaults, we used to use the username of the process user as the name of the database. Now we will use the user property supplied to the client as the database name, if it exists. What this means is this:

new Client({
  user: 'foo',
})

pg@7.x will default the database name to the process user. pg@8.x will use the user property supplied to the client ('foo' here). If you have not supplied user to the client, and it isn't available through any of its existing lookup mechanisms (environment variables, pg.defaults) then it will still use the process user for the database name.

  • drop support for versions of node older than 8.0

Node@6.0 has been out of LTS for quite some time now, and I've removed it from our test matrix. pg@8.0 may still work on older versions of node, but it isn't a goal of the project anymore. Node@8.0 is actually no longer in the LTS support line, but pg will continue to test against and support 8.0 until there is a compelling reason to drop support for it. Any security vulnerability issues which come up I will back-port fixes to the pg@7.x line and do a release, but any other fixes or improvements will not be back-ported.

  • prevent password from being logged accidentally

pg@8.0 makes the password field on the pool and client non-enumerable. This means when you do console.log(client) you won't have your database password printed out unintentionally. You can still do console.log(client.password) if you really want to see it! Non-enumerable also means JSON.stringify(client), Object.keys(client) and object spread skip the field, while util.inspect(client, { showHidden: true }) still shows it.

  • make pg.native non-enumerable

You can use pg.native.Client to access the native client. The first time you access the pg.native getter it imports the native bindings...which must be installed. In some cases (such as webpacking the pg code for lambda deployment) the .native property would be traversed and trigger an import of the native bindings as a side-effect. Making this property non-enumerable fixes this issue. An easy fix, but it's technically a breaking change in cases where people are relying on this side effect for any reason.
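Both of the previous two items rely on the same JavaScript mechanism: an own property defined with enumerable: false is readable by name but skipped by everything that walks an object's keys. The following added example (not pg's code; the Client class and the fake binding loader are constructed for the demonstration) shows a non-enumerable password field, a lazy non-enumerable getter whose loader is counted so that enumeration provably does not trigger it, and the remaining ways the hidden values are still reachable.

```javascript
// Added illustration of the technique behind pg@8's non-enumerable
// `password` and `pg.native`. Not pg's code.

class Client {
  constructor({ user, password }) {
    this.user = user
    // Own, readable and writable, but not enumerable: console.log,
    // JSON.stringify, Object.keys, for...in and object spread all skip it.
    Object.defineProperty(this, 'password', {
      value: password,
      enumerable: false,
      writable: true,
      configurable: true,
    })
  }
}

// A module-like object with a lazy, non-enumerable `native` getter.
// `loadBinding` stands in for requiring an optional native addon; `loads`
// counts how many times it ran.
function makeModule(loadBinding) {
  const mod = { Client, loads: 0 }
  Object.defineProperty(mod, 'native', {
    enumerable: false,
    configurable: true,
    get() {
      mod.loads += 1
      const binding = loadBinding()
      // Cache: replace the getter with a plain (still hidden) data property.
      Object.defineProperty(mod, 'native', {
        value: binding,
        enumerable: false,
        configurable: true,
      })
      return binding
    },
  })
  return mod
}

// What a log line, a JSON dump and a shallow copy see versus direct access.
function inspectClient() {
  const client = new Client({ user: 'app', password: 'hunter2' })
  return {
    keys: Object.keys(client),
    json: JSON.stringify(client),
    spreadHasPassword: 'password' in { ...client },
    directAccess: client.password,
    // util.inspect(client, { showHidden: true }) would still print it;
    // non-enumerable is a guard against accidental logging, not a secret store.
  }
}

// Enumerating the module (what a bundler's static walk or Object.assign
// does) must not run the loader; explicit access runs it exactly once.
function enumerateModule() {
  const mod = makeModule(() => ({ Client: class NativeClient {} }))
  const seenKeys = []
  for (const k in mod) seenKeys.push(k)
  JSON.stringify(mod)
  Object.assign({}, mod)
  const loadsAfterEnumeration = mod.loads
  const native = mod.native // explicit access loads the binding
  void mod.native           // second access is served from the cache
  return {
    seenKeys,
    loadsAfterEnumeration,
    loadsAfterAccess: mod.loads,
    hasNativeClient: typeof native.Client === 'function',
  }
}
```

The flip side is the breaking-change note above: any code that copied a client's settings with spread, Object.assign or JSON will no longer pick up the password, and must read client.password explicitly.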

  • make pg.Pool an es6 class

This makes extending pg.Pool possible. Previously it was not a "proper" es6 class and class MyPool extends pg.Pool wouldn't work.

  • make Notice messages not an instance of a JavaScript error

The code path for parsing notice and error messages from the postgres backend is the same. Previously it created a JavaScript Error instance for both of these message types. Now, only actual errors from the postgres backend will be an instance of an Error. The shape and properties of the two messages did not change outside of this.

  • monorepo

While not technically a breaking change for the module itself, I have begun the process of consolidating separate repos into the main repo and converted it into a monorepo managed by lerna. This will help me stay on top of issues better (it was hard to bounce between 3-4 separate repos) and coordinate bug fixes and changes between dependent modules.

Thanks for reading that! pg tries to be super pedantic about not breaking backwards-compatibility in non semver-major releases....even for seemingly small things. If you ever notice a breaking change on a semver minor/patch release please stop by the repo and open an issue!

If you find pg valuable to you or your business please consider supporting its continued development! Big performance improvements, typescript, better docs, query pipelining and more are all in the works!

2019-07-18

New documentation

After a very long time on my todo list I've ported the docs from my old hand-rolled webapp running on route53 + elb + ec2 + dokku (I know, I went overboard!) to gatsby hosted on netlify which is so much easier to manage. I've released the code at https://github.com/brianc/node-postgres-docs and invite your contributions! Let's make this documentation better together. Any time changes are merged to master on the documentation repo it will automatically deploy.

If you see an error in the docs, big or small, use the "edit on GitHub" button to edit the page & submit a pull request right there. I'll get a new version out ASAP with your changes! If you want to add new pages of documentation open an issue if you need guidance, and I'll help you get started.

I want to extend a special thank you to all the supporters and contributors to the project that have helped keep me going through times of burnout or life "getting in the way." ❤️

It's been quite a journey, and I look forward to continuing it for as long as I can provide value to all y'all. 🤠

2017-08-12

code execution vulnerability

Today @sehrope found and reported a code execution vulnerability in node-postgres. This affects all versions from pg@2.x through pg@7.1.0.

I have published a fix on the tip of each major version branch of all affected versions as well as a fix on each minor version branch of pg@6.x and pg@7.x:

Fixes

The following versions have been published to npm & contain a patch to fix the vulnerability:

pg@2.11.2
pg@3.6.4
pg@4.5.7
pg@5.2.1
pg@6.0.5
pg@6.1.6
pg@6.2.5
pg@6.3.3
pg@6.4.2
pg@7.0.3
pg@7.1.2

Example

To demonstrate the issue & see if you are vulnerable execute the following in node:

import pg from 'pg'
const { Client } = pg
// Connection settings come from the usual PG* environment variables.
const client = new Client()
client.connect()

// Two column aliases that, on a vulnerable version, break out of the
// row-parsing code pg generates: the first opens a comment, the second
// closes it and appends arbitrary JavaScript.
const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  client.end()
})

You will see your environment variables printed to your console. An attacker can use this exploit to execute arbitrary node code within your process. The root cause is that the column names returned by the server are spliced into JavaScript source that pg generates at runtime (via new Function) to turn result rows into objects, so a name that closes the generated string literal and opens a comment is executed as code.
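The mechanism behind the payload above, as an added example that is not node-postgres's own code: a row mapper that splices column names into JavaScript compiled with new Function and escapes only the quote character (modelled on the flaw class, not copied from pg), next to two versions that are not exploitable. The column names are constructed to have the same shape as the advisory's payload, but the injected expression sets a flag on the row array instead of printing process.env, so the outcome can be checked programmatically.

```javascript
// Added illustration (not node-postgres's code) of how a column name
// interpolated into generated JavaScript becomes code execution, and of
// two row mappers that do not have this flaw.

// 1. UNSAFE: compile a per-query row mapper with `new Function`, splicing
//    each column name into a single-quoted string literal and escaping only
//    the quote. A backslash in the name escapes the escape, so `\'` closes
//    the literal and the remainder of the name is parsed as code.
function buildUnsafeRowParser(fieldNames) {
  let body = ''
  fieldNames.forEach((name, i) => {
    body +=
      "\nthis['" + name.replace(/'/g, "\\'") + "'] = " +
      `rowData[${i}] == null ? null : parsers[${i}](rowData[${i}]);`
  })
  const parse = new Function('rowData', 'parsers', body)
  return (rowData, parsers) => {
    const row = {}
    parse.call(row, rowData, parsers)
    return row
  }
}

// 2. STILL CODEGEN, BUT ESCAPED: if a generated function is wanted for
//    speed, emit the key with JSON.stringify, which yields a complete,
//    correctly escaped JavaScript string literal for any column name.
function buildEscapedRowParser(fieldNames) {
  let body = ''
  fieldNames.forEach((name, i) => {
    body +=
      `\nthis[${JSON.stringify(name)}] = ` +
      `rowData[${i}] == null ? null : parsers[${i}](rowData[${i}]);`
  })
  const parse = new Function('rowData', 'parsers', body)
  return (rowData, parsers) => {
    const row = {}
    parse.call(row, rowData, parsers)
    return row
  }
}

// 3. NO CODEGEN: a plain loop. Column names are only ever used as property
//    keys, never as source text. Object.create(null) additionally keeps a
//    column literally named "__proto__" from rewriting the row's prototype.
function parseRowWithoutCodegen(fieldNames, parsers, rowData) {
  const row = Object.create(null)
  for (let i = 0; i < fieldNames.length; i++) {
    row[fieldNames[i]] = rowData[i] == null ? null : parsers[i](rowData[i])
  }
  return row
}

// Constructed column names with the same shape as the advisory's payload;
// the injected expression marks the rowData array instead of printing
// process.env so the effect can be observed without side effects.
const MALICIOUS_FIELDS = [
  "\\'/*",
  "\\'*/\n + (rowData.injected = true)] = null;\n//",
]

function demonstrate() {
  const parsers = [String, String]
  const freshRow = () => ['1', '2']

  const unsafeInput = freshRow()
  const unsafeRow = buildUnsafeRowParser(MALICIOUS_FIELDS)(unsafeInput, parsers)

  const escapedInput = freshRow()
  const escapedRow = buildEscapedRowParser(MALICIOUS_FIELDS)(escapedInput, parsers)

  const safeInput = freshRow()
  const safeRow = parseRowWithoutCodegen(MALICIOUS_FIELDS, parsers, safeInput)

  // Benign names behave identically in all three mappers.
  const benignRow = buildUnsafeRowParser(['id', 'name'])(['7', 'x'], parsers)

  return {
    unsafeInjectedCodeRan: unsafeInput.injected === true,
    unsafeKeys: Object.keys(unsafeRow),
    escapedInjectedCodeRan: escapedInput.injected === true,
    escapedKeys: Object.keys(escapedRow),
    safeInjectedCodeRan: safeInput.injected === true,
    safeKeys: Object.keys(safeRow),
    benignKeys: Object.keys(benignRow),
  }
}
```

With the malicious names the unsafe mapper runs the injected expression and produces a single bogus key ("\\true", the closed literal concatenated with the expression's value); the escaped and loop-based mappers both produce exactly the two column names as keys and never evaluate anything. Of the two fixes, the loop is preferable: it removes the code generation step entirely, so there is no escaping to get wrong.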

Impact

This vulnerability likely does not impact you if you are connecting to a database you control and not executing user-supplied sql. Still, you should absolutely upgrade to the most recent patch version as soon as possible to be safe.

Two attack vectors we quickly thought of:

  • 1 - executing unsafe, user-supplied sql which contains a malicious column name like the one above.

  • 2 - connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Note that parameterized queries do not help with the second vector: the column names come from the server's response, so a table or view defined with a malicious column name on a hostile or compromised database is enough.

Support

I have created an issue you can use to discuss the vulnerability with me or ask questions, and I have reported this issue on twitter and directly to Heroku and nodesecurity.io.

I take security very seriously. If you or your company benefit from node-postgres please sponsor my work: this type of issue is one of the many things I am responsible for, and I want to be able to continue to tirelessly provide a world-class PostgreSQL experience in node for years to come.

Last updated on August 24, 2024