fix: sanitize NOTIFY channel name to prevent SQL injection #241

New issue

Closed

opened 2026-03-10 17:26:32 +00:00 by ash · 0 comments

ash commented 2026-03-10 17:26:32 +00:00

Owner

Copy link

Problem

pgstore/notifier.go uses fmt.Sprintf("NOTIFY %s", channel) — if channel name contains SQL, it could be injected. Low risk (app-configured) but sloppy.

Solution

Validate channel name is [a-zA-Z0-9_] only. Reject or sanitize on construction.

Pillar: Security

## Problem `pgstore/notifier.go` uses `fmt.Sprintf("NOTIFY %s", channel)` — if channel name contains SQL, it could be injected. Low risk (app-configured) but sloppy. ## Solution Validate channel name is `[a-zA-Z0-9_]` only. Reject or sanitize on construction. ## Pillar: Security

ash referenced this issue from a commit 2026-03-10 18:13:31 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

ash closed this issue 2026-03-10 18:13:31 +00:00

ash referenced this issue from a commit 2026-03-10 18:17:24 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

ash referenced this issue from a commit 2026-03-10 19:17:37 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

ash referenced this issue from a commit 2026-03-10 19:18:06 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

ash referenced this issue from a commit 2026-03-10 19:21:01 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

ash referenced this issue from a commit 2026-03-10 19:23:54 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

ash referenced this issue from a commit 2026-03-10 19:29:19 +00:00

fix: add stream_type to Delete/Tombstone/Snapshot/AdvisoryLock + sanitize NOTIFY channel — Closes #240, Closes #241

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels   

bug

  

documentation

  

enhancement

  

investigation

  

nice-to-have

  

performance

  

production-ready

  

testing

No labels

bug

documentation

enhancement

investigation

nice-to-have

performance

production-ready

testing

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ash/eskit#241

No description provided.