
fix(gel-core): patch escapeName per GHSA-gpj5-g38j-94v9 (incomplete fix in 0.45.2)#5865

Draft
sravan27 wants to merge 1 commit into drizzle-team:main from sravan27:fix-gel-core-escapeName-cve-incomplete

Conversation


@sravan27 sravan27 commented Jun 9, 2026


Summary

The 0.45.2 security release (GHSA-gpj5-g38j-94v9) advertised SQL-identifier-escape fixes for the PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects. The actual patch commit (273c780) only touched the first four. The Gel dialect escapeName is still

escapeName(name: string): string {
  return `"${name}"`;
}

which is the pre-CVE shape that allows the same identifier-delimiter SQL injection the parent advisory documents. This PR brings the Gel dialect in line with the other four — one line, the same replace(/"/g, ) pattern.

Repro

Confirmed against drizzle-orm@0.45.2 published tarball (package/gel-core/dialect.cjs still ships the unpatched version):

// Unpatched gel-core shape: the identifier delimiter is not escaped at all.
function gelEscapeName(name) { return `"${name}"`; }
// Patched pg-core shape: every embedded `"` is doubled, so it stays inside the identifier.
function pgEscapeName(name)  { return `"${name.replace(/"/g, '""')}"`; }

const attackerInput = `id"; DROP TABLE users; --`;
console.log(gelEscapeName(attackerInput)); // → "id"; DROP TABLE users; --"
console.log(pgEscapeName(attackerInput));  // → "id""; DROP TABLE users; --"

Same shape as the advisory: any application that pipes an attacker-controlled value through sql.identifier() or .as() (dynamic sort fields, dynamic alias names, CTE naming from request params) can break out of the quoted identifier on the Gel dialect even after upgrading to 0.45.2.

Disclosure note

Reported privately to security@drizzle.team first; happy to coordinate timing on the public merge / release. Filing as a draft-style PR with the one-line fix to make it easy to land alongside whatever Gel-specific test you would prefer. If a security-track release is the preferred path I can close this PR and move it to the Security Advisories flow.

Patch

- escapeName(name: string): string {
-   return `"${name}"`;
- }
+ escapeName(name: string): string {
+   return `"${name.replace(/"/g, )}"`;
+ }
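Review bot: the replacement argument in `name.replace(/"/g, )` on the added `return` line is empty, so the call is made with a single argument; TypeScript rejects that at compile time, and if it were emitted as JavaScript the replacement would be `undefined`, which `String.prototype.replace` stringifies as the literal text `undefined` in place of each `"` rather than doubling it. The commit message gives the intended form, `return `"${name.replace(/"/g, '""')}"`;`, matching the other four dialects, and the hunk should carry exactly that. Since the point of the change is to close a regression gap, the Gel fixture mentioned under "Suggested regression test" belongs in this same commit rather than a follow-up, so the fix cannot land without the test that would have caught the 0.45.2 omission.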

Suggested regression test

If the existing escape test for pg-core covers the basic shape, the same fixture against the GelDialect would catch a future regression. Happy to add it in a follow-up commit.
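The following is an added example, not code from drizzle-orm or from this PR. It makes the regression check the description asks for concrete: it pairs the patched escaping rule (doubling the delimiter) with a small tokenizer that reads a quoted identifier the way a SQL lexer does, and asserts that escaping round-trips and that the lexer consumes the entire escaped output, so nothing is left over after the closing quote. The unpatched form is kept only as the negative case. Function names (`escapeIdentifier`, `readQuotedIdentifier`, `identifierStaysContained`, `runChecks`) and the sample list are this example's own, and the sample inputs are constructed.

```javascript
// Added example (not drizzle-orm code): identifier escaping by delimiter doubling,
// its inverse, and a containment check usable as a regression test.

// Patched shape: every embedded `"` becomes `""`, which a SQL lexer reads as one literal quote.
function escapeIdentifier(name) {
  return `"${name.replace(/"/g, '""')}"`;
}

// Unpatched shape (the pre-fix gel-core behaviour), kept only as the negative case.
function escapeIdentifierUnpatched(name) {
  return `"${name}"`;
}

// Reads one double-quoted identifier from the start of `sql`, treating `""` as an
// escaped literal quote. Returns the decoded name and the number of characters
// consumed, or null when no well-formed identifier starts at position 0.
function readQuotedIdentifier(sql) {
  if (sql[0] !== '"') return null;
  let out = "";
  let i = 1;
  while (i < sql.length) {
    if (sql[i] === '"') {
      if (sql[i + 1] === '"') { out += '"'; i += 2; continue; } // escaped quote
      return { name: out, consumed: i + 1 };                    // closing delimiter
    }
    out += sql[i];
    i++;
  }
  return null; // unterminated identifier
}

// The property a correct escapeName must satisfy: the lexer recovers exactly the
// original name and consumes the whole output, so no trailing text can reach the
// parser as separate SQL.
function identifierStaysContained(escapeFn, name) {
  const quoted = escapeFn(name);
  const parsed = readQuotedIdentifier(quoted);
  return parsed !== null && parsed.name === name && parsed.consumed === quoted.length;
}

// Constructed sample inputs: a plain name, the delimiter-breakout string from the
// PR description, a lone quote, and a name that already contains a doubled quote.
const samples = [
  'users',
  'id"; DROP TABLE users; --',
  '"',
  'a""b',
];

// Runs the containment check for both shapes over every sample.
function runChecks() {
  return samples.map((s) => ({
    input: s,
    patched: identifierStaysContained(escapeIdentifier, s),
    unpatched: identifierStaysContained(escapeIdentifierUnpatched, s),
  }));
}

for (const r of runChecks()) {
  console.log(JSON.stringify(r));
}
```

The fixture that matters is the second sample: the patched shape passes, while the unpatched shape returns `id` after consuming four characters, leaving `; DROP TABLE users; --"` outside the identifier. The last sample shows a quieter failure of the unpatched form: it stays contained but decodes to a different name, which is why the check compares the recovered name and not just the consumed length.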

…ix in 0.45.2)

The 0.45.2 security release advertised the SQL identifier escaping fix
for the PostgreSQL, MySQL, SQLite, SingleStore, AND Gel dialects, but
the patch commit (273c780) only touched the first four. The Gel dialect
escapeName still does

  return `"${name}"`;

which leaves the same identifier-delimiter injection that the parent CVE
documented. This brings Gel in line with the other dialects:

  return `"${name.replace(/"/g, '""')}"`;
