fix: final polish — teardown, image pin, license

2026-06-12 00:49:58 +05:00
parent 7f0b66b18d
commit 5e841e4956
9 changed files with 180 additions and 48 deletions
@@ -93,6 +93,30 @@ describe('assertSafeStatement', () => {
            // \' does not end the string for mysql, so the ; stays inside
            expect(() => assertSafeStatement("select 'a\\'; select 2'", 'mysql')).not.toThrow()
        })
+
+        it('treats postgres E-strings as backslash-escaped (single statement)', () => {
+            // E'it\'s; fine' is one literal: \' is an escaped quote, so the ;
+            // stays inside the string and this is a single statement.
+            expect(() => assertSafeStatement("SELECT E'it\\'s; fine'", 'postgres')).not.toThrow()
+            expect(() => assertSafeStatement("SELECT e'it\\'s; fine'", 'postgres')).not.toThrow()
+        })
+
+        it('does not treat plain postgres strings as backslash-escaped', () => {
+            // In a plain '...' literal \ is a literal char, so 'a\' closes at the
+            // second quote, leaving '; SELECT 1' as a second statement.
+            expect(() => assertSafeStatement("SELECT 'a\\'; SELECT 1", 'postgres')).toThrow(
+                /one SQL statement/
+            )
+        })
+
+        it('does not treat a trailing-E identifier as an E-string prefix', () => {
+            // The E here is the tail of the identifier `somE`, not a standalone
+            // prefix, so backslash escapes stay off: 'a\' closes at the second
+            // quote and '; SELECT 1' is a second statement.
+            expect(() => assertSafeStatement("SELECT somE'a\\'; SELECT 1", 'postgres')).toThrow(
+                /one SQL statement/
+            )
+        })
    })

    describe('session-statement guard', () => {