Articles

A deep dive into PostgreSQL filesystem exploits. Learn how to engineer static analysis guards to prevent unauthorized database-level file access.

A for-loop with an INSERT inside turned a 100ms bulk write into 50 seconds — 500x slower at 1,000 rows. pg/no-batch-insert-loop (CWE-1049) catches the N+1 pattern in CI, before it ships.

Control a connection's search_path and every unqualified query silently resolves to your schema. The obscure-but-lethal PostgreSQL attack, why SET can't be parameterized, the real fixes, and the CWE-426 ESLint rule that catches it.

pool.query('BEGIN') runs on a different pooled client than the UPDATE that follows it — so your 'transaction' isn't atomic and corrupts data under load. The race condition (CWE-362), the dedicated-client fix, and the pg ESLint rule that catches every BEGIN/COMMIT on a pool.

A node-postgres connection leak took our API down: 100 connections gone in 2 minutes on normal traffic. The post-mortem, the finally/pool.query fix, and the structural ESLint rule that flags a checked-out client that's never released — before it merges.

SQL injection, search_path schema hijacking, and the missing client.release() that exhausts your pool — node-postgres bugs that pass tests and take down production. 13 CWE-mapped ESLint rules that catch them in CI.

SQL injection is the famous node-postgres failure — but identifier hijacking, connection-pool exhaustion, and insecure transport page you at 3 AM just as hard. The four data-layer threat classes, the pg-specific ESLint rule for each, and the one config that turns them all on.

Direct concatenation, template literals, and cross-line variable taint: the three structural forms of SQL injection in node-postgres codebases, why each survives code review, and how a pg-specific ESLint rule catches all three.