Doesn't it cause a "Javascript eval injection" vulnerability?
I don't know Javascript so I may be wrong here, but:
* Suppose someone uses this library to create a "MariaSQL Explorer App", where you give the app connection credentials and it connects to the database and shows you the data etc.
* A malicious attacker tells a user "have a look at my database" and the user goes to the attacker's database.
* The attacker's database (or spoof of one) has a column called 'dummy": MALICIOUS_CODE(), "colname'. notice the '"' chars inside column name.
* The MALICIOUS_CODE() runs in the user's node.js app. Perhaps it sends the attacker the passwords to other databases from the app's keychain or something..
As Groxx points out, yes, you need to sanitize input. It's pretty easy to return an error if the user input doesn't match a whitelisting regex. It can be as simple as /[a-z][a-z0-9]*/i
However, in a Lisp, eval typically works on lists, not on strings. In effect, behaving like a parametric SQL query: a quotation mark or close paren or whatever in the string would be harmless.
I don't know Javascript so I may be wrong here, but:
* Suppose someone uses this library to create a "MariaSQL Explorer App", where you give the app connection credentials and it connects to the database and shows you the data etc.
* A malicious attacker tells a user "have a look at my database" and the user goes to the attacker's database.
* The attacker's database (or spoof of one) has a column called 'dummy": MALICIOUS_CODE(), "colname'. notice the '"' chars inside column name.
* The MALICIOUS_CODE() runs in the user's node.js app. Perhaps it sends the attacker the passwords to other databases from the app's keychain or something..
* Profit