Fix: Check MySQL database name (#5991)

2025-08-31 01:26:32 +08:00 · 2025-08-31 01:26:32 +08:00 · a4d2e077b8
parent 668636c9d5
commit a4d2e077b8
4 changed files with 10 additions and 5 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -80,6 +80,7 @@
                "socket.io": "~4.8.0",
                "socket.io-client": "~4.8.0",
                "socks-proxy-agent": "~8.0.5",
+                "sqlstring": "~2.3.3",
                "tar": "~6.2.1",
                "tcp-ping": "~0.1.1",
                "thirty-two": "~1.0.2",
--- a/package.json
+++ b/package.json
@ -138,6 +138,7 @@
        "socket.io": "~4.8.0",
        "socket.io-client": "~4.8.0",
        "socks-proxy-agent": "~8.0.5",
+        "sqlstring": "~2.3.3",
        "tar": "~6.2.1",
        "tcp-ping": "~0.1.1",
        "thirty-two": "~1.0.2",
--- a/server/database.js
+++ b/server/database.js
@ -12,6 +12,7 @@ const { UptimeCalculator } = require("./uptime-calculator");
 const dayjs = require("dayjs");
 const { SimpleMigrationServer } = require("./utils/simple-migration-server");
 const KumaColumnCompiler = require("./utils/knex/lib/dialects/mysql2/schema/mysql2-columncompiler");
+const SqlString = require("sqlstring");

 /**
 * Database & App Data Folder
@ -256,10 +257,6 @@ class Database {
                }
            };
        } else if (dbConfig.type === "mariadb") {
-            if (!/^\w+$/.test(dbConfig.dbName)) {
-                throw Error("Invalid database name. A database name can only consist of letters, numbers and underscores");
-            }
-
            const connection = await mysql.createConnection({
                host: dbConfig.hostname,
                port: dbConfig.port,
@ -267,7 +264,11 @@ class Database {
                password: dbConfig.password,
            });

-            await connection.execute("CREATE DATABASE IF NOT EXISTS " + dbConfig.dbName + " CHARACTER SET utf8mb4");
+            // Set to true, so for example "uptime.kuma", becomes `uptime.kuma`, not `uptime`.`kuma`
+            // Doc: https://github.com/mysqljs/sqlstring?tab=readme-ov-file#escaping-query-identifiers
+            const escapedDBName = SqlString.escapeId(dbConfig.dbName, true);
+
+            await connection.execute("CREATE DATABASE IF NOT EXISTS " + escapedDBName + " CHARACTER SET utf8mb4");
            connection.end();

            config = {
--- a/server/setup-database.js
+++ b/server/setup-database.js
@ -208,11 +208,13 @@ class SetupDatabase {

                    // Test connection
                    try {
+                        log.info("setup-database", "Testing database connection...");
                        const connection = await mysql.createConnection({
                            host: dbConfig.hostname,
                            port: dbConfig.port,
                            user: dbConfig.username,
                            password: dbConfig.password,
+                            database: dbConfig.dbName,
                        });
                        await connection.execute("SELECT 1");
                        connection.end();