From 16b2ecfaf08ecf4d65b11e0d5e08762e7def2314 Mon Sep 17 00:00:00 2001
From: Sehrope Sarkuni
Date: Thu, 19 Jan 2023 07:59:21 -0500
Subject: [PATCH 1/2] Add SASL test to ensure that client password is a string
---
 .../pg/test/unit/client/sasl-scram-tests.js | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/packages/pg/test/unit/client/sasl-scram-tests.js b/packages/pg/test/unit/client/sasl-scram-tests.js
index e53448bdf..293ae1683 100644
--- a/packages/pg/test/unit/client/sasl-scram-tests.js
+++ b/packages/pg/test/unit/client/sasl-scram-tests.js
@@ -80,6 +80,26 @@ test('sasl/scram', function () {
 )
 })
 
+ test('fails when client password is not a string', function () {
+ for(const badPasswordValue of [null, undefined, 123, new Date(), {}]) {
+ assert.throws(
+ function () {
+ sasl.continueSession(
+ {
+ message: 'SASLInitialResponse',
+ clientNonce: 'a',
+ },
+ badPasswordValue,
+ 'r=1,i=1'
+ )
+ },
+ {
+ message: 'SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a string',
+ }
+ )
+ }
+ })
+
 test('fails when iteration is missing in server message', function () {
 assert.throws(
 function () {
From 49432be14bb44e798092ccb62e65e387769bce3e Mon Sep 17 00:00:00 2001
From: Sehrope Sarkuni
Date: Thu, 19 Jan 2023 08:01:15 -0500
Subject: [PATCH 2/2] Add informative error when SASL password is empty string
---
 packages/pg/lib/sasl.js | 3 +++
 .../pg/test/unit/client/sasl-scram-tests.js | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/packages/pg/lib/sasl.js b/packages/pg/lib/sasl.js
index fb703b270..c8d2d2bdc 100644
--- a/packages/pg/lib/sasl.js
+++ b/packages/pg/lib/sasl.js
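Review bot: `for(const badPasswordValue of [null, undefined, 123, new Date(), {}]) {` on the second added line lacks the space after `for` that the rest of this hunk uses (`function () {`), so a formatter pass would rewrite it; write it as `for (const badPasswordValue of [null, undefined, 123, new Date(), {}]) {` now. The value list covers null, undefined, a number, a Date and a plain object, which exercises the `typeof password !== 'string'` guard well; a Buffer is another plausible caller mistake and could be added to the list without changing the assertion. The enclosing `test('sasl/scram', ...)` suite starts and ends outside the hunk.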
@@ -23,6 +23,9 @@ function continueSession(session, password, serverData) {
 if (typeof password !== 'string') {
 throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a string')
 }
+ if (password === '') {
+ throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a non-empty string')
+ }
 if (typeof serverData !== 'string') {
 throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: serverData must be a string')
 }
diff --git a/packages/pg/test/unit/client/sasl-scram-tests.js b/packages/pg/test/unit/client/sasl-scram-tests.js
index 293ae1683..36a5556b4 100644
--- a/packages/pg/test/unit/client/sasl-scram-tests.js
+++ b/packages/pg/test/unit/client/sasl-scram-tests.js
@@ -100,6 +100,24 @@ test('sasl/scram', function () {
 }
 })
 
+ test('fails when client password is an empty string', function () {
+ assert.throws(
+ function () {
+ sasl.continueSession(
+ {
+ message: 'SASLInitialResponse',
+ clientNonce: 'a',
+ },
+ '',
+ 'r=1,i=1'
+ )
+ },
+ {
+ message: 'SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a non-empty string',
+ }
+ )
+ })
+
 test('fails when iteration is missing in server message', function () {
 assert.throws(
 function () {
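Review bot: The new `if (password === '')` guard in continueSession carries no comment saying why the empty string gets its own error rather than being folded into the `typeof password !== 'string'` check directly above it, and a later reader may take the two adjacent guards as redundant. A one-line why-comment above the new `if` would preserve the intent the commit subject states, e.g. `// Reject '' explicitly so a misconfigured client gets a clear error here rather than a less informative failure later in the exchange` (assuming that later failure is what motivated the commit; the page does not show the pre-existing behaviour). The guard is placed before the serverData check, so the password is validated independently of what the server sent, which is the right order. continueSession's body continues outside the hunk.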