Allow String to be used for table and column names in COPY FROM

ahoppen · ahoppen · commit 1602d85f28df · 2025-07-24T19:39:03.000+02:00
diff --git a/Sources/PostgresNIO/Connection/PostgresConnection+CopyFrom.swift b/Sources/PostgresNIO/Connection/PostgresConnection+CopyFrom.swift
@@ -131,9 +131,12 @@ public struct PostgresCopyFromFormat: Sendable {
 ///
 /// An empty `columns` array signifies that no columns should be specified in the query and that all columns will be
 /// copied by the caller.
+///
+/// - Important: The table and column names are inserted into the `COPY FROM` query as passed and might thus be
+///   susceptible to SQL injection. Ensure no untrusted data is contained in these strings.
 private func buildCopyFromQuery(
-    table: StaticString,
-    columns: [StaticString] = [],
+    table: String,
+    columns: [String] = [],
     format: PostgresCopyFromFormat
 ) -> PostgresQuery {
     var query = """
@@ -173,11 +176,11 @@ extension PostgresConnection {
     ///     Throw an error from the closure to fail the data transfer. The error thrown by the closure will be rethrown
     ///     by the `copyFrom` function.
     ///
-    /// - Note: The table and column names are inserted into the SQL query verbatim. They are forced to be compile-time
-    ///   specified to avoid runtime SQL injection attacks.
+    /// - Important: The table and column names are inserted into the `COPY FROM` query as passed and might thus be
+    ///   susceptible to SQL injection. Ensure no untrusted data is contained in these strings.
     public func copyFrom(
-        table: StaticString,
-        columns: [StaticString] = [],
+        table: String,
+        columns: [String] = [],
         format: PostgresCopyFromFormat = .text(.init()),
         logger: Logger,
         isolation: isolated (any Actor)? = #isolation,
diff --git a/Tests/PostgresNIOTests/New/PostgresConnectionTests.swift b/Tests/PostgresNIOTests/New/PostgresConnectionTests.swift
@@ -966,8 +966,8 @@ class PostgresConnectionTests: XCTestCase {
     ///     and is now expecting a `Sync` to return back to the idle state. The closure may call the `cancelCopyFrom`
     ///     closure that is passed to it to cancel the COPY operation.
     private func assertCopyFrom(
-        table: StaticString = "copy_table",
-        columns: [StaticString] = ["id", "name"],
+        table: String = "copy_table",
+        columns: [String] = ["id", "name"],
         format: PostgresCopyFromFormat = .text(.init()),
         writeData: @escaping @Sendable (PostgresCopyFromWriter) async throws -> Void,
         validateCopyFromError: (@Sendable (any Error) -> Void)? = nil,
