Fixed code execution vulnerability due to Object coercion

refs GHSA-jqv5-7xpx-qj74
fixes TryGhost/Toolbox#491

- when you call `ToString()` on `Napi::Value`, it calls
  `napi_coerce_to_string` underneath, which has the ability to run
  arbitrary JS code if the passed in value is a crafted object
- both remote code execution or denial-of-service are possible via
  this vulnerability
- `toString()` on an Object returns `[object Object]` so instead of
  calling the function, we're going to hardcode it to prevent this
  issue

Credits: Dave McDaniel of Cisco Talos

Author: daniellockyer

src/statement.cc

@@ -208,7 +208,7 @@ template <class T> Values::Field*
         return new Values::Float(pos, source.ToNumber().DoubleValue());
     }
     else if (source.IsObject()) {
-        Napi::String napiVal = source.ToString();
+        Napi::String napiVal = Napi::String::New(source.Env(), "[object Object]");
         // Check whether toString returned a value that is not undefined.
         if(napiVal.Type() == 0) {
             return NULL;

test/other_objects.test.js

@@ -95,4 +95,20 @@ describe('data types', function() {
         });
     });
 
+    it('should ignore faulty toString in array', function(done) {
+        const faulty = [[{toString: null}], 1];
+        db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
+            assert.equal(err, null);
+            done();
+        });
+    });
+
+    it('should ignore faulty toString set to function', function(done) {
+        const faulty = [[{toString: function () {console.log('oh no');}}], 1];
+        db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
+            assert.equal(err, undefined);
+            done();
+        });
+    });
+
 });