Ensure table and column names escaped

[hardillb]

Description

Enforce escaping for table and column names

[codecov]

Codecov Report

❌ Patch coverage is 0% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.49%. Comparing base (6a59980) to head (8a69d29).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
forge/ee/lib/tables/drivers/postgres-localfs.js	0.00%	17 Missing ⚠️
forge/ee/lib/tables/drivers/postgres-supavisor.js	0.00%	17 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5850      +/-   ##
==========================================
- Coverage   76.56%   76.49%   -0.08%     
==========================================
  Files         369      369              
  Lines       17951    17969      +18     
  Branches     4179     4189      +10     
==========================================
  Hits        13745    13745              
- Misses       4206     4224      +18     

Flag	Coverage Δ
backend	76.49% <0.00%> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Steve-Mcl]

This PR is fine as it (minus the lint errors), but I have concerns regarding other parts of the original merged PR I think we must handle to mitigate what we can

NOTE: the below is applicable to both drivers

1

https://github.com/FlowFuse/flowfuse/pull/5850/files#diff-41c5997c75a79615b0da0be7da5a91b8daea9331ccf48714137091ebf76e5562R247

this should be whitelisted at best, escaped at minimum

2

https://github.com/FlowFuse/flowfuse/pull/5850/files#diff-41c5997c75a79615b0da0be7da5a91b8daea9331ccf48714137091ebf76e5562R251-R255
col.default is user input and should be vetted for length and type and if string, escaped. Something like:

if (typeof col.default === 'string') {
    const escapedDefault = pgLib.pg.escapeLiteral(col.default)
    columnDef += ` DEFAULT ${escapedDefault}`
} else if (typeof col.default === 'number' || typeof col.default === 'boolean') {
    columnDef += ` DEFAULT ${col.default}`
} else {
    throw new Error(`Unsupported default value type for column ${col.name}`)
}

3

There are no unit tests for the createTable or dropTable functions.