Fix: Sanitize SQL field names to prevent injection #17
Summary
This PR fixes a potential SQL injection vulnerability in the `queryBuilder` function in `app/src/v1/Mapper.ts`.
Problem
The `queryBuilder` function was constructing SQL queries using unsanitized field names directly from user input. The `post` object in `Controller.ts` is typed as `any` and populated from user-controlled content via `c.get('content')`, making it possible for malicious field names (e.g., `"filename; DROP TABLE files--": "value"`) to be injected into SQL queries.
While table names are already sanitized (line 47: `table.replace(/[^a-z_]/g, '')`), field names were not receiving the same treatment.
Solution
This change:
- `[a-z_]` characters
Testing
All existing functionality should continue to work as normal since valid field names (lowercase alphanumeric and underscores) pass through unchanged. The change is defensive programming to prevent potential security issues.
Files Changed
`app/src/v1/Mapper.ts` - Added field name sanitization in `queryBuilder` function
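The following is an added illustration, not code from this repository's `Mapper.ts`: a minimal insert builder in the shape the description implies (column names taken from the keys of a user-controlled `post` object), showing the vulnerable interpolation beside the PR's strip-based sanitization and a stricter reject-or-allowlist variant. The function names, the `files` table and its columns are assumptions made for the example.

```typescript
// Added example (not the project's code). Assumed names: buildInsertUnsafe,
// buildInsertStripped, buildInsert, sanitizeIdentifier, assertIdentifier,
// and a `files` table with columns `filename` and `owner`.

type Row = Record<string, unknown>;
type Built = { sql: string; params: unknown[] };

// The approach the PR applies to table names (Mapper.ts line 47) and now to
// field names: drop every character outside [a-z_]. Note this also drops
// digits and uppercase letters rather than lowercasing them.
function sanitizeIdentifier(name: string): string {
  return name.replace(/[^a-z_]/g, "");
}

// Stricter variant: an identifier is either already clean or rejected.
// Silent stripping turns "filename; DROP TABLE files--" into "filenamefiles",
// which is harmless SQL but hides the tampering; rejecting surfaces it.
function assertIdentifier(name: string): string {
  if (name === "" || sanitizeIdentifier(name) !== name) {
    throw new Error(`invalid SQL identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

function placeholders(n: number): string {
  return Array.from({ length: n }, () => "?").join(", ");
}

// BEFORE: field names interpolated verbatim. Values go through placeholders,
// so the identifiers are the only injection surface in this builder.
function buildInsertUnsafe(table: string, post: Row): Built {
  const keys = Object.keys(post);
  const sql =
    `INSERT INTO ${sanitizeIdentifier(table)} (${keys.join(", ")}) ` +
    `VALUES (${placeholders(keys.length)})`;
  return { sql, params: keys.map((k) => post[k]) };
}

// AFTER, as the PR does it: field names get the same strip treatment as the
// table name. Injection characters cannot reach the SQL text any more.
function buildInsertStripped(table: string, post: Row): Built {
  const keys = Object.keys(post);
  const fields = keys.map(sanitizeIdentifier);
  const sql =
    `INSERT INTO ${sanitizeIdentifier(table)} (${fields.join(", ")}) ` +
    `VALUES (${placeholders(keys.length)})`;
  return { sql, params: keys.map((k) => post[k]) };
}

// AFTER, stricter: reject any name that would have been altered, and when
// the caller knows the schema, also reject names outside an allowlist of
// real columns so a user cannot write to columns they should not control.
function buildInsert(table: string, post: Row, allowed?: ReadonlySet<string>): Built {
  const safeTable = assertIdentifier(table);
  const keys = Object.keys(post);
  const fields = keys.map((k) => {
    const name = assertIdentifier(k);
    if (allowed && !allowed.has(name)) {
      throw new Error(`unknown column: ${name}`);
    }
    return name;
  });
  const sql =
    `INSERT INTO ${safeTable} (${fields.join(", ")}) ` +
    `VALUES (${placeholders(fields.length)})`;
  return { sql, params: keys.map((k) => post[k]) };
}

// Constructed sample input mirroring the payload in the PR description.
const maliciousPost: Row = { "filename; DROP TABLE files--": "value" };
const cleanPost: Row = { filename: "a.txt", owner: "bob" };

console.log(buildInsertUnsafe("files", maliciousPost).sql);
console.log(buildInsertStripped("files", maliciousPost).sql);
console.log(buildInsert("files", cleanPost, new Set(["filename", "owner"])).sql);
```

Two practical caveats follow from the regex itself: because `[^a-z_]` removes digits and uppercase letters, a column such as `size2` would be silently shortened to `size` by the strip variant, and a key the attacker chose can still collapse to the name of some other real column. Where the schema is known, validating field names against an allowlist of columns (as `buildInsert` does) is the more robust check, and it composes with the strip approach rather than replacing it.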