Skip to content

fix(observability): escape Grafana repo variable to prevent SQL injection#5323

Open
JSONbored wants to merge 1 commit into
mainfrom
codex/fix-sql-injection-vulnerability-in-grafana
Open

fix(observability): escape Grafana repo variable to prevent SQL injection#5323
JSONbored wants to merge 1 commit into
mainfrom
codex/fix-sql-injection-vulnerability-in-grafana

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • The maintainer Reviews & PRs Grafana dashboard interpolated the user-controllable $repo variable directly into raw SQLite SQL inside quotes, which can be abused by a crafted var-repo value to change WHERE clauses or comment out the rest of a query.
  • The change hardens dashboard queries by using Grafana's SQL-string formatting so dashboard-controlled values are properly escaped before being embedded in raw SQL.

Description

  • Replaced occurrences of the unsafe quoted '$repo' pattern with Grafana's SQL-string formatter ${repo:sqlstring} across grafana/dashboards/maintainer-reviews.json so panels use (${repo:sqlstring} = '$__all' OR repo = ${repo:sqlstring}) for repo scoping.
  • Updated test/unit/selfhost-grafana-dashboard.test.ts to simulate Grafana's SQL-string expansion by adding grafanaSqlString() and changing expandGrafanaRange() to accept and SQL-escape a repo selection, and adjusted existing assertions to match the new ${repo:sqlstring} pattern.
  • Added a regression unit test that exercises an injection-shaped repo value (x') OR 1=1 --) and asserts the SQL-escaped value is treated literally (returns no rows) to protect against widening queries.
  • Kept dashboard observability semantics unchanged (the All sentinel logic and time-window bindings remain the same) while only changing how the variable is formatted in SQL.

Testing

  • npx vitest run test/unit/selfhost-grafana-dashboard.test.ts was run and all tests in that file passed.
  • git diff --check and npm run selfhost:validate-observability were run and both succeeded, confirming no formatting or observability-config regressions.
  • npm run test:ci was executed but failed during cf-typegen:check in this environment due to a local Wrangler/workerd generation difference from the committed worker-configuration.d.ts, not related to the dashboard change.
  • npm audit --audit-level=moderate was attempted but failed due to the npm registry audit endpoint returning 403 Forbidden in this environment, so dependency-audit could not be completed here.

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jul 12, 2026
@JSONbored JSONbored marked this pull request as draft July 12, 2026 14:03
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.34%. Comparing base (7a423be) to head (0f87fb1).
⚠️ Report is 122 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5323   +/-   ##
=======================================
  Coverage   94.34%   94.34%           
=======================================
  Files         473      473           
  Lines       39982    39982           
  Branches    14576    14576           
=======================================
  Hits        37722    37722           
  Misses       1585     1585           
  Partials      675      675           
Flag Coverage Δ
shard-1 46.28% <ø> (-0.13%) ⬇️
shard-2 34.60% <ø> (+0.12%) ⬆️
shard-3 30.99% <ø> (ø)
shard-4 32.90% <ø> (-0.40%) ⬇️
shard-5 33.65% <ø> (-0.04%) ⬇️
shard-6 45.07% <ø> (+0.19%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 21:15:35 UTC

2 files · 2 blockers · readiness 89/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
📋 Copy for AI agents — paste into your coding agent
Fix the following blocker(s) from this PR review:

1. No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

2. Maintainer requires a linked issue — Link the relevant issue (for example `Closes #123`) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers No AI review summary
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (draft PR; no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 44 registered-repo PR(s), 36 merged, 435 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 44 PR(s), 435 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ⚠️ ℹ️ Insufficient signal risk: clean · value: insufficient-signal — Nothing measurable for the structural-improvement analyzers on this PR (e.g. no code files changed).
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 44 PR(s), 435 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Mark ready when done.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@JSONbored JSONbored marked this pull request as ready for review July 12, 2026 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant