Skip to content

fix(jsonfilter): Sanitize input when parsing filters#3205

Merged
javirln merged 1 commit into
chainloop-dev:mainfrom
javirln:fix/pfm-6378
Jun 14, 2026
Merged

fix(jsonfilter): Sanitize input when parsing filters#3205
javirln merged 1 commit into
chainloop-dev:mainfrom
javirln:fix/pfm-6378

Conversation

@javirln

@javirln javirln commented Jun 14, 2026

Copy link
Copy Markdown
Member

This pull request strengthens the security of JSON field path filtering in workflow queries by validating user-supplied field paths to prevent SQL injection. It introduces a strict allowlist for field path syntax, surfaces validation errors to the API, and adds comprehensive tests to ensure only safe paths are accepted.

Security improvements for JSON field path filtering:

  • Added a regular expression (fieldPathRegexp) in pkg/jsonfilter/jsonfilter.go to strictly validate JSON field paths, allowing only dot-separated identifiers and numeric array indices, and rejecting any unsafe characters that could lead to SQL injection.
  • Implemented the validateFieldPath function in pkg/jsonfilter/jsonfilter.go to enforce this validation before building SQL predicates. [1] [2]
  • Updated BuildEntSelectorFromJSONFilter to return an error if the field path is unsafe, preventing unsafe queries from being constructed.

Workflow query logic and error handling:

  • Refactored applyWorkflowFilters in app/controlplane/pkg/data/workflow.go to return an error if any JSON filter is invalid, ensuring validation errors are surfaced instead of silently ignored. [1] [2] [3] [4]
  • Updated integration tests in app/controlplane/pkg/biz/workflow_integration_test.go to verify that unsafe field paths are rejected with a validation error, and safe paths are accepted.

Test coverage:

  • Expanded unit tests in pkg/jsonfilter/jsonfilter_test.go to cover a wide range of valid and invalid field path scenarios, ensuring the validator correctly allows safe paths and rejects unsafe ones. [1] [2]

Other:

  • Updated copyright years in pkg/jsonfilter/jsonfilter.go.
  • Added missing import for jsonfilter in integration tests.

Review in cubic

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln requested a review from a team June 14, 2026 11:05
@javirln javirln added the hotfix label Jun 14, 2026
@javirln javirln enabled auto-merge (squash) June 14, 2026 11:05

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

Re-trigger cubic

@javirln javirln self-assigned this Jun 14, 2026
@javirln javirln disabled auto-merge June 14, 2026 11:18
@javirln javirln enabled auto-merge (squash) June 14, 2026 11:18

@migmartri migmartri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How did you find this?

@javirln javirln merged commit 8886abb into chainloop-dev:main Jun 14, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants