You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Eliminate SQL injection risks by replacing f-string interpolation with parameterized queries and validating dynamic SQL components.
Findings (2)
[HIGH] security at backend/app/database/connection.py:185 — SQL injection vulnerability in add_column_if_not_exists: column_definition is interpolated directly into ALTER TABLE statement on line 185 without full validation. While parts[0] is validated, the rest of column_definition (type, constraints) is not validated and is directly embedded in the f-string. Fix sketch: Validate all parts of column_definition against a whitelist of allowed SQL keywords and types, or use a safer approach that doesn't require dynamic SQL construction.
[HIGH] security at backend/app/models/assignment.py:237 — SQL injection vulnerability in get_assignments_due_soon: the days parameter is interpolated directly into the SQL query string using f-string on line 237 ('+{days} days'), allowing an attacker to inject arbitrary SQL by passing a malicious days value. Fix sketch: Use parameterized query with days as a bound parameter instead of f-string interpolation.
Generated by GITA v0.1.0 onboarding agent against amass. Milestone confidence: 0.95.
Eliminate SQL injection risks by replacing f-string interpolation with parameterized queries and validating dynamic SQL components.
Findings (2)
backend/app/database/connection.py:185— SQL injection vulnerability in add_column_if_not_exists: column_definition is interpolated directly into ALTER TABLE statement on line 185 without full validation. While parts[0] is validated, the rest of column_definition (type, constraints) is not validated and is directly embedded in the f-string.Fix sketch: Validate all parts of column_definition against a whitelist of allowed SQL keywords and types, or use a safer approach that doesn't require dynamic SQL construction.
backend/app/models/assignment.py:237— SQL injection vulnerability in get_assignments_due_soon: the days parameter is interpolated directly into the SQL query string using f-string on line 237 ('+{days} days'), allowing an attacker to inject arbitrary SQL by passing a malicious days value.Fix sketch: Use parameterized query with days as a bound parameter instead of f-string interpolation.
Generated by GITA v0.1.0 onboarding agent against
amass. Milestone confidence: 0.95.