Skip to content

Fix SQL injection vulnerabilities in database queries #256

Description

@gita-agents

Eliminate SQL injection risks by replacing f-string interpolation with parameterized queries and validating dynamic SQL components.

Findings (2)

  • [HIGH] security at backend/app/database/connection.py:185 — SQL injection vulnerability in add_column_if_not_exists: column_definition is interpolated directly into ALTER TABLE statement on line 185 without full validation. While parts[0] is validated, the rest of column_definition (type, constraints) is not validated and is directly embedded in the f-string.
    Fix sketch: Validate all parts of column_definition against a whitelist of allowed SQL keywords and types, or use a safer approach that doesn't require dynamic SQL construction.
  • [HIGH] security at backend/app/models/assignment.py:237 — SQL injection vulnerability in get_assignments_due_soon: the days parameter is interpolated directly into the SQL query string using f-string on line 237 ('+{days} days'), allowing an attacker to inject arbitrary SQL by passing a malicious days value.
    Fix sketch: Use parameterized query with days as a bound parameter instead of f-string interpolation.

Generated by GITA v0.1.0 onboarding agent against amass. Milestone confidence: 0.95.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions