BDMS-471-472-473#403
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
There was a problem hiding this comment.
Pull request overview
This PR refactors the database role granting logic by replacing a parameterized SQL statement with an inline f-string approach for granting the app_read role to members.
Changes:
- Removed the
GRANT_MEMBER_SQLconstant that used SQL parameters - Implemented inline SQL statement construction with string escaping in the
grant_app_read_membersfunction
| safe_member = member.replace("'", "''") | ||
| stmt = text( | ||
| f""" | ||
| DO $$ | ||
| BEGIN | ||
| IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{safe_member}') THEN | ||
| EXECUTE 'GRANT app_read TO {safe_member}'; | ||
| END IF; | ||
| END $$; | ||
| """ | ||
| ) | ||
| executor.execute(stmt) | ||
|
|
||
|
|
There was a problem hiding this comment.
Using string replacement for SQL escaping is insufficient and creates SQL injection vulnerabilities. The original parameterized approach with bindparams was secure. Revert to using parameterized queries with proper SQL parameter binding instead of f-strings.
| safe_member = member.replace("'", "''") | |
| stmt = text( | |
| f""" | |
| DO $$ | |
| BEGIN | |
| IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{safe_member}') THEN | |
| EXECUTE 'GRANT app_read TO {safe_member}'; | |
| END IF; | |
| END $$; | |
| """ | |
| ) | |
| executor.execute(stmt) | |
| stmt = text( | |
| """ | |
| DO $$ | |
| BEGIN | |
| IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :member) THEN | |
| EXECUTE format('GRANT app_read TO %I', :member); | |
| END IF; | |
| END $$; | |
| """ | |
| ) | |
| executor.execute(stmt, {"member": member}) |
| safe_member = member.replace("'", "''") | ||
| stmt = text( | ||
| f""" | ||
| DO $$ | ||
| BEGIN | ||
| IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{safe_member}') THEN | ||
| EXECUTE 'GRANT app_read TO {safe_member}'; | ||
| END IF; | ||
| END $$; | ||
| """ | ||
| ) | ||
| executor.execute(stmt) |
There was a problem hiding this comment.
The EXECUTE statement uses single quotes which treats the content as a literal string rather than an identifier. This should use format() with %I to properly quote the identifier, similar to the original implementation.
| safe_member = member.replace("'", "''") | |
| stmt = text( | |
| f""" | |
| DO $$ | |
| BEGIN | |
| IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{safe_member}') THEN | |
| EXECUTE 'GRANT app_read TO {safe_member}'; | |
| END IF; | |
| END $$; | |
| """ | |
| ) | |
| executor.execute(stmt) | |
| stmt = text( | |
| """ | |
| DO $$ | |
| DECLARE | |
| role_name text := :role_name; | |
| BEGIN | |
| IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = role_name) THEN | |
| EXECUTE format('GRANT app_read TO %I', role_name); | |
| END IF; | |
| END $$; | |
| """ | |
| ) | |
| executor.execute(stmt, {"role_name": member}) |
Why
This PR addresses the following problem / context:
How
Implementation summary - the following was changed / added / removed:
Notes
Any special considerations, workarounds, or follow-up work to note?