fix(webapp): escape realtime tags filter to prevent SQL injection (#3…#4129
fix(webapp): escape realtime tags filter to prevent SQL injection (#3…#4129Purvi09 wants to merge 1 commit into
Conversation
|
|
Hi @Purvi09, thanks for your interest in contributing! This project requires that pull request authors are vouched, and you are not in the list of vouched users. This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details. |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
WalkthroughThis change addresses a SQL injection vulnerability in the realtime tags filter. A new exported function, Changes
Sequence Diagram(s)sequenceDiagram
participant Caller
participant RealtimeClient
participant escapeSqlStringLiteral
participant SQLQuery
Caller->>RealtimeClient: streamRuns(params.tags)
RealtimeClient->>escapeSqlStringLiteral: escape each tag
escapeSqlStringLiteral-->>RealtimeClient: escaped tag string
RealtimeClient->>SQLQuery: build runTags where clause with escaped tags
Related issues: References issue Suggested labels: security, bug fix, webapp Suggested reviewers: matt-aitken, ericallam Poem A quote came knocking, sly and bent, ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Closes #3739
✅ Checklist
Testing
The realtime runs stream builds a SQL
WHEREclause that is passed to Electric as thewheresearch param. InstreamRuns(), user-suppliedtagswere interpolated straight into a single-quoted SQL string literal with no escaping, so a tag containing a'could break out of the literal and inject SQL (e.g.?tags=test' OR '1'='1).This PR escapes each tag by doubling embedded single quotes before it is wrapped in the literal, which is sufficient because Postgres runs with
standard_conforming_stringson (the single quote is the only character that can terminate the literal). The other interpolated values in the same file (environment.id,runId,batchId,createdAt) are system-generated IDs/dates that cannot contain a quote, so they are not an injection vector.Added a unit test (
apps/webapp/test/realtimeClientEscapeSqlStringLiteral.test.ts) covering:O'Brien→O''Brien)Run it with:
pnpm run test --filter webapp ./test/realtimeClientEscapeSqlStringLiteral.test.ts --runManual verification of the fix: with the escaped clause,
?tags=test' OR '1'='1produces the literal'test'' OR ''1''=''1', which Postgres reads as a single (nonexistent) tag name rather than executable SQL — the filter no longer breaks out.Changelog
Escape single quotes in the user-supplied realtime
tagsfilter so they cannot break out of the SQL string literal, closing a SQL injection vector in the/realtime/v1/runsstream.Screenshots
N/A — server-side change, no UI.
💯