🛡️ Sentinel: [CRITICAL] Fix SQL injection in jsonExtract using sql.raw #110

Donach wants to merge 1 commit into
Replaces the vulnerable `sql.raw` block in the PostgreSQL jsonExtract builder with parameterized SQL blocks bound to `::text` casts, preventing dynamic JSON keys from being exposed to SQL injection. Also adds this finding to the Sentinel journal for future prevention.

Co-authored-by: Donach <39565367+Donach@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Sentinel has identified a potential SQL injection vulnerability in `packages/core/src/db/database-wrapper.ts`. When resolving PostgreSQL JSON paths in `jsonExtract`, the code previously relied on `sql.raw` string interpolation, which bypasses Drizzle's parameterization and exposes the application to SQL injection if any of the JSON path keys were dynamically generated or supplied from an untrusted source.

This PR fixes the vulnerability by using Drizzle ORM's parameterized template literals and explicitly casting the bound parameters to `::text` so that the overloaded PostgreSQL JSON operators (`->` and `->>`) resolve correctly without `sql.raw`.

Also appended this learning to the `.jules/sentinel.md` journal.

PR created automatically by Jules for task 3033738078864178928 started by @Donach