johno/gastown
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Fix SQL injection vulnerability in convoy.go (gt-frvun)

Browse Source 
Add input validation for convoyID before using it in SQL query.
Issue IDs must match ^[a-zA-Z0-9_-]+$ to prevent injection attacks.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Steve Yegge
2025-12-30 14:14:46 -08:00
parent d98daed901
commit 9f165d7c82
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
internal/cmd/convoy.go
View File

@@ -7,6 +7,7 @@ import (
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"regexp"
"strings" "strings"
"github.com/spf13/cobra" "github.com/spf13/cobra"
@@ -14,6 +15,10 @@ import (
"github.com/steveyegge/gastown/internal/workspace" "github.com/steveyegge/gastown/internal/workspace"
) )
// safeIDPattern validates that an ID only contains safe characters for SQL queries.
// Issue IDs should only contain alphanumeric characters, hyphens, and underscores.
var safeIDPattern = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
// Convoy command flags // Convoy command flags
var ( var (
convoyMolecule string convoyMolecule string
@@ -433,9 +438,15 @@ type trackedIssueInfo struct {
// getTrackedIssues queries SQLite directly to get issues tracked by a convoy. // getTrackedIssues queries SQLite directly to get issues tracked by a convoy.
// This is needed because bd dep list doesn't properly show cross-rig external dependencies. // This is needed because bd dep list doesn't properly show cross-rig external dependencies.
func getTrackedIssues(townBeads, convoyID string) []trackedIssueInfo { func getTrackedIssues(townBeads, convoyID string) []trackedIssueInfo {
// Validate convoyID to prevent SQL injection
if !safeIDPattern.MatchString(convoyID) {
return nil
}
dbPath := filepath.Join(townBeads, "beads.db") dbPath := filepath.Join(townBeads, "beads.db")
// Query tracked dependencies from SQLite // Query tracked dependencies from SQLite
// Note: convoyID is validated above to only contain safe characters
queryCmd := exec.Command("sqlite3", "-json", dbPath, queryCmd := exec.Command("sqlite3", "-json", dbPath,
fmt.Sprintf(`SELECT depends_on_id, type FROM dependencies WHERE issue_id = '%s' AND type = 'tracks'`, convoyID)) fmt.Sprintf(`SELECT depends_on_id, type FROM dependencies WHERE issue_id = '%s' AND type = 'tracks'`, convoyID))