Skip to content

fix: 🔒 Fixed funcapi possible injections#16

Merged
bitechsystems merged 9 commits intomainfrom
fix-funcapi
Dec 31, 2025
Merged

fix: 🔒 Fixed funcapi possible injections#16
bitechsystems merged 9 commits intomainfrom
fix-funcapi

Conversation

@warkanum
Copy link
Member

@warkanum warkanum commented Dec 31, 2025

No description provided.

@warkanum
Copy link
Member Author

warkanum commented Dec 31, 2025

@copilot Check the security issues in these changes

Copilot AI mentioned this pull request Dec 31, 2025
Merged
Copy link
Contributor

Copilot AI commented Dec 31, 2025

@warkanum I've opened a new pull request, #17, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI and others added 7 commits December 31, 2025 07:19
@warkanum
fix: Enhanced SQL injection protection in funcspec
f711bf3 
- Added sanitization for path parameters in mergePathParams
- Added sanitization for query parameters with p- prefix in mergeQueryParams
- Added sanitization for header parameters in mergeHeaderParams
- Fixed IN clause to sanitize all values individually
- Improved ValidSQL function with better escaping and more injection patterns
- Added backslash escaping to colvalue mode
- Extended dangerous keyword list in select mode

Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
fix: Improved SQL injection protections based on code review
6528e94 
- Fixed backslash escaping order in colvalue mode
- Added proper quoting for IN clause values
- Simplified dangerous pattern matching with case-insensitive approach
- All funcspec tests pass (except pre-existing test failure)

Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
fix: Fixed SQL quoting for empty/zero values and sanitized match filter
8cdc353 
- Sanitize colval immediately after extraction in match= filter
- Fixed empty/zero value handling to use proper SQL literals (0 vs '')
- Applied proper quoting for string vs numeric comparisons
- Fixed x-fieldfilter handlers for proper value handling

Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
fix: Improved SQL injection protection with proper handling
a7cc420 
- Fixed IN clause to conditionally quote only string values (not numeric)
- Fixed LIKE pattern sanitization to preserve wildcards while preventing injection
- Improved dangerous pattern removal with case-insensitive regex while preserving case
- All funcspec tests now pass (except pre-existing TestReplaceMetaVariables)

Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
fix: Optimized regex performance and added backslash escaping for LIK…
a6a17d0 
…E patterns

- Added backslash escaping to LIKE pattern sanitization
- Optimized ValidSQL select mode with single pre-compiled regex
- All funcspec tests pass (except pre-existing TestReplaceMetaVariables)

Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
Merge pull request #17 from bitechdev/copilot/sub-pr-16
191822b 
fix: Comprehensive SQL injection protection in funcspec handlers
refactor: 🚨 linting issues
fae9a08
@bitechsystems bitechsystems merged commit b99b084 into main Dec 31, 2025
6 checks passed
@bitechsystems bitechsystems deleted the fix-funcapi branch December 31, 2025 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bitechsystems bitechsystems bitechsystems approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@warkanum @bitechsystems