fix: address SQL injection vulnerabilities and security issues#13

Merged
harishconti merged 4 commits into main from fix/sql-injection-bug-fixes-20260405
Apr 5, 2026

Conversation

@harishconti
Contributor

  • Added backend/security.py module with is_safe_identifier() and is_safe_table_reference() functions to validate SQL identifiers
  • Fixed SQL injection in all warehouse connectors (trino, databricks, postgres, snowflake, redshift, bigquery, duckdb) by validating table and column names before use in queries
  • Added validation in contracts router for table/column references and restricted custom SQL rules to SELECT/WITH only
  • Added validation in profiling router with safe result handling
  • Added FileNotFoundError handling in config/loader.py
  • Updated .env.example with secure placeholder passwords
  • Added integer casting for numeric parameters to prevent injection

What does this PR do?

Type of change

  • Bug fix
  • New connector
  • New check template
  • Documentation
  • Other

Checklist

  • Tests pass (make test)
  • Linting passes (make lint)
  • CHANGELOG.md updated (for features/fixes)
  • Docs updated if behaviour changed

Related issues

Closes #
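The validation approach described in the PR, written out as an added example rather than the project's own backend/security.py: the function names is_safe_identifier() and is_safe_table_reference() follow the PR description, but the allowlist pattern, the dotted-reference limit, the SELECT/WITH check, the bounded integer cast and the sample query builder are assumptions of this example. It places the pre-fix interpolation pattern next to its hardened form so the difference in where untrusted input can land is visible.

```python
import re

# Allowlist for a single unquoted SQL identifier (table, column, schema).
# Constructed rule for this example, not the project's: letters, digits and
# underscore, no leading digit, at most 128 characters. Everything else,
# including quotes, spaces, semicolons and comment markers, is rejected.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")
_INT_RE = re.compile(r"^-?[0-9]+$")


def is_safe_identifier(name) -> bool:
    """True only if `name` is a plain identifier matching the allowlist."""
    return isinstance(name, str) and _IDENTIFIER_RE.fullmatch(name) is not None


def is_safe_table_reference(ref, max_parts: int = 3) -> bool:
    """Accept dotted references (schema.table, catalog.schema.table) only when
    every part is itself a safe identifier and the part count is bounded."""
    if not isinstance(ref, str) or not ref:
        return False
    parts = ref.split(".")
    if len(parts) > max_parts:
        return False
    return all(is_safe_identifier(part) for part in parts)


def is_readonly_sql(sql: str) -> bool:
    """Allow a custom rule only if it is a single SELECT or WITH statement.
    Statement batching and SQL comments are refused before the verb is read."""
    stripped = sql.strip()
    if not stripped:
        return False
    body = stripped.rstrip(";")  # one trailing terminator is tolerated
    if ";" in body or "--" in body or "/*" in body:
        return False
    first_token = body.split(None, 1)[0].upper()
    return first_token in ("SELECT", "WITH")


def to_int(value, minimum: int = 0, maximum: int = 1_000_000) -> int:
    """Cast a numeric parameter (a row LIMIT, a threshold) to a bounded int.
    Raises ValueError for anything that is not a decimal integer in range."""
    text = str(value).strip()
    if _INT_RE.fullmatch(text) is None:
        raise ValueError(f"not an integer: {value!r}")
    number = int(text)
    if not minimum <= number <= maximum:
        raise ValueError(f"out of range: {number}")
    return number


def build_sample_query_unsafe(table, column, limit) -> str:
    """Pre-fix pattern: raw interpolation, so any caller-supplied name or
    number becomes part of the statement text unchanged."""
    return f"SELECT {column} FROM {table} LIMIT {limit}"


def build_sample_query(table, column, limit) -> str:
    """Hardened form: every interpolated piece is validated first, identifiers
    are double-quoted, and the limit is a bounded integer."""
    if not is_safe_table_reference(table):
        raise ValueError(f"rejected table reference: {table!r}")
    if not is_safe_identifier(column):
        raise ValueError(f"rejected column name: {column!r}")
    rows = to_int(limit, minimum=1, maximum=10_000)
    quoted_table = ".".join(f'"{part}"' for part in table.split("."))
    return f'SELECT "{column}" FROM {quoted_table} LIMIT {rows}'


if __name__ == "__main__":
    # Constructed inputs: one well-formed request and one with a comment marker.
    print(build_sample_query("public.orders", "amount", "10"))
    for bad in ("orders; --", "amount -- note"):
        print(f"{bad!r} accepted by unsafe builder:",
              build_sample_query_unsafe(bad, "x", 1))
        print(f"{bad!r} passes allowlist:", is_safe_identifier(bad))
```

The allowlist deliberately refuses quoted or non-ASCII identifiers rather than trying to escape them; a connector that must support such names should map them through a lookup of known columns fetched from the catalog instead of widening the pattern.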

Harish and others added 4 commits April 5, 2026 21:05
- Added backend/security.py module with is_safe_identifier() and
  is_safe_table_reference() functions to validate SQL identifiers
- Fixed SQL injection in all warehouse connectors (trino, databricks,
  postgres, snowflake, redshift, bigquery, duckdb) by validating table
  and column names before use in queries
- Added validation in contracts router for table/column references and
  restricted custom SQL rules to SELECT/WITH only
- Added validation in profiling router with safe result handling
- Added FileNotFoundError handling in config/loader.py
- Updated .env.example with secure placeholder passwords
- Added integer casting for numeric parameters to prevent injection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Reordered imports to follow ruff standards
- Removed unused imports
- Fixed blank lines with whitespace
- Reformatted code with ruff format

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@harishconti harishconti merged commit 9c125d6 into main Apr 5, 2026
3 checks passed