merlyn/server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors
Timothy Carambat 334ce052f0 Fix SQL injection in SQL Agent plugin via parameterized queries
Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.

Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries

Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
2026-03-12 21:56:57 -07:00
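The fix the commit message describes, as an added example that is not code from this repository: the string-concatenated "before" beside the parameterized "after", with the placeholder syntax of each connector named in the message. The names getTableSchemaSql and formatQueryForDisplay are taken from the message; their bodies, the DIALECTS table, getTableSchemaSqlUnsafe, bindForDriver, demo and the HOSTILE_TABLE_NAME sample input are assumptions made for this illustration.

```javascript
// Added example, not code from this repository: a minimal model of the fix the
// commit message describes. getTableSchemaSql and formatQueryForDisplay are
// named in the message; everything else here is an assumption for illustration.

// Placeholder syntax per connector, as listed in the commit message.
const DIALECTS = {
  postgresql: { placeholder: (i) => `$${i + 1}` }, // pg:     $1, $2, ...
  mysql:      { placeholder: () => "?" },          // mysql2: ?
  mssql:      { placeholder: (i) => `@p${i}` },    // mssql:  @p0, @p1, ...
};

// The pattern being removed: the LLM-supplied table name is spliced into the
// SQL text, so a single quote in it changes the statement's meaning.
function getTableSchemaSqlUnsafe(tableName) {
  return (
    "SELECT column_name, data_type FROM information_schema.columns " +
    `WHERE table_name = '${tableName}'`
  );
}

// The replacement: the SQL text contains only a placeholder and the name is
// carried separately, so the driver sends it as data, never as SQL.
function getTableSchemaSql(dialect, tableName) {
  const d = DIALECTS[dialect];
  if (!d) throw new Error(`unsupported dialect: ${dialect}`);
  const sql =
    "SELECT column_name, data_type FROM information_schema.columns " +
    `WHERE table_name = ${d.placeholder(0)}`;
  return { sql, params: [tableName] };
}

// How a handler hands a { sql, params } object to each driver. Returned as a
// call plan so this file runs without pg, mysql2 or mssql installed; the method
// names are the real driver APIs (pg client.query(text, values), mysql2
// connection.execute(sql, values), mssql request.input(name, value) followed
// by request.query(sql)).
function bindForDriver(dialect, { sql, params }) {
  switch (dialect) {
    case "postgresql":
      return [["query", sql, params]];
    case "mysql":
      return [["execute", sql, params]];
    case "mssql":
      return [...params.map((v, i) => ["input", `p${i}`, v]), ["query", sql]];
    default:
      throw new Error(`unsupported dialect: ${dialect}`);
  }
}

// For logs only: inline the bound values so a reader sees the effective query.
// The output is never executed; quoting here is cosmetic, not a security control.
function formatQueryForDisplay(dialect, { sql, params }) {
  const d = DIALECTS[dialect];
  if (!d) throw new Error(`unsupported dialect: ${dialect}`);
  const quote = (v) =>
    v === null || v === undefined ? "NULL" : `'${String(v).replace(/'/g, "''")}'`;
  let out = sql;
  params.forEach((value, i) => {
    const ph = d.placeholder(i);
    if (ph === "?") {
      // mysql2 placeholders are positional: consume the first remaining "?".
      out = out.replace("?", () => quote(value));
    } else {
      // $1 / @p0 are named: replace every occurrence, but not $10 or @p01.
      const escaped = ph.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
      out = out.replace(new RegExp(`${escaped}(?!\\d)`, "g"), () => quote(value));
    }
  });
  return out;
}

// Constructed input standing in for a table name an LLM might relay verbatim
// from a user prompt.
const HOSTILE_TABLE_NAME = "users'; DROP TABLE users; --";

function demo() {
  const unsafe = getTableSchemaSqlUnsafe(HOSTILE_TABLE_NAME);
  const safe = getTableSchemaSql("postgresql", HOSTILE_TABLE_NAME);
  return {
    unsafeSqlCarriesDrop: unsafe.includes("DROP TABLE"), // true: payload became SQL
    safeSqlCarriesDrop: safe.sql.includes("DROP TABLE"), // false: payload is a value
    boundValue: safe.params[0],
    logLine: formatQueryForDisplay("postgresql", safe),
  };
}

console.log(demo());
```

Run with node. Binding covers values such as the table_name compared in a WHERE clause against the catalog; an identifier used as the FROM target cannot be bound by any of these drivers and needs a separate allowlist check against the catalog before it is quoted into SQL text.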
index.js chore: add ESLint to /server (#5126) 2026-03-05 16:32:45 -08:00
MSSQL.js Fix SQL injection in SQL Agent plugin via parameterized queries 2026-03-12 21:56:57 -07:00
MySQL.js Fix SQL injection in SQL Agent plugin via parameterized queries 2026-03-12 21:56:57 -07:00
Postgresql.js Fix SQL injection in SQL Agent plugin via parameterized queries 2026-03-12 21:56:57 -07:00
utils.js Replace connectionString parser for sql-agent (#3560) 2025-03-28 12:46:21 -07:00