Skip to content

Comments

fix: prevent SQL injection in search queries#386

Merged
mhieta merged 2 commits intomainfrom
PL-210/search-use-psycopg-sql
Feb 12, 2026
Merged

fix: prevent SQL injection in search queries#386
mhieta merged 2 commits intomainfrom
PL-210/search-use-psycopg-sql

Conversation

@mhieta
Copy link
Contributor

@mhieta mhieta commented Feb 12, 2026
edited by atlassian bot
Loading

Description

Replace f-string SQL construction with parameterized queries using psycopg.sql module. Sanitize user-controlled values like language_short and config_language that were directly interpolated into SQL strings.

  • Use sql.SQL() with sql.Identifier() for column names
  • Use sql.Literal() for configuration values
  • Pass search_query_str and limits as query parameters
  • Apply fix to both conditional branches in main search query
  • Apply similar parameterization to address sorting query

This ensures all user input is properly sanitized before being executed as SQL queries.

Context

PL-210

@mhieta
fix: prevent SQL injection in search queries
674f3fc 
Replace f-string SQL construction with parameterized queries using
psycopg.sql module. Sanitize user-controlled values like
language_short and config_language that were directly interpolated
into SQL strings.

- Use sql.SQL() with sql.Identifier() for column names
- Use sql.Literal() for configuration values
- Pass search_query_str and limits as query parameters
- Apply fix to both conditional branches in main search query
- Apply similar parameterization to address sorting query

This ensures all user input is properly sanitized before being
executed as SQL queries.

Refs: PL-210
@azure-pipelines
Copy link

azure-pipelines bot commented Feb 12, 2026

PALVELUKARTTA-API branch is deployed to platta: https://palvelukartta-api-pr386.dev.hel.ninja 🚀🚀🚀

@mhieta
fix: mock geocode_address in test_address_filter
3f9f256 
The test was failing with a 509 error
because it was making actual HTTP requests
to the Nominatim geocoding service.

Added @patch decorator to mock
the geocode_address function, preventing
external API calls and ensuring reliable test
execution. The mock returns controlled
coordinates to test both inside and outside
the test area boundaries.

Refs: PL-210
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 12, 2026
edited
Loading

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
83.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@mhieta mhieta marked this pull request as ready for review February 12, 2026 12:53
@mhieta mhieta requested a review from a team as a code owner February 12, 2026 12:53
@azure-pipelines
Copy link

azure-pipelines bot commented Feb 12, 2026

PALVELUKARTTA-API branch is deployed to platta: https://palvelukartta-api-pr386.dev.hel.ninja 🚀🚀🚀

@mhieta mhieta merged commit 85ad493 into main Feb 12, 2026
7 checks passed
@mhieta mhieta deleted the PL-210/search-use-psycopg-sql branch February 12, 2026 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicobav nicobav nicobav approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mhieta @nicobav