fix: prevent SQL injection in search queries #386

Merged
mhieta merged 2 commits into main from PL-210/search-use-psycopg-sql
Feb 12, 2026
Conversation

@mhieta (Contributor)

@mhieta mhieta commented Feb 12, 2026

Description

Replace f-string SQL construction with parameterized queries using the psycopg.sql module. Sanitize user-controlled values like language_short and config_language that were directly interpolated into SQL strings.

  • Use sql.SQL() with sql.Identifier() for column names
  • Use sql.Literal() for configuration values
  • Pass search_query_str and limits as query parameters
  • Apply fix to both conditional branches in main search query
  • Apply similar parameterization to address sorting query

This ensures all user input is properly sanitized before being executed as SQL queries.

Context

PL-210
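The pattern this pull request removes and the pattern it introduces, side by side, as an added example that is not the project's code. It uses the standard-library sqlite3 module in place of psycopg so it runs offline; the `unit` table, its rows, the `ALLOWED_LANGUAGES` list and the `quote_identifier` helper (a hypothetical stand-in for psycopg's `sql.Identifier`) are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a service-unit table with one name
# column per language ("name_fi", "name_sv", "name_en"), the layout behind a
# request-controlled language_short value.
UNITS = [
    (1, "Keskustakirjasto", "Centrumbiblioteket", "Central Library"),
    (2, "Uimahalli", "Simhallen", "Swimming Hall"),
    (3, "Kaupunginmuseo", "Stadsmuseet", "City Museum"),
]

# Only these language codes may select a column; anything else is rejected
# before it reaches the SQL text. (Constructed allow-list for this example.)
ALLOWED_LANGUAGES = ("fi", "sv", "en")


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE unit (id INTEGER PRIMARY KEY, name_fi TEXT, name_sv TEXT, name_en TEXT)"
    )
    conn.executemany("INSERT INTO unit VALUES (?, ?, ?, ?)", UNITS)
    return conn


def search_unsafe(conn, language_short, search_query_str, limit):
    """The 'before' pattern: every request value is pasted into the SQL text.

    A search string containing a quote ends the literal early and the rest is
    parsed as SQL, so the WHERE clause no longer means what the code intended.
    """
    query = (
        f"SELECT id FROM unit WHERE name_{language_short} = '{search_query_str}' "
        f"LIMIT {limit}"
    )
    return sorted(row[0] for row in conn.execute(query))


def quote_identifier(name):
    """Hypothetical stand-in for psycopg's sql.Identifier: double-quote the name
    and double any embedded quote, so the value can only be read as one
    identifier and never as further SQL."""
    return '"' + name.replace('"', '""') + '"'


def search_safe(conn, language_short, search_query_str, limit):
    """The 'after' pattern: identifiers are allow-listed and quoted, values are bound.

    The column name is composed from a checked code, while the search string and
    the limit travel as bound parameters and are never part of the SQL text.
    """
    if language_short not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language code: {language_short!r}")
    column = quote_identifier(f"name_{language_short}")
    query = f"SELECT id FROM unit WHERE {column} = ? LIMIT ?"
    return sorted(row[0] for row in conn.execute(query, (search_query_str, int(limit))))


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a search string that closes the quoted literal early.
    payload = "' OR 'a'='a"
    print("unsafe:", search_unsafe(db, "en", payload, 10))  # every row matches
    print("safe:  ", search_safe(db, "en", payload, 10))    # compared as plain text: no match
```

With psycopg the same split reads `sql.SQL("SELECT id FROM unit WHERE {} = %s LIMIT %s").format(sql.Identifier(f"name_{language_short}"))`, executed as `cur.execute(query, (search_query_str, limit))`; `sql.Literal` is the same idea for configuration values the query has to embed as constants. Note that `sql.Identifier` only guarantees the value is parsed as a single identifier; it does not restrict which column is chosen, so the allow-list check is the part that actually bounds `language_short`.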

Replace f-string SQL construction with parameterized queries using
psycopg.sql module. Sanitize user-controlled values like
language_short and config_language that were directly interpolated
into SQL strings.

- Use sql.SQL() with sql.Identifier() for column names
- Use sql.Literal() for configuration values
- Pass search_query_str and limits as query parameters
- Apply fix to both conditional branches in main search query
- Apply similar parameterization to address sorting query

This ensures all user input is properly sanitized before being
executed as SQL queries.

Refs: PL-210
@azure-pipelines

PALVELUKARTTA-API branch is deployed to platta: https://palvelukartta-api-pr386.dev.hel.ninja 🚀🚀🚀

The test was failing with a 509 error
because it was making actual HTTP requests
to the Nominatim geocoding service.

Added @patch decorator to mock
the geocode_address function, preventing
external API calls and ensuring reliable test
execution. The mock returns controlled
coordinates to test both inside and outside
the test area boundaries.

Refs: PL-210
@sonarqubecloud
sonarqubecloud bot commented Feb 12, 2026

@mhieta mhieta marked this pull request as ready for review February 12, 2026 12:53
@mhieta mhieta requested a review from a team as a code owner February 12, 2026 12:53

@mhieta mhieta merged commit 85ad493 into main Feb 12, 2026
7 checks passed
@mhieta mhieta deleted the PL-210/search-use-psycopg-sql branch February 12, 2026 13:14
