HIGH: SQL injection surface in analyticsService.js - string interpolation in WHERE clause #71

Closed
opened 2026-05-31 12:02:53 -05:00 by null · 1 comment

Bug Description

The buildBillWhere() function (services/analyticsService.js:81) constructs SQL WHERE clauses via string interpolation:

const billWhere = buildBillWhere({ ...parsed, userId });
// ...later:
WHERE ${billWhere.where}

While the current implementation is safe (buildBillWhere only uses parameterized values for user-supplied data), this pattern is fragile. Any future modification that passes unsanitized input through billWhere could introduce SQL injection.

Affected Files

  • services/analyticsService.js:81-93 (buildBillWhere function)
  • services/analyticsService.js:138 (WHERE interpolation)
  • services/payments.js:86 (LIVE constant interpolation)

Impact

Currently safe, but architecturally risky. A single typo or refactoring mistake could introduce injection.

Recommended Fix

Refactor buildBillWhere() to return a structured object with separate clauses array and params array, then build the query using parameterized placeholders (?) instead of string interpolation. This makes injection impossible by construction.

null added the priority:high, backend, bug labels 2026-05-31 12:02:53 -05:00
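The structured builder the report recommends, as an added example that is not BillTracker's own code. Column names (user_id, status, category, due_date) and the filter keys are assumed. It keeps the two things the comment distinguishes apart: SQL fragments built only from fixed text and "?" are interpolated, while every user-supplied value goes into params.

```javascript
// Added example (not the project's code). Column names are assumed.
// Filter key -> column. Only these columns can ever appear in the WHERE text.
const FILTERABLE = { status: "status", category: "category", dueAfter: "due_date", dueBefore: "due_date" };

function buildBillWhere({ userId, status, category, dueAfter, dueBefore }) {
  if (!Number.isInteger(userId)) throw new TypeError("userId must be an integer");
  const clauses = ["user_id = ?"];
  const params = [userId];
  if (status !== undefined) {
    const list = Array.isArray(status) ? status : [status];
    if (list.length === 0) throw new RangeError("status list must not be empty");
    // One placeholder per value; the values themselves never touch the SQL text.
    clauses.push(`${FILTERABLE.status} IN (${list.map(() => "?").join(", ")})`);
    params.push(...list);
  }
  if (category !== undefined) { clauses.push(`${FILTERABLE.category} = ?`); params.push(category); }
  if (dueAfter !== undefined) { clauses.push(`${FILTERABLE.dueAfter} >= ?`); params.push(dueAfter); }
  if (dueBefore !== undefined) { clauses.push(`${FILTERABLE.dueBefore} <= ?`); params.push(dueBefore); }
  return { clauses, params, where: clauses.join(" AND ") };
}

function buildBillQuery(filters) {
  const { where, params } = buildBillWhere(filters);
  // Defence in depth: a fragment built as above can never contain quote or
  // statement characters; if it does, a refactor has broken the invariant.
  if (/['";]/.test(where)) throw new Error("WHERE fragment contains literal text");
  // Interpolating the fragment is the safe pattern the comment describes: the
  // structure is ours, the data stays in params for the driver to bind.
  const sql = `SELECT id, amount, due_date FROM bills WHERE ${where} ORDER BY due_date`;
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== params.length) throw new Error("placeholder/param count mismatch");
  return { sql, params };
}

// Constructed input: the hostile status string ends up as a bound value only.
const demo = buildBillQuery({ userId: 7, status: ["paid' OR 1=1 --", "due"], dueAfter: "2026-01-01" });
console.log(demo.sql);
console.log(demo.params);
```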
null (Author, Owner):

Both patterns are safe and no changes are needed. The report confused "string interpolation of SQL fragments" (safe, it's just building the query structure) with "string interpolation of user input" (unsafe). The code correctly separates the two.

null closed this issue 2026-05-31 13:09:22 -05:00
Reference: null/BillTracker#71