HIGH: SQL injection surface in analyticsService.js - string interpolation in WHERE clause #71
Reference: null/BillTracker#71
Bug Description
The buildBillWhere() function (services/analyticsService.js:81) constructs SQL WHERE clauses via string interpolation:
const billWhere = buildBillWhere({ ...parsed, userId });
// ...later:
WHERE ${billWhere.where}
While the current implementation is safe (buildBillWhere only uses parameterized values for user-supplied data), this pattern is fragile. Any future modification that passes unsanitized input through billWhere could introduce SQL injection.
Affected Files
Impact
Currently safe, but architecturally risky. A single typo or refactoring mistake could introduce injection.
Recommended Fix
Refactor buildBillWhere() to return a structured object with separate clauses array and params array, then build the query using parameterized placeholders (?) instead of string interpolation. This makes injection impossible by construction.
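The structured builder the recommended fix describes, written out as an added example (not BillTracker's own code); the filter names, the bills table and its columns are assumed for the demonstration:

```javascript
// buildBillWhere() shaped as the issue recommends: every user-controlled
// value goes into `params`, and `clauses` holds only fixed SQL text with `?`
// placeholders, so request data is never concatenated into the statement.
// Filter names (userId, category, minAmount, from, to) are assumed.
function buildBillWhere({ userId, category, minAmount, from, to }) {
  const clauses = ['user_id = ?']; // always scoped to the calling user
  const params = [userId];

  if (category !== undefined) {
    clauses.push('category = ?');
    params.push(String(category));
  }
  if (minAmount !== undefined) {
    const n = Number(minAmount);
    if (!Number.isFinite(n)) throw new TypeError('minAmount must be numeric');
    clauses.push('amount >= ?');
    params.push(n);
  }
  if (from !== undefined) {
    clauses.push('created_at >= ?');
    params.push(from);
  }
  if (to !== undefined) {
    clauses.push('created_at <= ?');
    params.push(to);
  }
  return { clauses, params };
}

// Assemble the final statement. The only interpolation is of the clause
// list, which by construction contains no user data; `params` is handed to
// the driver alongside `sql` (e.g. db.all(sql, params)).
function buildBillQuery(filters) {
  const { clauses, params } = buildBillWhere(filters);
  const sql = `SELECT id, amount, category FROM bills WHERE ${clauses.join(' AND ')}`;
  return { sql, params };
}

// Constructed sample: a quote in a filter value lands in params, not in sql.
const demo = buildBillQuery({ userId: 7, category: "o'neil" });
// demo.sql    -> SELECT id, amount, category FROM bills WHERE user_id = ? AND category = ?
// demo.params -> [7, "o'neil"]
```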
Both patterns are safe and no changes are needed. The report confused "string interpolation of SQL fragments" (safe, it's just building the query structure) with "string interpolation of user input" (unsafe). The code correctly separates the two.