Security: SQL injection risk from dynamic SQL identifier concatenation#3668

Open
tuanaiseo wants to merge 1 commit into metabrainz:master from tuanaiseo:contribai/fix/security/sql-injection-risk-from-dynamic-sql-iden
@tuanaiseo

Problem

insert_rows concatenates table (and likely cols) directly into SQL strings. If these values can be influenced by untrusted input, an attacker can inject SQL through identifiers.

Severity: high
File: mbid_mapping/mapping/utils.py

Solution

Treat table/column names as trusted constants only. Enforce allowlists for identifiers and construct SQL with psycopg2.sql.SQL + Identifier instead of string concatenation.

Changes

  • mbid_mapping/mapping/utils.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

`insert_rows` concatenates `table` (and likely `cols`) directly into SQL strings. If these values can be influenced by untrusted input, an attacker can inject SQL through identifiers.

Affected files: utils.py

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
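The allowlist-plus-composition pattern the PR proposes, as an added example that is not the PR's diff or the mbid_mapping project's own code. The table and column names, the regex, and the function names are assumptions; psycopg2 is imported optionally so the allowlist check runs even where the driver is not installed.

```python
import re

try:
    from psycopg2 import sql  # composition API used by the hardened builder
except ImportError:  # optional so the allowlist logic still runs without the driver
    sql = None

# Constructed allowlists: the only tables and columns this code may ever write to.
# These names are assumptions, not the real mbid_mapping schema.
ALLOWED_TABLES = {"mapping.recording_pairs", "mapping.canonical_release"}
ALLOWED_COLUMNS = {"recording_mbid", "release_mbid", "score"}
IDENT_PART_RE = re.compile(r"^[a-z_][a-z0-9_]*$")


def insert_rows_vulnerable(table, cols):
    """'Before' shape: whatever string arrives becomes part of the SQL text."""
    placeholders = ", ".join("%s" for _ in cols)
    return "INSERT INTO " + table + " (" + ", ".join(cols) + ") VALUES (" + placeholders + ")"


def check_identifier(name, allowed):
    """Return the dotted parts of name, or raise if it is not a known identifier.

    Membership in the allowlist is the real control; the regex is defence in
    depth so a mistaken allowlist entry can never carry quotes or semicolons.
    """
    parts = name.split(".")
    if name not in allowed or not all(IDENT_PART_RE.match(p) for p in parts):
        raise ValueError("identifier not in allowlist: %r" % name)
    return parts


def insert_rows_safe(table, cols):
    """Hardened shape: allowlist check first, then psycopg2.sql composition.

    The driver quotes each Identifier when the statement is rendered against a
    connection, so no name can alter the structure of the statement.
    """
    table_parts = check_identifier(table, ALLOWED_TABLES)
    col_names = [check_identifier(c, ALLOWED_COLUMNS)[0] for c in cols]
    if sql is None:
        raise RuntimeError("psycopg2 is required to compose the statement")
    return sql.SQL("INSERT INTO {} ({}) VALUES ({})").format(
        sql.Identifier(*table_parts),  # dotted identifiers need psycopg2 >= 2.8
        sql.SQL(", ").join([sql.Identifier(c) for c in col_names]),
        sql.SQL(", ").join(sql.Placeholder() * len(col_names)),
    )
```

The composed statement is executed as `cur.execute(stmt, row)`; rendering it to text requires a connection (`stmt.as_string(conn)`), which is why identifiers are validated before composition rather than by inspecting the rendered SQL.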