Merge pull request #368 from Worklenz/fix/sql-injection-vulnerabilities

chamikaJ · web-flow · commit 5f780b6de9ac · 2026-02-09T07:30:36.000+05:30
fix: Address SQL injection vulnerabilities by introducing secure SQL …
diff --git a/manage.sh b/manage.sh
@@ -1108,6 +1108,11 @@ push_images() {
     # Push frontend images
     print_info "Pushing frontend images to Docker Hub..."
     if [ "$frontend_version" != "latest" ]; then
+        # Verify version-tagged image exists locally
+        if ! docker image inspect "${docker_username}/worklenz-frontend:${frontend_version}" >/dev/null 2>&1; then
+            print_error "Image ${docker_username}/worklenz-frontend:${frontend_version} not found locally. Please build it first."
+            return 1
+        fi
         print_info "Pushing ${docker_username}/worklenz-frontend:${frontend_version}..."
         docker push "${docker_username}/worklenz-frontend:${frontend_version}"
         if [ $? -ne 0 ]; then
@@ -1317,16 +1322,32 @@ install_worklenz() {
                     if [ "$backend_version" != "latest" ]; then
                         print_info "Pushing backend image (${backend_version})..."
                         docker push "${docker_username}/worklenz-backend:${backend_version}"
+                        if [ $? -ne 0 ]; then
+                            print_error "Failed to push backend image (${backend_version})"
+                            return 1
+                        fi
                     fi
                     print_info "Pushing backend image (latest)..."
                     docker push "${docker_username}/worklenz-backend:latest"
+                    if [ $? -ne 0 ]; then
+                        print_error "Failed to push backend image (latest)"
+                        return 1
+                    fi
 
                     if [ "$frontend_version" != "latest" ]; then
                         print_info "Pushing frontend image (${frontend_version})..."
                         docker push "${docker_username}/worklenz-frontend:${frontend_version}"
+                        if [ $? -ne 0 ]; then
+                            print_error "Failed to push frontend image (${frontend_version})"
+                            return 1
+                        fi
                     fi
                     print_info "Pushing frontend image (latest)..."
                     docker push "${docker_username}/worklenz-frontend:latest"
+                    if [ $? -ne 0 ]; then
+                        print_error "Failed to push frontend image (latest)"
+                        return 1
+                    fi
 
                     print_success "Images pushed to Docker Hub!"
                 fi
diff --git a/worklenz-backend/src/controllers/reporting/projects/reporting-projects-controller.ts b/worklenz-backend/src/controllers/reporting/projects/reporting-projects-controller.ts
@@ -27,26 +27,26 @@ export default class ReportingProjectsController extends ReportingProjectsBase {
     let statusesClause = "";
     if (req.query.statuses) {
       const statusIds = (req.query.statuses as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(statusIds, 'p.status_id', paramOffset);
-      statusesClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(statusIds, 'status_id', paramOffset);
+      statusesClause = clause.replace('status_id', 'p.status_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
 
     let healthsClause = "";
     if (req.query.healths) {
       const healthIds = (req.query.healths as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(healthIds, 'p.health_id', paramOffset);
-      healthsClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(healthIds, 'health_id', paramOffset);
+      healthsClause = clause.replace('health_id', 'p.health_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
 
     let categoriesClause = "";
     if (req.query.categories) {
       const categoryIds = (req.query.categories as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(categoryIds, 'p.category_id', paramOffset);
-      categoriesClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(categoryIds, 'category_id', paramOffset);
+      categoriesClause = clause.replace('category_id', 'p.category_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
@@ -63,8 +63,8 @@ export default class ReportingProjectsController extends ReportingProjectsBase {
     let teamsClause = "";
     if (req.query.teams) {
       const teamIds = (req.query.teams as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(teamIds, 'p.team_id', paramOffset);
-      teamsClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(teamIds, 'team_id', paramOffset);
+      teamsClause = clause.replace('team_id', 'p.team_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
@@ -149,7 +149,7 @@ export default class ReportingProjectsController extends ReportingProjectsBase {
     if (key === DATE_RANGES.LAST_QUARTER)
       return { clause: ",(SELECT (CURRENT_DATE - INTERVAL '3 months')::DATE) AS start_date, (SELECT (CURRENT_DATE)::DATE) AS end_date", params: [] };
     if (key === DATE_RANGES.ALL_TIME)
-      return { clause: ",(SELECT (MIN(task_work_log.created_at)::DATE) FROM task_work_log WHERE task_id IN (SELECT id FROM tasks WHERE project_id = $1)) AS start_date, (SELECT (MAX(task_work_log.created_at)::DATE) FROM task_work_log WHERE task_id IN (SELECT id FROM tasks WHERE project_id = $1)) AS end_date", params: [] };
+      return { clause: `,(SELECT (MIN(task_work_log.created_at)::DATE) FROM task_work_log WHERE task_id IN (SELECT id FROM tasks WHERE project_id = $${paramOffset})) AS start_date, (SELECT (MAX(task_work_log.created_at)::DATE) FROM task_work_log WHERE task_id IN (SELECT id FROM tasks WHERE project_id = $${paramOffset})) AS end_date`, params: [] };
 
     return { clause: "", params: [] };
   }
@@ -272,26 +272,26 @@ export default class ReportingProjectsController extends ReportingProjectsBase {
     let statusesClause = "";
     if (req.query.statuses) {
       const statusIds = (req.query.statuses as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(statusIds, 'p.status_id', paramOffset);
-      statusesClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(statusIds, 'status_id', paramOffset);
+      statusesClause = clause.replace('status_id', 'p.status_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
 
     let healthsClause = "";
     if (req.query.healths) {
       const healthIds = (req.query.healths as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(healthIds, 'p.health_id', paramOffset);
-      healthsClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(healthIds, 'health_id', paramOffset);
+      healthsClause = clause.replace('health_id', 'p.health_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
 
     let categoriesClause = "";
     if (req.query.categories) {
       const categoryIds = (req.query.categories as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(categoryIds, 'p.category_id', paramOffset);
-      categoriesClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(categoryIds, 'category_id', paramOffset);
+      categoriesClause = clause.replace('category_id', 'p.category_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
@@ -308,8 +308,8 @@ export default class ReportingProjectsController extends ReportingProjectsBase {
     let teamsClause = "";
     if (req.query.teams) {
       const teamIds = (req.query.teams as string).split(",").filter(id => id.trim());
-      const { clause, params } = SqlHelper.buildOptionalInClause(teamIds, 'p.team_id', paramOffset);
-      teamsClause = clause;
+      const { clause, params } = SqlHelper.buildOptionalInClause(teamIds, 'team_id', paramOffset);
+      teamsClause = clause.replace('team_id', 'p.team_id');
       filterParams.push(...params);
       paramOffset += params.length;
     }
diff --git a/worklenz-backend/src/shared/sql-helpers.ts b/worklenz-backend/src/shared/sql-helpers.ts
@@ -112,7 +112,7 @@ export class SqlHelper {
 
     conditions.forEach((condition, index) => {
       const conjunction = index === 0 ? "" : ` ${condition.conjunction || "AND"} `;
-      
+
       if (condition.operator.toUpperCase() === "IN") {
         const values = Array.isArray(condition.value) ? condition.value : [condition.value];
         const { clause, params: inParams } = this.buildInClause(values, currentParam);
@@ -148,13 +148,13 @@ export class SqlHelper {
     } = {}
   ): { clause: string; params: string[] } {
     const { caseSensitive = false, prefix = true, suffix = true } = options;
-    
+
     let pattern = searchTerm;
     if (prefix) pattern = `%${pattern}`;
     if (suffix) pattern = `${pattern}%`;
-    
+
     const operator = caseSensitive ? "LIKE" : "ILIKE";
-    
+
     return {
       clause: `${field} ${operator} $${paramOffset}`,
       params: [pattern],
@@ -177,7 +177,7 @@ export class SqlHelper {
     const operator = caseSensitive ? "LIKE" : "ILIKE";
     const pattern = `%${searchTerm}%`;
     const clauses = fields.map(field => `${field} ${operator} $${paramOffset}`);
-    
+
     return {
       clause: `(${clauses.join(" OR ")})`,
       params: [pattern],
@@ -223,14 +223,32 @@ export class SqlHelper {
 
   /**
    * Escape identifier (table/column name) for secure query building
+   * Supports both simple identifiers (e.g., "status_id") and qualified identifiers (e.g., "p.status_id")
    */
   static escapeIdentifier(identifier: string): string {
+    // Handle qualified identifiers (e.g., "p.status_id")
+    if (identifier.includes('.')) {
+      const segments = identifier.split('.');
+      const escapedSegments = segments.map(segment => {
+        const cleaned = segment.replace(/"/g, "");
+
+        if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(cleaned)) {
+          throw new Error(`Invalid identifier segment: ${segment}`);
+        }
+
+        return `"${cleaned}"`;
+      });
+
+      return escapedSegments.join('.');
+    }
+
+    // Handle simple identifiers
     const cleaned = identifier.replace(/"/g, "");
-    
+
     if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(cleaned)) {
       throw new Error(`Invalid identifier: ${identifier}`);
     }
-    
+
     return `"${cleaned}"`;
   }
 
