mirror of
https://github.com/Significant-Gravitas/AutoGPT.git
synced 2026-02-09 14:25:25 -05:00
a1ac109356
### Changes 🏗️ Enhanced SQL query security in the store search functionality by implementing proper parameterization to prevent SQL injection vulnerabilities. **Security Improvements:** - Replaced string interpolation with PostgreSQL positional parameters (`$1`, `$2`, etc.) for all user inputs - Added ORDER BY whitelist validation to prevent injection via `sorted_by` parameter - Parameterized search term, creators array, category, and pagination values - Fixed variable naming conflict (`sql_where_clause` vs `where_clause`) **Testing:** - Added 4 comprehensive tests validating SQL injection prevention across different attack vectors - Tests verify that malicious input in search queries, filters, sorting, and categories are safely handled - All 10 tests in db_test.py pass successfully ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] All existing tests pass (10/10 tests passing) - [x] New security tests validate SQL injection prevention - [x] Verified parameterized queries handle malicious input safely - [x] Code formatting passes (`poetry run format`) #### For configuration changes: - [x] `.env.default` is updated or already compatible with my changes - [x] `docker-compose.yml` is updated or already compatible with my changes - [x] I have included a list of my configuration changes in the PR description (under **Changes**) *Note: No configuration changes required for this security fix*