eliott/anything-llm
1
0
Fork 0
mirror of https://github.com/Mintplex-Labs/anything-llm synced 2026-04-25 17:15:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix SQL injection in SQL Agent plugin via parameterized queries

Browse Source 
Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.

Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries

Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
This commit is contained in:
Timothy Carambat
2026-03-12 21:56:57 -07:00
parent 9e2d144dc8
commit 334ce052f0
5 changed files with 81 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors/MSSQL.js
View File

@@ -62,14 +62,19 @@ class MSSQLConnector {
/**
*
* @param {string} queryString the SQL query to be run
* @param {Array} params optional parameters for prepared statement
* @returns {Promise<import(".").QueryResult>}
*/
async runQuery(queryString = "") {
async runQuery(queryString = "", params = []) {
const result = { rows: [], count: 0, error: null };
try {
if (!this.#connected) await this.connect();
const query = await this._client.query(queryString);
const request = this._client.request();
params.forEach((value, index) => {
request.input(`p${index}`, value);
});
const query = await request.query(queryString);
result.rows = query.recordset;
result.count = query.rowsAffected.reduce((sum, a) => sum + a, 0);
} catch (err) {
@@ -99,7 +104,10 @@ class MSSQLConnector {
}
getTableSchemaSql(table_name) {
return `SELECT COLUMN_NAME,COLUMN_DEFAULT,IS_NULLABLE,DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='${table_name}'`;
return {
query: `SELECT COLUMN_NAME, COLUMN_DEFAULT, IS_NULLABLE, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @p0`,
params: [table_name],
};
}
}

19
server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors/MySQL.js
View File

@@ -30,13 +30,17 @@ class MySQLConnector {
/**
*
* @param {string} queryString the SQL query to be run
* @param {Array} params optional parameters for prepared statement
* @returns {Promise<import(".").QueryResult>}
*/
async runQuery(queryString = "") {
async runQuery(queryString = "", params = []) {
const result = { rows: [], count: 0, error: null };
try {
if (!this.#connected) await this.connect();
const [query] = await this._client.query(queryString);
const [query] =
params.length > 0
? await this._client.execute(queryString, params)
: await this._client.query(queryString);
result.rows = query;
result.count = query?.length;
} catch (err) {
@@ -62,10 +66,17 @@ class MySQLConnector {
}
getTablesSql() {
return `SELECT table_name FROM information_schema.tables WHERE table_schema = '${this.database_id}'`;
return {
query: `SELECT table_name FROM information_schema.tables WHERE table_schema = ?`,
params: [this.database_id],
};
}
getTableSchemaSql(table_name) {
return `SHOW COLUMNS FROM ${this.database_id}.${table_name};`;
return {
query: `SELECT COLUMN_NAME, COLUMN_TYPE, IS_NULLABLE, COLUMN_KEY, COLUMN_DEFAULT, EXTRA FROM information_schema.columns WHERE table_schema = ? AND table_name = ?`,
params: [this.database_id, table_name],
};
}
}

16
server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors/Postgresql.js
View File

@@ -25,13 +25,14 @@ class PostgresSQLConnector {
/**
*
* @param {string} queryString the SQL query to be run
* @param {Array} params optional parameters for prepared statement
* @returns {Promise<import(".").QueryResult>}
*/
async runQuery(queryString = "") {
async runQuery(queryString = "", params = []) {
const result = { rows: [], count: 0, error: null };
try {
if (!this.#connected) await this.connect();
const query = await this._client.query(queryString);
const query = await this._client.query(queryString, params);
result.rows = query.rows;
result.count = query.rowCount;
} catch (err) {
@@ -57,10 +58,17 @@ class PostgresSQLConnector {
}
getTablesSql() {
return `SELECT * FROM pg_catalog.pg_tables WHERE schemaname = '${this.schema}'`;
return {
query: `SELECT * FROM pg_catalog.pg_tables WHERE schemaname = $1`,
params: [this.schema],
};
}
getTableSchemaSql(table_name) {
return ` select column_name, data_type, character_maximum_length, column_default, is_nullable from INFORMATION_SCHEMA.COLUMNS where table_name = '${table_name}' AND table_schema = '${this.schema}'`;
return {
query: `SELECT column_name, data_type, character_maximum_length, column_default, is_nullable FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = $1 AND table_schema = $2`,
params: [table_name, this.schema],
};
}
}

25
server/utils/agents/aibitat/plugins/sql-agent/get-table-schema.js
View File

@@ -6,6 +6,18 @@ module.exports.SqlAgentGetTableSchema = {
getDBClient,
} = require("./SQLConnectors/index.js");
function formatQueryForDisplay(query, params = []) {
if (!params.length) return query;
let formatted = query;
params.forEach((param, index) => {
const value = typeof param === "string" ? `'${param}'` : param;
formatted = formatted.replace(`$${index + 1}`, value);
formatted = formatted.replace(`@p${index}`, value);
formatted = formatted.replace("?", value);
});
return formatted;
}
return {
name: "sql-get-table-schema",
setup(aibitat) {
@@ -67,12 +79,17 @@ module.exports.SqlAgentGetTableSchema = {
this.super.introspect(
`${this.caller}: Querying the table schema for ${table_name} in the ${databaseConfig.database_id} database.`
);
const sqlQuery = db.getTableSchemaSql(table_name);
const isParameterized =
typeof sqlQuery === "object" && sqlQuery.query;
const queryString = isParameterized ? sqlQuery.query : sqlQuery;
const queryParams = isParameterized ? sqlQuery.params : [];
this.super.introspect(
`Running SQL: ${db.getTableSchemaSql(table_name)}`
);
const result = await db.runQuery(
db.getTableSchemaSql(table_name)
`Running SQL: ${formatQueryForDisplay(queryString, queryParams)}`
);
const result = await db.runQuery(queryString, queryParams);
if (result.error) {
this.super.handlerProps.log(

24
server/utils/agents/aibitat/plugins/sql-agent/list-table.js
View File

@@ -6,6 +6,18 @@ module.exports.SqlAgentListTables = {
getDBClient,
} = require("./SQLConnectors/index.js");
function formatQueryForDisplay(query, params = []) {
if (!params.length) return query;
let formatted = query;
params.forEach((param, index) => {
const value = typeof param === "string" ? `'${param}'` : param;
formatted = formatted.replace(`$${index + 1}`, value);
formatted = formatted.replace(`@p${index}`, value);
formatted = formatted.replace("?", value);
});
return formatted;
}
return {
name: "sql-list-tables",
setup(aibitat) {
@@ -61,8 +73,16 @@ module.exports.SqlAgentListTables = {
`${this.caller}: Checking what are the available tables in the ${databaseConfig.database_id} database.`
);
this.super.introspect(`Running SQL: ${db.getTablesSql()}`);
const result = await db.runQuery(db.getTablesSql(database_id));
const sqlQuery = db.getTablesSql();
const isParameterized =
typeof sqlQuery === "object" && sqlQuery.query;
const queryString = isParameterized ? sqlQuery.query : sqlQuery;
const queryParams = isParameterized ? sqlQuery.params : [];
this.super.introspect(
`Running SQL: ${formatQueryForDisplay(queryString, queryParams)}`
);
const result = await db.runQuery(queryString, queryParams);
if (result.error) {
this.super.handlerProps.log(
`sql-list-tables tool reported error`,