eliott/anything-llm
1
0
Fork 0
mirror of https://github.com/Mintplex-Labs/anything-llm synced 2026-04-26 09:35:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix SQL injection in SQL Agent plugin via parameterized queries

Browse Source 
Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.

Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries

Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
This commit is contained in:
Timothy Carambat
2026-03-12 21:56:57 -07:00
parent 9e2d144dc8
commit 334ce052f0
5 changed files with 81 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors/MySQL.js
View File

@@ -30,13 +30,17 @@ class MySQLConnector {
/**
*
* @param {string} queryString the SQL query to be run
* @param {Array} params optional parameters for prepared statement
* @returns {Promise<import(".").QueryResult>}
*/
async runQuery(queryString = "") {
async runQuery(queryString = "", params = []) {
const result = { rows: [], count: 0, error: null };
try {
if (!this.#connected) await this.connect();
const [query] = await this._client.query(queryString);
const [query] =
params.length > 0
? await this._client.execute(queryString, params)
: await this._client.query(queryString);
result.rows = query;
result.count = query?.length;
} catch (err) {
@@ -62,10 +66,17 @@ class MySQLConnector {
}
getTablesSql() {
return `SELECT table_name FROM information_schema.tables WHERE table_schema = '${this.database_id}'`;
return {
query: `SELECT table_name FROM information_schema.tables WHERE table_schema = ?`,
params: [this.database_id],
};
}
getTableSchemaSql(table_name) {
return `SHOW COLUMNS FROM ${this.database_id}.${table_name};`;
return {
query: `SELECT COLUMN_NAME, COLUMN_TYPE, IS_NULLABLE, COLUMN_KEY, COLUMN_DEFAULT, EXTRA FROM information_schema.columns WHERE table_schema = ? AND table_name = ?`,
params: [this.database_id, table_name],
};
}
}