anything-llm/server
Timothy Carambat 334ce052f0 Fix SQL injection in SQL Agent plugin via parameterized queries
Replace string concatenation with parameterized queries in all database
connectors to prevent SQL injection through LLM-generated table names.

Changes:
- PostgreSQL: Use $1, $2 placeholders with pg client parameterization
- MySQL: Use ? placeholders with mysql2 execute() prepared statements
- MSSQL: Use @p0 placeholders with request.input() parameterization
- Update handlers to support parameterized query objects
- Add formatQueryForDisplay() for logging parameterized queries

Security: Mitigates potential SQL injection when LLM passes unsanitized
user input as table_name parameter to getTableSchemaSql/getTablesSql.
GHSA-jwjx-mw2p-5wc7
2026-03-12 21:56:57 -07:00