
Potential SQL injection in example code

Open MKusber opened this issue 1 year ago • 0 comments

Referring to code samples like here: https://github.com/SAP-samples/btp-generative-ai-hub-use-cases/blob/f11b16bc63b2a9cd0a7a17d3c197e9eb26b11d8f/02-embedding-business-context-vector-engine/cap-app/api/srv/rag-service.ts#L63-L80

Taking into account the documentation here and the specific paragraph below, the provided code in the examples seems to be dangerous, as unsanitized user input is used directly to concatenate a SQL string without using proper cds.ql.

Please verify whether this is a correct interpretation of the security of the provided samples and whether this should be corrected throughout the samples.


MKusber, Jun 14 '24 09:06
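The defect the issue describes, shown as an added, self-contained example (this is not the SAP sample's code and does not use @sap/cds): the unsafe builder splices user text into the SQL string, so even a benign value containing an apostrophe, such as a name like O'Reilly, changes the statement's structure; the prepared builder keeps the SQL text constant and hands the value over as a bound parameter, which is what cds.ql (tagged-template `where` clauses, or `cds.run(sql, params)` with `?` placeholders) does for you. The table and column names, `DocumentChunks` and `text`, and the `statementShape` review helper are assumptions made for this illustration.

```typescript
// Added example, not code from the SAP-samples repository or from @sap/cds.
// Table/column names are invented for the illustration.

type PreparedQuery = { sql: string; params: unknown[] };

// Unsafe pattern: the user's text becomes part of the SQL text itself.
function buildUnsafe(userText: string): string {
  return `SELECT TOP 5 * FROM DocumentChunks WHERE text LIKE '%${userText}%'`;
}

// Safe pattern: SQL text is a constant; the user's text is a separate parameter.
// This mirrors the shape cds.ql produces, so the database driver never parses
// the user's value as SQL.
function buildPrepared(userText: string): PreparedQuery {
  return {
    sql: "SELECT TOP 5 * FROM DocumentChunks WHERE text LIKE ?",
    params: [`%${userText}%`],
  };
}

// Review helper (assumed, not a cds API): collapse every well-formed
// single-quoted literal to '?' so two statements can be compared by shape.
// If two inputs yield different shapes, input is being interpreted as SQL.
function statementShape(sql: string): string {
  return sql.replace(/'(?:[^']|'')*'/g, "'?'");
}

// Does a given builder keep the statement shape stable across inputs?
function shapeIsStable(build: (s: string) => string, inputs: string[]): boolean {
  const shapes = new Set(inputs.map((i) => statementShape(build(i))));
  return shapes.size === 1;
}

// Constructed sample inputs: a plain word and a legitimate value with an apostrophe.
const SAMPLE_INPUTS = ["cloud", "O'Reilly"];

// Concatenation: the apostrophe splits the literal and changes the statement.
const unsafeStable = shapeIsStable(buildUnsafe, SAMPLE_INPUTS);          // false
// Parameterization: the SQL text is identical for every input.
const preparedStable = shapeIsStable((s) => buildPrepared(s).sql, SAMPLE_INPUTS); // true

console.log({ unsafeStable, preparedStable });
```

Running the block prints `{ unsafeStable: false, preparedStable: true }`. The same stability check is a quick way to review other samples in the repository: if a query builder's output shape depends on the input, the input is reaching the SQL parser and the query should be rewritten with cds.ql or a parameterized `cds.run` call.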