
Add parameterized queries to prevent SQL injection vulnerabilities

Open coderabbitai[bot] opened this issue 2 months ago • 0 comments

Background

Multiple methods in temoa/data_processing/database_util.py construct SQL queries using f-strings with user-provided input, which could theoretically allow SQL injection attacks.

While the current data access patterns make these low-risk, we should harden the codebase by adopting parameterized queries throughout.

Affected Methods

  • get_time_peridos_for_flags()
  • get_technologies_for_flags()
  • get_commodities_for_flags()
  • Other query-building methods in DatabaseUtil

Proposed Solution

  1. Replace f-string query construction with parameterized queries using ? placeholders
  2. Pass parameters as tuples/lists to cursor.execute(query, params)
  3. Consider enabling SQL injection linting rules (e.g., Ruff's S608) in CI
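The following is an added example illustrating steps 1 and 2 above; it is not code from the temoa repository. It places a query built with an f-string next to the same lookup using `?` placeholders and a parameter list, so the difference in behaviour can be checked on a throwaway in-memory SQLite database. The `technology` table, its `tech`/`flag` columns, and the sample rows are constructed for this example and are not temoa's real schema.

```python
import sqlite3
from typing import Iterable, List

# Added example, not temoa's own code. The table, columns and rows below are
# constructed for illustration only; temoa's actual schema is not assumed.


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with a flag column to filter on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE technology (tech TEXT NOT NULL, flag TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO technology (tech, flag) VALUES (?, ?)",
        [
            ("coal_plant", "p"),
            ("solar_pv", "p"),
            ("storage", "ps"),   # neither "p" nor "s": must not match either flag
            ("ev_battery", "s"),
        ],
    )
    conn.commit()
    return conn


def get_technologies_for_flags_unsafe(
    conn: sqlite3.Connection, flags: Iterable[str]
) -> List[str]:
    """The pattern the issue describes: values spliced into the SQL text.

    Anything in `flags` becomes part of the statement, so a value containing a
    quote changes the query's structure instead of being compared as data.
    """
    quoted = ", ".join(f"'{f}'" for f in flags)
    query = f"SELECT tech FROM technology WHERE flag IN ({quoted}) ORDER BY tech"
    return [row[0] for row in conn.execute(query)]


def get_technologies_for_flags(
    conn: sqlite3.Connection, flags: Iterable[str]
) -> List[str]:
    """Parameterized version: one `?` per value, values passed separately.

    Only the literal characters "?" and ", " are ever added to the statement;
    the flag values travel through the driver's bind API and are always treated
    as data, never as SQL.
    """
    params = list(flags)
    if not params:
        # "IN ()" is a syntax error in SQLite, so return early on empty input.
        return []
    placeholders = ", ".join("?" for _ in params)
    query = (
        "SELECT tech FROM technology WHERE flag IN ("
        + placeholders
        + ") ORDER BY tech"
    )
    return [row[0] for row in conn.execute(query, params)]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a value that would work as a flag name nowhere, but
    # that changes the meaning of the statement when spliced in as text.
    odd_flag = ["p') OR 1=1 --"]
    print("parameterized:", get_technologies_for_flags(db, odd_flag))        # []
    print("f-string     :", get_technologies_for_flags_unsafe(db, odd_flag))  # every row
```

Two details worth keeping when applying this to `DatabaseUtil`: the empty-list guard is needed because SQLite rejects `IN ()`, and the placeholder string is assembled by concatenation rather than an f-string so that a rule such as Ruff's S608 (enabled with `extend-select = ["S608"]` under `[tool.ruff.lint]` in `pyproject.toml`) does not flag the safe version alongside the unsafe one.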

References

  • PR: https://github.com/TemoaProject/temoa/pull/184
  • Comment: https://github.com/TemoaProject/temoa/pull/184#discussion_r2485120749
  • Reported by: @coderabbitai

cc: @ParticularlyPythonicBS

coderabbitai[bot] Nov 03 '25 13:11