From 63dc8800e6873ffc19688e105b9ff65116817063 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sun, 5 Jul 2026 11:23:19 -0700 Subject: [PATCH] fix(web): sql injection risk in dynamic query construction The file `apps/web/e2e/scripts/get-magic-link-token.ts` constructs a SQL LIKE pattern by string concatenation: `value::text ILIKE ${'"email":"' + email + '"%'}`. While the `postgres` library uses parameterized queries for the main query, the LIKE pattern is built via string concatenation before being passed as a parameter. If `email` contains special characters, it could affect pattern matching behavior or cause unexpected query results. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- apps/web/e2e/scripts/get-magic-link-token.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/web/e2e/scripts/get-magic-link-token.ts b/apps/web/e2e/scripts/get-magic-link-token.ts index 0abfc0ade..2ceb8c84c 100644 --- a/apps/web/e2e/scripts/get-magic-link-token.ts +++ b/apps/web/e2e/scripts/get-magic-link-token.ts @@ -35,7 +35,7 @@ async function getMagicLinkToken(): Promise { const result = await sql` SELECT identifier, value, expires_at FROM verification - WHERE value::text ILIKE ${'%"email":"' + email + '"%'} + WHERE value->>'email' = ${email} AND identifier NOT LIKE 'sign-in-otp-%' AND expires_at > NOW() ORDER BY created_at DESC @@ -57,4 +57,4 @@ try { console.error(err instanceof Error ? err.message : String(err)) await sql.end() process.exit(1) -} +} \ No newline at end of file