security: fix HIGH vulnerabilities (H1, H2, H3, H6) (#5599)

ink-the-squid · web-flow · commit 4c20bb72df70 · 2026-02-20T21:06:50.000-08:00
H1: AlertStore SQL injection — sanitize grouping property names
    (escape quotes), validate grouping column names against whitelist,
    and validate threshold/minimum_request_count as numbers.

H2: SessionManager SQL injection — validate and clamp limit/offset
    as integers before interpolation into ClickHouse queries.

H3: Feedback API SQL injection — convert org_id from string
    interpolation to parameterized query ($1).

H6: HqlStore path traversal — validate fileName with path.basename()
    check and reject paths containing '..'.
diff --git a/valhalla/jawn/src/lib/stores/HqlStore.ts b/valhalla/jawn/src/lib/stores/HqlStore.ts
@@ -2,6 +2,7 @@ import { createArrayCsvWriter } from "csv-writer";
 import { err, ok, Result } from "../../packages/common/result";
 import { S3Client } from "../shared/db/s3Client";
 import fs from "fs";
+import path from "path";
 
 const HQL_STORE_BUCKET = process.env.HQL_STORE_BUCKET || "hql-store";
 
@@ -24,7 +25,12 @@ export class HqlStore {
     rows: Record<string, any>[]
   ): Promise<Result<string, string>> {
     // if result is ok, if over 100k store in s3 and return url
-    const key = `${organizationId}/${fileName}`;
+    // Validate fileName to prevent path traversal
+    const baseName = path.basename(fileName);
+    if (baseName !== fileName || fileName.includes("..")) {
+      return err("Invalid file name");
+    }
+    const key = `${organizationId}/${baseName}`;
     // Determine column order from keys of first row
     if (rows.length === 0) {
       return err("No data to export");
diff --git a/valhalla/jawn/src/managers/SessionManager.ts b/valhalla/jawn/src/managers/SessionManager.ts
@@ -344,14 +344,18 @@ export class SessionManager {
   ): Promise<Result<SessionResult[], string>> {
     const {
       timezoneDifference,
-      offset = 0,
-      limit = 50,
+      offset: rawOffset = 0,
+      limit: rawLimit = 50,
     } = requestBody;
 
     if (!isValidTimeZoneDifference(timezoneDifference)) {
       return err("Invalid timezone difference");
     }
 
+    // Validate and clamp numeric values to prevent SQL injection
+    const limit = Math.max(0, Math.min(Math.floor(Number(rawLimit) || 50), 1000));
+    const offset = Math.max(0, Math.floor(Number(rawOffset) || 0));
+
     const { builtFilter, havingFilter } = await this.buildSessionFilters(requestBody);
 
     // Step 1 get all the properties given this filter
diff --git a/web/pages/api/feedback/index.ts b/web/pages/api/feedback/index.ts
@@ -17,11 +17,11 @@ async function getFeedbackMetrics(
     SELECT f.name, f.data_type
     FROM feedback_metrics f
     JOIN helicone_api_keys h ON f.helicone_api_key_id = h.id
-    WHERE h.organization_id = '${org_id}'
+    WHERE h.organization_id = $1
     LIMIT 1000;
   `;
 
-  const { data, error } = await dbExecute<FeedbackMetric>(query, []);
+  const { data, error } = await dbExecute<FeedbackMetric>(query, [org_id]);
   if (error !== null) {
     return { data: null, error: error };
   }
diff --git a/worker/src/lib/db/AlertStore.ts b/worker/src/lib/db/AlertStore.ts
@@ -53,16 +53,25 @@ export class AlertStore {
     private clickhouseClient: ClickhouseClientWrapper
   ) {}
 
+  private static readonly SAFE_IDENTIFIER = /^[a-zA-Z0-9_]+$/;
+
   private buildGroupByColumn(alert: Alert): string {
     if (!alert.grouping) return "";
 
     if (alert.grouping_is_property) {
-      return `properties['${alert.grouping}']`;
+      // Sanitize property name: escape single quotes to prevent injection
+      const sanitized = alert.grouping.replace(/'/g, "\\'");
+      return `properties['${sanitized}']`;
     }
 
-    return (
-      AlertStore.STANDARD_GROUPING_MAP[alert.grouping] || alert.grouping
-    );
+    const mapped = AlertStore.STANDARD_GROUPING_MAP[alert.grouping];
+    if (!mapped) {
+      // Reject unknown grouping values that aren't in the whitelist
+      if (!AlertStore.SAFE_IDENTIFIER.test(alert.grouping)) {
+        throw new Error(`Invalid grouping column: ${alert.grouping}`);
+      }
+    }
+    return mapped || alert.grouping;
   }
 
   private async applyAlertFilter(
@@ -114,11 +123,23 @@ export class AlertStore {
   ): string {
     if (!alert.grouping) return query;
 
+    // Validate numeric values to prevent injection
+    const threshold = Number(alert.threshold);
+    if (isNaN(threshold)) {
+      throw new Error(`Invalid threshold value: ${alert.threshold}`);
+    }
+
     query += ` GROUP BY groupValue`;
-    query += ` HAVING ${thresholdColumn} >= ${alert.threshold}`;
+    query += ` HAVING ${thresholdColumn} >= ${threshold}`;
 
     if (alert.minimum_request_count) {
-      query += ` AND requestCount >= ${alert.minimum_request_count}`;
+      const minCount = Number(alert.minimum_request_count);
+      if (isNaN(minCount)) {
+        throw new Error(
+          `Invalid minimum_request_count: ${alert.minimum_request_count}`
+        );
+      }
+      query += ` AND requestCount >= ${minCount}`;
     }
 
     return query;
