Fix SQL Injection Risk in RLS Session Context Assignment #6

@007-SARANG

Description

I am Sarang, a GSoC contributor interested in improving security in this project.

In server/app/worker/tasks.py, the RLS session context is currently set using interpolated SQL:

SET app.current_user_id = '{user_id}'

Since user_id originates from request context, this introduces a potential SQL injection risk in a security-sensitive execution path.

Proposed Solution:

  • Replace string interpolation with a safe parameterized approach (e.g., using database parameter binding or set_config)
  • Enforce strict UUID validation before setting the session context

Acceptance Criteria:

  • Remove SQL string interpolation when setting app.current_user_id
  • Validate user_id as a proper UUID before database execution
  • Reject invalid or malicious inputs with clear error handling
  • Preserve existing RLS behavior and upload flow for valid users
  • Add unit tests for:
    • Valid UUID input
    • Invalid UUID input
    • Injection-like input (e.g., SQL payloads)
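Added illustration, not code from the project or from this issue's author: the interpolated pattern the issue describes beside a hardened replacement that validates user_id as a UUID and hands the value to the driver as a bound parameter of set_config. Function and exception names here are hypothetical, and the %s placeholder assumes a psycopg-style driver.

```python
import uuid
from typing import Tuple


class InvalidUserId(ValueError):
    """Raised when user_id is not a well-formed UUID (hypothetical name)."""


def vulnerable_rls_statement(user_id: str) -> str:
    """The pattern described in the issue: request-controlled input is
    spliced into the SET statement, so any quote in user_id alters the SQL."""
    return f"SET app.current_user_id = '{user_id}'"


def validate_user_id(user_id) -> str:
    """Return the canonical lowercase hyphenated UUID, or raise InvalidUserId.

    uuid.UUID also accepts braces, urn:uuid: prefixes and unhyphenated hex,
    so re-serialising with str() normalises every accepted spelling.
    """
    if not isinstance(user_id, str):
        raise InvalidUserId(f"user_id must be a string, got {type(user_id).__name__}")
    try:
        parsed = uuid.UUID(user_id)
    except ValueError as exc:
        raise InvalidUserId(f"user_id is not a valid UUID: {user_id!r}") from exc
    return str(parsed)


def rls_statement(user_id) -> Tuple[str, Tuple[str]]:
    """Return (sql, params) for execute(sql, params).

    The value never touches the SQL text; the driver binds it. The third
    argument of set_config (is_local=true) scopes the setting to the
    current transaction, so it does not leak to the next job that reuses
    the same pooled connection.
    """
    canonical = validate_user_id(user_id)
    return ("SELECT set_config('app.current_user_id', %s, true)", (canonical,))
```

The worker would run `cursor.execute(*rls_statement(user_id))` inside the same transaction as the RLS-protected upload queries.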
