
SQL Injection Vulnerabilities (CWE-89) at jobsdb/jobsdb.go #6284

@sathya142003

Description


Multiple instances of table and index names being interpolated into SQL text with fmt.Sprintf. These are identifiers, so they cannot be bound as query parameters ($1); the fix has to be an allow-list on the name plus proper identifier quoting. Note that Go's %q produces a Go-syntax string with backslash escapes, which is not PostgreSQL identifier quoting (PostgreSQL escapes an embedded double quote by doubling it, not with a backslash), so %q on L15 does not reliably neutralize a `"` inside the name. Whether ds.JobTable / newDS.JobTable can ever carry attacker-controlled input is not established in this report, so treat the change below as defense-in-depth.

current code:
// jobsdb/jobsdb.go - Line ~2847
sqlStatement := fmt.Sprintf(SELECT MIN(job_id), MAX(job_id) FROM %q, ds.JobTable)
row := jd.dbHandle.QueryRow(sqlStatement)

// Line ~3234
sqlStatement := fmt.Sprintf(CREATE INDEX "idx_%[1]s_ws" ON %[1]q (workspace_id), newDS.JobTable)

solution (shown for the SELECT; the CREATE INDEX statement needs the same treatment — validate newDS.JobTable and build both identifiers with pq.QuoteIdentifier, e.g. `pq.QuoteIdentifier("idx_"+newDS.JobTable+"_ws")` and `pq.QuoteIdentifier(newDS.JobTable)`, since the index name is also derived from the table name):
// Use proper parameterized queries with whitelist validation
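// tableNameRE is the allow-list for table names that get interpolated into
// SQL text: ASCII letters, digits and underscores, not starting with a digit.
// Compiled once at package scope rather than on every call.
var tableNameRE = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)

// validateTableName rejects any table name that is not a plain unquoted
// PostgreSQL-style identifier (see tableNameRE) or that is longer than 63
// bytes. PostgreSQL's default NAMEDATALEN is 64, so identifiers are limited
// to 63 bytes and anything longer is silently truncated by the server; the
// previous bound of 64 would have let two distinct 64-byte names collide
// after truncation. Non-ASCII identifiers are deliberately not accepted.
//
// This is defense-in-depth on top of pq.QuoteIdentifier: the quoting alone
// stops a name from breaking out of the double-quoted identifier, the
// allow-list additionally keeps unexpected names out of the DDL/DML we run.
//
// Returns nil when tableName is acceptable, otherwise an error naming the
// offending value. The receiver is not used; the method lives on *Handle
// only so it sits next to the query builders that call it.
func (jd *Handle) validateTableName(tableName string) error {
	if len(tableName) > 63 || !tableNameRE.MatchString(tableName) {
		return fmt.Errorf("invalid table name: %s", tableName)
	}
	return nil
}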

// Fixed query execution
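// getMinMaxJobID returns the smallest and largest job_id in ds.JobTable.
//
// The table name is an identifier, which cannot be bound as a query
// parameter, so it is first allow-listed by validateTableName and then quoted
// with pq.QuoteIdentifier before being spliced into the statement. The quoting
// is what keeps the name inside the double-quoted identifier; the allow-list
// is defense-in-depth. Whether ds.JobTable can ever carry untrusted input is
// not visible from this function.
//
// On an empty table both results have Valid == false (MIN/MAX over no rows is
// NULL). SELECT MIN/MAX always yields exactly one row, so sql.ErrNoRows is not
// expected from Scan. A validation failure is returned unwrapped; a query or
// scan failure is returned wrapped with the table name so the caller can see
// which data set failed (errors.Is/As still work through the wrap). The two
// ints are meaningless whenever the error is non-nil.
func (jd *Handle) getMinMaxJobID(ds dataSetT) (sql.NullInt64, sql.NullInt64, error) {
	if err := jd.validateTableName(ds.JobTable); err != nil {
		return sql.NullInt64{}, sql.NullInt64{}, err
	}

	// Identifier quoting, not a bind parameter: table names cannot be $1.
	query := `SELECT MIN(job_id), MAX(job_id) FROM ` + pq.QuoteIdentifier(ds.JobTable)

	var minID, maxID sql.NullInt64
	if err := jd.dbHandle.QueryRow(query).Scan(&minID, &maxID); err != nil {
		return sql.NullInt64{}, sql.NullInt64{}, fmt.Errorf("min/max job_id of %s: %w", ds.JobTable, err)
	}
	return minID, maxID, nil
}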
