Logflare / logflare / 5d39eb7d5cc4e4a6aef89689e625944f1a0830ce
79%

Build:
DEFAULT BRANCH: main
Ran 07 May 2026 12:38PM UTC
Jobs 1
Files 474
Run time 1min
07 May 2026 12:25PM UTC coverage: 79.363% (+0.003%) from 79.36%
5d39eb7d5cc4e4a6aef89689e625944f1a0830ce

push

github

web-flow
Fix BigQuery SQL injection vulnerabilities in query construction pipeline (#3421)

* Fix BigQuery SQL injection vulnerabilities in query construction pipeline

- Validate bigquery_dataset_id at User changeset level to only allow
  [a-zA-Z0-9_] characters, preventing injection via stored dataset IDs
- Validate dataset_id and project_id in BigQueryAdaptor.validate_config
  with format-specific allowlist patterns
- Backtick-quote all three components (project, dataset, table) in
  generate_bq_table_id/1 to isolate each identifier from SQL context
- Wrap the $$__DEFAULT_DATASET__$$ substitution in backticks to prevent
  raw string interpolation into SQL identifiers
- Escape single quotes in sql_params_to_sql/2 STRING parameters using
  SQL-standard doubling ('') to neutralize early quote termination
- Escape backticks in replace_table_with_source_name/2 source names
  using BigQuery's backslash-escape syntax to preserve quoting context

https://claude.ai/code/session_0128QMzSJtg1wEPPSy78hLSH

* test: replace manual injection fixtures with StreamData property tests

Use ExUnitProperties + StreamData to generate strings with arbitrary
injection characters (SQL delimiters, quoting chars, whitespace,
metacharacters) rather than a fixed handful of examples. Also remove
now-redundant assertion messages from refute calls.

https://claude.ai/code/session_0128QMzSJtg1wEPPSy78hLSH

* chore formatting

* fix: escape backticks in DB-sourced identifiers before interpolation

Changeset validation blocks new invalid values but cannot retroactively
clean data already in the database. Any bigquery_dataset_id stored
before this PR that contains a backtick would break out of the
backtick-quoted identifier produced by generate_bq_table_id/1 and the
DEFAULT_DATASET substitution in BigQueryAdaptor.

Add a private escape_bq_identifier/1 helper to both modules that
replaces ` with \` and apply it to every value interpolated into a
backtick-quoted BigQuery identifier.

https://cl... (continued)

11 of 14 new or added lines in 4 files covered. (78.57%)

5 existing lines in 3 files now uncovered.

12337 of 15545 relevant lines covered (79.36%)

4863.32 hits per line

Uncovered Changes

Lines  Coverage  ∆        File
3      88.1%     -4.21%   lib/logflare_web/utils.ex

Coverage Regressions

Lines  Coverage  ∆        File
2      73.85%    -3.08%   lib/logflare/logs/search_query_executor.ex
2      74.36%    -5.13%   lib/logflare/sources/counters.ex
1      30.77%    -3.85%   lib/logflare/sources/source/text_notification_server.ex
Jobs
ID  Job ID                                       Ran                        Files  Coverage
1   5d39eb7d5cc4e4a6aef89689e625944f1a0830ce.1   07 May 2026 12:38PM UTC    474    79.36%
GitHub Action Run
Source Files on build 5d39eb7d5cc4e4a6aef89689e625944f1a0830ce
© 2026 Coveralls, Inc