fix(nspd-geo): replace f-string bulk INSERT with parametrized execute (SQL injection fix) #123

Merged
lekss361 merged 1 commit from fix/nspd-geo-sql-injection into main 2026-05-14 20:29:12 +00:00

View file

@ -295,17 +295,18 @@ def enqueue_geo_job(
},
).scalar_one()
# Bulk INSERT targets
# Bulk INSERT targets — parametrized to prevent SQL injection
if cad_nums_with_thematic:
values = ",".join(
f"({job_id}, '{c.replace(chr(39), chr(39)*2)}', {t}, 'pending')"
for c, t in cad_nums_with_thematic
)
db.execute(
text(
f"INSERT INTO nspd_geo_targets (job_id, cad_num, thematic_id, status) "
f"VALUES {values} ON CONFLICT (job_id, cad_num, thematic_id) DO NOTHING"
)
"INSERT INTO nspd_geo_targets (job_id, cad_num, thematic_id, status) "
"VALUES (:job_id, :cad_num, :thematic_id, 'pending') "
"ON CONFLICT (job_id, cad_num, thematic_id) DO NOTHING"
),
[
{"job_id": job_id, "cad_num": c, "thematic_id": t}
for c, t in cad_nums_with_thematic
],
)
db.commit()
return int(job_id)