gendesign/backend/app/workers
lekss361 08118f0476 fix(nspd-geo): replace f-string bulk INSERT with parametrized batch execute
Per code review audit (May 14): real SQL injection vector в `enqueue_geo_job`.
Manual `chr(39)*2` quote escape НЕ injection-safe — не защищает от backslash
escape, Unicode quote tricks. Если cad_num когда-либо придёт из user input —
exploitable.

## Change

`backend/app/workers/tasks/nspd_geo.py:298-310` — заменил f-string VALUES
concatenation на SQLAlchemy `text(...)` + list of dicts (psycopg v3 handles
batch executemany под капотом).

Pattern consistent с остальными INSERT'ами в этом же файле (_log,
_start_job, _save_quarter, _save_parcel, _save_building).

## Preserved

- ON CONFLICT (job_id, cad_num, thematic_id) DO NOTHING — verbatim
- Return value (int(job_id))
- Surrounding tx/commit/close logic
- DB schema, function signature, caller interface — unchanged

## Tests

- No test_nspd_geo.py существует — skipped
- ruff check passed

## Vault

`fixes/Bug_Nspd_Geo_Sql_Injection_May14.md` — created (status: resolved).

No backward compat / migration concerns — pure in-place query rewrite.
2026-05-14 23:22:27 +03:00
..
tasks fix(nspd-geo): replace f-string bulk INSERT with parametrized batch execute 2026-05-14 23:22:27 +03:00
__init__.py init 2026-04-25 13:45:19 +03:00
celery_app.py feat(nspd): harvest_quarter Celery task + beat + admin endpoint (#94 pt.4 part A) (#111) 2026-05-12 18:45:57 +03:00