Per code review audit (May 14): real SQL injection vector в `enqueue_geo_job`. Manual `chr(39)*2` quote escape НЕ injection-safe — не защищает от backslash escape, Unicode quote tricks. Если cad_num когда-либо придёт из user input — exploitable. ## Change `backend/app/workers/tasks/nspd_geo.py:298-310` — заменил f-string VALUES concatenation на SQLAlchemy `text(...)` + list of dicts (psycopg v3 handles batch executemany под капотом). Pattern consistent с остальными INSERT'ами в этом же файле (_log, _start_job, _save_quarter, _save_parcel, _save_building). ## Preserved - ON CONFLICT (job_id, cad_num, thematic_id) DO NOTHING — verbatim - Return value (int(job_id)) - Surrounding tx/commit/close logic - DB schema, function signature, caller interface — unchanged ## Tests - No test_nspd_geo.py существует — skipped - ruff check passed ## Vault `fixes/Bug_Nspd_Geo_Sql_Injection_May14.md` — created (status: resolved). No backward compat / migration concerns — pure in-place query rewrite. Co-authored-by: lekss361 <claudestars@proton.me> |
||
|---|---|---|
| .. | ||
| alembic | ||
| app | ||
| db/init | ||
| output | ||
| tests | ||
| .dockerignore | ||
| .env.example | ||
| .env.runtime.example | ||
| alembic.ini | ||
| debug.log | ||
| Dockerfile | ||
| pyproject.toml | ||
| uv.lock | ||