SQL INJECTION VULNERABILITY FIXES - VERIFICATION GUIDE ===================================================== FILES MODIFIED: -------------- 1. api/services/conversation_context_service.py 2. api/routers/conversation_contexts.py CHANGES SUMMARY: --------------- FILE 1: api/services/conversation_context_service.py ---------------------------------------------------- Line 13: ADDED import OLD: from sqlalchemy import or_, text NEW: from sqlalchemy import or_, text, func Lines 178-201: FIXED search_term SQL injection OLD: if search_term: fulltext_match = text( "MATCH(title, dense_summary) AGAINST(:search_term IN NATURAL LANGUAGE MODE)" ).bindparams(search_term=search_term) query = query.filter( or_( fulltext_match, ConversationContext.title.like(f"%{search_term}%"), # VULNERABLE ConversationContext.dense_summary.like(f"%{search_term}%") # VULNERABLE ) ) NEW: if search_term: try: fulltext_condition = text( "MATCH(title, dense_summary) AGAINST(:search_term IN NATURAL LANGUAGE MODE)" ).bindparams(search_term=search_term) like_condition = or_( ConversationContext.title.like(func.concat('%', search_term, '%')), # SECURE ConversationContext.dense_summary.like(func.concat('%', search_term, '%')) # SECURE ) query = query.filter(or_(fulltext_condition, like_condition)) except Exception: like_condition = or_( ConversationContext.title.like(func.concat('%', search_term, '%')), ConversationContext.dense_summary.like(func.concat('%', search_term, '%')) ) query = query.filter(like_condition) Lines 210-220: FIXED tags SQL injection OLD: if tags: tag_filters = [] for tag in tags: tag_filters.append(ConversationContext.tags.like(f'%"{tag}"%')) # VULNERABLE if tag_filters: query = query.filter(or_(*tag_filters)) NEW: if tags: # Use secure func.concat to prevent SQL injection tag_filters = [] for tag in tags: tag_filters.append( ConversationContext.tags.like(func.concat('%"', tag, '"%')) # SECURE ) if tag_filters: query = query.filter(or_(*tag_filters)) FILE 2: api/routers/conversation_contexts.py -------------------------------------------- Lines 79-90: ADDED input validation for search_term NEW: search_term: Optional[str] = Query( None, max_length=200, pattern=r'^[a-zA-Z0-9\s\-_.,!?()]+$', # Whitelist validation description="Full-text search term (alphanumeric, spaces, and basic punctuation only)" ), Lines 86-90: ADDED validation for tags NEW: tags: Optional[List[str]] = Query( None, description="Filter by tags (OR logic)", max_items=20 # Prevent DoS ), Lines 121-130: ADDED runtime tag validation NEW: # Validate tags to prevent SQL injection if tags: import re tag_pattern = re.compile(r'^[a-zA-Z0-9\-_]+$') for tag in tags: if not tag_pattern.match(tag): raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, detail=f"Invalid tag format: '{tag}'. Tags must be alphanumeric with hyphens or underscores only." ) TESTING THE FIXES: ----------------- Test 1: Valid Input (should work - HTTP 200) curl "http://172.16.3.30:8001/api/conversation-contexts/recall?search_term=test" \ -H "Authorization: Bearer $JWT_TOKEN" Test 2: SQL Injection Attack (should be rejected - HTTP 422) curl "http://172.16.3.30:8001/api/conversation-contexts/recall?search_term=%27%20OR%20%271%27%3D%271" \ -H "Authorization: Bearer $JWT_TOKEN" Test 3: Tag Injection (should be rejected - HTTP 400) curl "http://172.16.3.30:8001/api/conversation-contexts/recall?tags[]=%27%20OR%20%271%27%3D%271" \ -H "Authorization: Bearer $JWT_TOKEN" KEY SECURITY IMPROVEMENTS: ------------------------- 1. NO F-STRING INTERPOLATION IN SQL - All LIKE patterns use func.concat() - All parameterized queries use .bindparams() 2. INPUT VALIDATION AT ROUTER LEVEL - Regex pattern enforcement - Length limits - Character whitelisting 3. RUNTIME TAG VALIDATION - Additional validation in endpoint - Prevents bypass of Query validation 4. DEFENSE IN DEPTH - Multiple layers of protection - Validation + Parameterization + Database escaping DEPLOYMENT NEEDED: ----------------- These changes are in D:\ClaudeTools but need to be deployed to the running API server at 172.16.3.30:8001 After deployment, run: bash test_sql_injection_simple.sh