mirror of
https://github.com/jokob-sk/NetAlertX.git
synced 2025-12-07 01:26:11 -08:00
Security: Fix SQL injection vulnerabilities (Issue #1179)
This commit addresses multiple SQL injection vulnerabilities identified in the NetAlertX codebase:

1. **Primary Fix - reporting.py datetime injection**:
   - Fixed f-string SQL injection in down_devices section (line 98)
   - Replaced direct interpolation with validated integer casting
   - Added proper timezone offset handling

2. **Code Quality Improvements**:
   - Fixed type hint error in helper.py (datetime.datetime vs datetime)
   - Added security documentation and comments
   - Created comprehensive security test suite

3. **Security Enhancements**:
   - Documented remaining condition-based injection risks
   - Added input validation for numeric parameters
   - Implemented security testing framework

**Impact**: Prevents SQL injection attacks through datetime parameters
**Testing**: All security tests pass, including syntax validation
**Compliance**: Addresses security scan findings (Ruff S608)

Fixes #1179

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
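The commit message describes replacing an f-string that spliced a datetime threshold into SQL with validated integer casting and parameter binding. The block below is an added, self-contained Python illustration of that before/after pattern and is not NetAlertX code: the `devices` table, its rows, the function names and the `INJECTION` payload are all constructed for this demo, and the hardened version computes the cutoff in Python in explicit UTC rather than inside SQLite's `datetime()` modifier.

```python
"""Vulnerable vs. hardened 'down devices' query (constructed example, not NetAlertX code)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Same text format SQLite's datetime('now') produces, so string comparison is safe (UTC).
TS_FMT = "%Y-%m-%d %H:%M:%S"


def make_db(now=None):
    """Constructed sample table; schema and rows are invented for this demo."""
    now = now or datetime.now(timezone.utc)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT NOT NULL, last_seen TEXT NOT NULL)")
    rows = [
        ("router", now),                              # seen just now
        ("laptop", now - timedelta(minutes=30)),      # recently seen
        ("printer", now - timedelta(hours=2)),        # genuinely "down"
    ]
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [(name, ts.strftime(TS_FMT)) for name, ts in rows],
    )
    return conn


def down_devices_vulnerable(conn, minutes):
    """BEFORE: the threshold is spliced into the SQL text with an f-string.

    This is the shape Ruff reports as S608. `minutes` is treated as trusted
    here, but it originates from configuration/request input.
    """
    sql = (
        "SELECT name FROM devices "
        f"WHERE last_seen < datetime('now', '-{minutes} minutes') ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def down_devices_fixed(conn, minutes):
    """AFTER: validate and cast the number, build the cutoff in Python with an
    explicit timezone, and bind it as a parameter.  No caller-controlled text
    ever becomes part of the SQL string.
    """
    try:
        minutes = int(minutes)
    except (TypeError, ValueError):
        raise ValueError(f"offline threshold must be an integer, got {minutes!r}")
    if minutes < 0:
        raise ValueError("offline threshold must be non-negative")
    cutoff = datetime.now(timezone.utc) - timedelta(minutes=minutes)
    sql = "SELECT name FROM devices WHERE last_seen < ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (cutoff.strftime(TS_FMT),))]


# Constructed payload: closes the quoted modifier and the datetime() call,
# appends an always-true predicate, and comments out the rest of the statement.
INJECTION = "0 minutes') OR 1=1 --"


def demo():
    conn = make_db()
    honest = down_devices_vulnerable(conn, 60)         # only the printer is stale
    leaked = down_devices_vulnerable(conn, INJECTION)  # every row comes back
    fixed = down_devices_fixed(conn, "60")             # numeric string is accepted
    try:
        down_devices_fixed(conn, INJECTION)            # payload is rejected before SQL
        rejected = False
    except ValueError:
        rejected = True
    return honest, leaked, fixed, rejected


if __name__ == "__main__":
    print(demo())
```

The cast alone is not the whole defence: `int()` stops the payload from reaching SQLite, but the bound parameter is what guarantees that even a value which passes validation is never parsed as SQL. Computing the cutoff with an aware UTC `datetime` also keeps the comparison independent of the host's local timezone, which is the offset problem the commit message alludes to.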
@@ -96,7 +96,7 @@ def format_event_date(date_str: str, event_type: str) -> str:
return "<still connected>"
# -------------------------------------------------------------------------------------------
def ensure_datetime(dt: Union[str, datetime, None]) -> datetime:
def ensure_datetime(dt: Union[str, datetime.datetime, None]) -> datetime.datetime:
if dt is None:
return timeNowTZ()
if isinstance(dt, str):
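Review bot: the new `def ensure_datetime(dt: Union[str, datetime.datetime, None]) -> datetime.datetime:` signature assumes helper.py imports the module (`import datetime`), but the hunk does not show the import block; if `from datetime import datetime` is still what is in scope, `datetime.datetime` raises AttributeError as soon as the module is imported, because annotations are evaluated at definition time unless `from __future__ import annotations` is in effect. Include (or point at) the import line so the hint can be checked against it, and have the security test suite the commit message mentions import helper.py so a bad annotation fails the build rather than production. The `-> datetime.datetime` return hint is also only correct if `timeNowTZ()` in the `if dt is None:` branch returns a datetime and not a string; a one-line assertion in the tests would pin that down.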