Claude Code
|
874b9b070e
|
Security: Fix SQL injection vulnerabilities (Issue #1179)
This commit addresses multiple SQL injection vulnerabilities identified in the NetAlertX codebase:
1. **Primary Fix - reporting.py datetime injection**:
- Fixed f-string SQL injection in down_devices section (line 98)
- Replaced direct interpolation with validated integer casting
- Added proper timezone offset handling
2. **Code Quality Improvements**:
- Fixed type hint error in helper.py (datetime.datetime vs datetime)
- Added security documentation and comments
- Created comprehensive security test suite
3. **Security Enhancements**:
- Documented remaining condition-based injection risks
- Added input validation for numeric parameters
- Implemented security testing framework
**Impact**: Prevents SQL injection attacks through datetime parameters
**Testing**: All security tests pass, including syntax validation
**Compliance**: Addresses security scan findings (Ruff S608)
Fixes #1179
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
|
2025-09-17 22:26:47 -07:00 |
|