
fix(ton-trading-bot): fix SQL injection in risk metrics and scheduled trades queries#72

Merged
xlabtg merged 3 commits into xlabtg:main from konard:issue-64-7a6bdcb7d1ac
Mar 27, 2026

Conversation


@konard konard commented Mar 27, 2026

Summary

  • Root cause: Two SQL queries in ton-trading-bot/index.js used template-literal string interpolation to embed enum values (mode and status) directly into SQL strings, making them vulnerable to SQL injection.
  • Fix: Replaced string interpolation with parameterized ? placeholders and passed the values as bound parameters — exactly how every other query in the file already works.
  • Tests: Added 4 regression tests to tests/index.test.js that assert (1) the SQL string never contains the literal value and always uses ?, and (2) an injection payload (' OR '1'='1) never appears in the query string.

Changed lines

| Location | Before (vulnerable) | After (safe) |
|---|---|---|
| index.js ~L1585 | `AND mode = '${mode}'` | `"AND mode = ?"` with `mode` as bound param |
| index.js ~L2029 | `WHERE status = '${status}'` | `"WHERE status = ?"` with `status` as bound param |

Test plan

  • All existing tests pass locally (npm test)
  • 4 new SQL injection prevention tests pass
  • No other string-interpolated SQL patterns found in the file

Fixes #64

🤖 Generated with Claude Code
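The pattern this PR fixes, as an added example that is not code from the xlabtg/ton-trading-bot repository: the "before" query splices the enum value into the SQL text with a template literal, the "after" query keeps the SQL text constant and sends the value as a bound parameter, and a string-level check mirrors the regression tests the PR describes. Table and column names (`risk_metrics`, `scheduled_trades`, `user_id`) and the enum allow-list are assumptions added for illustration.

```javascript
// Added example; not the project's own code. Names below are assumptions.

// BEFORE (vulnerable): the value becomes part of the SQL text, so the database
// cannot tell data from code. Kept only to show the pattern the PR removes.
function riskMetricsQueryVulnerable(userId, mode) {
  return {
    sql: `SELECT * FROM risk_metrics WHERE user_id = ? AND mode = '${mode}'`,
    params: [userId],
  };
}

// AFTER (safe): the SQL text is a constant; the driver binds the value and
// handles quoting/typing, so a payload can only ever be compared as data.
function riskMetricsQuerySafe(userId, mode) {
  return {
    sql: 'SELECT * FROM risk_metrics WHERE user_id = ? AND mode = ?',
    params: [userId, mode],
  };
}

function scheduledTradesQuerySafe(status) {
  return {
    sql: 'SELECT * FROM scheduled_trades WHERE status = ?',
    params: [status],
  };
}

// Optional defence in depth (an assumption, not part of the PR): since mode
// and status are enums, reject anything outside the known set before it is
// even bound.
const ALLOWED_MODES = new Set(['paper', 'live']);
function assertMode(mode) {
  if (!ALLOWED_MODES.has(mode)) throw new Error(`unknown mode: ${mode}`);
  return mode;
}

// The regression check the PR's tests perform: the query text must use a
// placeholder and must never contain the raw value (here, an injection
// payload constructed for the test).
const INJECTION_PAYLOAD = "' OR '1'='1";
function isParameterized(query, value) {
  return query.sql.includes('?') && !query.sql.includes(value);
}
```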

konard and others added 2 commits March 27, 2026 01:15
Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: xlabtg#64
… trades queries

Replace string interpolation of `mode` and `status` enum values in SQL queries
with parameterized `?` placeholders, consistent with all other queries in the file.
Adds 4 regression tests that verify injection payloads never appear in query strings.

Fixes xlabtg#64

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@konard konard changed the title [WIP] ton-trading-bot: SQL injection vulnerability (L1580, L1938) fix(ton-trading-bot): fix SQL injection in risk metrics and scheduled trades queries Mar 27, 2026
@konard konard marked this pull request as ready for review March 27, 2026 01:19

konard commented Mar 27, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $0.747104
  • Calculated by Anthropic: $0.580639 USD
  • Difference: $-0.166466 (-22.28%)

🤖 Models used:

  • Tool: Anthropic Claude Code
  • Requested: sonnet
  • Model: Claude Sonnet 4.6 (claude-sonnet-4-6)

📎 Log file uploaded as Gist (863KB)


Now the working session has ended; feel free to review and add any feedback on the solution draft.

@xlabtg xlabtg merged commit b79b8a8 into xlabtg:main Mar 27, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

ton-trading-bot: SQL injection vulnerability (L1580, L1938)