Context
Pre-existing code in store.rs (bfs_with_depth) builds dynamic SQL at runtime: it formats a positional placeholder list (?1, ?2, ...) sized to the current frontier and splices that list into the query text, then binds the frontier's integer IDs to those placeholders.
Problem
The BFS traversal builds one ?N placeholder per frontier ID and formats the list into the neighbour query:
let placeholders = frontier.iter().enumerate().map(|(i, _)| format!("?{}", i + 1))...
let neighbour_sql = format!("... WHERE source_entity_id IN ({placeholders}) ...");
The values bound to these placeholders are i64 entity IDs read back from the database, not user input, and because they are passed as host parameters rather than written into the query text there is no injection today. The pattern is still fragile: the statement is assembled at runtime, and nothing in the types stops a later change from formatting an ID directly into the string (format!("{id}") instead of a ?N placeholder), or from feeding request-supplied integers into the frontier, at which point only code review would catch the resulting injection point. The placeholder count must also stay in step with the number of values actually bound; the current code only guarantees that by construction, with no check.
Suggested Fix
Wrap entity IDs in a newtype EntityId(i64) with a private field and a constructor reachable only from the storage layer (for example a pub(crate) function that wraps values read from a row). Do not implement Display for it, so an ID cannot be formatted into SQL text by accident, and expose the raw i64 only for parameter binding. This enforces the invariant at compile time and prevents accidental misuse: a value parsed from a request cannot become an EntityId without going through the trusted constructor, and an EntityId cannot be interpolated into a query string.
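The following is an added example of the suggested fix, not code from the audited project: an EntityId newtype whose only constructor is crate-private, plus a frontier query builder and a BFS step that bind the IDs as ?N host parameters instead of splicing them into the query text. The table and column names (entity_edges, source_entity_id, target_entity_id), the constructor name from_db_row, the BoundQuery type and the in-memory EdgeTable standing in for the database are all assumptions made for the example.

```rust
// Added example, not the project's code: EntityId newtype + parameter-bound
// neighbour query for a BFS frontier.
use std::collections::{HashMap, HashSet};

/// Identifier of an entity row. The field is private, so the only way to get
/// one is `from_db_row`, which is `pub(crate)`: code outside the storage crate
/// (request handlers, CLI parsing) cannot wrap an arbitrary i64 in it.
/// Deliberately no `Display` impl: `format!("... {id} ...")` does not compile,
/// so an ID cannot be interpolated into SQL text by accident.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct EntityId(i64);

impl EntityId {
    /// Wraps a value read back from the database (assumed constructor name).
    pub(crate) fn from_db_row(raw: i64) -> Self {
        EntityId(raw)
    }

    /// Exposes the value for parameter binding only.
    pub fn as_i64(self) -> i64 {
        self.0
    }
}

/// SQL text plus the values to bind to its `?1..?N` placeholders.
#[derive(Debug, PartialEq)]
pub struct BoundQuery {
    pub sql: String,
    pub params: Vec<i64>,
}

/// Builds the neighbour lookup for one BFS frontier. The query text only ever
/// contains placeholder indices; the IDs travel separately in `params`.
/// Table and column names are assumptions for this example.
pub fn neighbour_query(frontier: &[EntityId]) -> Option<BoundQuery> {
    if frontier.is_empty() {
        return None; // `IN ()` is a syntax error; the caller stops traversing
    }
    let placeholders: Vec<String> = (1..=frontier.len()).map(|i| format!("?{i}")).collect();
    let sql = format!(
        "SELECT target_entity_id FROM entity_edges WHERE source_entity_id IN ({})",
        placeholders.join(", ")
    );
    let params: Vec<i64> = frontier.iter().map(|id| id.as_i64()).collect();
    // Placeholder count and bound-value count must agree or the driver rejects the statement.
    debug_assert_eq!(placeholders.len(), params.len(), "placeholder/param count mismatch");
    Some(BoundQuery { sql, params })
}

/// Stand-in for the edge table: source id -> target ids. Constructed sample
/// data for the example; a real implementation hands `q.sql` and `q.params`
/// to the driver (e.g. rusqlite's params_from_iter) instead of this lookup.
pub type EdgeTable = HashMap<i64, Vec<i64>>;

fn run_query(table: &EdgeTable, q: &BoundQuery) -> Vec<i64> {
    q.params
        .iter()
        .flat_map(|src| table.get(src).cloned().unwrap_or_default())
        .collect()
}

/// Breadth-first traversal up to `max_depth` hops from `start`, returning each
/// reachable entity with the depth at which it was first seen.
pub fn bfs_with_depth(table: &EdgeTable, start: EntityId, max_depth: usize) -> Vec<(EntityId, usize)> {
    let mut visited: HashSet<EntityId> = HashSet::from([start]);
    let mut out = vec![(start, 0)];
    let mut frontier = vec![start];
    for depth in 1..=max_depth {
        let query = match neighbour_query(&frontier) {
            Some(q) => q,
            None => break,
        };
        let mut next = Vec::new();
        for raw in run_query(table, &query) {
            // Rows come from the database: the one place the trusted constructor belongs.
            let id = EntityId::from_db_row(raw);
            if visited.insert(id) {
                out.push((id, depth));
                next.push(id);
            }
        }
        frontier = next;
    }
    out
}

/// Constructed sample graph: 1 -> {2, 3}, 2 -> {4}, 3 -> {4, 5}, 5 -> {1}.
pub fn sample_table() -> EdgeTable {
    HashMap::from([(1, vec![2, 3]), (2, vec![4]), (3, vec![4, 5]), (5, vec![1])])
}
```

Because EntityId has no Display impl, a future edit that tries format!("... IN ({id}) ...") fails to compile; the raw value is reachable only through as_i64, which is what the binding step needs and nothing else should call.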
Source
SEC-CD-02 from Phase 5 security audit. This is a pre-existing pattern, not introduced by Phase 5.