
Security: Parameterize SQL query in clearPendingEmailFlag to prevent injection #1179

@coderabbitai

Description


The clearPendingEmailFlag method in server/models/notification_instance.py uses f-string interpolation to construct SQL queries, which creates a potential SQL injection vector (flagged as S608 by Ruff).

Current Code Location

server/models/notification_instance.py, around lines 272-276

Security Issue

The current implementation uses:

self.db.sql.execute(f"""UPDATE Events SET eve_PendingAlertEmail = 0
                            WHERE eve_PendingAlertEmail = 1
                            AND eve_EventType =='Device Down'
                            AND eve_DateTime < datetime('now', '-{get_setting_value('NTFPRCS_alert_down_time')} minutes', '{get_timezone_offset()}')
                    """)

Recommended Solution

Use parameterized queries instead:

minutes = int(get_setting_value('NTFPRCS_alert_down_time') or 0)
tz_offset = get_timezone_offset()
self.db.sql.execute("""
    UPDATE Events
    SET eve_PendingAlertEmail = 0
    WHERE eve_PendingAlertEmail = 1
      AND eve_EventType = 'Device Down'
      AND eve_DateTime < datetime('now', ?, ?)
""", (f"-{minutes} minutes", tz_offset))

References

Priority

Medium - Security improvement to prevent potential SQL injection attacks.
