SigNoz/signoz

Move db calls to prepared statements with context

Open

#1353 opened on Jul 4, 2022

View on GitHub
 (11 comments) (0 reactions) (1 assignee)TypeScript (16,037 stars) (976 forks)batch import
backendgood first issue

Description

Move all db calls to prepared statements and specifically with context if possible to make signoz more secure from sql injections. A query should not be a string prepared from fmt.sprintf(...) if it has args to pass. We should try to avoid string formatting for args.

Contributor guide

Tech stack
typescriptnodejssql
Domain
backendsecurity
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
over 1 week
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
TypeScriptNode.jsSQLprepared statements
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Examine the repository's database access layer to identify all locations where SQL queries are constructed using string formatting (e.g., fmt.Sprintf). Review the issue comments for specific patterns mentioned by maintainers. Focus on files in the 'pkg' or 'server' directories that handle database operations. Look for existing prepared statement usage to understand the preferred pattern. Consider starting with one module to demonstrate the approach before expanding to the entire codebase.