Move db calls to prepared statements with context · SigNoz/signoz#1353

(11 评论) (0 反应) (1 负责人)TypeScript (16,037 star) (976 fork)batch import

backendgood first issue

描述

Move all db calls to prepared statements and specifically with context if possible to make signoz more secure from sql injections. A query should not be a string prepared from fmt.sprintf(...) if it has args to pass. We should try to avoid string formatting for args.

贡献者指南

技术栈: typescriptnodejssql
领域: backendsecurity
议题类型: security
难度: 4
预计时间: over 1 week
活动状态: blocked
清晰度: mostly clear
前置要求: TypeScriptNode.jsSQLprepared statements
新手友好度: 35
研究方向: Examine the repository's database access layer to identify all locations where SQL queries are constructed using string formatting (e.g., fmt.Sprintf). Review the issue comments for specific patterns mentioned by maintainers. Focus on files in the 'pkg' or 'server' directories that handle database operations. Look for existing prepared statement usage to understand the preferred pattern. Consider starting with one module to demonstrate the approach before expanding to the entire codebase.