From d64ab7abf74c8555408aecc07ce2f9819bcb83aa Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sun, 29 Jun 2025 00:34:14 -0400
Subject: [PATCH] process_fts_update: Fix S608 Possible SQL injection vector.

Although this code was not actually vulnerable as written, we never want to be disabling this Ruff rule, in order to discourage later introduction of vulnerabilities.

Signed-off-by: Anders Kaseorg
---
 .../files/postgresql/process_fts_updates | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/puppet/zulip/files/postgresql/process_fts_updates b/puppet/zulip/files/postgresql/process_fts_updates
index bae230ccf0..bf1f65d5d9 100755
--- a/puppet/zulip/files/postgresql/process_fts_updates
+++ b/puppet/zulip/files/postgresql/process_fts_updates
@@ -45,6 +45,7 @@ from collections.abc import Sequence
 import psycopg2
 import psycopg2.extensions
+from psycopg2.sql import SQL
 BATCH_SIZE = 1000
@@ -79,16 +80,22 @@ def update_fts_columns(conn: psycopg2.extensions.connection) -> int:
     if message_ids:
         if USING_PGROONGA:
-            update_sql = "search_pgroonga = escape_html(subject) || ' ' || rendered_content"
+            update_sql = SQL(
+                "search_pgroonga = escape_html(subject) || ' ' || rendered_content"
+            )
         else:
-            update_sql = "search_tsvector = to_tsvector('zulip.english_us_search', subject || rendered_content)"
+            update_sql = SQL(
+                "search_tsvector = to_tsvector('zulip.english_us_search', subject || rendered_content)"
+            )
         cursor.execute(
-            f"UPDATE zerver_message SET {update_sql} " # noqa: S608
-            "WHERE ctid IN ("
-            " SELECT ctid FROM zerver_message"
-            " WHERE id IN %s"
-            " ORDER BY id FOR UPDATE"
-            ")",
+            SQL(
+                "UPDATE zerver_message SET {update_sql} "
+                "WHERE ctid IN ("
+                " SELECT ctid FROM zerver_message"
+                " WHERE id IN %s"
+                " ORDER BY id FOR UPDATE"
+                ")"
+            ).format(update_sql=update_sql),
             (message_ids,),
         )
     if row_ids: