REMEDIATION_SUMMARY - nself-org/cli GitHub Wiki
Status: ๐ด IN PROGRESS (0% Complete) Priority: CRITICAL Total Vulnerabilities: ~150 Estimated Effort: 60-80 hours
| Phase | Files | Vulnerabilities | Status | Due Date |
|---|---|---|---|---|
| Phase 1 | 2 files | 60 critical | ๐ด Not Started | Week 1 |
| Phase 2 | 3 files | 90 remaining | ๐ด Not Started | Week 2 |
| Phase 3 | Testing | N/A | ๐ด Not Started | Week 3 |
- โ
Start here:
SQL_INJECTION_REMEDIATION_REPORT.md - โ
Fix guide:
SQL_INJECTION_FIX_GUIDE.md - โ This summary: Quick reference
# Source validation functions
source src/lib/utils/validation.sh
# Source safe query functions
source src/lib/database/safe-query.sh
# Run existing tests
bash src/tests/security/test-sql-injection.sh# File 1: billing/usage.sh (60 vulnerabilities)
# File 2: billing/reports.sh (30 vulnerabilities)
# For each function:
# 1. Add input validation
# 2. Replace ${var} with :'param'
# 3. Add parameters to billing_db_query call
# 4. Test manually
# 5. Commit1. Usage Aggregate Functions (billing/usage.sh)
- Lines: 305-312, 350-357, 839-924
- Impact: Financial data exposure
- Difficulty: Medium
- Time: 4 hours
2. Tenant Provisioning (tenant/lifecycle.sh)
- Lines: 34-79
- Impact: Account takeover, privilege escalation
- Difficulty: Hard
- Time: 3 hours
3. Usage Export (billing/usage.sh)
- Lines: 1195-1310
- Impact: Complete data exfiltration
- Difficulty: Hard (dynamic WHERE clauses)
- Time: 3 hours
# Validate
validate_uuid "$id" || return 1
# Parameterize
billing_db_query "SELECT * FROM table WHERE id = :'id'" "tuples" "id" "$id"# Validate all
validate_uuid "$customer_id" || return 1
validate_service_name "$service" || return 1
# Parameterize all
billing_db_query "
SELECT * FROM table
WHERE customer_id = :'customer_id'
AND service = :'service'
" "tuples" "customer_id" "$customer_id" "service" "$service"# Use COALESCE or conditional SQL
billing_db_query "
SELECT * FROM table
WHERE customer_id = :'customer_id'
AND (:'service' = '' OR service = :'service')
AND (:'start_date' = '' OR date >= :'start_date'::timestamp)
" "tuples" \
"customer_id" "$customer_id" \
"service" "${service:-}" \
"start_date" "${start_date:-}"# Search for string interpolation in SQL
grep -rn "WHERE.*'\${" src/lib/billing/
grep -rn "WHERE.*'\${" src/lib/tenant/
# Search for unparameterized psql calls
grep -rn "psql.*-c.*\"\$" src/lib/tenant/
# Search for unsafe billing_db_query calls
grep -rn "billing_db_query.*'\${" src/lib/billing/# Pattern 1: Single WHERE clause
FROM: WHERE id = '${id}'
TO: WHERE id = :'id'
ADD: "id" "$id" to billing_db_query parameters
# Pattern 2: Multiple WHERE clauses
FROM: WHERE a = '${a}' AND b = '${b}'
TO: WHERE a = :'a' AND b = :'b'
ADD: "a" "$a" "b" "$b" to parameters
# Pattern 3: Dynamic WHERE
FROM: where_clause="customer_id = '${customer_id}'"
TO: (Delete variable, use SQL conditional instead)
WHERE customer_id = :'customer_id'
AND (:'optional' = '' OR field = :'optional')For each fixed function:
# 1. Validation test
result=$(function_name "'; DROP TABLE users; --" 2>&1)
# Should: Error "Invalid format"
# 2. Normal operation test
result=$(function_name "valid-value")
# Should: Work correctly
# 3. Special characters test
result=$(function_name "[email protected]")
# Should: Work correctly (chars treated as literals)
# 4. Edge case test
result=$(function_name "")
# Should: Error "Invalid format"- src/lib/billing/usage.sh (0/60 vulnerabilities)
- src/lib/billing/reports.sh (0/30 vulnerabilities)
- src/lib/tenant/lifecycle.sh (0/25 vulnerabilities)
- src/lib/tenant/core.sh (0/20 vulnerabilities)
- src/lib/tenant/routing.sh (0/15 vulnerabilities)
Billing - Usage (0/13)
- usage_get_all_table()
- usage_get_service_table()
- usage_get_all_json()
- usage_get_all_csv()
- usage_get_service_json()
- usage_get_service_csv()
- usage_aggregate_hourly()
- usage_aggregate_daily()
- usage_aggregate_monthly()
- usage_check_service_alert()
- usage_export_csv()
- usage_export_json()
- usage_get_peaks()
Billing - Reports (0/5)
- report_usage_trends_table()
- report_usage_trends_csv()
- report_usage_trends_json()
- report_churn_table()
- report_aging_table()
Tenant - Lifecycle (0/10)
- tenant_provision()
- create_tenant_owner()
- initialize_tenant_settings()
- tenant_lifecycle_suspend()
- tenant_lifecycle_activate()
- tenant_soft_delete()
- tenant_permanent_delete()
- tenant_migrate_plan()
- tenant_create_backup()
- tenant_health_check()
Tenant - Core (0/7)
- tenant_list()
- tenant_show()
- tenant_suspend()
- tenant_activate()
- tenant_member_remove()
- tenant_member_list()
- tenant_domain_add()
Tenant - Routing (0/2)
- generate_custom_domain_ssl()
- get_tenant_url()
- Fix usage_get_all_table() - 1 hour
- Fix usage_get_service_table() - 1 hour
- Fix usage_aggregate_hourly() - 1.5 hours
- Fix usage_aggregate_daily() - 1.5 hours
- Fix usage_aggregate_monthly() - 1.5 hours
- Test all fixes - 1.5 hours
Target: 5 functions, ~15 vulnerabilities fixed
- Fix usage_export_csv() - 2 hours
- Fix usage_export_json() - 1.5 hours
- Fix usage_get_peaks() - 1 hour
- Fix usage_check_service_alert() - 1.5 hours
- Test all fixes - 2 hours
Target: 4 functions, ~20 vulnerabilities fixed
- Fix tenant_provision() - 3 hours
- Fix tenant_lifecycle_suspend() - 1 hour
- Fix tenant_lifecycle_activate() - 1 hour
- Fix tenant_soft_delete() - 1 hour
- Test all fixes - 2 hours
Target: 4 functions, ~20 vulnerabilities fixed
- Validation functions:
src/lib/utils/validation.sh - Safe query functions:
src/lib/database/safe-query.sh - Working examples:
src/lib/billing/quotas.sh(already fixed) - Test framework:
src/tests/security/test-sql-injection.sh
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- PostgreSQL Prepared Statements: https://www.postgresql.org/docs/current/sql-prepare.html
- Input Validation Guide: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
# Find all string interpolation in SQL
rg "'\\\${" src/lib/billing/ src/lib/tenant/
# Find all unvalidated psql calls
rg "psql.*-c.*'\\\$" src/lib/
# Find all billing_db_query without parameters
rg "billing_db_query.*'\\\${" src/lib/billing/# Run all security tests
bash src/tests/security/test-sql-injection.sh
# Run specific function test
bash src/tests/security/test-usage-functions.sh usage_get_all_table
# Manual injection test
result=$(usage_get_all_table "'; DROP TABLE billing_usage_records; --" 2>&1)
echo "$result" | grep -q "Invalid" && echo "PASS" || echo "FAIL"# Good commit message format
git commit -m "security: fix SQL injection in usage_get_all_table()
- Add customer_id validation
- Parameterize all WHERE clause variables
- Replace string interpolation with :param syntax
- Add test for injection attempt
Fixes: #XXX (SQL Injection in billing module)
"-
โ Forgetting Validation
# WRONG billing_db_query "WHERE id = :'id'" "tuples" "id" "$user_input" # RIGHT validate_uuid "$user_input" || return 1 billing_db_query "WHERE id = :'id'" "tuples" "id" "$user_input"
-
โ Partial Parameterization
# WRONG - service is still vulnerable billing_db_query "WHERE id = :'id' AND service = '${service}'" "tuples" "id" "$id" # RIGHT billing_db_query "WHERE id = :'id' AND service = :'service'" "tuples" "id" "$id" "service" "$service"
-
โ Building SQL Fragments
# WRONG filter="AND status = '${status}'" billing_db_query "SELECT * FROM table WHERE id = :'id' ${filter}" "tuples" "id" "$id" # RIGHT billing_db_query " SELECT * FROM table WHERE id = :'id' AND (:'status' = '' OR status = :'status') " "tuples" "id" "$id" "status" "${status:-}"
If stuck on a particularly complex vulnerability:
- Review the fix guide for similar patterns
- Check
src/lib/billing/quotas.shfor working examples - Search for existing safe implementations in codebase
- Ask for code review before committing
Remember: Better to ask for help than to commit an incorrect fix!
Before considering remediation complete:
- All 150 vulnerabilities fixed and tested
- All validation functions in place
- All queries use parameterized syntax
- No string interpolation in SQL strings
- All tests passing (including new security tests)
- Code review completed
- Documentation updated
- CI/CD includes SQL injection tests
- Production deployment blocked until complete
Next Steps: Start with Day 1 goals, fix first 5 functions, get code review.
Estimated Completion: 3 weeks (15 working days at 8 hours/day)
Last Updated: 2026-01-31 Progress: 0% (0/150 vulnerabilities fixed)