SQL REVIEW REMAINING - nself-org/cli GitHub Wiki

Status: TODO
Priority: HIGH
Date: 2026-01-30

This document tracks files that still need to be reviewed and updated for SQL injection protection.
- [x] /src/lib/admin/api.sh ✅
- [x] /src/lib/auth/user-manager.sh ✅
- [x] /src/lib/auth/role-manager.sh ✅
- [ ] /src/lib/auth/permission-manager.sh
- [ ] /src/lib/auth/audit-log.sh
- [ ] /src/lib/auth/apikey-manager.sh
- [ ] /src/lib/auth/session-manager.sh
- [ ] /src/lib/auth/user-metadata.sh
- [ ] /src/lib/auth/user-profile.sh
- [ ] /src/lib/auth/device-manager.sh
- [ ] /src/lib/auth/jwt-manager.sh
- [ ] /src/lib/auth/custom-claims.sh
- [ ] /src/lib/auth/user-import-export.sh
- [ ] /src/lib/auth/magic-link.sh
- [ ] /src/lib/auth/hooks.sh
- [ ] /src/lib/auth/auth-manager.sh

- [ ] /src/lib/auth/mfa/backup-codes.sh
- [ ] /src/lib/auth/mfa/totp.sh
- [ ] /src/lib/auth/mfa/policies.sh
- [ ] /src/lib/auth/mfa/sms.sh
- [ ] /src/lib/auth/mfa/email.sh
- [ ] /src/lib/auth/mfa/webauthn.sh

- [ ] /src/lib/billing/core.sh
- [ ] /src/lib/billing/stripe.sh
- [ ] /src/lib/billing/stripe_new.sh
- [ ] /src/lib/billing/usage.sh
- [ ] /src/lib/billing/quotas.sh

- [ ] /src/lib/tenant/core.sh
- [ ] /src/lib/tenant/lifecycle.sh
- [ ] /src/lib/tenant/routing.sh

- [ ] /src/lib/org/core.sh

- [ ] /src/lib/whitelabel/domains.sh
- [ ] /src/lib/whitelabel/branding.sh
- [ ] /src/lib/whitelabel/themes.sh
- [ ] /src/lib/whitelabel/email-templates.sh

- [ ] /src/lib/webhooks/core.sh

- [ ] /src/lib/rate-limit/core.sh
- [ ] /src/lib/rate-limit/endpoint-limiter.sh
- [ ] /src/lib/rate-limit/user-limiter.sh
- [ ] /src/lib/rate-limit/ip-limiter.sh
- [ ] /src/lib/rate-limit/strategies.sh

- [ ] /src/lib/redis/core.sh
- [ ] /src/lib/redis/cache.sh
- [ ] /src/lib/redis/sessions.sh
- [ ] /src/lib/redis/rate-limit-distributed.sh

- [ ] /src/lib/database/core.sh

- [ ] /src/lib/storage/graphql-integration.sh
- [ ] /src/lib/storage/upload-pipeline.sh

- [ ] /src/lib/build/database.sh
- [ ] /src/lib/build/core-modules/database-init.sh

- [ ] /src/lib/backup/automated.sh
- [ ] /src/lib/backup/recovery.sh

- [ ] /src/lib/security/scanner.sh
- [ ] /src/lib/security/incident-response.sh
- [ ] /src/lib/security/webauthn.sh

- [ ] /src/lib/monitoring/alerting.sh
- [ ] /src/lib/monitoring/lb-health.sh
- [ ] /src/lib/monitoring/metrics-dashboard.sh

- [ ] /src/lib/observability/health.sh
- [ ] /src/lib/observability/logging.sh
- [ ] /src/lib/observability/metrics.sh
- [ ] /src/lib/observability/tracing.sh

- [ ] /src/lib/autofix/postgres-connection.sh
- [ ] /src/lib/autofix/comprehensive.sh
- [ ] /src/lib/autofix/fixes/healthcheck-complete.sh
- [ ] /src/lib/autofix/fixes/healthcheck.sh
- [ ] /src/lib/autofix/fixes/database.sh
- [ ] /src/lib/autofix/fixes/schema.sh

- [ ] /src/lib/services/hasura-metadata.sh
- [ ] /src/lib/services/service-builder.sh

- [ ] /src/lib/migrate/supabase.sh
- [ ] /src/lib/migrate/firebase.sh

- [ ] /src/lib/env/switch.sh
- [ ] /src/lib/env/create.sh

- [ ] /src/lib/compliance/framework.sh
- [ ] /src/lib/compliance/reports.sh

- [ ] /src/lib/secrets/audit.sh
- [ ] /src/lib/secrets/encryption.sh
- [ ] /src/lib/secrets/environment.sh
- [ ] /src/lib/secrets/vault.sh

- [ ] /src/lib/deploy/credentials.sh
- [ ] /src/lib/deploy/security-preflight.sh

- [ ] /src/lib/recovery/disaster-recovery.sh

- [ ] /src/lib/dev/sdk-generator.sh
- [ ] /src/lib/dev/test-helpers.sh
- [ ] /src/lib/dev/docs-generator.sh

- [ ] /src/lib/plugin/registry.sh
These files were flagged by grep but are unlikely to have SQL:

- Help files (.help.txt)
- README files
- Provider files (cloud deployment)
- SSL/certificate files
- Utility files
- Build orchestration files
For each file:

- Search for SQL queries:

  ```bash
  grep -n "psql.*-c" filename.sh
  grep -n "SELECT\|INSERT\|UPDATE\|DELETE" filename.sh
  ```

- Check for string interpolation:

  ```bash
  grep -n "WHERE.*=.*'\$" filename.sh
  grep -n "VALUES.*'\$" filename.sh
  ```

- If SQL found:
  - Source /src/lib/database/safe-query.sh
  - Replace with parameterized queries
  - Add input validation
  - Update function to use pg_query_* functions

- Test:
  - Add to /src/tests/security/test-sql-injection.sh
  - Run tests
  - Verify with malicious input

- Mark as complete:
  - Check the box in this document
  - Commit with message: "security: fix SQL injection in [filename]"
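The following bash snippet is an added example of the pattern this review hunts for and one way to remediate it; it is not code from the nself-org/cli repository, and the project's own safe-query.sh and pg_query_* functions are not shown on this page. The idea is that values are handed to psql as variables with `-v` and referenced in the SQL as `:'name'` (quoted literal) or `:"name"` (quoted identifier), so psql does the quoting and the raw input never becomes part of the statement text; inputs are validated before the query is built. The function names `pg_query_param`, `validate_int`, `validate_identifier`, `find_user_by_id` and `count_rows` are assumptions, and the `PG_QUERY_DRY_RUN` switch exists only so the wrapper can be exercised without a database.

```bash
#!/usr/bin/env bash
# Added example (assumed function names, not the project's safe-query.sh):
# a minimal parameterized psql wrapper plus input validation.

# The pattern the review's grep for WHERE.*'\$ catches looks like this:
#   psql -c "SELECT email FROM users WHERE id = '$user_id'"
# The value is spliced into the SQL text, so a quote character in it
# changes the statement. The functions below avoid that.

# validate_int VALUE: succeed only for a non-empty string of ASCII digits.
validate_int() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# validate_identifier NAME: unquoted-identifier shape (letter/_ then
# letters, digits, _). Use for table or column names that come from
# configuration; user input should never pick an identifier.
validate_identifier() {
  case $1 in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# pg_query_param QUERY name=value ...
# Each name=value pair becomes a psql variable (-v name=value). QUERY refers
# to it as :'name' (psql emits a properly quoted literal) or :"name" (quoted
# identifier). With PG_QUERY_DRY_RUN set, the psql arguments are printed
# instead of executed, which lets the wrapper be tested offline.
pg_query_param() {
  local query=$1
  shift
  # Rewrite the remaining positional parameters from "n=v" to "-v n=v".
  # The list for the loop is expanded once, so shifting inside is safe.
  local kv
  for kv in "$@"; do
    set -- "$@" -v "$kv"
    shift
  done
  if [ -n "${PG_QUERY_DRY_RUN:-}" ]; then
    printf 'psql %s -c %s\n' "$*" "$query"
    return 0
  fi
  psql -X -q -A -t --set ON_ERROR_STOP=1 "$@" -c "$query"
}

# find_user_by_id ID: validate first, then bind the value as :'id'.
find_user_by_id() {
  if ! validate_int "$1"; then
    printf 'find_user_by_id: id must be numeric, got: %s\n' "$1" >&2
    return 1
  fi
  pg_query_param "SELECT email FROM users WHERE id = :'id'" "id=$1"
}

# count_rows TABLE: a dynamic identifier; validated, then bound as :"tbl".
count_rows() {
  if ! validate_identifier "$1"; then
    printf 'count_rows: invalid table name: %s\n' "$1" >&2
    return 1
  fi
  pg_query_param 'SELECT count(*) FROM :"tbl"' "tbl=$1"
}
```

A test for a converted function can set `PG_QUERY_DRY_RUN=1`, call it with a value containing a quote, and check that the printed command still carries the value only inside a `-v` argument and the SQL text is unchanged; that is a cheap offline check before running the real test-sql-injection.sh suite against a database.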
```bash
# Find potential SQL queries
grep -r "SELECT\|INSERT\|UPDATE\|DELETE" src/lib/ \
  --include="*.sh" \
  | grep -v ".vulnerable" \
  | grep -v "safe-query.sh"

# Find potential SQL injection points
grep -r "psql.*-c.*\\\$" src/lib/ \
  --include="*.sh" \
  | grep -v ".vulnerable" \
  | grep -v "safe-query.sh"

# Count files that need review
grep -c "\[ \]" docs/security/SQL-REVIEW-REMAINING.md
```

Total Files: ~90
Reviewed: 3 ✅
Remaining: ~87 📋

High Priority: ~65 files
Medium Priority: ~20 files
Low Priority: ~5 files
- Backup original files to .vulnerable before modifying
- Always add tests for new secure implementations
- Document any special cases or complex queries
- Run full test suite before committing
Last Updated: 2026-01-30