fix: add parameterized queries in ability.go#5762
Conversation
Automated security fix generated by OrbisAI Security
The FixAbility function executes raw SQL queries using string concatenation without parameterization
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
Walkthrough
ChangesAbility reset and rebuild test
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
model/ability.go (1)
343-343: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueStale comment.
The operation no longer issues a
TRUNCATE; the comment now misdescribes the code.- // truncate abilities table + // clear abilities table🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@model/ability.go` at line 343, The comment above the abilities table cleanup is stale and still says TRUNCATE even though the code no longer does that. Update the comment near the abilities-table operation in the ability-related logic to match the actual behavior, or remove it if it adds no value, so it no longer misdescribes the code.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@model/ability_invariant_test.go`:
- Around line 1-59: The current TestFixAbilitySQLInjection is invalid because it
tries to mock DB as if gorm.DB were an interface, but FixAbility uses the
concrete DB session/query methods and never consumes any payload. Replace this
with a real database-backed test for FixAbility that exercises its actual
behavior: clear/reset abilities and rebuild them from channels, then assert the
resulting rows/state using a test DB setup. Remove the unused payload-driven
assertions and the mockDatabase approach, and use require/assert with the
existing FixAbility symbol so the test compiles and verifies something
meaningful.
---
Nitpick comments:
In `@model/ability.go`:
- Line 343: The comment above the abilities table cleanup is stale and still
says TRUNCATE even though the code no longer does that. Update the comment near
the abilities-table operation in the ability-related logic to match the actual
behavior, or remove it if it adds no value, so it no longer misdescribes the
code.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 96d3343f-594b-4ef4-bc4d-3814b09bdd10
📒 Files selected for processing (2)
model/ability.gomodel/ability_invariant_test.go
- Fix stale comment in FixAbility (truncate -> clear) - Replace non-compiling mock-based test with a real SQLite-backed integration test that verifies FixAbility clears stale rows and rebuilds abilities from channel definitions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Fix critical severity security issue in
model/ability.go.Vulnerability
V-001model/ability.go:340Description: The FixAbility function executes raw SQL queries using string concatenation without parameterization. While the current query uses constant strings, this pattern creates a dangerous precedent and could lead to SQL injection if similar patterns are used elsewhere with user input.
Evidence
Exploitation scenario: An attacker who can trigger the FixAbility function (likely through an admin API endpoint) could potentially inject SQL if the function is modified or if similar patterns exist elsewhere with.
Scanner confirmation: multi_agent_ai rule
V-001flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Threat Model Context
This is a Go service - vulnerabilities in HTTP handlers are remotely exploitable.
Changes
model/ability.goVerification
Security Invariant
Regression test
This test guards against regressions — it's useful independent of the code change above.
Automated security fix by OrbisAI Security
Summary by CodeRabbit
Bug Fixes
Tests