Skip to content

fix(albums): sanitize image_ids and secure IN clause #629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(albums): sanitize image_ids and secure IN clause #629

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
009f36f
fix(albums): sanitize image_ids and secure IN clause to prevent SQL i…
g-k-s-03 Nov 11, 2025
e3ea331
Fix: optimize db_add_images_to_album for UUID support and single IN q…
g-k-s-03 Nov 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 35 additions & 11 deletions backend/app/database/albums.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,24 +169,48 @@ def db_get_album_images(album_id: str):


def db_add_images_to_album(album_id: str, image_ids: list[str]):
"""
Safely adds images to an album using parameterized queries.
Maintains UUID support and uses efficient single queries.
"""
# Validate input type
if not isinstance(image_ids, list):
raise ValueError("image_ids must be a list of IDs")

# Remove integer conversion - keep IDs as strings for UUID support
sanitized_ids = []
for img_id in image_ids:
# Basic validation - ensure it's a non-empty string
if isinstance(img_id, str) and img_id.strip():
sanitized_ids.append(img_id.strip())

if not sanitized_ids:
raise ValueError("No valid image IDs provided")

with get_db_connection() as conn:
cursor = conn.cursor()

query = (
f"SELECT id FROM images WHERE id IN ({','.join('?' for _ in image_ids)})"
)
cursor.execute(query, image_ids)
valid_images = [row[0] for row in cursor.fetchall()]

if valid_images:
cursor.executemany(
"INSERT OR IGNORE INTO album_images (album_id, image_id) VALUES (?, ?)",
[(album_id, img_id) for img_id in valid_images],
)
# Efficient single query with parameterized IN clause
if sanitized_ids:
# Generate placeholders safely based on list length
placeholders = ",".join(["?"] * len(sanitized_ids))
query = f"SELECT id FROM images WHERE id IN ({placeholders})"
cursor.execute(query, sanitized_ids) # Pass string IDs directly
valid_images = [row[0] for row in cursor.fetchall()]
else:
valid_images = []

if not valid_images:
raise ValueError("None of the provided image IDs exist in the database.")

# Insert into album_images using executemany
cursor.executemany(
"INSERT OR IGNORE INTO album_images (album_id, image_id) VALUES (?, ?)",
[(album_id, img_id) for img_id in valid_images],
)
conn.commit()


def db_remove_image_from_album(album_id: str, image_id: str):
with get_db_connection() as conn:
cursor = conn.cursor()
Expand Down
Loading