From 3a6a37e9c2dd7441eed8288d87710c498051e027 Mon Sep 17 00:00:00 2001
From: Reddraconi
Date: Fri, 24 Apr 2026 21:25:08 -0500
Subject: [PATCH] Sec: Use bounded parameters for reserved-tag initialization

The startup migration that bumps tags-table autoincrement past the reserved range built two SQL statements with f-strings. While RESERVED_TAG_END is hard-coded at the moment, it's a scary pattern that can turn into a SQL injection site if that value ever originates from another location. I swapped the `tag_id` to a SQLAlchemy bind paramter (`:tag_id`) to fix that and so it matches the other queries in the codebase.
---
 src/tagstudio/core/library/alchemy/db.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/tagstudio/core/library/alchemy/db.py b/src/tagstudio/core/library/alchemy/db.py
index 8e3e6a618..9090b32de 100644
--- a/src/tagstudio/core/library/alchemy/db.py
+++ b/src/tagstudio/core/library/alchemy/db.py
@@ -57,11 +57,15 @@ def make_tables(engine: Engine) -> None:
 conn.execute(
 text(
 "INSERT INTO tags "
- "(id, name, color_namespace, color_slug, is_category, is_hidden) VALUES "
- f"({RESERVED_TAG_END}, 'temp', NULL, NULL, false, false)"
- )
+ "(id, name, color_namespace, color_slug, is_category, is_hidden) "
+ "VALUES (:tag_id, 'temp', NULL, NULL, false, false)"
+ ),
+ {"tag_id": RESERVED_TAG_END},
+ )
+ conn.execute(
+ text("DELETE FROM tags WHERE id = :tag_id"),
+ {"tag_id": RESERVED_TAG_END},
 )
- conn.execute(text(f"DELETE FROM tags WHERE id = {RESERVED_TAG_END}"))
 conn.commit()
 except OperationalError as e:
 logger.error("Could not initialize built-in tags", error=e)
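Review bot: The insert-then-delete at the top of the hunk reads as a no-op without a comment; nothing in the code says its purpose is to advance the tags-table autoincrement counter past the reserved range, so a future cleanup could remove it and silently break the reserved-id invariant. I would add, above the first `conn.execute(`, `# Insert and delete a throwaway row at RESERVED_TAG_END so the tags autoincrement counter starts past the reserved range; deleting the row is not expected to move the counter back.` The bind parameter removes the injection risk at the value position, but the guarantee still depends on RESERVED_TAG_END being an int at the top of the reserved range, so that comment is also where the invariant belongs. Separately, if a row with that id already exists the INSERT would presumably raise IntegrityError rather than OperationalError, which the `except OperationalError` at the end of the hunk does not catch. make_tables starts before the hunk and may continue after it.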