administrator/frigate
1
0
Fork 0
mirror of https://github.com/blakeblackshear/frigate.git synced 2026-03-21 23:58:22 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix: use parameterized query in get_face_ids to prevent SQL injection

Browse Source 
The name parameter was interpolated directly into the SQL query via
f-string, allowing SQL injection through crafted face name values.

Use a parameterized query with ? placeholder instead.
This commit is contained in:
ryzendigo 2026-03-17 06:56:25 +08:00
parent 722ef6a1fe
commit 3a4479397c
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
frigate/embeddings/__init__.py
View File

@ -205,14 +205,14 @@ class EmbeddingsContext:
) )
def get_face_ids(self, name: str) -> list[str]: def get_face_ids(self, name: str) -> list[str]:
sql_query = f""" sql_query = """
SELECT SELECT
id id
FROM vec_descriptions FROM vec_descriptions
WHERE id LIKE '%{name}%' WHERE id LIKE ?
""" """
return self.db.execute_sql(sql_query).fetchall() return self.db.execute_sql(sql_query, (f"%{name}%",)).fetchall()
def reprocess_face(self, face_file: str) -> dict[str, Any]: def reprocess_face(self, face_file: str) -> dict[str, Any]:
return self.requestor.send_data( return self.requestor.send_data(