From aea91a91d5b961178b3d0a89d6117e0d33e06574 Mon Sep 17 00:00:00 2001
From: ryzendigo <48058157+ryzendigo@users.noreply.github.com>
Date: Tue, 17 Mar 2026 07:23:44 +0800
Subject: [PATCH] fix: use parameterized query in get_face_ids to prevent SQL injection (#22500)

The name parameter was interpolated directly into the SQL query via f-string, allowing SQL injection through crafted face name values. Use a parameterized query with ? placeholder instead.
---
 frigate/embeddings/__init__.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frigate/embeddings/__init__.py b/frigate/embeddings/__init__.py
index 0a854fcfa..5e14d0d8c 100644
--- a/frigate/embeddings/__init__.py
+++ b/frigate/embeddings/__init__.py
@@ -205,14 +205,14 @@ class EmbeddingsContext:
         )
 
     def get_face_ids(self, name: str) -> list[str]:
-        sql_query = f"""
+        sql_query = """
             SELECT id FROM vec_descriptions
-            WHERE id LIKE '%{name}%'
+            WHERE id LIKE ?
         """
-        return self.db.execute_sql(sql_query).fetchall()
+        return self.db.execute_sql(sql_query, (f"%{name}%",)).fetchall()
 
     def reprocess_face(self, face_file: str) -> dict[str, Any]:
         return self.requestor.send_data(