Code-Fixxers · Donach · May 15, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -2,3 +2,8 @@
 **Vulnerability:** A potential SQL injection vulnerability in `createMany` inside `packages/core/src/db/repositories/tasks.ts`. The code used `sql.raw` to interpolate task IDs into an `IN` clause manually without parameterization.
 **Learning:** Using `sql.raw` to join dynamically generated strings (like UUID arrays) bypasses Drizzle's parameterization, exposing the app to SQL injection if any ID string is manipulated.
 **Prevention:** Always use Drizzle ORM's built-in parameterization functions like `inArray` instead of manual string concatenation or `sql.raw`.
+
+## 2025-05-15 - [SQL Injection Risk via sql.raw in jsonExtract]
+**Vulnerability:** A potential SQL injection vulnerability in `jsonExtract` function located in `packages/core/src/db/database-wrapper.ts`. The code used `sql.raw` to directly interpolate dynamic paths and property keys into the Postgres JSON extraction string. Since path strings can originate from untrusted input, it opens up a potential vector for SQL injection when querying JSON fields.
+**Learning:** `sql.raw` bypasses Drizzle's normal parameterization. Using it with anything dynamically generated based on user input exposes the application to SQL injection.
+**Prevention:** Always use parameterized tags (`sql\`->\${param}\``) or appropriate query builder operators instead of concatenating raw SQL strings or relying on `sql.raw`.
diff --git a/packages/core/src/db/database-wrapper.ts b/packages/core/src/db/database-wrapper.ts
@@ -105,15 +105,15 @@ export function jsonExtract(db: Database, column: SQL.Aliased | SQL | any, path:
   } else {
     // PostgreSQL: column->'path'->'to'->>'field'
     // Use -> for all but the last part (keeps as JSON), ->> for the last part (extracts as text)
-    // IMPORTANT: Use sql.raw() for JSON keys to avoid parameterization
+    // CRITICAL SECURITY FIX: Never use sql.raw() for user input paths. Use parameters.
     if (parts.length === 1) {
       // Single level: column->>'key'
-      return sql`${column}${sql.raw(`->>'${parts[0]}'`)}`;
+      return sql`${column} ->> ${parts[0]}`;
     } else {
       // Multiple levels: column->'key1'->'key2'->>'key3'
-      const objectParts = parts.slice(0, -1).map((p) => sql.raw(`->'${p}'`));
+      const objectParts = parts.slice(0, -1).map((p) => sql`->${p}`);
       const lastPart = parts[parts.length - 1];
-      return sql`${column}${sql.join(objectParts, sql``)}${sql.raw(`->>'${lastPart}'`)}`;
+      return sql`${column}${sql.join(objectParts, sql``)}->>${lastPart}`;
     }
   }
 }