Code-Fixxers · Donach · May 18, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -2,3 +2,8 @@
 **Vulnerability:** A potential SQL injection vulnerability in `createMany` inside `packages/core/src/db/repositories/tasks.ts`. The code used `sql.raw` to interpolate task IDs into an `IN` clause manually without parameterization.
 **Learning:** Using `sql.raw` to join dynamically generated strings (like UUID arrays) bypasses Drizzle's parameterization, exposing the app to SQL injection if any ID string is manipulated.
 **Prevention:** Always use Drizzle ORM's built-in parameterization functions like `inArray` instead of manual string concatenation or `sql.raw`.
+
+## 2024-05-13 - [SQL Injection Risk via sql.raw in jsonExtract]
+**Vulnerability:** A potential SQL injection vulnerability in `jsonExtract` inside `packages/core/src/db/database-wrapper.ts`. The code used `sql.raw` to interpolate JSON path parts into a PostgreSQL query manually without parameterization.
+**Learning:** Using `sql.raw` to construct dynamic SQL paths bypasses Drizzle's parameterization, exposing the application to SQL injection if any path string is manipulated or maliciously constructed.
+**Prevention:** Always use Drizzle ORM's built-in parameterization via `sql\`...\`` tagged templates for dynamic parts instead of `sql.raw()`.
diff --git a/packages/core/src/db/database-wrapper.ts b/packages/core/src/db/database-wrapper.ts
@@ -105,15 +105,15 @@ export function jsonExtract(db: Database, column: SQL.Aliased | SQL | any, path:
   } else {
     // PostgreSQL: column->'path'->'to'->>'field'
     // Use -> for all but the last part (keeps as JSON), ->> for the last part (extracts as text)
-    // IMPORTANT: Use sql.raw() for JSON keys to avoid parameterization
     if (parts.length === 1) {
       // Single level: column->>'key'
-      return sql`${column}${sql.raw(`->>'${parts[0]}'`)}`;
+      // Explicitly cast to ::text so Postgres selects the correct overloaded operator
+      return sql`${column}->>(${parts[0]}::text)`;
     } else {
       // Multiple levels: column->'key1'->'key2'->>'key3'
-      const objectParts = parts.slice(0, -1).map((p) => sql.raw(`->'${p}'`));
+      const objectParts = parts.slice(0, -1).map((p) => sql`->(${p}::text)`);
       const lastPart = parts[parts.length - 1];
-      return sql`${column}${sql.join(objectParts, sql``)}${sql.raw(`->>'${lastPart}'`)}`;
+      return sql`${column}${sql.join(objectParts, sql``)}->>(${lastPart}::text)`;
     }
   }
 }