Summary
Several queries build their SQL with format!() string interpolation instead of bound parameters (for values) or consistent identifier quoting (for names), leaving SQL injection vectors.
Locations
kill_process (medium risk)
src-tauri/crates/mas-admin/src/lib.rs:104
sqlx::query(&format!("KILL {}", process_id))
process_id is an i64, so the interpolated text can only ever be a decimal integer and there is no injection today. The finding is the pattern itself: it becomes a real injection the moment the parameter type is widened to a string, or the same line is copied for a parameter that already is one.
schema inspector (low-medium risk)
src-tauri/crates/mas-core/src/schema/inspector.rs:258,260,381-382,407-409,431-434
Database/table/view/routine/trigger names are interpolated with format!() and wrapped in backticks, which is the correct treatment for identifiers provided any backtick inside the name is doubled (the one character that is special inside a backtick-quoted identifier). However, on lines 408-409, the SHOW CREATE PROCEDURE / SHOW CREATE FUNCTION queries use format!() with no backtick quoting at all:
sqlx::query_as(&format!("SHOW CREATE PROCEDURE {}", routine_name))
This is directly injectable: whatever the routine name contains is spliced into the statement verbatim. Routine names come from the server itself, so exploitation needs the ability to create or rename a routine (hence the low-medium rating), but MySQL allows nearly any character in a quoted routine name, so a name containing spaces or punctuation at best breaks the statement and at worst changes its meaning. The omission is also inconsistent with the quoting applied everywhere else in the same file.
Fix
Bind values as parameters and quote identifiers. The two sites need different fixes, because a ? placeholder can only carry a value, never an identifier. KILL takes an integer expression, so it can be bound:
sqlx::query("KILL ?").bind(process_id)
sqlx::query_as("SHOW CREATE PROCEDURE ?").bind(routine_name) is not a valid fix: MySQL rejects a placeholder in identifier position at prepare time. Apply the same backtick quoting the rest of inspector.rs already uses, doubling any backtick inside the name, and only pass names that were enumerated from information_schema.ROUTINES:
sqlx::query_as(&format!("SHOW CREATE PROCEDURE `{}`", routine_name.replace('`', "``")))
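Added example, not code from the mas-core code base: a std-only Rust sketch of the identifier handling the fix above calls for. quote_ident, show_create_procedure, naive_show_create_procedure and the known routine set are illustrative names and constructed data; the SQL text they return is what would be handed to sqlx::query_as. The quoting generalizes to the other identifier sites in inspector.rs, since database, table, view and trigger names are quoted the same way. Execution against a database is left out so the example runs offline.

```rust
use std::collections::HashSet;

/// The pattern from inspector.rs, kept for contrast: the name is spliced in
/// verbatim, so a name containing a space or punctuation changes the statement.
pub fn naive_show_create_procedure(routine_name: &str) -> String {
    format!("SHOW CREATE PROCEDURE {}", routine_name)
}

/// Quote a MySQL identifier for a position a `?` placeholder cannot fill
/// (database, table, view, routine and trigger names). Inside a backtick-quoted
/// identifier only the backtick itself is special, and it is escaped by
/// doubling; backslashes are ordinary characters there.
pub fn quote_ident(name: &str) -> Result<String, String> {
    if name.is_empty() {
        return Err("identifier must not be empty".to_string());
    }
    // MySQL limits identifiers to 64 characters and forbids NUL bytes, so
    // anything outside those bounds cannot be a real routine name.
    if name.chars().count() > 64 {
        return Err(format!("identifier too long: {} chars", name.chars().count()));
    }
    if name.contains('\0') {
        return Err("identifier contains a NUL byte".to_string());
    }
    Ok(format!("`{}`", name.replace('`', "``")))
}

/// Build the statement the inspector needs, accepting only names that were
/// previously enumerated from information_schema.ROUTINES (the `known` set
/// stands in for that result set here) and quoting the survivor.
pub fn show_create_procedure(
    routine_name: &str,
    known: &HashSet<String>,
) -> Result<String, String> {
    if !known.contains(routine_name) {
        return Err(format!(
            "routine {:?} not present in information_schema",
            routine_name
        ));
    }
    Ok(format!("SHOW CREATE PROCEDURE {}", quote_ident(routine_name)?))
}

fn main() {
    // Constructed sample: routine names as they might come back from
    // information_schema.ROUTINES, including awkward but legal ones.
    let known: HashSet<String> = ["report_daily", "odd`name", "has space"]
        .iter()
        .map(|s| s.to_string())
        .collect();

    for &name in ["report_daily", "odd`name", "has space", "not_a_routine"].iter() {
        println!("naive:  {}", naive_show_create_procedure(name));
        match show_create_procedure(name, &known) {
            Ok(sql) => println!("quoted: {}", sql),
            Err(e) => println!("reject: {}", e),
        }
    }
}
```

The allowlist check is defence in depth: quoting alone already prevents the name from escaping identifier position, but refusing names the inspector did not itself read from information_schema means a caller cannot probe for arbitrary routines either.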