ISSUE_NUMBER: GH-6
Description
The code constructs Prisma filter conditions based on the search_params extracted from the Gemini API response. There's a potential risk of injection if the Gemini API returns malicious or unexpected values.
File: repositories/jobflowapi/controllers/chat.py
Line: 158
Severity: high
Current Behavior
The application constructs Prisma filter conditions without proper sanitization of the input values.
Expected Behavior
The application should sanitize the input values before constructing the Prisma filter conditions.
Suggested Fix
Add input validation and sanitization to the search_params extracted from the Gemini API response.
Code Context
```python
filter_conditions = {}
# Handle job title (could be multiple) - Using regex for better matching
if search_params.get('title'):
    titles = search_params['title']
    if isinstance(titles, list) and titles:
        # If multiple titles, use OR condition with contains matching
        title_conditions = []
        for title in titles:
            # Split the search term into words for more flexible matching
            title_words = title.split()
            for word in title_words:
                title_conditions.append({
                    'title': {'contains': word, 'mode': 'insensitive'}
                })
        filter_conditions['OR'] = title_conditions
    elif isinstance(titles, str):
        # Split single title into words for flexible matching
        title_words = titles.split()
        filter_conditions['OR'] = [
            {'title': {'contains': word, 'mode': 'insensitive'}}
            for word in title_words
        ]
```
Additional Notes
This could lead to a security vulnerability if the Gemini API returns malicious values.
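One way to implement the suggested fix, as an added example that is not part of the jobflowapi code base: the model-supplied `title` value is type-checked, bounded and character-filtered before any Prisma condition is built from it, so a malformed or oversized response is rejected instead of reaching the query. The limits and the allowed-character pattern are assumptions chosen for this example.

```python
import re
from typing import Any

# Bounds chosen for this example (assumed, not from the project).
MAX_TERMS = 10       # cap the number of OR clauses built from one response
MAX_TERM_LEN = 64    # cap the length of any single search word
# Letters, digits, underscore and a few characters common in job titles (C#, C++, .NET, UI/UX).
TERM_RE = re.compile(r"^[\w+#.\-/]+$")


class InvalidSearchParams(ValueError):
    """Raised when the model output does not fit the expected shape."""


def sanitize_titles(raw: Any) -> list[str]:
    """Coerce the model-supplied 'title' value into a bounded list of clean words.

    Accepts a string or a list of strings; any other type, any non-string list
    entry, any over-long or unexpected word, and any over-long word list is
    rejected rather than passed to the query builder.
    """
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, list):
        raise InvalidSearchParams(f"title must be a string or list, got {type(raw).__name__}")
    words: list[str] = []
    for title in raw:
        if not isinstance(title, str):
            raise InvalidSearchParams("title entries must be strings")
        for word in title.split():
            if len(word) > MAX_TERM_LEN or not TERM_RE.match(word):
                raise InvalidSearchParams(f"rejected search term: {word!r}")
            # Drop case-insensitive duplicates so repeated words do not inflate the OR list.
            if word.lower() not in {w.lower() for w in words}:
                words.append(word)
    if len(words) > MAX_TERMS:
        raise InvalidSearchParams(f"too many search terms ({len(words)} > {MAX_TERMS})")
    return words


def build_title_filter(search_params: dict[str, Any]) -> dict[str, Any]:
    """Build the Prisma title filter (same shape as the original code) from validated words only."""
    words = sanitize_titles(search_params.get("title"))
    if not words:
        return {}
    return {"OR": [{"title": {"contains": w, "mode": "insensitive"}} for w in words]}
```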