fix(#8): AnalyzeAsync SQL 인젝션 방지 (parameterized query 사용)

2026-04-26 11:33:16 +09:00
parent e7409f77d5
commit 544b2570fd
1 changed files with 8 additions and 7 deletions
--- a/src/Core/Application/Services/TextToSqlService.cs
+++ b/src/Core/Application/Services/TextToSqlService.cs
@@ -644,11 +644,8 @@ public class TextToSqlService : ITextToSqlService

            foreach (var tagName in tagNames)
            {
-                // SQL 인젝션 방지를 위해 태그명 이스케이프
-                var escapedTagName = tagName.Replace("'", "''");
-                
-                // history_table: tagname (TEXT), recorded_at (TIMESTAMPTZ), value (TEXT)
-                var sql = $@"
+                // SQL 인젝션 방지를 위해 parameterized query 사용
+                var sql = @"
                    SELECT
                        AVG(value::double precision) AS avg_val,
                        MIN(value::double precision) AS min_val,
@@ -658,10 +655,14 @@ public class TextToSqlService : ITextToSqlService
                        last(value::double precision, recorded_at) AS last_val,
                        COUNT(*) AS point_count
                    FROM history_table
-                    WHERE tagname = '{escapedTagName}'
-                      AND recorded_at BETWEEN '{from}' AND '{to}'";
+                    WHERE tagname = @tagName
+                      AND recorded_at BETWEEN @fromTimestamp AND @toTimestamp";

                using var cmd = new NpgsqlCommand(sql, conn);
+                cmd.Parameters.AddWithValue("@tagName", tagName);
+                cmd.Parameters.AddWithValue("@fromTimestamp", DateTime.Parse(from));
+                cmd.Parameters.AddWithValue("@toTimestamp", DateTime.Parse(to));
+                
                using var reader = await cmd.ExecuteReaderAsync();

                if (await reader.ReadAsync())