Potential SQL Injection via Unescaped Object Keys in SQL Queries

There is a potential security vulnerability in the codebase related to SQL injection. Specifically, object keys (paths) are being used directly in SQL queries without proper escaping or parameterization. This could allow attackers to inject malicious SQL through crafted object keys.

**Suggested Fix:**
- Audit all places where object keys are used to construct SQL queries.
- Ensure that all object keys are properly escaped or, preferably, parameterized.
- Add tests to verify that SQL injection is not possible via object keys.

**Action Items:**
1. Identify all instances in the codebase where object keys are interpolated into SQL queries.
2. Refactor these queries to use parameterized statements or proper escaping mechanisms.
3. Add or update tests to cover these cases and prevent regressions.

cc @aalexfvk

---

I created this issue for @NikitaUnisikhin from https://github.com/yandex/ch-tools/pull/352#discussion_r2113946591.

<details>
<summary>Tips and commands</summary>

#### Getting Help

- [Contact our support team](mailto:support@sourcery.ai) for questions or feedback.
- Visit our [documentation](https://docs.sourcery.ai) for detailed guides and information.
- Keep in touch with the Sourcery team by following us on [X/Twitter](https://x.com/SourceryAI), [LinkedIn](https://www.linkedin.com/company/sourcery-ai/) or [GitHub](https://github.com/sourcery-ai).

</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Potential SQL Injection via Unescaped Object Keys in SQL Queries #353

Getting Help

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Potential SQL Injection via Unescaped Object Keys in SQL Queries #353

Description

Getting Help

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions