Merge branch 'fix/sast-findings-dcf712' into 'main'

fix: remediate SAST findings (CWE-78, CWE-918, CWE-770, CWE-489, CWE-185)

See merge request postgres-ai/postgresai!228

Author: NikolayS

cli/bin/postgres-ai.ts

@@ -55,20 +55,6 @@ function closeReadline() {
 }
 
 // Helper functions for spawning processes - use Node.js child_process for compatibility
-async function execPromise(command: string): Promise<{ stdout: string; stderr: string }> {
-  return new Promise((resolve, reject) => {
-    childProcess.exec(command, (error, stdout, stderr) => {
-      if (error) {
-        const err = error as Error & { code: number };
-        err.code = typeof error.code === "number" ? error.code : 1;
-        reject(err);
-      } else {
-        resolve({ stdout, stderr });
-      }
-    });
-  });
-}
-
 async function execFilePromise(file: string, args: string[]): Promise<{ stdout: string; stderr: string }> {
   return new Promise((resolve, reject) => {
     childProcess.execFile(file, args, (error, stdout, stderr) => {
@@ -2594,8 +2580,8 @@ mon
 
       if (!grafanaPassword) {
         console.log("Generating secure Grafana password...");
-        const { stdout: password } = await execPromise("openssl rand -base64 12 | tr -d '\n'");
-        grafanaPassword = password.trim();
+        const { stdout: password } = await execFilePromise("openssl", ["rand", "-base64", "12"]);
+        grafanaPassword = password.trim().replace(/\n/g, "");
 
         let configContent = "";
         if (fs.existsSync(cfgPath)) {
@@ -2634,8 +2620,8 @@ mon
         console.log("Generating VictoriaMetrics auth credentials...");
         vmAuthUsername = vmAuthUsername || "vmauth";
         if (!vmAuthPassword) {
-          const { stdout: vmPass } = await execPromise("openssl rand -base64 12 | tr -d '\n'");
-          vmAuthPassword = vmPass.trim();
+          const { stdout: vmPass } = await execFilePromise("openssl", ["rand", "-base64", "12"]);
+          vmAuthPassword = vmPass.trim().replace(/\n/g, "");
         }
 
         // Update .env file with VM auth credentials
@@ -2947,16 +2933,16 @@ mon
 
       // Fetch latest changes
       console.log("Fetching latest changes...");
-      await execPromise("git fetch origin");
+      await execFilePromise("git", ["fetch", "origin"]);
 
       // Check current branch
-      const { stdout: branch } = await execPromise("git rev-parse --abbrev-ref HEAD");
+      const { stdout: branch } = await execFilePromise("git", ["rev-parse", "--abbrev-ref", "HEAD"]);
       const currentBranch = branch.trim();
       console.log(`Current branch: ${currentBranch}`);
 
       // Pull latest changes
       console.log("Pulling latest changes...");
-      const { stdout: pullOut } = await execPromise("git pull origin " + currentBranch);
+      const { stdout: pullOut } = await execFilePromise("git", ["pull", "origin", currentBranch]);
       console.log(pullOut);
 
       // Update Docker images
@@ -3214,7 +3200,8 @@ targets
       // If YAML parsing fails, fall back to simple check
       const isFile = fs.existsSync(file) && !fs.lstatSync(file).isDirectory();
       const content = isFile ? fs.readFileSync(file, "utf8") : "";
-      if (new RegExp(`^- name: ${instanceName}$`, "m").test(content)) {
+      const escapedName = instanceName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      if (new RegExp(`^- name: ${escapedName}$`, "m").test(content)) {
         console.error(`Monitoring target '${instanceName}' already exists`);
         process.exitCode = 1;
         return;
@@ -3658,10 +3645,10 @@ mon
 
     try {
       // Generate secure password using openssl
-      const { stdout: password } = await execPromise(
-        "openssl rand -base64 12 | tr -d '\n'"
+      const { stdout: password } = await execFilePromise(
+        "openssl", ["rand", "-base64", "12"]
       );
-      const newPassword = password.trim();
+      const newPassword = password.trim().replace(/\n/g, "");
 
       if (!newPassword) {
         console.error("Failed to generate password");
@@ -4712,7 +4699,7 @@ mcp
       // Get the path to the current pgai executable
       let pgaiPath: string;
       try {
-        const execPath = await execPromise("which pgai");
+        const execPath = await execFilePromise("which", ["pgai"]);
         pgaiPath = execPath.stdout.trim();
       } catch {
         // Fallback to just "pgai" if which fails
@@ -4724,8 +4711,8 @@ mcp
         console.log("Installing PostgresAI MCP server for Claude Code...");
 
         try {
-          const { stdout, stderr } = await execPromise(
-            `claude mcp add -s user postgresai ${pgaiPath} mcp start`
+          const { stdout, stderr } = await execFilePromise(
+            "claude", ["mcp", "add", "-s", "user", "postgresai", pgaiPath, "mcp", "start"]
           );
 
           if (stdout) console.log(stdout);

cli/lib/supabase.ts

@@ -350,6 +350,10 @@ export async function fetchPoolerDatabaseUrl(
   config: SupabaseConfig,
   username: string
 ): Promise<string | null> {
+  // Validate projectRef format to prevent SSRF via crafted project references
+  if (!isValidProjectRef(config.projectRef)) {
+    throw new Error(`Invalid Supabase project reference format: "${config.projectRef}". Expected 10-30 alphanumeric characters.`);
+  }
   const url = `${SUPABASE_API_BASE}/v1/projects/${encodeURIComponent(config.projectRef)}/config/database/pooler`;
 
   // For Supabase pooler connections, the username must include the project ref:

cli/scripts/embed-checkup-dictionary.ts

@@ -51,7 +51,16 @@ function generateTypeScript(data: CheckupDictionaryEntry[], sourceUrl: string):
   return lines.join("\n");
 }
 
+// Allowed hosts for fetch requests to prevent SSRF
+const ALLOWED_HOSTS = ["postgres.ai"];
+
 async function fetchWithTimeout(url: string, timeoutMs: number): Promise<Response> {
+  // Validate URL against allowlist to prevent SSRF
+  const parsed = new URL(url);
+  if (!ALLOWED_HOSTS.includes(parsed.hostname)) {
+    throw new Error(`Fetch blocked: host "${parsed.hostname}" is not in the allowlist`);
+  }
+
   const controller = new AbortController();
   const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
 

monitoring_flask_backend/app.py

@@ -1394,4 +1394,4 @@ def get_query_info_metrics():
 
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=5000, debug=True)
+    app.run(host='0.0.0.0', port=5000, debug=False)

reporter/postgres_reports.py

@@ -368,7 +368,7 @@ def query_instant(self, query: str) -> Dict[str, Any]:
         params = {'query': query}
 
         try:
-            response = requests.get(f"{self.base_url}/query", params=params, auth=self.auth)
+            response = requests.get(f"{self.base_url}/query", params=params, auth=self.auth, timeout=30)
             if response.status_code == 200:
                 return response.json()
             else:
@@ -3115,7 +3115,7 @@ def query_range(self, query: str, start_time: datetime, end_time: datetime, step
         }
 
         try:
-            response = requests.get(f"{self.base_url}/query_range", params=params, auth=self.auth)
+            response = requests.get(f"{self.base_url}/query_range", params=params, auth=self.auth, timeout=30)
             if response.status_code == 200:
                 result = response.json()
                 if result.get('status') == 'success':
@@ -4890,7 +4890,7 @@ def upload_report_file(self, api_url, token, report_id, path):
 
 
 def make_request(api_url, endpoint, request_data):
-    response = requests.post(api_url + endpoint, json=request_data)
+    response = requests.post(api_url + endpoint, json=request_data, timeout=30)
     response.raise_for_status()
     return response.json()
 

tests/reporter/test_generators_unit.py

@@ -1360,7 +1360,7 @@ def raise_for_status(self):
         def json(self):
             return {}
 
-    def fake_post(url: str, json: dict[str, Any] | None = None):
+    def fake_post(url: str, json: dict[str, Any] | None = None, **kwargs):
         return MockResponse()
 
     monkeypatch.setattr("requests.post", fake_post)
@@ -1375,7 +1375,7 @@ def test_make_request_raises_on_connection_error(monkeypatch: pytest.MonkeyPatch
     """Test that make_request raises exception on connection error."""
     import requests
 
-    def fake_post(url: str, json: dict[str, Any] | None = None):
+    def fake_post(url: str, json: dict[str, Any] | None = None, **kwargs):
         raise requests.ConnectionError("Connection failed")
 
     monkeypatch.setattr("requests.post", fake_post)