fix: use parameterized queries in workflow search

[ColeMurray]

Summary

This PR addresses a SQL injection vulnerability in the workflow search functionality by replacing string concatenation with parameterized queries.

Changes

Refactored database query construction in `src/ai_assistant.py` to use proper parameterized queries instead of string concatenation when building SQL statements.

Modified:

• `WorkflowAssistant.search_workflows()` in `src/ai_assistant.py:42-70`
  • Replaced direct string interpolation of user-supplied keywords with `?` placeholders
  • Added params list to safely pass values to `cursor.execute()`
  • Parameterized trigger_type filtering conditions
  • Parameterized LIMIT clause

Security Fix

The previous implementation used string concatenation to build SQL queries with user-supplied keywords, which could allow SQL injection attacks. This change uses parameterized queries to ensure user input is properly escaped and treated as data rather than executable SQL code.

[hayden3456]

PR Documentation Suggestions

Category	Suggestion	Impact
Security	Update SQL injection prevention documentation Update the SQL Injection Prevention section to include details about the recent changes in the search_workflows_intelligent function, emphasizing the use of parameterized queries for user-supplied input. File: docs/security.md --- a/docs/security.md +++ b/docs/security.md @@ -1,3 +1,3 @@ ## SQL Injection Prevention -Ensure that all SQL queries are constructed using parameterized queries to prevent SQL injection attacks. +Ensure that all SQL queries are constructed using parameterized queries to prevent SQL injection attacks. In the `search_workflows_intelligent` function, user-supplied keywords and other parameters are now safely passed using `?` placeholders and a `params` list. This change prevents potential SQL injection vulnerabilities by ensuring that user input is properly escaped and treated as data rather than executable SQL code. Actions: Accept | Reject Suggestion importance[1-10]: 9 __ Why: This update enhances existing documentation by detailing the use of parameterized queries in the search_workflows_intelligent function, which is crucial for preventing SQL injection vulnerabilities. It directly aligns with the code changes and improves security guidance.	High
Api change	Document parameterized queries in search function Update the search_workflows_intelligent function documentation to reflect the use of parameterized queries for improved security. File: docs/api-reference.md --- a/docs/api-reference.md +++ b/docs/api-reference.md @@ -1,9 +1,11 @@ ### search_workflows_intelligent(query, limit=5) -Performs an intelligent search on workflows based on a natural language query. +Performs an intelligent search on workflows based on a natural language query using parameterized queries for enhanced security. **Parameters:** - query (str): The search query in natural language. - limit (int): Maximum number of results to return. **Returns:** List of matching workflows. + +**Security Note:** This function now uses parameterized queries to prevent SQL injection attacks by safely handling user-supplied input. Actions: Accept | Reject Suggestion importance[1-10]: 8 __ Why: The suggestion updates existing API documentation to include a security note about parameterized queries, reflecting the code changes. This is important for users to understand the enhanced security measures in the function.	Medium

---

Any Thoughts on My New Idea?

I'm experimenting with automatically updating documentation as code changes. I won't post this anymore on this project without permission. I'm looking for some honest feedback about if this is useful or not. I know the logic could give better suggestions, but I want to check if I'm barking up the right tree.

[Zie619]

seem to have some conflicts,please solve them so i can merge 🙏