fix(message-db): prevent SQL injection via condition keys (GHSA-x2hq-rfpg-3xr5)

The Legacy API message lookup endpoints parsed the request body as JSON and passed the `id` parameter straight through to the message database. A JSON object supplied for `id` arrived as a Ruby Hash and was used as a raw set of SQL `WHERE` conditions. `hash_to_sql` interpolated each Hash key directly inside backtick identifier quoting while escaping only the value, so a key containing a backtick could break out of the identifier and inject arbitrary SQL into the SELECT (blind, time-based) against the message database. Fixes: - Escape all identifiers (columns, tables, database names) through a new `escape_identifier` helper that wraps in backticks and doubles embedded backticks. Applied across hash_to_sql, select, insert, insert_multi, update and delete so no caller can inject via an identifier. - Validate the Legacy API `id` parameter at the controller boundary: reject any non-scalar value before it reaches the database and coerce it to an integer. Internal Hash-based lookups (e.g. tracking middleware) are unaffected. Adds regression tests at the unit (hash_to_sql / escape_identifier) and request (legacy messages/deliveries) levels.
2026-06-03 21:45:48 +00:00 · 2026-06-03 14:35:17 +01:00
--- a/spec/apis/legacy_api/messages/deliveries_spec.rb
+++ b/spec/apis/legacy_api/messages/deliveries_spec.rb
@@ -64,6 +64,23 @@ RSpec.describe "Legacy Messages API", type: :request do
        end
      end

+      # Regression test for GHSA-x2hq-rfpg-3xr5 (see message_spec.rb). A JSON
+      # object supplied for `id` must be rejected before reaching the database
+      # rather than being interpreted as a raw set of SQL conditions.
+      context "when the message ID is a JSON object (SQL injection attempt)" do
+        it "rejects it with a parameter error and never reaches the database" do
+          expect_any_instance_of(Server).not_to receive(:message)
+          post "/api/v1/messages/deliveries",
+               headers: { "x-server-api-key" => credential.key,
+                          "content-type" => "application/json" },
+               params: { id: { "id`=0 OR SLEEP(5)#" => "x" } }.to_json
+          expect(response.status).to eq 200
+          parsed_body = JSON.parse(response.body)
+          expect(parsed_body["status"]).to eq "parameter-error"
+          expect(parsed_body["data"]["message"]).to match(/must be a string or integer/)
+        end
+      end
+
      context "when the message ID exists" do
        let(:server) { create(:server) }
        let(:credential) { create(:credential, server: server) }