🔒 Security Release
This is a critical security release addressing multiple SQL injection vulnerabilities in the backend. All users should upgrade immediately.
Multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting:
- Project and task management controllers
- Reporting and financial data endpoints
- Real-time socket.io handlers
- Resource allocation and scheduling features
What's Fixed
This release addresses all identified SQL injection vulnerabilities through:
- ✅ New SqlHelper Utility Class - Provides secure parameterized query construction methods
- ✅ Parameterized Query Refactoring - Converted all 10 affected files to use PostgreSQL parameterized queries
- ✅ Comprehensive Input Validation - Added UUID format validation, color code whitelisting, and sort field whitelisting
- ✅ Eliminated Unsafe Patterns - Replaced the `flatString()` helper and direct string interpolation
- ✅ Defense-in-Depth - Multiple validation layers to prevent exploitation
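The following is an added illustration of the pattern the fixes above describe (PostgreSQL `$n` placeholders for IN clauses, UUID validation, and a sort-field allow-list); it is not the project's own `SqlHelper` code, and the table/column names and sample UUIDs are constructed for the example.

```typescript
// Added example, not the project's SqlHelper. Shows how an IN clause and an
// ORDER BY column can be built without ever interpolating user input into SQL.

// Accepts the canonical 8-4-4-4-12 hex form; anything else is rejected.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value: unknown): value is string {
  return typeof value === "string" && UUID_RE.test(value);
}

// Builds "($N, $N+1, ...)" starting at `offset` and returns the validated
// values in the same order, ready for pg's query(text, values).
function buildUuidInClause(ids: unknown[], offset = 1): { clause: string; values: string[] } {
  if (ids.length === 0) {
    throw new Error("IN clause requires at least one value");
  }
  const values = ids.map((id) => {
    if (!isUuid(id)) throw new Error(`invalid UUID: ${String(id)}`);
    return id;
  });
  const placeholders = values.map((_, i) => `$${offset + i}`).join(", ");
  return { clause: `(${placeholders})`, values };
}

// Identifiers cannot be parameterized, so the sort column is looked up in a
// fixed allow-list; unknown input silently falls back to the default column.
const SORT_FIELDS: Record<string, string> = {
  name: "t.name",
  created: "t.created_at",
};

function sortColumn(field: string | undefined): string {
  return SORT_FIELDS[field ?? "created"] ?? SORT_FIELDS.created;
}

// Hypothetical task lookup: $1 is the project id, $2.. are the task ids.
function buildTaskQuery(projectId: string, taskIds: unknown[], sort?: string): { text: string; values: string[] } {
  if (!isUuid(projectId)) throw new Error("invalid project id");
  const { clause, values } = buildUuidInClause(taskIds, 2);
  const text =
    `SELECT t.id, t.name FROM tasks t WHERE t.project_id = $1 ` +
    `AND t.id IN ${clause} ORDER BY ${sortColumn(sort)}`;
  return { text, values: [projectId, ...values] };
}
```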
Affected Components (Fixed in v2.1.7)
| Component | File | Vulnerability Type | Status |
|---|---|---|---|
| Project Categories | project-categories-controller.ts | IN clause injection | ✅ Fixed |
| Projects | projects-controller.ts | String interpolation | ✅ Fixed |
| Tasks V2 | tasks-controller-v2.ts | IN clause injection | ✅ Fixed |
| Project Templates | pt-tasks-controller.ts | IN clause injection | ✅ Fixed |
| Workload/Gantt | workload-gannt-controller.ts | String interpolation | ✅ Fixed |
| Schedule | schedule-controller.ts | Unsafe DELETE, IN clause | ✅ Fixed |
| Reporting - Projects | reporting-projects-controller.ts | IN clause injection | ✅ Fixed |
| Reporting - Members | reporting-members-controller.ts | Date interpolation | ✅ Fixed |
| Socket.io Timer | on-task-timer-stop.ts | String interpolation | ✅ Fixed |