
feat: add user search helpers #8

Open: Vacbo wants to merge 1 commit into master from feat/search-v2

Conversation

@Vacbo (Owner) commented May 31, 2026

Adds search_users_by_name and count_users_by_status for the user-admin search feature.

mas-ops-bot (Bot) commented May 31, 2026

[ERROR]

SQL Injection Vulnerability: Direct string concatenation of user input into SQL query.

The name parameter is concatenated directly into the LIKE clause without parameterization. An attacker can inject arbitrary SQL by crafting a malicious search term.

Fix: Use SQLAlchemy's parameter binding instead:

from sqlalchemy import text

# The pattern travels as a bound parameter; the driver sends it separately from the SQL text.
query = text("SELECT id, email, full_name FROM \"user\" WHERE full_name LIKE :name")
return session.exec(query, params={"name": f"%{name}%"}).all()

Target: backend/app/crud_search.py:12

mas-ops-bot (Bot) commented May 31, 2026

[ERROR]

SQL Injection Vulnerability: String formatting of user-controlled statuses into SQL IN clause.

The statuses list is formatted directly into the query using string interpolation. Malicious status values can break out of the IN clause and inject arbitrary SQL.

Fix: Use parameterized queries with dynamic binding:

from sqlalchemy import text

# One named bind per value; only the placeholder names are formatted into the SQL.
placeholders = ",".join([f":status_{i}" for i in range(len(statuses))])
params = {f"status_{i}": s for i, s in enumerate(statuses)}
result = session.exec(
    text(f"SELECT count(*) FROM \"user\" WHERE status IN ({placeholders})"),
    params=params,
)

Also: the bare except: clause on line 24 masks SQL errors. Replace with specific exception handling.

Target: backend/app/crud_search.py:21
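The two findings above, as an added example that is not code from this PR or from the mas-ops-bot comments: each helper is rebuilt once in the concatenating form the bot flagged and once with named parameter binding, and both versions are run against the same injection payloads. It uses Python's stdlib sqlite3 driver instead of SQLAlchemy because sqlite3 accepts the same `:name` named binds that `text()` uses, so it runs without the project's dependencies; the `"user"` table, its rows, the `password_hash` column and the `escape_like` helper are constructed for the demonstration and are not part of the project. It also covers two points the bot's fix does not: `%` and `_` typed by the user are still LIKE wildcards after binding (so `escape_like` is applied before the pattern is built), and an empty `statuses` list would produce `IN ()`, which is a syntax error on most engines.

```python
"""Added example: the two helpers the bot flagged, rebuilt as an injectable
'before' beside a parameterized 'after', exercised against an in-memory SQLite
database.  Not code from the PR; the stdlib sqlite3 driver accepts the same
':name' named binds as SQLAlchemy's text(), so it runs without the project's
dependencies.  Table, rows and the password_hash column are constructed."""
import sqlite3
from typing import Iterable


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the project's "user" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE "user" (id INTEGER PRIMARY KEY, email TEXT, '
        "full_name TEXT, status TEXT, password_hash TEXT)"
    )
    conn.executemany(
        'INSERT INTO "user" (email, full_name, status, password_hash) '
        "VALUES (?, ?, ?, ?)",
        [
            ("alice@example.com", "Alice Adams", "active", "hash-a"),
            ("bob@example.com", "Bob Brown", "disabled", "hash-b"),
            ("carol@example.com", "Carol 100%", "active", "hash-c"),
        ],
    )
    return conn


# ---- the pattern the review flagged: kept injectable on purpose -------------

def search_users_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # User input spliced straight into the LIKE literal.
    query = (
        'SELECT id, email, full_name FROM "user" WHERE full_name LIKE \'%'
        + name + "%'"
    )
    return conn.execute(query).fetchall()


def count_users_by_status_vulnerable(conn: sqlite3.Connection, statuses: Iterable[str]) -> int:
    # Each status quoted by hand and interpolated into IN (...).
    formatted = ",".join("'" + s + "'" for s in statuses)
    query = f'SELECT count(*) FROM "user" WHERE status IN ({formatted})'
    return conn.execute(query).fetchone()[0]


# ---- parameterized versions -------------------------------------------------

def escape_like(term: str, escape: str = "\\") -> str:
    """Binding stops SQL injection but not LIKE wildcards: a user typing
    '%' or '_' would still match everything.  Escape them (escape char first)."""
    return (
        term.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def search_users_by_name(conn: sqlite3.Connection, name: str) -> list:
    query = (
        'SELECT id, email, full_name FROM "user" '
        "WHERE full_name LIKE :name ESCAPE '\\'"
    )
    # The whole pattern, wildcards included, travels as one bound value.
    return conn.execute(query, {"name": f"%{escape_like(name)}%"}).fetchall()


def count_users_by_status(conn: sqlite3.Connection, statuses: Iterable[str]) -> int:
    statuses = list(statuses)
    if not statuses:
        return 0  # "IN ()" is a syntax error on most engines; short-circuit instead
    # One named placeholder per value; only the placeholder names are formatted.
    placeholders = ",".join(f":status_{i}" for i in range(len(statuses)))
    params = {f"status_{i}": s for i, s in enumerate(statuses)}
    query = f'SELECT count(*) FROM "user" WHERE status IN ({placeholders})'
    return conn.execute(query, params).fetchone()[0]


def demo() -> dict:
    """Run both payloads through both versions and report what each returns."""
    conn = make_db()
    union = "' UNION SELECT id, email, password_hash FROM \"user\" --"
    breakout = "active') OR 1=1 --"
    return {
        # concatenated LIKE: the UNION appends every password hash to the result
        "vuln_search_leaks_hashes": sum(
            r[2].startswith("hash-") for r in search_users_by_name_vulnerable(conn, union)
        ),
        "safe_search_rows": len(search_users_by_name(conn, union)),
        # interpolated IN: "') OR 1=1 --" turns the count into the whole table
        "vuln_count": count_users_by_status_vulnerable(conn, [breakout]),
        "safe_count": count_users_by_status(conn, [breakout]),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four results side by side: the concatenated search returns the three hashes through the UNION while the bound version returns no rows for the same input, and the interpolated IN clause counts the whole table where the bound version counts zero. Searching for a literal `%` shows the wildcard caveat: the unescaped pattern matches every row, the escaped one only the name that actually contains `%`.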

mas-ops-bot (Bot) commented May 31, 2026


Summary

This PR introduces two critical SQL injection vulnerabilities in backend/app/crud_search.py:

  1. Lines 11–12: Unsanitized user input concatenated directly into a LIKE clause
  2. Lines 18–21: String-formatted statuses list inserted into an IN clause without parameterization

The proposed fix plan references unrelated files (api/pipeline/runner.py, graph/pipeline.py) that do not contain these vulnerable functions. Manual intervention is required to implement proper parameterized query fixes using SQLAlchemy's parameter binding mechanism. Detailed corrections have been posted as inline comments.



1 participant