
feat: add input sanitization to subscription JSONB filters#20

Merged
allisson merged 4 commits into main from copilot/add-sanitization-for-sql-xss
Dec 30, 2025

Conversation

Copilot AI commented Dec 30, 2025

Subscription filters are stored as JSONB and could contain malicious content (XSS payloads, SQL injection patterns) that may be exploited if displayed in UIs or logs without proper escaping.

Changes

New sanitizer module (fastpubsub/sanitizer.py)

  • sanitize_filter() - validates structure and sanitizes all keys/values
  • HTML entity encodes special characters (<>&"')
  • Strips control characters (null bytes, etc.)
  • Enforces strict schema: dict[str, list[str|int|float|bool]]

Model integration (fastpubsub/models.py)

  • Added Pydantic field validator to CreateSubscription.filter
  • Sanitization applied automatically on subscription creation

Test coverage (tests/test_sanitizer.py, tests/test_api.py)

  • Unit tests for sanitizer functions (XSS, SQL patterns, control chars, structure validation)
  • Integration tests for API endpoints with malicious payloads

Example

```python
from fastpubsub.models import CreateSubscription

# Before: XSS payload stored as-is
CreateSubscription(
    id="sub",
    topic_id="topic",
    filter={"field": ["<script>alert('xss')</script>"]},
)

# After: Sanitized automatically
# filter becomes {"field": ["&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;"]}
```

Invalid structures now raise ValueError:

```python
# Rejected: values must be arrays
CreateSubscription(id="sub", topic_id="topic", filter={"field": "string"})  # ❌ ValueError

# Rejected: only primitives allowed
CreateSubscription(id="sub", topic_id="topic", filter={"field": [{"nested": "object"}]})  # ❌ ValueError
```

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • astral.sh
    • Triggering command: /usr/bin/curl curl -LsSf REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Add sanitization against SQL and XSS injections in the JSONB filter of the subscription to increase project security.
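A stand-alone re-implementation of the sanitizer behaviour this PR describes, added here as an example and not the project's own fastpubsub/sanitizer.py: it enforces the dict[str, list[str|int|float|bool]] schema, strips control characters, and HTML-encodes keys and string values with Python's html.escape (which yields the &#x27; form shown in the PR description); the function and helper names are assumed.

```python
from __future__ import annotations
import html
import unicodedata
from typing import Any

# Constructed re-implementation for illustration; not fastpubsub's own sanitizer.py.
_ALLOWED_SCALARS = (str, int, float, bool)


def _strip_control_chars(text: str) -> str:
    """Drop control characters (NUL, ESC, ...) but keep tab/newline/CR."""
    return "".join(
        ch for ch in text
        if ch in "\t\n\r" or unicodedata.category(ch) != "Cc"
    )


def _sanitize_str(text: str) -> str:
    # quote=True also encodes " and ' (as &quot; / &#x27;), matching the PR's expected output.
    return html.escape(_strip_control_chars(text), quote=True)


def sanitize_filter(value: Any) -> dict[str, list[str | int | float | bool]]:
    """Validate the filter schema and escape every string; raise ValueError on violations."""
    if not isinstance(value, dict):
        raise ValueError("filter must be a JSON object")
    clean: dict[str, list[str | int | float | bool]] = {}
    for key, items in value.items():
        if not isinstance(key, str) or not key:
            raise ValueError("filter keys must be non-empty strings")
        if not isinstance(items, list):
            raise ValueError(f"filter values must be arrays (key {key!r})")
        out: list[str | int | float | bool] = []
        for item in items:
            # None, dict and list are rejected; bool passes as a subclass of int.
            if not isinstance(item, _ALLOWED_SCALARS):
                raise ValueError(f"only str/int/float/bool allowed in {key!r}")
            out.append(_sanitize_str(item) if isinstance(item, str) else item)
        clean[_sanitize_str(key)] = out
    return clean


def rejects(value: Any) -> bool:
    """True when sanitize_filter raises ValueError for value (used by tests)."""
    try:
        sanitize_filter(value)
    except ValueError:
        return True
    return False
```

Encoding at storage time changes the persisted value: a filter value such as a&b is stored as a&amp;b, so any filter-matching logic must compare against the encoded form (or the encoding has to move to display time instead). Protection against SQL injection still rests on the database layer using parameterized queries, not on this escaping.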



Copilot AI and others added 2 commits December 30, 2025 21:09
Co-authored-by: allisson <5202+allisson@users.noreply.github.com>
Co-authored-by: allisson <5202+allisson@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add sanitization against SQL and XSS injections in JSONB filter" to "Add input sanitization to subscription JSONB filters" Dec 30, 2025
Copilot AI requested a review from allisson December 30, 2025 21:14
allisson marked this pull request as ready for review December 30, 2025 21:21
allisson changed the title from "Add input sanitization to subscription JSONB filters" to "feat: add input sanitization to subscription JSONB filters" Dec 30, 2025
allisson merged commit 968393e into main Dec 30, 2025
1 check passed
allisson deleted the copilot/add-sanitization-for-sql-xss branch December 30, 2025 21:27