fix: dashboard search text for variables SQL query#8342
Conversation
Greptile Summary
This PR fixes a critical SQL injection vulnerability in the dashboard variables search functionality. The issue was in the VariablesValueSelector.vue component where user-provided search text was being directly interpolated into SQL queries without proper quoting.
The vulnerability existed in the dynamic query construction for dashboard variable searches. When users search for values in dashboard variables, the system constructs a SQL query using the str_match function. The original code was passing the escaped search text directly without surrounding quotes:
// Vulnerable code
WHERE str_match(${field},${escapeSingleQuotes(searchText)})
This meant that even though escapeSingleQuotes was being used, the search text was being treated as a SQL identifier or expression rather than a string literal, potentially allowing attackers to inject malicious SQL code.
The fix adds single quotes around the escaped search text:
// Fixed code
WHERE str_match(${field},'${escapeSingleQuotes(searchText)}')
This ensures the search text is properly treated as a string parameter to the str_match function, preventing SQL injection while maintaining the intended search functionality. The change integrates seamlessly with the existing dashboard variable system and doesn't affect the user experience - it simply makes the SQL query construction secure.
Confidence score: 5/5
- This PR is extremely safe to merge and fixes a critical security vulnerability with minimal risk
- Score reflects a straightforward security fix with clear benefits and no breaking changes to functionality
- No files require special attention beyond the single line change in VariablesValueSelector.vue
Context used:
- Avoid directly interpolating values into SQL queries; instead, generate parameter placeholders and bind them safely to prevent SQL injection and enable plan caching.
1 file reviewed, no comments
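The mechanism the summary above describes, as an added example that is not code from the OpenObserve PR or from either review bot: the two WHERE-clause builders reproduce the before and after forms, and a small argument tokenizer acts as the kind of check a reviewer would add to show that, once the value is quoted, whatever the user types lands in exactly one string-literal argument. escapeSingleQuotes is assumed here to double single quotes (the page names the helper but does not show its body); callArguments and searchTextIsSingleLiteral are hypothetical helpers written for this example.

```javascript
// Added example, not code from the OpenObserve PR. Assumes escapeSingleQuotes
// doubles single quotes (standard SQL escaping); the page does not show its body.
function escapeSingleQuotes(text) {
  return String(text).replace(/'/g, "''");
}

// Before the fix: escaped text interpolated without surrounding quotes, so the
// database parses it as an identifier or expression, not as a string.
function buildVulnerableWhere(field, searchText) {
  return `WHERE str_match(${field},${escapeSingleQuotes(searchText)})`;
}

// After the fix: escaped text wrapped in single quotes, so it is one string literal.
function buildFixedWhere(field, searchText) {
  return `WHERE str_match(${field},'${escapeSingleQuotes(searchText)}')`;
}

// Hypothetical reviewer helper: tokenizes the argument list of the first call
// `name(...)` in the clause, splitting on top-level commas while keeping quoted
// strings (with '' escapes) intact. Throws if the call or a literal is not
// terminated, which is itself a sign that the query structure was broken.
function callArguments(sql) {
  const open = sql.indexOf("(");
  if (open < 0) throw new Error("no call found");
  const args = [];
  let current = "";
  let inString = false;
  for (let i = open + 1; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      current += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { current += "'"; i++; } // doubled quote inside literal
        else inString = false;
      }
    } else if (ch === "'") {
      inString = true;
      current += ch;
    } else if (ch === ",") {
      args.push(current.trim());
      current = "";
    } else if (ch === ")") {
      args.push(current.trim());
      return args;
    } else {
      current += ch;
    }
  }
  throw new Error("unterminated call or string literal");
}

// Hypothetical reviewer check: str_match must receive exactly two arguments and
// the second must be a single, well-formed string literal, for any search text.
function searchTextIsSingleLiteral(whereClause) {
  let args;
  try { args = callArguments(whereClause); } catch { return false; }
  return args.length === 2 && /^'(?:[^']|'')*'$/.test(args[1]);
}

// Constructed sample inputs: a plain word, a value with an embedded quote, and a
// value containing a comma, which splits the unquoted form into extra arguments.
const samples = ["foo", "O'Reilly", "error,level"];
for (const s of samples) {
  console.log("vulnerable:", buildVulnerableWhere("name", s), "->",
              searchTextIsSingleLiteral(buildVulnerableWhere("name", s)));
  console.log("fixed:     ", buildFixedWhere("name", s), "->",
              searchTextIsSingleLiteral(buildFixedWhere("name", s)));
}
```

The check passes for every input only in the fixed form; in the unquoted form even a harmless word such as `foo` fails, because it is parsed as a column reference rather than a value. Where the query layer supports it, binding the search text as a parameter (as the context note above recommends) removes the quoting question entirely.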
78a5919 into main
PR Type
Bug fix
Description
- Fix SQL search text interpolation
- Quote escaped search text in query
- Prevent malformed WHERE clause
- Improve variable value selector reliability
File Walkthrough
- VariablesValueSelector.vue (web/src/components/dashboards/VariablesValueSelector.vue): properly quote escaped search text in SQL