February 26, 2026 | 0.1.17 | Jugg.ai

v0.1.17 — fix(security): eliminate sql.raw() in reports router to prevent SQL injection

Release v0.1.17: SQL Injection Prevention in Reports Router

What Changed

Removed all sql.raw() usage from the reports router in both template-multi and template-enterprise, replacing it with:

  • sql.identifier() for table, date, and value column references
  • buildDateTrunc() helper that maps groupBy enum values to hardcoded SQL templates
  • buildAggExpr() helper that constructs aggregation expressions without string interpolation
  • New test suite (reports-sql-injection.test.ts) verifying injection safety

Why It Matters

Even though input validation was already in place, using sql.raw() for SQL construction violates defense-in-depth principles. If validation logic had a bypass, raw SQL could be injected. This fix ensures identifiers are always properly escaped and aggregation logic is never string-interpolated, eliminating the injection vector entirely regardless of allowlist or regex changes.

Technical Notes

No breaking changes. All endpoints remain compatible. The fix improves security without altering the public API or query behavior. Column names, table names, and aggregation types are now constructed using Drizzle's safe SQL templating instead of raw string building.
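The switch-based helpers and identifier quoting described above, as an added example that is not the project's code: it uses a small stand-in for a tagged-template SQL builder in place of Drizzle's `sql` tag and `sql.identifier()` so that it runs without the ORM. `ident`, `buildReportQuery`, the `?` placeholder style and the enum values are assumptions; the point is that enum inputs select hardcoded templates and identifiers are quoted, so no query text is ever built from an untrusted string.

```typescript
// Minimal stand-in for a tagged-template SQL builder (constructed for this example,
// NOT Drizzle's API): values become bind parameters, fragments splice structurally.
type SqlFragment = { text: string; params: unknown[] };
const isFragment = (v: unknown): v is SqlFragment =>
  typeof v === "object" && v !== null && "text" in v && "params" in v;
function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlFragment {
  const out: SqlFragment = { text: "", params: [] };
  strings.forEach((s, i) => {
    out.text += s;
    if (i >= values.length) return;
    const v = values[i];
    if (isFragment(v)) {          // nested fragment: keep its text and its params
      out.text += v.text;
      out.params.push(...v.params);
    } else {                      // plain value: placeholder only, never query text
      out.text += "?";
      out.params.push(v);
    }
  });
  return out;
}
// Postgres-style identifier quoting: wrap in double quotes, double embedded quotes.
function ident(name: string): SqlFragment {
  return { text: `"${name.replace(/"/g, '""')}"`, params: [] };
}
type GroupBy = "day" | "week" | "month";
type Agg = "count" | "sum" | "avg";
// Each enum value selects a hardcoded template; anything else throws, never interpolates.
function buildDateTrunc(groupBy: GroupBy, dateCol: string): SqlFragment {
  switch (groupBy) {
    case "day":   return sql`date_trunc('day', ${ident(dateCol)})`;
    case "week":  return sql`date_trunc('week', ${ident(dateCol)})`;
    case "month": return sql`date_trunc('month', ${ident(dateCol)})`;
    default: throw new Error(`unsupported groupBy: ${String(groupBy)}`);
  }
}
function buildAggExpr(agg: Agg, valueCol: string): SqlFragment {
  switch (agg) {
    case "count": return sql`count(*)`;
    case "sum":   return sql`sum(${ident(valueCol)})`;
    case "avg":   return sql`avg(${ident(valueCol)})`;
    default: throw new Error(`unsupported aggregation: ${String(agg)}`);
  }
}
function buildReportQuery(table: string, dateCol: string, valueCol: string,
                          groupBy: GroupBy, agg: Agg, since: string): SqlFragment {
  return sql`select ${buildDateTrunc(groupBy, dateCol)} as bucket, ${buildAggExpr(agg, valueCol)} as value from ${ident(table)} where ${ident(dateCol)} >= ${since} group by bucket order by bucket`;
}
```

A table or column name containing a double quote is doubled inside the quoted identifier rather than ending it, and the `since` value travels as a bind parameter, which is what the review check for `sql.raw()` removal is meant to guarantee.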

Release Notes

PR #424 was reviewed and successfully merged via squash merge (SHA: 60fc89cd2a532625add7810eba0d2146747ff108). The PR contained a critical security fix eliminating sql.raw() usage in the reports routers for template-multi and template-enterprise, replacing it with sql.identifier() and hardcoded switch-based SQL helpers to prevent SQL injection.

Attempted to create release v0.1.17 with tag v0.1.17, but the tag already exists in the repository — the release creation was blocked by GitHub. The merge itself completed successfully. Next steps: either update the existing v0.1.17 release, or create a v0.1.18 release for this security patch.