Skip to content

fix(worker): validate property names in AlertStore to prevent ClickHouse injection#5668

Open
hobostay wants to merge 1 commit into
Helicone:mainfrom
hobostay:fix/alertstore-clickhouse-injection
Open

fix(worker): validate property names in AlertStore to prevent ClickHouse injection#5668
hobostay wants to merge 1 commit into
Helicone:mainfrom
hobostay:fix/alertstore-clickhouse-injection

Conversation

@hobostay
Copy link
Copy Markdown

@hobostay hobostay commented May 10, 2026

Summary

  • Validate property names in AlertStore.buildGroupByColumn() against the SAFE_IDENTIFIER regex instead of only escaping single quotes
  • The previous sanitization (replace single quotes with escaped quotes) was insufficient. Special characters like ], backslash, or newlines in property names could break the ClickHouse properties[...] syntax

Test plan

  • Verify that valid property names (alphanumeric + underscore) continue to work
  • Verify that property names with special characters are rejected with an error
  • Existing alert grouping tests should still pass

Generated with Claude Code (https://claude.com/claude-code)

@claude
fix(worker): validate property names in AlertStore groupBy to prevent…
5ad5b27 
… ClickHouse injection

The previous sanitization only escaped single quotes, which could allow
injection through other special characters. Now property names are validated
against the same SAFE_IDENTIFIER regex used for standard grouping columns.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented May 10, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Actions Updated (UTC)
helicone Skipped Skipped May 10, 2026 10:22am
helicone-bifrost Skipped Skipped May 10, 2026 10:22am
helicone-eu Skipped Skipped May 10, 2026 10:22am

Request Review

@vercel vercel Bot temporarily deployed to Preview – helicone-eu May 10, 2026 10:22 Inactive
@vercel vercel Bot temporarily deployed to Preview – helicone May 10, 2026 10:22 Inactive
greptile-apps[bot]
greptile-apps Bot reviewed May 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

@vercel vercel Bot temporarily deployed to Preview – helicone-bifrost May 10, 2026 10:22 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hobostay