fix(arangodb): parameterize AQL query in UpdateUsers [H6] by lakhansamani · Pull Request #554 · authorizerdev/authorizer

lakhansamani · 2026-04-03T16:07:03Z

Summary

H6 (High): User IDs were string-interpolated into AQL queries — AQL injection
Now uses bindVars (@ids, @DaTa) for parameterized queries

Test plan

Package compiles
Test UpdateUsers with ArangoDB backend

@DaTa

User IDs were spliced directly into AQL with fmt.Sprintf, enabling AQL injection. Now uses bindVars (@ids, @DaTa) for parameterized queries, consistent with all other ArangoDB queries in the codebase. Fixes: H6 (High)

fix(arangodb): parameterize AQL query in UpdateUsers

cf652d8

User IDs were spliced directly into AQL with fmt.Sprintf, enabling AQL injection. Now uses bindVars (@ids, @DaTa) for parameterized queries, consistent with all other ArangoDB queries in the codebase. Fixes: H6 (High)

lakhansamani merged commit d2d9431 into main Apr 4, 2026

lakhansamani deleted the fix/h6-aql-injection branch April 4, 2026 05:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(arangodb): parameterize AQL query in UpdateUsers [H6]#554

fix(arangodb): parameterize AQL query in UpdateUsers [H6]#554
lakhansamani merged 1 commit into
mainfrom
fix/h6-aql-injection

lakhansamani commented Apr 3, 2026

Labels

1 participant