fix: parameterize CQL/N1QL queries to prevent injection (#500)

* fix: parameterize CQL/N1QL queries to prevent injection (CWE-943, CWE-209)

Replace all fmt.Sprintf string interpolation of user-controlled values
with parameterized queries across Cassandra (10 files, 66+ queries)
and Couchbase (2 files, 3 queries) backends.

Cassandra: use gocql ? placeholders with values passed to Query().
Couchbase: use $param named parameters with NamedParameters option.

* fix: convert json.Number to native types before passing to gocql

The JSON decoder with UseNumber() produces json.Number values which
gocql cannot marshal into CQL bigint columns. Add convertMapValues()
helper to convert json.Number to int64/float64, called after every
JSON map decode in dynamic INSERT/UPDATE queries.

Author: lakhansamani

internal/storage/db/cassandradb/authenticator.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"reflect"
 	"strings"
 	"time"
 
@@ -40,31 +39,28 @@ func (p *provider) AddAuthenticator(ctx context.Context, authenticators *schemas
 	if err != nil {
 		return nil, err
 	}
+	convertMapValues(authenticatorsMap)
 
 	fields := "("
-	values := "("
+	placeholders := "("
+	var insertValues []interface{}
 	for key, value := range authenticatorsMap {
 		if value != nil {
 			if key == "_id" {
 				fields += "id,"
 			} else {
 				fields += key + ","
 			}
-
-			valueType := reflect.TypeOf(value)
-			if valueType.Name() == "string" {
-				values += fmt.Sprintf("'%s',", value.(string))
-			} else {
-				values += fmt.Sprintf("%v,", value)
-			}
+			placeholders += "?,"
+			insertValues = append(insertValues, value)
 		}
 	}
 
 	fields = fields[:len(fields)-1] + ")"
-	values = values[:len(values)-1] + ")"
+	placeholders = placeholders[:len(placeholders)-1] + ")"
 
-	query := fmt.Sprintf("INSERT INTO %s %s VALUES %s IF NOT EXISTS", KeySpace+"."+schemas.Collections.Authenticators, fields, values)
-	err = p.db.Query(query).Exec()
+	query := fmt.Sprintf("INSERT INTO %s %s VALUES %s IF NOT EXISTS", KeySpace+"."+schemas.Collections.Authenticators, fields, placeholders)
+	err = p.db.Query(query, insertValues...).Exec()
 	if err != nil {
 		return nil, err
 	}
@@ -87,8 +83,10 @@ func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *sche
 	if err != nil {
 		return nil, err
 	}
+	convertMapValues(authenticatorsMap)
 
 	updateFields := ""
+	var updateValues []interface{}
 	for key, value := range authenticatorsMap {
 		if key == "_id" {
 			continue
@@ -103,18 +101,15 @@ func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *sche
 			continue
 		}
 
-		valueType := reflect.TypeOf(value)
-		if valueType.Name() == "string" {
-			updateFields += fmt.Sprintf("%s = '%s', ", key, value.(string))
-		} else {
-			updateFields += fmt.Sprintf("%s = %v, ", key, value)
-		}
+		updateFields += fmt.Sprintf("%s = ?, ", key)
+		updateValues = append(updateValues, value)
 	}
 	updateFields = strings.Trim(updateFields, " ")
 	updateFields = strings.TrimSuffix(updateFields, ",")
 
-	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = '%s'", KeySpace+"."+schemas.Collections.Authenticators, updateFields, authenticators.ID)
-	err = p.db.Query(query).Exec()
+	updateValues = append(updateValues, authenticators.ID)
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Authenticators, updateFields)
+	err = p.db.Query(query, updateValues...).Exec()
 	if err != nil {
 		return nil, err
 	}
@@ -124,8 +119,8 @@ func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *sche
 
 func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*schemas.Authenticator, error) {
 	var authenticators schemas.Authenticator
-	query := fmt.Sprintf("SELECT id, user_id, method, secret, recovery_codes, verified_at, created_at, updated_at FROM %s WHERE user_id = '%s' AND method = '%s' LIMIT 1 ALLOW FILTERING", KeySpace+"."+schemas.Collections.Authenticators, userId, authenticatorType)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&authenticators.ID, &authenticators.UserID, &authenticators.Method, &authenticators.Secret, &authenticators.RecoveryCodes, &authenticators.VerifiedAt, &authenticators.CreatedAt, &authenticators.UpdatedAt)
+	query := fmt.Sprintf("SELECT id, user_id, method, secret, recovery_codes, verified_at, created_at, updated_at FROM %s WHERE user_id = ? AND method = ? LIMIT 1 ALLOW FILTERING", KeySpace+"."+schemas.Collections.Authenticators)
+	err := p.db.Query(query, userId, authenticatorType).Consistency(gocql.One).Scan(&authenticators.ID, &authenticators.UserID, &authenticators.Method, &authenticators.Secret, &authenticators.RecoveryCodes, &authenticators.VerifiedAt, &authenticators.CreatedAt, &authenticators.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}

internal/storage/db/cassandradb/email_template.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"reflect"
 	"strings"
 	"time"
 
@@ -27,8 +26,8 @@ func (p *provider) AddEmailTemplate(ctx context.Context, emailTemplate *schemas.
 	if existingEmailTemplate != nil {
 		return nil, fmt.Errorf("email template with %s event_name already exists", emailTemplate.EventName)
 	}
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, event_name, subject, design, template,  created_at, updated_at) VALUES ('%s', '%s', '%s','%s','%s', %d, %d)", KeySpace+"."+schemas.Collections.EmailTemplate, emailTemplate.ID, emailTemplate.EventName, emailTemplate.Subject, emailTemplate.Design, emailTemplate.Template, emailTemplate.CreatedAt, emailTemplate.UpdatedAt)
-	err := p.db.Query(insertQuery).Exec()
+	insertQuery := fmt.Sprintf("INSERT INTO %s (id, event_name, subject, design, template, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)", KeySpace+"."+schemas.Collections.EmailTemplate)
+	err := p.db.Query(insertQuery, emailTemplate.ID, emailTemplate.EventName, emailTemplate.Subject, emailTemplate.Design, emailTemplate.Template, emailTemplate.CreatedAt, emailTemplate.UpdatedAt).Exec()
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +49,9 @@ func (p *provider) UpdateEmailTemplate(ctx context.Context, emailTemplate *schem
 	if err != nil {
 		return nil, err
 	}
+	convertMapValues(emailTemplateMap)
 	updateFields := ""
+	var updateValues []interface{}
 	for key, value := range emailTemplateMap {
 		if key == "_id" {
 			continue
@@ -62,18 +63,15 @@ func (p *provider) UpdateEmailTemplate(ctx context.Context, emailTemplate *schem
 			updateFields += fmt.Sprintf("%s = null,", key)
 			continue
 		}
-		valueType := reflect.TypeOf(value)
-		if valueType.Name() == "string" {
-			updateFields += fmt.Sprintf("%s = '%s', ", key, value.(string))
-		} else {
-			updateFields += fmt.Sprintf("%s = %v, ", key, value)
-		}
+		updateFields += fmt.Sprintf("%s = ?, ", key)
+		updateValues = append(updateValues, value)
 	}
 	updateFields = strings.Trim(updateFields, " ")
 	updateFields = strings.TrimSuffix(updateFields, ",")
 
-	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = '%s'", KeySpace+"."+schemas.Collections.EmailTemplate, updateFields, emailTemplate.ID)
-	err = p.db.Query(query).Exec()
+	updateValues = append(updateValues, emailTemplate.ID)
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.EmailTemplate, updateFields)
+	err = p.db.Query(query, updateValues...).Exec()
 	if err != nil {
 		return nil, err
 	}
@@ -116,8 +114,8 @@ func (p *provider) ListEmailTemplate(ctx context.Context, pagination *model.Pagi
 // GetEmailTemplateByID to get EmailTemplate by id
 func (p *provider) GetEmailTemplateByID(ctx context.Context, emailTemplateID string) (*schemas.EmailTemplate, error) {
 	var emailTemplate schemas.EmailTemplate
-	query := fmt.Sprintf(`SELECT id, event_name, subject, design, template, created_at, updated_at FROM %s WHERE id = '%s' LIMIT 1`, KeySpace+"."+schemas.Collections.EmailTemplate, emailTemplateID)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&emailTemplate.ID, &emailTemplate.EventName, &emailTemplate.Subject, &emailTemplate.Design, &emailTemplate.Template, &emailTemplate.CreatedAt, &emailTemplate.UpdatedAt)
+	query := fmt.Sprintf(`SELECT id, event_name, subject, design, template, created_at, updated_at FROM %s WHERE id = ? LIMIT 1`, KeySpace+"."+schemas.Collections.EmailTemplate)
+	err := p.db.Query(query, emailTemplateID).Consistency(gocql.One).Scan(&emailTemplate.ID, &emailTemplate.EventName, &emailTemplate.Subject, &emailTemplate.Design, &emailTemplate.Template, &emailTemplate.CreatedAt, &emailTemplate.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -127,8 +125,8 @@ func (p *provider) GetEmailTemplateByID(ctx context.Context, emailTemplateID str
 // GetEmailTemplateByEventName to get EmailTemplate by event_name
 func (p *provider) GetEmailTemplateByEventName(ctx context.Context, eventName string) (*schemas.EmailTemplate, error) {
 	var emailTemplate schemas.EmailTemplate
-	query := fmt.Sprintf(`SELECT id, event_name, subject, design, template, created_at, updated_at FROM %s WHERE event_name = '%s' LIMIT 1 ALLOW FILTERING`, KeySpace+"."+schemas.Collections.EmailTemplate, eventName)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&emailTemplate.ID, &emailTemplate.EventName, &emailTemplate.Subject, &emailTemplate.Design, &emailTemplate.Template, &emailTemplate.CreatedAt, &emailTemplate.UpdatedAt)
+	query := fmt.Sprintf(`SELECT id, event_name, subject, design, template, created_at, updated_at FROM %s WHERE event_name = ? LIMIT 1 ALLOW FILTERING`, KeySpace+"."+schemas.Collections.EmailTemplate)
+	err := p.db.Query(query, eventName).Consistency(gocql.One).Scan(&emailTemplate.ID, &emailTemplate.EventName, &emailTemplate.Subject, &emailTemplate.Design, &emailTemplate.Template, &emailTemplate.CreatedAt, &emailTemplate.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -137,8 +135,8 @@ func (p *provider) GetEmailTemplateByEventName(ctx context.Context, eventName st
 
 // DeleteEmailTemplate to delete EmailTemplate
 func (p *provider) DeleteEmailTemplate(ctx context.Context, emailTemplate *schemas.EmailTemplate) error {
-	query := fmt.Sprintf("DELETE FROM %s WHERE id = '%s'", KeySpace+"."+schemas.Collections.EmailTemplate, emailTemplate.ID)
-	err := p.db.Query(query).Exec()
+	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.EmailTemplate)
+	err := p.db.Query(query, emailTemplate.ID).Exec()
 	if err != nil {
 		return err
 	}

internal/storage/db/cassandradb/env.go

@@ -18,8 +18,8 @@ func (p *provider) AddEnv(ctx context.Context, env *schemas.Env) (*schemas.Env,
 	}
 	env.CreatedAt = time.Now().Unix()
 	env.UpdatedAt = time.Now().Unix()
-	insertEnvQuery := fmt.Sprintf("INSERT INTO %s (id, env, hash, created_at, updated_at) VALUES ('%s', '%s', '%s', %d, %d)", KeySpace+"."+schemas.Collections.Env, env.ID, env.EnvData, env.Hash, env.CreatedAt, env.UpdatedAt)
-	err := p.db.Query(insertEnvQuery).Exec()
+	insertEnvQuery := fmt.Sprintf("INSERT INTO %s (id, env, hash, created_at, updated_at) VALUES (?, ?, ?, ?, ?)", KeySpace+"."+schemas.Collections.Env)
+	err := p.db.Query(insertEnvQuery, env.ID, env.EnvData, env.Hash, env.CreatedAt, env.UpdatedAt).Exec()
 	if err != nil {
 		return nil, err
 	}
@@ -30,8 +30,8 @@ func (p *provider) AddEnv(ctx context.Context, env *schemas.Env) (*schemas.Env,
 // UpdateEnv to update environment information in database
 func (p *provider) UpdateEnv(ctx context.Context, env *schemas.Env) (*schemas.Env, error) {
 	env.UpdatedAt = time.Now().Unix()
-	updateEnvQuery := fmt.Sprintf("UPDATE %s SET env = '%s', updated_at = %d WHERE id = '%s'", KeySpace+"."+schemas.Collections.Env, env.EnvData, env.UpdatedAt, env.ID)
-	err := p.db.Query(updateEnvQuery).Exec()
+	updateEnvQuery := fmt.Sprintf("UPDATE %s SET env = ?, updated_at = ? WHERE id = ?", KeySpace+"."+schemas.Collections.Env)
+	err := p.db.Query(updateEnvQuery, env.EnvData, env.UpdatedAt, env.ID).Exec()
 	if err != nil {
 		return nil, err
 	}

internal/storage/db/cassandradb/otp.go

@@ -48,14 +48,17 @@ func (p *provider) UpsertOTP(ctx context.Context, otpParam *schemas.OTP) (*schem
 	otp.UpdatedAt = time.Now().Unix()
 	query := ""
 	if shouldCreate {
-		query = fmt.Sprintf(`INSERT INTO %s (id, email, phone_number, otp, expires_at, created_at, updated_at) VALUES ('%s', '%s', '%s', '%s', %d, %d, %d)`, KeySpace+"."+schemas.Collections.OTP, otp.ID, otp.Email, otp.PhoneNumber, otp.Otp, otp.ExpiresAt, otp.CreatedAt, otp.UpdatedAt)
+		query = fmt.Sprintf(`INSERT INTO %s (id, email, phone_number, otp, expires_at, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)`, KeySpace+"."+schemas.Collections.OTP)
+		err := p.db.Query(query, otp.ID, otp.Email, otp.PhoneNumber, otp.Otp, otp.ExpiresAt, otp.CreatedAt, otp.UpdatedAt).Exec()
+		if err != nil {
+			return nil, err
+		}
 	} else {
-		query = fmt.Sprintf(`UPDATE %s SET otp = '%s', expires_at = %d, updated_at = %d WHERE id = '%s'`, KeySpace+"."+schemas.Collections.OTP, otp.Otp, otp.ExpiresAt, otp.UpdatedAt, otp.ID)
-	}
-
-	err := p.db.Query(query).Exec()
-	if err != nil {
-		return nil, err
+		query = fmt.Sprintf(`UPDATE %s SET otp = ?, expires_at = ?, updated_at = ? WHERE id = ?`, KeySpace+"."+schemas.Collections.OTP)
+		err := p.db.Query(query, otp.Otp, otp.ExpiresAt, otp.UpdatedAt, otp.ID).Exec()
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return otp, nil
@@ -64,8 +67,8 @@ func (p *provider) UpsertOTP(ctx context.Context, otpParam *schemas.OTP) (*schem
 // GetOTPByEmail to get otp for a given email address
 func (p *provider) GetOTPByEmail(ctx context.Context, emailAddress string) (*schemas.OTP, error) {
 	var otp schemas.OTP
-	query := fmt.Sprintf(`SELECT id, email, phone_number, otp, expires_at, created_at, updated_at FROM %s WHERE email = '%s' LIMIT 1 ALLOW FILTERING`, KeySpace+"."+schemas.Collections.OTP, emailAddress)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.PhoneNumber, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
+	query := fmt.Sprintf(`SELECT id, email, phone_number, otp, expires_at, created_at, updated_at FROM %s WHERE email = ? LIMIT 1 ALLOW FILTERING`, KeySpace+"."+schemas.Collections.OTP)
+	err := p.db.Query(query, emailAddress).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.PhoneNumber, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -75,8 +78,8 @@ func (p *provider) GetOTPByEmail(ctx context.Context, emailAddress string) (*sch
 // GetOTPByPhoneNumber to get otp for a given phone number
 func (p *provider) GetOTPByPhoneNumber(ctx context.Context, phoneNumber string) (*schemas.OTP, error) {
 	var otp schemas.OTP
-	query := fmt.Sprintf(`SELECT id, email, phone_number, otp, expires_at, created_at, updated_at FROM %s WHERE phone_number = '%s' LIMIT 1 ALLOW FILTERING`, KeySpace+"."+schemas.Collections.OTP, phoneNumber)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.PhoneNumber, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
+	query := fmt.Sprintf(`SELECT id, email, phone_number, otp, expires_at, created_at, updated_at FROM %s WHERE phone_number = ? LIMIT 1 ALLOW FILTERING`, KeySpace+"."+schemas.Collections.OTP)
+	err := p.db.Query(query, phoneNumber).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.PhoneNumber, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -85,8 +88,8 @@ func (p *provider) GetOTPByPhoneNumber(ctx context.Context, phoneNumber string)
 
 // DeleteOTP to delete otp
 func (p *provider) DeleteOTP(ctx context.Context, otp *schemas.OTP) error {
-	query := fmt.Sprintf("DELETE FROM %s WHERE id = '%s'", KeySpace+"."+schemas.Collections.OTP, otp.ID)
-	err := p.db.Query(query).Exec()
+	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.OTP)
+	err := p.db.Query(query, otp.ID).Exec()
 	if err != nil {
 		return err
 	}

internal/storage/db/cassandradb/provider.go

@@ -3,6 +3,7 @@ package cassandradb
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -350,3 +351,17 @@ func NewProvider(cfg *config.Config, deps *Dependencies) (*provider, error) {
 		db:           session,
 	}, err
 }
+
+// convertMapValues converts json.Number values in a map to native Go types
+// (int64 or float64) so gocql can marshal them into CQL bigint/double columns.
+func convertMapValues(m map[string]interface{}) {
+	for key, value := range m {
+		if num, ok := value.(json.Number); ok {
+			if i, err := num.Int64(); err == nil {
+				m[key] = i
+			} else if f, err := num.Float64(); err == nil {
+				m[key] = f
+			}
+		}
+	}
+}

internal/storage/db/cassandradb/session.go

@@ -17,8 +17,8 @@ func (p *provider) AddSession(ctx context.Context, session *schemas.Session) err
 	}
 	session.CreatedAt = time.Now().Unix()
 	session.UpdatedAt = time.Now().Unix()
-	insertSessionQuery := fmt.Sprintf("INSERT INTO %s (id, user_id, user_agent, ip, created_at, updated_at) VALUES ('%s', '%s', '%s', '%s', %d, %d)", KeySpace+"."+schemas.Collections.Session, session.ID, session.UserID, session.UserAgent, session.IP, session.CreatedAt, session.UpdatedAt)
-	err := p.db.Query(insertSessionQuery).Exec()
+	insertSessionQuery := fmt.Sprintf("INSERT INTO %s (id, user_id, user_agent, ip, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)", KeySpace+"."+schemas.Collections.Session)
+	err := p.db.Query(insertSessionQuery, session.ID, session.UserID, session.UserAgent, session.IP, session.CreatedAt, session.UpdatedAt).Exec()
 	if err != nil {
 		return err
 	}