#384 CRITICAL: SQL injection via dynamic table names in absurd_client
Description
absurd_client.py uses f-strings for table names in multiple locations (e.g., lines 657-664). While queue_name has regex validation at init, it should use psycopg.sql.Identifier for all dynamic table/schema names for defense in depth.
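An added example (not code from absurd_client.py or the project): a standard-library `ast` scan that lists every f-string placeholder sitting in table-name position, which are the sites to convert to psycopg.sql.Identifier. The sample source, the `demo` schema, the `t_` prefix and the function names are constructed for illustration; the sample is parsed, never executed.

```python
import ast
import re

# Heuristics: the f-string starts with an SQL verb, and the placeholder
# directly follows a keyword that introduces a table or schema name.
VERB = re.compile(r'\s*(select|insert|update|delete|create|drop|alter|truncate)\b', re.I)
IDENT_POS = re.compile(r'\b(from|into|update|table|join)\s+[\w."]*$', re.I)

# Constructed sample (hypothetical names); two unsafe sites and one safe rewrite.
SAMPLE = '''
from psycopg import sql

def fetch_unsafe(cur, queue_name, task_id):
    cur.execute(f"SELECT * FROM demo.t_{queue_name} WHERE id = %s", (task_id,))

def purge_unsafe(cur, schema, queue_name):
    cur.execute(f"DELETE FROM {schema}.t_{queue_name}")

def fetch_safe(cur, queue_name, task_id):
    query = sql.SQL("SELECT * FROM {} WHERE id = %s").format(
        sql.Identifier("demo", f"t_{queue_name}"))
    cur.execute(query, (task_id,))
'''

def find_dynamic_identifiers(source):
    """Return sorted (line, expression) pairs for f-string holes used as identifiers."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.JoinedStr):
            continue
        prefix = ""  # literal SQL text seen before the current placeholder
        for part in node.values:
            if isinstance(part, ast.FormattedValue):
                if VERB.match(prefix) and IDENT_POS.search(prefix):
                    hits.append((node.lineno, ast.unparse(part.value)))
                prefix += "x"  # stand-in so the following text stays contiguous
            else:
                prefix += str(part.value)
    return sorted(hits)

if __name__ == "__main__":
    for line, expr in find_dynamic_identifiers(SAMPLE):
        print(f"line {line}: {{{expr}}} interpolated as an identifier")
```

The f-string inside `sql.Identifier(...)` in `fetch_safe` is not reported, because its result is quoted as an identifier rather than spliced into the statement text; the row value still travels as a `%s` parameter.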