LionWeb-io / lionweb-repository

Reference implementation of LionWeb repository
Apache License 2.0

Harden repository against SQL injection #57

Open joswarmer opened 1 month ago

joswarmer commented 1 month ago

We have not done a proper analysis of whether the repository is resistant to SQL injection.

The safest way to achieve this is to use PreparedStatement or ParameterizedQuery instead of string concatenation for queries. Strings are virtually guaranteed to attract Bobby Tables.

There are two things making the current repository at least somewhat safe:

  1. We are using the pg-promise package to build queries most of the time; this should be safe against attacks. However, depending on a library is not as safe as using parameterised queries.
  2. Many input parameters like node ids are validated to conform to the LionWeb format, so they cannot be used in SQL attacks.

Things are fine for now, and developing is easier and more flexible this way.

However, when someone wants to use the repository in production, we need to do an analysis and might need to change some or all SQL to use prepared statements or parameterized queries.
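An added example, not code from lionweb-repository, contrasting the two approaches the comment describes: a query built by string concatenation beside the same query as a fixed SQL text with a bound value (the `{ text, values }` shape that pg-promise's `ParameterizedQuery` accepts), with the id-format validation from point 2 as a second, independent layer. The table name and the LionWeb id alphabet (base64url characters) are assumptions of this example.

```javascript
// Added example (not lionweb-repository code). Hypothetical table name.
const TABLE = "lionweb_nodes";

// Assumption: LionWeb ids are non-empty strings over the base64url alphabet.
const LIONWEB_ID = /^[A-Za-z0-9_-]+$/;

function isValidLionWebId(id) {
  return typeof id === "string" && LIONWEB_ID.test(id);
}

// Vulnerable: the id is spliced into the SQL text, so a quote inside it
// changes the structure of the statement (Bobby Tables).
function selectNodeUnsafe(id) {
  return `SELECT * FROM ${TABLE} WHERE id = '${id}'`;
}

// Parameterized: the SQL text is constant; the id travels as a bound value
// that the driver sends separately, so it can never become SQL. This is the
// object shape pg-promise's ParameterizedQuery takes ({ text, values }).
function parameterizedSelect(id) {
  return { text: `SELECT * FROM ${TABLE} WHERE id = $1`, values: [id] };
}

// Defence in depth: reject ids that do not match the LionWeb format before
// they reach the database at all, then use the parameterized form.
function selectNode(id) {
  if (!isValidLionWebId(id)) {
    throw new Error("invalid LionWeb id");
  }
  return parameterizedSelect(id);
}

// Crude structural probe for this demo only: count non-empty statements
// in a SQL text by splitting on semicolons.
function statementCount(sqlText) {
  return sqlText.split(";").filter((s) => s.trim().length > 0).length;
}

// Constructed sample inputs: a well-formed id and a hostile string.
const goodId = "node_42-abc";
const hostileId = "x'; DROP TABLE lionweb_nodes; --";

// Concatenation turns one statement into three; parameterization keeps one.
console.log(statementCount(selectNodeUnsafe(hostileId)));      // 3
console.log(statementCount(parameterizedSelect(hostileId).text)); // 1
```

Run with `node`; the two printed counts are the whole point: the bound value never alters the SQL text, and `selectNode` additionally refuses the malformed id.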