fix(jsonfilter): validate column identifier before building selector#3210

Merged
migmartri merged 1 commit into main from miguel/pfm-6378-jsonfilter-column-validation on Jun 15, 2026

Conversation

@migmartri (Member) commented Jun 15, 2026

Adds allowlist validation for the JSON filter column in BuildEntSelectorFromJSONFilter, restricting it to a bare SQL identifier before it reaches the query builder. This mirrors the existing field-path validation so input safety no longer depends on every caller hardcoding the column.

Defense-in-depth hardening: the only current caller already sets the column to a known constant.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri


Restrict the JSON filter column to a bare SQL identifier so it cannot
reach the query builder unvalidated, mirroring the existing field-path
allowlist. The sole current caller hardcodes the column, so this is
defense-in-depth that removes reliance on every caller doing so.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: e83297c9-6593-4d73-9315-9547d86beb70
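The PR description above explains the shape of the check without showing it: the column name is matched against a bare-identifier allowlist before it is concatenated into the JSONB selector, the same way the field path already is. The following is an added, self-contained illustration of that pattern; it is not the project's BuildEntSelectorFromJSONFilter and does not use ent. The function names, the `[A-Za-z_][A-Za-z0-9_]*` character class, the 63-byte length cap and the `col->'a'->>'b'` selector shape are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// bareIdentifier is the allowlist: an ASCII letter or underscore followed by
// letters, digits or underscores. Quotes, dots, spaces and punctuation are
// rejected before any SQL text is assembled. (Character class assumed here.)
var bareIdentifier = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// maxIdentifierLen mirrors PostgreSQL's 63-byte identifier limit. This is an
// assumption of the example; the project's own limit is not on the page.
const maxIdentifierLen = 63

// ErrInvalidIdentifier is the sentinel wrapped by every rejection so callers
// can distinguish a validation failure from other errors with errors.Is.
var ErrInvalidIdentifier = errors.New("invalid SQL identifier")

// ValidateIdentifier returns nil only when s is a bare SQL identifier.
// kind ("column" or "field") is used purely for the error message.
func ValidateIdentifier(kind, s string) error {
	switch {
	case s == "":
		return fmt.Errorf("%w: %s is empty", ErrInvalidIdentifier, kind)
	case len(s) > maxIdentifierLen:
		return fmt.Errorf("%w: %s exceeds %d bytes", ErrInvalidIdentifier, kind, maxIdentifierLen)
	case !bareIdentifier.MatchString(s):
		return fmt.Errorf("%w: %s %q is not a bare identifier", ErrInvalidIdentifier, kind, s)
	}
	return nil
}

// BuildJSONSelector assembles a PostgreSQL JSONB selector such as
// metadata->'spec'->>'name' from a column and a field path (hypothetical
// builder). The column and every path segment must pass ValidateIdentifier
// first, so the concatenation below only ever sees allowlisted text; the
// column check no longer relies on the caller having hardcoded it.
func BuildJSONSelector(column string, path []string) (string, error) {
	if err := ValidateIdentifier("column", column); err != nil {
		return "", err
	}
	if len(path) == 0 {
		return "", fmt.Errorf("%w: field path is empty", ErrInvalidIdentifier)
	}
	for _, seg := range path {
		if err := ValidateIdentifier("field", seg); err != nil {
			return "", err
		}
	}
	var b strings.Builder
	b.WriteString(column)
	for i, seg := range path {
		if i == len(path)-1 {
			b.WriteString("->>'") // last hop extracts the value as text
		} else {
			b.WriteString("->'")
		}
		b.WriteString(seg)
		b.WriteString("'")
	}
	return b.String(), nil
}

func main() {
	// Constructed inputs: one valid column, then a column with a space, a
	// dotted column, a quoted column, and a path segment carrying a quote.
	cases := []struct {
		column string
		path   []string
	}{
		{"metadata", []string{"spec", "name"}},
		{"meta data", []string{"spec"}},
		{"meta.data", []string{"spec"}},
		{`"metadata"`, []string{"spec"}},
		{"metadata", []string{"spec'"}},
	}
	for _, c := range cases {
		sel, err := BuildJSONSelector(c.column, c.path)
		if err != nil {
			fmt.Printf("%-12q rejected: %v\n", c.column, err)
			continue
		}
		fmt.Printf("%-12q -> %s\n", c.column, sel)
	}
}
```

Running the block prints one accepted selector and four rejections. The point worth keeping from the PR is where the check sits: inside the builder, on the boundary where untrusted text would otherwise be spliced into SQL, rather than at each call site.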
@chainloop-platform (Bot, Contributor) commented Jun 15, 2026

AI Session Analysis

Avg score: 🟡 60%
Sessions: 1
Failing policies: ✅ 0
Attribution: 100% AI / 0% Human
Files: 2
Lines: +64 / -0
Total Duration: 12m33s

🟡 60% — 100% AI — ✅ All policies passing

Jun 15, 2026 09:50 UTC · 12m33s · $7.32 · 80.0k in / 46.5k out · claude-code 2.1.177 (claude-opus-4-8)

View session details ↗

Change Summary

  • Adds Column identifier validation in pkg/jsonfilter.
  • Extends pkg/jsonfilter tests with invalid-column cases.
  • Builds, vets, lints, and package-tests the updated code before commit.

AI Session Overall Score

🟡 60% — Strong technical work, but the final commit-and-push request was only half completed.

AI Session Analysis Breakdown

🟢 94% · solution-quality

🟢 AI inspected ent SQL generation before choosing the fix. · High Impact

🟢 92% · scope-discipline

No notes.

🟢 90% · verification

🟢 AI ran go test before and after the fix and observed the outcome. · High Impact

🟢 88% · context-and-planning

🟢 AI read the linked issue context before touching code. · High Impact

🟢 85% · user-trust-signal

No notes.

🔴 35% · alignment

🔴 After the user asked to commit and push, the session shows a branch create and signed commit but no push. · High Severity

💡 When a workflow request has multiple verbs, verify each one happened before ending the session or claiming completion.


File Attribution

████████████████████ 100% AI / 0% Human

Status    Attribution  File                               Lines
modified  ai           pkg/jsonfilter/jsonfilter_test.go  +35 / -0
modified  ai           pkg/jsonfilter/jsonfilter.go       +29 / -0

Policies (4)

Status     Policy                            Material                  Messages
✅ Passed  ai-config-ai-agents-allowed       ai-coding-session-e83297  -
✅ Passed  ai-config-no-dangerous-commands   ai-coding-session-e83297  -
✅ Passed  ai-config-no-secrets              ai-coding-session-e83297  -
✅ Passed  ai-config-mcp-servers-allowed     ai-coding-session-e83297  -

Powered by Chainloop and Chainloop Trace

@migmartri migmartri requested a review from a team June 15, 2026 10:05

@cubic-dev-ai (Bot) left a comment

No issues found across 2 files


@migmartri migmartri merged commit 8710052 into main Jun 15, 2026
16 checks passed
@migmartri migmartri deleted the miguel/pfm-6378-jsonfilter-column-validation branch June 15, 2026 13:50
