From 391d826abe26c8646e6e95f0ecdb87d0f5095bec Mon Sep 17 00:00:00 2001
From: Sebastion
Date: Sat, 25 Apr 2026 17:35:52 +0100
Subject: [PATCH] fix: escape user inputs in get_children_with_embeddings to prevent Cypher injection (CWE-89)

---
 src/memos/graph_dbs/polardb.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/memos/graph_dbs/polardb.py b/src/memos/graph_dbs/polardb.py
index 856f94f2a..f2346f588 100644
--- a/src/memos/graph_dbs/polardb.py
+++ b/src/memos/graph_dbs/polardb.py
@@ -1173,14 +1173,16 @@ def get_children_with_embeddings(
 ) -> list[dict[str, Any]]:
 """Get children nodes with their embeddings."""
 user_name = user_name if user_name else self._get_config_value("user_name")
- where_user = f"AND p.user_name = '{user_name}' AND c.user_name = '{user_name}'"
+ safe_id = escape_sql_string(id)
+ safe_user = escape_sql_string(user_name) if user_name else user_name
+ where_user = f"AND p.user_name = '{safe_user}' AND c.user_name = '{safe_user}'"
 query = f"""
 WITH t as (
 SELECT * FROM cypher('{self.db_name}_graph', $$
 MATCH (p:Memory)-[r:PARENT]->(c:Memory)
- WHERE p.id = '{id}' {where_user}
+ WHERE p.id = '{safe_id}' {where_user}
 RETURN id(c) as cid, c.id AS id, c.memory AS memory
 $$) as (cid agtype, id agtype, memory agtype)
 )