{"title":"SQL Injection via f-string Query Construction","language":"Python","severity":"Critical","cwe":"CWE-89","source_lines":[1],"flow_lines":[1,4,5],"sink_lines":[4],"vulnerable_code":"def fetch_iot_sensor_metrics(device_mac, metric_type):\n    conn = psycopg2.connect(database=\"iot_telemetry\", user=\"admin\")\n    cursor = conn.cursor()\n    query = f\"SELECT timestamp, value, unit FROM sensor_data WHERE device_id = '{device_mac}' AND metric = '{metric_type}' ORDER BY timestamp DESC LIMIT 100\"\n    cursor.execute(query)\n    results = cursor.fetchall()\n    return [{\"ts\": r[0], \"val\": r[1], \"unit\": r[2]} for r in results]","explanation":"The function accepts user-controlled parameters device_mac and metric_type which are directly interpolated into an SQL query using f-strings on line 4. This unsanitized input is then executed via cursor.execute() on line 5, allowing attackers to inject arbitrary SQL commands that can bypass query logic, extract sensitive data, or manipulate the database.","remediation":"The fix replaces the dangerous f-string interpolation with psycopg2's parameterized query mechanism using %s placeholders. The user-controlled values device_mac and metric_type are passed as a tuple in the second argument to cursor.execute(), which ensures they are properly escaped and treated as literal values rather than executable SQL code.","secure_code":"def fetch_iot_sensor_metrics(device_mac, metric_type):\n    conn = psycopg2.connect(database=\"iot_telemetry\", user=\"admin\")\n    cursor = conn.cursor()\n    query = \"SELECT timestamp, value, unit FROM sensor_data WHERE device_id = %s AND metric = %s ORDER BY timestamp DESC LIMIT 100\"\n    cursor.execute(query, (device_mac, metric_type))\n    results = cursor.fetchall()\n    return [{\"ts\": r[0], \"val\": r[1], \"unit\": r[2]} for r in results]"}