Merge pull request #6861 from devtron-labs/dep-bot-sec-12nov-1

kartik-579 · web-flow · commit 5b148d8aadc6 · 2025-11-13T10:49:16.000+05:30
fix: sql injection
diff --git a/pkg/policyGovernance/security/imageScanning/repository/ImageScanDeployInfoRepository.go b/pkg/policyGovernance/security/imageScanning/repository/ImageScanDeployInfoRepository.go
@@ -241,7 +241,9 @@ func (impl ImageScanDeployInfoRepositoryImpl) scanListQueryWithObject(request *r
 	query = query + ` INNER JOIN environment env on env.id=info.env_id 
 	 				  INNER JOIN cluster c on c.id=env.cluster_id 
 					  WHERE info.scan_object_meta_id > 0 and env.active=true and info.image_scan_execution_history_id[1] != -1 
- 					  AND a.app_name like '%` + request.AppName + `%' `
+ 					  AND a.app_name like ? `
+
+	queryParams = append(queryParams, util.GetLIKEClauseQueryParam(request.AppName))
 
 	if len(deployInfoIds) > 0 {
 		query += " AND info.id IN (?) "
