CalvinBackup/openproxy
1
0
Fork 0
mirror of https://github.com/praveentcom/openproxy.git synced 2026-02-12 14:02:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2 from praveentcom/copilot/sub-pr-1

Browse Source 
Fix SQL injection vulnerabilities in metrics API route
This commit is contained in:
Praveen Thirumurugan
2025-11-19 07:35:53 +05:30
committed by GitHub
parent 90c7325213 6bd62cae27
commit ab15d9e001
2 changed files with 1043 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
dashboard/app/api/metrics/route.ts
View File

@@ -7,6 +7,10 @@ const pool = new Pool({
const TABLE_NAME = process.env.DATABASE_TABLE || 'llm_proxy';
// Validate table name against whitelist to prevent SQL injection
const ALLOWED_TABLES = ['llm_proxy', 'llm_proxy_dev', 'llm_proxy_test'];
const validatedTableName = ALLOWED_TABLES.includes(TABLE_NAME) ? TABLE_NAME : 'llm_proxy';
export async function GET(request: NextRequest) {
const { searchParams } = new URL(request.url);
const hours = parseInt(searchParams.get('hours') || '24', 10);
@@ -25,10 +29,10 @@ export async function GET(request: NextRequest) {
AVG(response_time) as avg_response_time,
COUNT(DISTINCT model) as unique_models,
COUNT(DISTINCT client_ip) as unique_clients
FROM ${TABLE_NAME}
WHERE timestamp >= NOW() - INTERVAL '${hours} hours'
FROM ${validatedTableName}
WHERE timestamp >= NOW() - INTERVAL '$1 hours'
`;
const summaryResult = await client.query(summaryQuery);
const summaryResult = await client.query(summaryQuery, [hours]);
const summary = summaryResult.rows[0];
// Get recent requests
@@ -45,7 +49,7 @@ export async function GET(request: NextRequest) {
response_status,
client_ip,
stream
FROM ${TABLE_NAME}
FROM ${validatedTableName}
WHERE timestamp >= NOW() - INTERVAL '$1 hours'
ORDER BY timestamp DESC
LIMIT $2
@@ -61,12 +65,12 @@ export async function GET(request: NextRequest) {
SUM(total_tokens) as total_tokens,
SUM(total_cost) as total_cost,
AVG(response_time) as avg_response_time
FROM ${TABLE_NAME}
WHERE timestamp >= NOW() - INTERVAL '${hours} hours'
FROM ${validatedTableName}
WHERE timestamp >= NOW() - INTERVAL '$1 hours'
GROUP BY model
ORDER BY request_count DESC
`;
const modelResult = await client.query(modelQuery);
const modelResult = await client.query(modelQuery, [hours]);
const modelBreakdown = modelResult.rows;
// Get hourly trends
@@ -77,12 +81,12 @@ export async function GET(request: NextRequest) {
SUM(total_tokens) as tokens,
SUM(total_cost) as cost,
AVG(response_time) as avg_response_time
FROM ${TABLE_NAME}
WHERE timestamp >= NOW() - INTERVAL '${hours} hours'
FROM ${validatedTableName}
WHERE timestamp >= NOW() - INTERVAL '$1 hours'
GROUP BY hour
ORDER BY hour ASC
`;
const trendsResult = await client.query(trendsQuery);
const trendsResult = await client.query(trendsQuery, [hours]);
const hourlyTrends = trendsResult.rows;
return NextResponse.json({

1029
dashboard/package-lock.json generated Normal file
View File

File diff suppressed because it is too large Load Diff