[PR #6328] fix(checkpoint-postgres): Replace f-string SQL formatting with parameterized queries in migration statements #4981

Closed
opened 2026-02-20 17:51:03 -05:00 by yindo · 0 comments
Owner

Original Pull Request: https://github.com/langchain-ai/langgraph/pull/6328

State: closed
Merged: Yes


Summary

Replace f-string SQL formatting with parameterized queries to prevent potential SQL injection in checkpoint migration code.

Changes

Updated the migration version tracking INSERT statements in all checkpoint saver classes to use parameterized queries instead of f-string formatting:

  • PostgresSaver (libs/checkpoint-postgres/langgraph/checkpoint/postgres/__init__.py:100)
  • AsyncPostgresSaver (libs/checkpoint-postgres/langgraph/checkpoint/postgres/aio.py:104-106)
  • ShallowPostgresSaver (libs/checkpoint-postgres/langgraph/checkpoint/postgres/shallow.py:255)
  • AsyncShallowPostgresSaver (libs/checkpoint-postgres/langgraph/checkpoint/postgres/shallow.py:617-619)

Before (vulnerable to SQL injection):

cur.execute(f"INSERT INTO checkpoint_migrations (v) VALUES ({v})")

After (using parameterized query):

cur.execute("INSERT INTO checkpoint_migrations (v) VALUES (%s)", (v,))

Risk Assessment

The practical risk is low since v is an integer loop variable controlled by the codebase. However, using string formatting in SQL queries is a well-known anti-pattern that can lead to SQL injection vulnerabilities, especially if the code is later refactored or copied to other contexts.

Testing

  • All 216 tests passing on PostgreSQL 15 and 16
  • Linting and type checking passing
  • No functional changes to behavior
**Original Pull Request:** https://github.com/langchain-ai/langgraph/pull/6328 **State:** closed **Merged:** Yes --- ## Summary Replace f-string SQL formatting with parameterized queries to prevent potential SQL injection in checkpoint migration code. ## Changes Updated the migration version tracking INSERT statements in all checkpoint saver classes to use parameterized queries instead of f-string formatting: - `PostgresSaver` (libs/checkpoint-postgres/langgraph/checkpoint/postgres/__init__.py:100) - `AsyncPostgresSaver` (libs/checkpoint-postgres/langgraph/checkpoint/postgres/aio.py:104-106) - `ShallowPostgresSaver` (libs/checkpoint-postgres/langgraph/checkpoint/postgres/shallow.py:255) - `AsyncShallowPostgresSaver` (libs/checkpoint-postgres/langgraph/checkpoint/postgres/shallow.py:617-619) **Before (vulnerable to SQL injection):** ```python cur.execute(f"INSERT INTO checkpoint_migrations (v) VALUES ({v})") ``` **After (using parameterized query):** ```python cur.execute("INSERT INTO checkpoint_migrations (v) VALUES (%s)", (v,)) ``` ## Risk Assessment The practical risk is low since `v` is an integer loop variable controlled by the codebase. However, using string formatting in SQL queries is a well-known anti-pattern that can lead to SQL injection vulnerabilities, especially if the code is later refactored or copied to other contexts. ## Testing - ✅ All 216 tests passing on PostgreSQL 15 and 16 - ✅ Linting and type checking passing - ✅ No functional changes to behavior
yindo added the pull-request label 2026-02-20 17:51:03 -05:00
yindo closed this issue 2026-02-20 17:51:03 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/langgraph#4981