codeant-ai-for-open-source[bot] commented on code in PR #38492:
URL: https://github.com/apache/superset/pull/38492#discussion_r2900567013


##########
docker/docker-entrypoint-initdb.d/examples-init.sh:
##########
@@ -23,7 +23,7 @@
 # ------------------------------------------------------------------------
 set -e
 
-psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" <<-EOSQL
+psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" -d "${POSTGRES_DB}" 
<<-EOSQL
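Review bot: the new `-d "${POSTGRES_DB}"` argument has no guard for an unset or empty `POSTGRES_DB`; the `set -e` a few lines above does not catch unset variables, so psql would quietly fall back to its default database instead of failing. Suggest `-d "${POSTGRES_DB:?POSTGRES_DB must be set}"` or adding `set -u` beside `set -e`. Also, since the heredoc delimiter `<<-EOSQL` is unquoted, the shell expands any variables in the SQL body; passing values with `-v name="$VALUE"` and referencing them in the body as `:"name"` (identifier) or `:'name'` (literal) lets psql do the quoting, which also addresses the quoting concern raised in the review comment.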

Review Comment:
   **Suggestion:** Environment variables for database user, password, and name are interpolated directly into SQL without proper quoting/escaping, so if they contain quotes or special characters the SQL will break or could be leveraged for SQL injection; instead, escape dangerous characters in the shell and use quoted identifiers/strings in the SQL. [security]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ❌ Examples database initialization fails with quoted EXAMPLES_* values.
   - ⚠️ Docker-compose-light demo may start without examples database.
   - ⚠️ SQL injection risk if environment variables externally controlled.
   ```
   </details>
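The quoting the review comment asks for, as an added example that is not part of the Superset PR or the bot's comment: two small helpers that turn shell values into a SQL identifier (double quotes, embedded `"` doubled) and a SQL string literal (single quotes, embedded `'` doubled), a function that builds the initialization statements from hypothetical `EXAMPLES_USER`, `EXAMPLES_PASSWORD` and `EXAMPLES_DB` values, and a runner that instead hands the values to psql with `-v` and a quoted heredoc delimiter so psql performs the quoting itself. The `EXAMPLES_*` names, the `run_examples_init` function and the `:?` guards are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the project's own init script.
set -eu

# Quote a value as a SQL identifier: wrap in "…" and double any embedded ".
sql_ident() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Quote a value as a SQL string literal: wrap in '…' and double any embedded '.
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Build the CREATE USER / CREATE DATABASE statements from three shell values.
# Arguments: user name, password, database name (hypothetical EXAMPLES_* values).
build_examples_sql() {
  user=$(sql_ident "$1")
  pass=$(sql_literal "$2")
  db=$(sql_ident "$3")
  printf 'CREATE USER %s WITH PASSWORD %s;\nCREATE DATABASE %s OWNER %s;\n' \
    "$user" "$pass" "$db" "$user"
}

# Preferred route: let psql quote the values. The heredoc delimiter is quoted
# ('EOSQL') so the shell does not expand anything in the body; psql substitutes
# :"var" as an identifier and :'var' as a literal. Assumes the POSTGRES_* and
# EXAMPLES_* variables are exported by the container environment.
run_examples_init() {
  psql -v ON_ERROR_STOP=1 \
    --username "${POSTGRES_USER:?POSTGRES_USER must be set}" \
    -d "${POSTGRES_DB:?POSTGRES_DB must be set}" \
    -v ex_user="${EXAMPLES_USER:?}" \
    -v ex_pass="${EXAMPLES_PASSWORD:?}" \
    -v ex_db="${EXAMPLES_DB:?}" <<'EOSQL'
CREATE USER :"ex_user" WITH PASSWORD :'ex_pass';
CREATE DATABASE :"ex_db" OWNER :"ex_user";
EOSQL
}
```

`build_examples_sql` is the hand-escaped fallback for shells without psql variable support; `run_examples_init` is what the entrypoint would call, and the `:?` expansions make it fail at startup rather than connect with a blank database name.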
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

