fix(node-core): sql injection in dynamic datasource appending via unescaped json serialization

## Description

The `APPEND_DS_QUERY` function constructs a raw SQL query by directly interpolating `JSON.stringify(item)` into a single-quoted SQL string literal (`'${JSON.stringify(item)}'::jsonb`). Because `JSON.stringify` does not escape single quotes, any single quote within the `item` payload (which represents dynamic datasource parameters, often derived from untrusted on-chain events) will break out of the SQL string literal. This allows an attacker to inject arbitrary SQL commands into the indexer's database by emitting crafted events on-chain.

**Severity**: `high`
**File**: `packages/node-core/src/indexer/storeModelProvider/metadata/utils.ts`

## Expected Behavior

The code should handle this case properly to avoid unexpected errors or degraded quality.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(node-core): sql injection in dynamic datasource appending via unescaped json serialization #3030

Description

Expected Behavior

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

fix(node-core): sql injection in dynamic datasource appending via unescaped json serialization #3030

Description

Description

Expected Behavior

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions