From c6f5a58d3b7df54bbd5b7d048520e02513a803ff Mon Sep 17 00:00:00 2001
From: Tristan Partin
Date: Wed, 19 Mar 2025 14:19:38 -0500
Subject: [PATCH] Remove potential for SQL injection (#11260)

Timeline IDs do not contain characters that may cause a SQL injection, but best to always play it safe.

Signed-off-by: Tristan Partin
---
 compute_tools/src/spec_apply.rs | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/compute_tools/src/spec_apply.rs b/compute_tools/src/spec_apply.rs
index 27af0e80f6..2be6458fb4 100644
--- a/compute_tools/src/spec_apply.rs
+++ b/compute_tools/src/spec_apply.rs
@@ -75,15 +75,12 @@ impl ComputeNode {
         if spec.drop_subscriptions_before_start {
             let timeline_id = self.get_timeline_id().context("timeline_id must be set")?;
-            let query = format!("select 1 from neon.drop_subscriptions_done where timeline_id = '{}'", timeline_id);
             info!("Checking if drop subscription operation was already performed for timeline_id: {}", timeline_id);
-            drop_subscriptions_done = match
-                client.simple_query(&query).await {
-                Ok(result) => {
-                    matches!(&result[0], postgres::SimpleQueryMessage::Row(_))
-                },
+            drop_subscriptions_done = match
+                client.query("select 1 from neon.drop_subscriptions_done where timeline_id = $1", &[&timeline_id.to_string()]).await {
+                Ok(result) => !result.is_empty(),
                 Err(e) => {
                     match e.code() {