## Rust Database Module 'update_status' Contains SQL Injection Pattern — Public Function Exposes Core Risk
A critical SQL injection pattern has been identified in the public `update_status` function within a Rust database module. The vulnerability stems from the direct interpolation of a `field: &str` parameter into an SQL string, creating a textbook injection pathway. While current callers use hardcoded literals, the function's public visibility and the dangerous coding pattern set a precedent for future, exploitable misuse if any caller passes user-influenced data.

The flaw is located in `core/src/db.rs` at lines 95-99, where the UPDATE query is constructed using `format!`. The code concatenates the `field` parameter directly into the SQL command string without validation or sanitization. This design flaw means the function's safety is entirely dependent on the trustworthiness of its callers, a fragile security model for a public API.

The immediate recommendation is to replace the string parameter with a closed-set enum (`StatusField`), mapping variants like `Download`, `Stems`, and `Analysis` to static column names. This change would eliminate the injection vector at its source by ensuring only predefined, safe column identifiers are used. The fix requires updating all existing call sites in the pipeline, but it permanently seals the architectural vulnerability, preventing the pattern from being copied into new, unsafe code.
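The vulnerable pattern beside the enum-based fix described above, as an added example that is not the project's own code. The table name `tracks`, the column names, the `?1`/`?2` bind placeholders and the `FromStr` boundary parser are assumptions; the page names only the `StatusField` variants.

```rust
// Added example: the string-interpolated pattern next to the closed-set enum.
// Table and column names are assumed, not taken from the project.

/// Before: `field` is pasted straight into the SQL text, so the function is
/// only as safe as every caller that will ever exist.
pub fn update_status_sql_unsafe(field: &str) -> String {
    format!("UPDATE tracks SET {} = ?1 WHERE id = ?2", field)
}

/// After: the column identifier comes from a closed set the compiler checks.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum StatusField {
    Download,
    Stems,
    Analysis,
}

impl StatusField {
    /// Static column names (assumed values); no caller-supplied text reaches SQL.
    pub const fn column(self) -> &'static str {
        match self {
            StatusField::Download => "download_status",
            StatusField::Stems => "stems_status",
            StatusField::Analysis => "analysis_status",
        }
    }
}

/// If a caller must start from text (a CLI flag, a config key), parse it into
/// the closed set at the boundary instead of forwarding the raw string.
impl std::str::FromStr for StatusField {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "download" => Ok(StatusField::Download),
            "stems" => Ok(StatusField::Stems),
            "analysis" => Ok(StatusField::Analysis),
            other => Err(format!("unknown status field: {other:?}")),
        }
    }
}

/// Hardened: only the identifier is fixed here; the status value and row id
/// stay as bind parameters for the database driver to supply.
pub fn update_status_sql(field: StatusField) -> String {
    format!("UPDATE tracks SET {} = ?1 WHERE id = ?2", field.column())
}
```

Existing call sites that passed `"download"` as a literal become `StatusField::Download`, and any site that passed a variable must now go through `parse::<StatusField>()`, which rejects anything outside the three known columns.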
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: rust, sql-injection, security-vulnerability, code-review, database
- **Credibility**: unverified
- **Published**: 2026-04-02 08:27:08
- **ID**: 46899
- **URL**: https://whisperx.ai/en/intel/46899