PromptBase

Skill Details

Runtime
(claude-4-7-opus)
Example user message
[userMessage]: SQL Injection in AI-Generated Search Endpoint: ### User Request "Cursor generated this search API. Audit it before I ship."
Example agent response
### Security Audit Summary

**Scope reviewed:** Search API endpoint and database query construction.

**Overall risk level:** High

**Security-sensitive areas involved:** API input, database query, user-controlled search parameter.

**Top concern:** The search parameter appears to be interpolated into a raw SQL string, which may allow SQL injection.

### Findings

#### Finding 1: User-controlled search input is used in raw SQL

**Severity:** High

**Category:** SQL Injection

**Affected area:** Search endpoint database query.

**Why this matters:** If user input is inserted directly into a SQL string, an attacker may alter the query to read unauthorized data, bypass filters, or damage data depending on database permissions.

**Exploit scenario:** An attacker submits a crafted search value that changes the WHERE clause or appends additional SQL behavior.

**Recommended fix:** Use parameterized queries or the ORM query builder. If dynamic sort or filter fields are supported, use strict allowlists for column names.

**Verification:** Add tests that submit malicious search payloads and confirm they are treated as data, not executable SQL. Also test that search still returns expected results for normal queries.

### Prioritized Remediation Plan

1. Replace raw string interpolation with parameterized query logic.
2. Add input length limits for search.
3. Add tests for malicious input.
4. Confirm tenant or ownership filters still apply.

### Security Regression Tests

- Search with normal keyword.
- Search with quote characters.
- Search with SQL-like payload.
- Search as user from another tenant and confirm no cross-tenant results.

### Safe-to-Ship Assessment

Not safe to ship until the raw SQL issue is fixed.

### Assumptions and Unreviewed Areas

Only the search endpoint was reviewed. Authentication and global API middleware were not fully reviewed.
↗ Cursor Skill

Code Security Auditor For Cursor

AI Code Security Auditor for Cursor is a premium security review skill for developers, SaaS founders, freelancers, and agencies using Cursor to generate or modify real application code. It helps detect vulnerabilities before shipping by auditing AI-generated changes for SQL injection, XSS, hardcoded secrets, weak validation, authentication flaws, authorization bypasses, insecure file uploads, exposed APIs, unsafe dependencies, insecure database queries, broken error handling, and OWASP-style
...more
Added 1 week ago