feat: implement security, error resilience, and query optimization proposals

Security Validation (enhance-security-validation): - JWT secret validation with entropy checking and pattern detection - CSRF protection middleware with token generation/validation - Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests - MIME type validation with magic bytes detection for file uploads Error Resilience (add-error-resilience): - React ErrorBoundary component with fallback UI and retry functionality - ErrorBoundaryWithI18n wrapper for internationalization support - Page-level and section-level error boundaries in App.tsx Query Performance (optimize-query-performance): - Query monitoring utility with threshold warnings - N+1 query fixes using joinedload/selectinload - Optimized project members, tasks, and subtasks endpoints Bug Fixes: - WebSocket session management (P0): Return primitives instead of ORM objects - LIKE query injection (P1): Escape special characters in search queries Tests: 543 backend tests, 56 frontend tests passing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 18:41:19 +08:00
parent 2cb591ef23
commit 679b89ae4c
41 changed files with 3673 additions and 153 deletions
--- a/backend/app/core/database.py
+++ b/backend/app/core/database.py
@@ -104,6 +104,10 @@ def _on_invalidate(dbapi_conn, connection_record, exception):
 # Start pool statistics logging on module load
 _start_pool_stats_logging()

+# Set up query logging if enabled
+from app.core.query_monitor import setup_query_logging
+setup_query_logging(engine)
+

 def get_db():
    """Dependency for getting database session."""
@@ -127,3 +131,25 @@ def get_pool_status() -> dict:
            "total_checkins": _pool_stats["checkins"],
            "invalidated_connections": _pool_stats["invalidated_connections"],
        }
+
+
+def escape_like(value: str) -> str:
+    """
+    Escape special characters for SQL LIKE queries.
+
+    Escapes '%' and '_' characters which have special meaning in LIKE patterns.
+    This prevents LIKE injection attacks where user input could match unintended patterns.
+
+    Args:
+        value: The user input string to escape
+
+    Returns:
+        Escaped string safe for use in LIKE patterns
+
+    Example:
+        >>> escape_like("test%value")
+        'test\\%value'
+        >>> escape_like("user_name")
+        'user\\_name'
+    """
+    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")