Latent SQL injection in shim_enrichment.py (unparameterized IN clause) #895

@ShaanNarendran

Description

Summary

get_shim_spans_for_sessions constructs a ClickHouse IN clause via f-string interpolation (f"'{sid}'") without escaping single quotes. Every other query in the codebase uses {name:Type} parameterized placeholders — this is the sole exception. Session IDs are user-controlled strings with no format validation at ingestion.

Severity

MEDIUM (latent — no production callers currently)

Location

  • ee/observal_insights/shim_enrichment.py:48

Exploit Scenario

An attacker reports a session with session_id = "') OR 1=1 --" via the telemetry ingest endpoint. If/when this function is wired into a production code path, that stored session ID is read back from ClickHouse and interpolated into the query, where its embedded quote breaks out of the IN clause and allows data exfiltration via UNION injection.

Mitigating Factor

Currently has no production callers (only test code imports it). This is a latent vulnerability that becomes exploitable the moment it's integrated.

Recommendation

Replace the interpolated list with the parameterized placeholder WHERE metadata['session.id'] IN {sids:Array(String)}, consistent with the rest of the codebase.
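Added example, not the project's code: the interpolated IN clause the issue describes next to the {name:Type} placeholder form it recommends, plus the ingestion-side format check the summary notes is missing. The table name, function names and the assumed session-id format are hypothetical, and no ClickHouse connection is opened.

```python
# Added example (not shim_enrichment.py): vulnerable builder, parameterized
# builder, and defensive checks. TABLE, names and SESSION_ID_RE are assumptions.
import re
from typing import Any

TABLE = "shim_spans"  # constructed placeholder, not the project's table
# Assumed id format: letters, digits, '-', '_', 8..64 chars; tighten to match real ids.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{8,64}$")


def build_query_vulnerable(session_ids: list[str]) -> str:
    """Reproduces the defect: each id is dropped between quotes unescaped,
    so a quote inside an id becomes SQL structure instead of data."""
    in_list = ", ".join(f"'{sid}'" for sid in session_ids)
    return f"SELECT * FROM {TABLE} WHERE metadata['session.id'] IN ({in_list})"


def build_query_parameterized(session_ids: list[str]) -> tuple[str, dict[str, Any]]:
    """Recommended fix: constant SQL text, ids bound as an Array(String)
    parameter so the server never parses them as SQL. With clickhouse-connect
    the pair is passed as client.query(sql, parameters=params) (driver assumed)."""
    sql = f"SELECT * FROM {TABLE} WHERE metadata['session.id'] IN {{sids:Array(String)}}"
    return sql, {"sids": list(session_ids)}


def is_valid_session_id(session_id: str) -> bool:
    """Defence in depth at ingestion: reject ids outside the expected format
    before they are stored, so no later query path inherits them."""
    return bool(SESSION_ID_RE.fullmatch(session_id))


def in_list_well_formed(query: str, expected: int) -> bool:
    """Heuristic regression check for the vulnerable builder: N ids must
    render as N quoted literals, i.e. exactly 2*N quotes after 'IN ('."""
    _, _, in_list = query.partition(" IN (")
    return in_list.count("'") == 2 * expected


if __name__ == "__main__":
    ids = ["sess-0001-aaaa", "') OR 1=1 --"]  # second value is the issue's sample id
    bad = build_query_vulnerable(ids)
    print("vulnerable   :", bad)
    print("well formed  :", in_list_well_formed(bad, len(ids)))  # False: structure changed
    sql, params = build_query_parameterized(ids)
    print("parameterized:", sql, params)
    print("ingest accepts:", [is_valid_session_id(i) for i in ids])
```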


Identified via automated security audit (2026-05-12)
