
tessl-labs/input-sanitization

Sanitize and validate user input at system boundaries — prevent XSS, SQL

Score: 94 (1.20x)
Quality: 89% (Does it follow best practices?)
Impact: 100% (1.20x), average score across 6 eval scenarios
Security (by Snyk): Passed, no known issues

File: evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent avoids raw SQL queries with user input and instead uses ORM built-in query methods for a product search API. Covers parameterized query rules and the preference for ORM methods over escape hatches like $queryRaw or $queryRawUnsafe.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "No string interpolation in SQL",
      "description": "No SQL query uses string interpolation or concatenation with user-supplied values (no template literals like `SELECT ... ${var}`, no string concatenation in query strings)",
      "max_score": 15
    },
    {
      "name": "No $queryRawUnsafe",
      "description": "Does NOT use Prisma's $queryRawUnsafe anywhere in the codebase",
      "max_score": 10
    },
    {
      "name": "No $queryRaw for ORM-expressible queries",
      "description": "Does NOT use $queryRaw (Prisma) or sequelize.query (Sequelize) for queries that can be expressed with built-in ORM methods such as findMany/findAll with where clauses",
      "max_score": 15
    },
    {
      "name": "ORM contains/like for text search",
      "description": "Uses ORM built-in text search methods (Prisma: `contains`, Sequelize: `Op.like`, SQLAlchemy: `.like()`) instead of raw SQL LIKE clauses for filtering by name or description",
      "max_score": 15
    },
    {
      "name": "ORM where clause for filtering",
      "description": "Uses ORM where clause / filter API for category or status filtering rather than constructing a raw SQL WHERE clause",
      "max_score": 15
    },
    {
      "name": "Parameterized raw queries",
      "description": "Any raw queries that are genuinely unavoidable use bound parameters / replacements (e.g. Prisma $queryRaw tagged template, Sequelize replacements array, SQLAlchemy bound params) — NOT string formatting",
      "max_score": 10
    },
    {
      "name": "Numeric ID parsed and validated",
      "description": "When a product ID is accepted from a URL parameter, it is parsed as an integer and rejected with 400 if NaN or <= 0 before being used in any query",
      "max_score": 10
    },
    {
      "name": "No raw flag / text() for ORM-expressible",
      "description": "Does NOT use SQLAlchemy text() or Django's .raw() for queries that could be expressed with the ORM's filter/where API",
      "max_score": 10
    }
  ]
}

Files in this skill:
evals/scenario-1/criteria.json
evals/scenario-1/task.md
tile.json