From 2262af88868858a50a8252d36b80bae1075848a2 Mon Sep 17 00:00:00 2001
From: vedantsahai18
Date: Mon, 27 Jan 2025 23:02:29 -0500
Subject: [PATCH] chore: sql injection fix
---
 agents-api/agents_api/queries/docs/list_docs.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/agents-api/agents_api/queries/docs/list_docs.py b/agents-api/agents_api/queries/docs/list_docs.py
index 6b1f14723..852149934 100644
--- a/agents-api/agents_api/queries/docs/list_docs.py
+++ b/agents-api/agents_api/queries/docs/list_docs.py
@@ -100,8 +100,8 @@ async def list_docs(
 # Add metadata filtering before GROUP BY
 if metadata_filter:
 for key, value in metadata_filter.items():
- query += f" AND d.metadata->>'{key}' = ${len(params) + 1}"
- params.append(value)
+ query += f" AND d.metadata->>${len(params) + 1} = ${len(params) + 2}"
+ params.extend([key, value])
 
 # Add GROUP BY clause
 query += """
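Review bot: Neither placeholder on the new `query +=` line carries a type, so the server has to infer that the right operand of `->>` is a text key rather than an integer array index. An explicit cast removes that ambiguity: `query += f" AND d.metadata->>${len(params) + 1}::text = ${len(params) + 2}"`. Because `->>` yields text, a non-string `value` in `metadata_filter` (a number or boolean) will presumably be rejected by the driver or never match, so values should be validated or coerced before `params.extend([key, value])`. A regression test that passes a key containing a single quote would pin the fix. The body of `list_docs` starts and ends outside this hunk, so any upstream validation of `metadata_filter` is not visible here.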