fix: use sanitizeStringLiteral for TimescaleDB information schema columns#66

Merged: linhdmn merged 1 commit into main from fix+timescale-string-comparison on Apr 19, 2026

Conversation

@linhdmn (Member) commented Apr 19, 2026

Summary

  • Fix SQL injection vulnerability in TimescaleDB hypertable queries
  • Use sanitizeStringLiteral() for information schema column comparisons instead of sanitizeIdentifier()
  • TimescaleDB information schema columns (timescaledb_information.*, _timescaledb_catalog.*) are TEXT type and require string literal comparisons

Test plan

  • All TimescaleDB tests pass

🤖 Generated with Claude Code

…umns

The hypertable_name and table_name columns in TimescaleDB
information schema views (timescaledb_information.*) are TEXT type
and require string literal comparisons with single quotes.

This fixes TestGetHypertable, TestCheckIfHypertable, and
TestRecentChunks which were failing after the SQL injection
sanitization changes.

Changes:
- GetHypertable: h.table_name comparison now uses sanitizeStringLiteral
- CheckIfHypertable: table_name comparison now uses sanitizeStringLiteral
- ListHypertables: compression/retention queries now use sanitizeStringLiteral
- RecentChunks: hypertable_name comparison now uses sanitizeStringLiteral

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@linhdmn linhdmn merged commit ada55d1 into main Apr 19, 2026
3 checks passed
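The point the PR body and commit message make, that a TEXT column such as hypertable_name must be compared against a single-quoted string literal and not a double-quoted identifier, is easiest to see in generated SQL. The following Go program is an added example written for this page, not the project's code: sanitizeIdentifier and sanitizeStringLiteral are illustrative re-implementations of the two helpers the PR names (their real bodies are not on the page), and hypertableLookup, isColumnSelfComparison and the SELECT list are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// sanitizeIdentifier wraps a Postgres identifier (schema, table or column
// name) in double quotes and doubles any embedded double quote. Illustrative
// re-implementation for this example; the project's helper of the same name
// is not shown on the page and may differ.
func sanitizeIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// sanitizeStringLiteral wraps a value in single quotes and doubles any
// embedded single quote, which is the quoting a TEXT comparison such as
// hypertable_name = '...' needs. NUL bytes are dropped because Postgres
// rejects them inside a string literal. Also illustrative, not the project's.
func sanitizeStringLiteral(value string) string {
	value = strings.ReplaceAll(value, "\x00", "")
	return "'" + strings.ReplaceAll(value, "'", "''") + "'"
}

// hypertableLookup builds the lookup against
// timescaledb_information.hypertables (hypothetical query shape; only the
// column name hypertable_name comes from the page). With useLiteral=false
// the value is quoted as an identifier, which is the bug the PR fixes.
func hypertableLookup(table string, useLiteral bool) string {
	quote := sanitizeIdentifier
	if useLiteral {
		quote = sanitizeStringLiteral
	}
	return "SELECT hypertable_schema, hypertable_name " +
		"FROM timescaledb_information.hypertables h " +
		"WHERE h.hypertable_name = " + quote(table)
}

// isColumnSelfComparison reports whether the generated clause compares
// hypertable_name to a double-quoted identifier of the same name, a
// predicate Postgres evaluates as true for every row. It is a static check on
// the SQL text used here to expose the failure mode, not a defence.
func isColumnSelfComparison(sql string) bool {
	return strings.HasSuffix(sql, `h.hypertable_name = "hypertable_name"`)
}

func main() {
	// Constructed inputs: an ordinary table name, an injection attempt, and
	// the name of the column itself.
	for _, name := range []string{"metrics", "x' OR 1=1 --", "hypertable_name"} {
		fmt.Println("identifier:", hypertableLookup(name, false))
		fmt.Println("literal:   ", hypertableLookup(name, true))
	}
}
```

With identifier quoting, `WHERE h.hypertable_name = "metrics"` asks Postgres for a column called metrics, which does not exist in the view, so the lookup errors out; that is consistent with the test failures the commit message describes. Worse, a caller-supplied name of `hypertable_name` turns the predicate into a self-comparison that matches every hypertable. String-literal quoting produces `= 'metrics'` and turns `x' OR 1=1 --` into the harmless literal `'x'' OR 1=1 --'`. The stronger fix, where the driver allows it, is to pass the value as a bind parameter (`$1`) and reserve identifier quoting for names that genuinely are identifiers.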