mapleleaflatte03 · mapleleaflatte03 · May 19, 2026 · May 19, 2026
@@ -0,0 +1,4 @@
+## 2024-05-19 - PRAGMA SQL Injection Risk
+**Vulnerability:** SQL injection vulnerability via unvalidated environment variable used in `PRAGMA journal_mode` string formatting.
+**Learning:** `PRAGMA` commands in SQLite do not support parameterized queries (`?`), so dynamic values must use string formatting, which introduces injection risks if not strictly allowlisted.
+**Prevention:** Always validate dynamic values for `PRAGMA` statements against a strict allowlist before formatting them into the query.
@@ -26,6 +26,8 @@ def _connect(db_path: str) -> sqlite3.Connection:
     configured_journal_mode = (
         os.environ.get('MERIDIAN_OBSERVABILITY_SQLITE_JOURNAL_MODE', 'WAL') or 'WAL'
     ).strip().upper()
+    if configured_journal_mode not in {'DELETE', 'TRUNCATE', 'PERSIST', 'MEMORY', 'WAL', 'OFF', 'DEFAULT'}:
+        configured_journal_mode = 'WAL'
     if configured_journal_mode not in {'', 'DEFAULT', 'OFF'}:
         needs_init = configured_journal_mode != 'WAL' or db_path not in _JOURNAL_MODE_INITIALIZED
         if needs_init:

@@ -175,7 +175,7 @@ BANNED_COMMERCIAL = (
 
 def fetch(path: str, allow_error: bool = False):
     try:
-        req = urllib.request.Request(BASE + path)
+        req = urllib.request.Request(BASE + path, headers={'User-Agent': 'Mozilla/5.0'})
         with urllib.request.urlopen(req, timeout=20) as response:
             return response.status, response.read().decode("utf-8", "ignore")
     except urllib.error.HTTPError as e:
@@ -188,7 +188,7 @@ def fetch_post(path: str, payload: dict, allow_error: bool = False):
     req = urllib.request.Request(
         BASE + path,
         data=body,
-        headers={"Content-Type": "application/json", "Origin": BASE},
+        headers={"Content-Type": "application/json", "Origin": BASE, "User-Agent": "Mozilla/5.0"},
         method="POST",
     )
     try: