🛡️ Sentinel: [CRITICAL] Fix SQL Injection in sqliteColumnExists

[mattjoyce]

🚨 Severity: CRITICAL
💡 Vulnerability: fmt.Sprintf was used to interpolate a table name directly into an SQLite PRAGMA query in sqliteColumnExists, allowing potential SQL injection.
🎯 Impact: An attacker could potentially manipulate table names to execute arbitrary SQL or extract sensitive data.
🔧 Fix: Replaced the interpolated PRAGMA statement with a parameterized query using the pragma_table_info(?) table-valued function. Extracted necessary columns explicitly to match the Scan logic, properly quoting the "notnull" keyword.
✅ Verification: Ran go test -v ./... to ensure no regressions and verified correct column selection and mapping.

---

PR created automatically by Jules for task 8740818745908940614 started by @mattjoyce

Summary by CodeRabbit

• Bug Fixes

  • Refactored SQLite schema metadata query execution to utilize parameterized parameter binding instead of direct string composition, improving robustness of database interactions.

• Documentation

  • Added documentation detailing security enhancements to database query mechanisms and safer approaches for parameter handling in database operations.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	ductile	b995e58	Commit Preview URL Branch Preview URL	May 31 2026, 11:51 AM

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR fixes a SQL injection vulnerability in SQLite schema metadata queries. The fix replaces unsafe string interpolation in a PRAGMA table_info call with a parameterized query using pragma_table_info(?), and documents the security issue and resolution.

Changes

SQL Injection Prevention in SQLite Schema Queries

Layer / File(s)	Summary
Parameterized pragma_table_info query with security documentation .jules/sentinel.md, internal/storage/sqlite.go	sqliteColumnExists now queries schema metadata using parameterized db.QueryContext against pragma_table_info(?) instead of string-interpolated PRAGMA table_info(%s). Security note documents the unsafe pattern and specifies the safer table-valued pragma_table_info(?) form.

🎯 2 (Simple) | ⏱️ ~8 minutes

A rabbit hops with glee,
No SQL injections shall be!
Parameterized queries bind tight,
Securing the schema in flight. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately identifies the main change: fixing a critical SQL injection vulnerability in sqliteColumnExists using parameterized queries instead of string interpolation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-sqli-sqlite-column-exists-8740818745908940614

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.jules/sentinel.md:
- Line 1: Update the header date on the sentinel entry for "Prevent SQL
Injection via string interpolation in PRAGMA table_info" from "2024-05-18" to
the actual PR creation date "2026-05-31" so the changelog reflects the correct
timeline; locate the heading line in .jules/sentinel.md and replace only the
date portion while preserving the rest of the header text.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 090e9646-8bdb-412d-b4e5-906e5fb11d5c

📥 Commits

Reviewing files that changed from the base of the PR and between cf887ea and b995e58.

📒 Files selected for processing (2)

• .jules/sentinel.md
• internal/storage/sqlite.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Correct the date to match PR creation.

The date "2024-05-18" predates this PR by over two years. Since this is a new file created in this PR (2026-05-31), the date should reflect when this fix was actually made.

📅 Proposed fix

-## 2024-05-18 - Prevent SQL Injection via string interpolation in PRAGMA table_info
+## 2026-05-31 - Prevent SQL Injection via string interpolation in PRAGMA table_info

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2024-05-18 - Prevent SQL Injection via string interpolation in PRAGMA table_info
	## 2026-05-31 - Prevent SQL Injection via string interpolation in PRAGMA table_info

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 1-1: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 1-1: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.jules/sentinel.md at line 1, Update the header date on the sentinel entry
for "Prevent SQL Injection via string interpolation in PRAGMA table_info" from
"2024-05-18" to the actual PR creation date "2026-05-31" so the changelog
reflects the correct timeline; locate the heading line in .jules/sentinel.md and
replace only the date portion while preserving the rest of the header text.