4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-18 - Prevent SQL Injection via string interpolation in PRAGMA table_info
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Correct the date to match PR creation.

The date "2024-05-18" predates this PR by over two years. Since this is a new file created in this PR (2026-05-31), the date should reflect when this fix was actually made.

📅 Proposed fix
-## 2024-05-18 - Prevent SQL Injection via string interpolation in PRAGMA table_info
+## 2026-05-31 - Prevent SQL Injection via string interpolation in PRAGMA table_info
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 1-1: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below
(MD022, blanks-around-headings)

[warning] 1-1: First line in a file should be a top-level heading
(MD041, first-line-heading, first-line-h1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.jules/sentinel.md at line 1, Update the header date on the sentinel entry
for "Prevent SQL Injection via string interpolation in PRAGMA table_info" from
"2024-05-18" to the actual PR creation date "2026-05-31" so the changelog
reflects the correct timeline; locate the heading line in .jules/sentinel.md and
replace only the date portion while preserving the rest of the header text.

**Vulnerability:** Found `fmt.Sprintf("PRAGMA table_info(%s);", table)` which uses unsafe string interpolation to inject a table name directly into an SQLite schema query in `sqliteColumnExists`.
**Learning:** PRAGMA statements typically do not support parameterized arguments in many SQLite driver implementations. This led developers to incorrectly fallback to unsafe string interpolation `fmt.Sprintf` for dynamically querying schema information based on variables.
**Prevention:** Use SQLite's safe table-valued function equivalent for pragmas, specifically `pragma_table_info(?)`. This alternative syntax `SELECT ... FROM pragma_table_info(?)` safely accepts parameterized arguments, thereby eliminating SQL injection risks while retrieving schema metadata. Note that columns like `notnull` must be quoted as `"notnull"` because it is a reserved keyword in SQL.
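Review bot: the Prevention entry should record the minimum SQLite version the fix depends on: table-valued pragma functions such as `pragma_table_info()` exist only from SQLite 3.16.0, so on an older linked or bundled library the new `SELECT ... FROM pragma_table_info(?)` fails at prepare time where the old `PRAGMA table_info(...)` would have run. Suggest adding one sentence, e.g. "Requires SQLite 3.16.0 or later (table-valued pragma functions)." The heading date `2024-05-18` also predates this PR and should match its creation date, as already noted above.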
2 changes: 1 addition & 1 deletion internal/storage/sqlite.go
@@ -200,7 +200,7 @@ LIMIT 1;
}

func sqliteColumnExists(ctx context.Context, db *sql.DB, table, column string) (bool, error) {
cols, err := db.QueryContext(ctx, fmt.Sprintf("PRAGMA table_info(%s);", table))
cols, err := db.QueryContext(ctx, "SELECT cid, name, type, \"notnull\", dflt_value, pk FROM pragma_table_info(?);", table)
if err != nil {
return false, err
}
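Review bot: the replacement query still selects all six `table_info` columns and leaves the `column` comparison to the Go code below the visible context, even though `sqliteColumnExists` only needs to know whether `column` is present; consider pushing the filter into SQL, e.g. `SELECT 1 FROM pragma_table_info(?) WHERE name = ? LIMIT 1` with `table, column` bound, which keeps both identifiers parameterized and avoids scanning and closing a six-column row set. Two behaviours worth a comment on the new line: `pragma_table_info(?)` returns zero rows rather than an error for a table that does not exist, matching the old `PRAGMA table_info` behaviour, so callers get `false, nil` in both versions; and `"notnull"` must stay double-quoted because `NOTNULL` is an SQLite keyword, so the quoting in the hunk is correct and should not be "simplified" away later.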