
🛡️ Sentinel: [CRITICAL] Fix SQL injection in schema validation#111

Open: mattjoyce wants to merge 1 commit into main from fix/sqlite-injection-4672944732904434489

Conversation

mattjoyce (Owner) commented Jun 1, 2026

🚨 Severity: CRITICAL
💡 Vulnerability: SQL injection vulnerability in internal database schema validation (sqliteColumnExists).
🎯 Impact: The table name parameter string was dynamically concatenated directly into a SQLite PRAGMA statement.
🔧 Fix: Swapped the PRAGMA statement string interpolation for a secure, parameterized pragma_table_info(?) table-valued function check.
✅ Verification: Unit tests in internal/storage passed. Recorded journal entry.


PR created automatically by Jules for task 4672944732904434489 started by @mattjoyce

Summary by CodeRabbit

  • Bug Fixes
    • Fixed a SQL injection vulnerability in database schema validation that could occur during metadata queries
    • Enhanced security of database query handling through improved parameter handling

🚨 Severity: CRITICAL
💡 Vulnerability: SQL injection vulnerability in internal database schema validation.
🎯 Impact: Untrusted table names could be dynamically interpolated into PRAGMA queries.
🔧 Fix: Used SQLite's parameterized table-valued function `pragma_table_info(?)` instead of string interpolation `PRAGMA table_info(%s)`.
✅ Verification: Ran testing via `go test ./internal/storage/...` and recorded to Sentinel journal.

Co-authored-by: mattjoyce <278869+mattjoyce@users.noreply.github.com>

cloudflare-workers-and-pages Bot commented Jun 1, 2026

Deploying with Cloudflare Workers. The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful! (View logs)
Name: ductile
Latest Commit: 20c70f1
Preview URL: Commit Preview URL / Branch Preview URL
Updated (UTC): Jun 01 2026, 11:58 AM

coderabbitai Bot commented Jun 1, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d12d5bd4-f49f-4adb-9b69-bf1f25116f8e

📥 Commits

Reviewing files that changed from the base of the PR and between cf887ea and 20c70f1.

📒 Files selected for processing (2)
  • .jules/sentinel.md
  • internal/storage/sqlite.go

📝 Walkthrough

This PR patches a SQL injection vulnerability in SQLite schema validation. The sqliteColumnExists function previously embedded table names directly into PRAGMA table_info(...) queries via string formatting. The fix switches to SQLite's parameterized pragma_table_info(?) form, accepting the table name as a query parameter. A security note documents the issue and mitigation.

Changes

SQL Injection Fix in SQLite Schema Validation

Layer: Parameterized pragma_table_info query and security documentation
File(s): .jules/sentinel.md, internal/storage/sqlite.go
Summary: Security note documents the SQL injection risk in PRAGMA table_info(...) string formatting and records the parameterized pragma_table_info(?) mitigation. sqliteColumnExists is updated to pass the table name as a query parameter instead of embedding it in the SQL string, preserving the same column-lookup behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A query once prone to injection's dark art,
Now safely parameterized, SQL's smart heart.
From formatted strings to placeholders true,
The rabbit hops onward—vulnerabilities through! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title references the main change (SQL injection fix) but uses emoji and a '[CRITICAL]' tag that add unnecessary noise to an otherwise clear summary.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

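The before/after shape that the PR description and the walkthrough above describe, as an added example that is not the project's own Go code: Python's built-in sqlite3 module stands in for the storage layer, and the `journal` table, its columns and the probe string are constructed here for the demonstration.

```python
import sqlite3


def column_exists_unsafe(conn: sqlite3.Connection, table: str, column: str) -> bool:
    """'Before' shape: the table name is formatted into the PRAGMA text.

    PRAGMA arguments cannot be bound, so whatever is in `table` is handed to
    SQLite's parser as SQL. Kept only to show why the fix was needed.
    """
    rows = conn.execute("PRAGMA table_info(%s)" % table).fetchall()
    return any(row[1] == column for row in rows)  # row[1] is the column name


def column_exists(conn: sqlite3.Connection, table: str, column: str) -> bool:
    """'After' shape: pragma_table_info() is a table-valued function, so the
    table name is bound as a value and is never parsed as SQL."""
    row = conn.execute(
        "SELECT 1 FROM pragma_table_info(?) WHERE name = ?",
        (table, column),
    ).fetchone()
    return row is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema (hypothetical 'journal' table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journal (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def name_reaches_parser(conn: sqlite3.Connection, table: str) -> bool:
    """True when the unsafe variant lets a malformed table name reach SQLite's
    parser (a syntax error instead of a plain 'no such column' answer)."""
    try:
        column_exists_unsafe(conn, table, "id")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_demo_db()
    odd_name = "no such (table)"  # constructed: fine as a value, invalid as SQL
    print("safe lookup:", column_exists(db, "journal", "body"))  # True
    print("safe, odd name:", column_exists(db, odd_name, "id"))  # False, no error
    print("unsafe, odd name hits parser:", name_reaches_parser(db, odd_name))  # True
```

The parameterized form answers "no such column" for any string, while the formatted form hands the same string to the SQL parser, which is the behavior the fix removes.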
