🛡️ Sentinel: [CRITICAL] Fix SQL injection in sqliteColumnExists

[mattjoyce]

🚨 Severity: CRITICAL
💡 Vulnerability: Potential SQL injection in sqliteColumnExists caused by using fmt.Sprintf to construct a PRAGMA table_info query.
🎯 Impact: An attacker who can control the table variable could potentially inject arbitrary SQL commands.
🔧 Fix: Used the SQLite pragma_table_info(?) table-valued function, which safely supports parameterization.
✅ Verification: Ran unit tests via go test -v ./... and make test.

---

PR created automatically by Jules for task 2485562916874580463 started by @mattjoyce

Summary by CodeRabbit

• Bug Fixes

  • Fixed SQL injection vulnerability in database operations by implementing parameterized queries for improved security.

• Documentation

  • Added security guidelines documenting SQL injection risks and recommended safer query practices.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	ductile	ce79c05	Commit Preview URL Branch Preview URL	Jun 04 2026, 12:02 PM

[qodo-code-review]

Review Summary by Qodo

Fix SQL injection in sqliteColumnExists using parameterized queries

🐞 Bug fix

Walkthroughs

Description

• Fix critical SQL injection vulnerability in sqliteColumnExists
• Replace unsafe fmt.Sprintf with parameterized pragma_table_info(?) query
• Add security documentation to .jules/sentinel.md

Diagram

flowchart LR
  A["Unsafe fmt.Sprintf<br/>PRAGMA table_info"] -->|"Replace with"| B["Parameterized query<br/>pragma_table_info function"]
  B -->|"Result"| C["SQL injection<br/>vulnerability fixed"]

Loading

File Changes

1. internal/storage/sqlite.go 🐞 Bug fix +1/-1

Replace unsafe PRAGMA with parameterized query

• Replaced fmt.Sprintf("PRAGMA table_info(%s);", table) with parameterized query
• Changed to SELECT cid, name, type, "notnull", dflt_value, pk FROM pragma_table_info(?);
• Passes table as a parameter argument instead of string interpolation
• Eliminates SQL injection risk from untrusted table names

internal/storage/sqlite.go

---

2. .jules/sentinel.md 📝 Documentation +4/-0

Add security incident documentation and prevention guidance

• Document the SQL injection vulnerability and its root cause
• Explain why standard parameterized queries don't work with PRAGMA statements
• Provide solution using pragma_table_info(?) table-valued function
• Include prevention guidance for similar vulnerabilities

.jules/sentinel.md

---

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 70597593-fb62-46dc-94b9-a12f1b7ae12b

📥 Commits

Reviewing files that changed from the base of the PR and between cf887ea and ce79c05.

📒 Files selected for processing (2)

• .jules/sentinel.md
• internal/storage/sqlite.go

---

📝 Walkthrough

Walkthrough

This PR fixes a SQL injection vulnerability in SQLite column introspection. The code change replaces unsafe string interpolation in sqliteColumnExists with a parameterized query using pragma_table_info(?). A documentation sentinel describes the risk pattern and prescribed mitigation.

Changes

SQL injection vulnerability fix

Layer / File(s)	Summary
Parameterized query fix and documentation .jules/sentinel.md, internal/storage/sqlite.go	sqliteColumnExists switches from unsafe PRAGMA table_info(%s) string formatting to parameterized pragma_table_info(?) query. Safety sentinel documents the SQL injection risk and parameterized alternatives.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 A query once fraught with unsafe string dance,
Now bound and parameterized by chance,
The sentinel marks what dangers hid,
With pragma_table_info(?) the fix is bid!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: fixing a SQL injection vulnerability in sqliteColumnExists, which is the primary focus of this security-critical PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-sqlite-injection-2485562916874580463

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review