🛡️ Sentinel: [CRITICAL] Fix SQL injection in sqliteColumnExists #86
Open
mattjoyce wants to merge 1 commit into
…terized pragma_table_info
- Migrates from string interpolation (`fmt.Sprintf("PRAGMA table_info(%s);", table)`) to parameterized table-valued function (`SELECT ... FROM pragma_table_info(?)`).
- Adds Sentinel journal entry.
- Updates query explain golden tests.
Co-authored-by: mattjoyce <278869+mattjoyce@users.noreply.github.com>
mattjoyce added a commit that referenced this pull request on Jun 6, 2026
…te_dir, no duplicate uid (#84) Open map (any number of rows); two tiers are the documented posture, not a cap. uid<=0 rejected so a worker can never be root; duplicate uid rejected as false isolation (#87 would chown both state_dirs to one owner). Adds workers + WorkerConf to config.schema.json (authoring aid, ADR §11). Absent/empty map is valid here — the capability/refuse boot gate is #86.
mattjoyce added a commit that referenced this pull request on Jun 6, 2026
mattjoyce added a commit that referenced this pull request on Jun 6, 2026
Boot gate (cmd/ductile/runtime.go): capability-to-drop x workers-configured must agree or the daemon refuses to start; service.unconfined is the explicit, loud override. Pure decision (evaluateBootGate) + a platform capability probe (root, or Linux CAP_SETUID/SETGID via /proc/self/status). The dispatcher drops only when the gate says enforce (WithPrivsepEnforce), so dev/override paths skip resolution. A refused drop is now a typed ErrWorkerDropFailed with its own plugin.drop_failed event, distinct from a missing binary, and classified TERMINAL (never retried). Verified on macOS; wall + refuse paths to re-verify on the Dell.
mattjoyce added a commit that referenced this pull request on Jun 6, 2026
TestHasDropCapabilityAsRoot asserts hasDropCapability()==true under root (Dell / privileged container); skips on non-root dev. Full #86 enforce half now proven on privileged Linux: wall still bites under the enforce gate, capability probe reads true, drop-failed is typed + terminal.
mattjoyce added a commit that referenced this pull request on Jun 6, 2026
🚨 Severity: CRITICAL
💡 Vulnerability: The `sqliteColumnExists` function in `internal/storage/sqlite.go` was constructing a SQLite `PRAGMA table_info(%s)` query using `fmt.Sprintf` directly with the table name. Since the table name is essentially a parameter, this poses a SQL injection risk if the table name originates from user or external input.
🎯 Impact: Exploitation could allow arbitrary SQL execution depending on how the PRAGMA query parses injected statements.
🔧 Fix: Replaced the `PRAGMA` statement with the safer table-valued function equivalent: `SELECT ... FROM pragma_table_info(?)`, passing the table name securely as a parameter.
✅ Verification: Ran `go test -v ./internal/storage/...` (updating golden outputs as necessary) and ran the full suite via `go test -v ./... -short` to ensure everything functions properly without regressions. Also verified `.jules/sentinel.md` entry was added.
PR created automatically by Jules for task 14103200951403298888 started by @mattjoyce
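The commit message and the PR body above both describe the same change: a `PRAGMA table_info(%s)` built with string interpolation, replaced by `SELECT ... FROM pragma_table_info(?)` with the table name bound as a parameter. The following is an added example illustrating that change, not code from the ductile project or from this PR. It is written in Python against the standard-library `sqlite3` module (which runs offline with no driver to install) rather than the project's Go, but the SQL is identical to what the PR adopts and works the same way through Go's `database/sql`; `pragma_table_info()` as a table-valued function needs SQLite 3.16.0 or later. The function names, the `events` table and the crafted input are this example's own assumptions. It also goes slightly beyond the PR: because `ALTER TABLE` cannot bind an identifier at all, the column-adding helper shows the identifier allowlist a practitioner would want next to the parameterized existence check.

```python
"""Added example (not the ductile project's code): string-interpolated PRAGMA
versus the parameterized pragma_table_info() table-valued function."""
import re
import sqlite3

# Strict identifier allowlist (assumption: schema names are plain ASCII
# identifiers). Needed wherever SQLite cannot bind a parameter, e.g. PRAGMA
# and ALTER TABLE, so the name has to be spliced into SQL text.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_COLUMN_TYPES = {"TEXT", "INTEGER", "REAL", "BLOB"}


def is_safe_identifier(name: str) -> bool:
    return bool(_IDENT.match(name))


def column_exists_interpolated(conn: sqlite3.Connection, table: str, column: str) -> bool:
    """The pre-fix pattern: the table name is pasted into the PRAGMA text.
    Kept only as the 'before' to contrast with column_exists() below."""
    rows = conn.execute(f"PRAGMA table_info({table});").fetchall()
    return any(row[1] == column for row in rows)  # row[1] is the column name


def column_exists(conn: sqlite3.Connection, table: str, column: str) -> bool:
    """The hardened form the PR adopts: pragma_table_info is a table-valued
    function, so the table name is a bound value, never SQL text. A name that
    is not a table simply yields zero rows; there is no error and no parsing."""
    row = conn.execute(
        "SELECT 1 FROM pragma_table_info(?) WHERE name = ?", (table, column)
    ).fetchone()
    return row is not None


def ensure_column(conn: sqlite3.Connection, table: str, column: str, decl: str = "TEXT") -> bool:
    """Add `column` to `table` if it is missing; returns True if it was added.
    ALTER TABLE has no bind slot for identifiers, so both names (and the type)
    are checked against the allowlist before any SQL text is assembled."""
    if not (is_safe_identifier(table) and is_safe_identifier(column)):
        raise ValueError(f"refusing unsafe identifier: {table!r}.{column!r}")
    if decl not in _COLUMN_TYPES:
        raise ValueError(f"refusing unknown column type: {decl!r}")
    if column_exists(conn, table, column):
        return False
    conn.execute(f'ALTER TABLE "{table}" ADD COLUMN "{column}" {decl}')
    return True


def demo() -> dict:
    """Constructed scenario: one table, one name that is not a table but that
    a SQL comment marker turns into a different statement when interpolated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT)")
    crafted = "events) --"  # constructed input; no table by this name exists
    return {
        # Interpolated: the query text becomes "PRAGMA table_info(events) --);"
        # and answers for a table the caller never named.
        "interpolated_crafted": column_exists_interpolated(conn, crafted, "name"),
        # Parameterized: the whole string is looked up as a table name, finds
        # nothing, and the answer is an honest False.
        "parameterized_crafted": column_exists(conn, crafted, "name"),
        "parameterized_real": column_exists(conn, "events", "name"),
        "added_ts": ensure_column(conn, "events", "ts", "INTEGER"),
        "added_ts_again": ensure_column(conn, "events", "ts", "INTEGER"),
        "ts_now_exists": column_exists(conn, "events", "ts"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful check for a migration code base is the pair of `*_crafted` results: the interpolated version reports a column on a table that was never named, which is exactly the class of behaviour the PR's golden-test update pins down, while the parameterized version treats the input as data. Keep the allowlist even after the parameterization, because the `ALTER TABLE ... ADD COLUMN` that usually follows a column-existence check still has to be built as text.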