Sentinel: [CRITICAL] Fix SQL injection in sqliteColumnExists #91
mattjoyce wants to merge 1 commit into
Conversation
In `internal/storage/sqlite.go`, PRAGMA statements using string interpolation with `fmt.Sprintf` for table names allow potential SQL injection if inputs are not validated. This patch replaces the `fmt.Sprintf` PRAGMA call with a parameterized table-valued function `pragma_table_info(?)` which safely supports parameter binding. This also adds a sentinel learning log in `.jules/sentinel.md`.

Co-authored-by: mattjoyce <278869+mattjoyce@users.noreply.github.com>
Severity: CRITICAL

Vulnerability: SQL injection vulnerability in `internal/storage/sqlite.go` due to formatting `PRAGMA table_info(%s)` with user input.

Impact: If `table` originates from user input, attackers could execute arbitrary SQL commands to manipulate schema metadata or potentially the database itself.

Fix: Replaced the string interpolation of PRAGMA statements with parameterized SQLite table-valued functions (`SELECT ... FROM pragma_table_info(?)`), eliminating the SQL injection vulnerability while retaining the exact same return format.

Verification: Verified that `make test` runs smoothly and `go test -v ./internal/storage/...` passes all storage and schema test validations successfully without introducing any regressions. Recorded the learning in `.jules/sentinel.md`.

PR created automatically by Jules for task 7112173381231930987 started by @mattjoyce
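The difference between the interpolated `PRAGMA table_info(%s)` and the bound `pragma_table_info(?)` is easiest to see against a live SQLite database, so here is an added example (not the project's Go code, written in Python against the standard `sqlite3` module) that puts the two patterns side by side on a constructed `users` table. The `column_exists_checked` identifier allowlist is an added defence-in-depth step and is not part of the PR.

```python
import re
import sqlite3

def demo_db() -> sqlite3.Connection:
    # Constructed in-memory schema so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn

def column_exists_unsafe(conn: sqlite3.Connection, table: str, column: str) -> bool:
    # The pattern the PR removes: PRAGMA takes no bound parameters, so the
    # table name is pasted into the SQL text and parsed as SQL, not as data.
    rows = conn.execute(f"PRAGMA table_info({table})").fetchall()
    return any(row[1] == column for row in rows)  # row[1] is the column name

def column_exists_safe(conn: sqlite3.Connection, table: str, column: str) -> bool:
    # The pattern the PR introduces: pragma_table_info is a table-valued
    # function (SQLite >= 3.16), so the table name is bound with "?" and
    # stays a plain string whatever characters it contains.
    rows = conn.execute(
        "SELECT name FROM pragma_table_info(?)", (table,)
    ).fetchall()
    return any(row[0] == column for row in rows)

# Bare SQL identifier: letters, digits, underscore; no quotes, spaces or comments.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def column_exists_checked(conn: sqlite3.Connection, table: str, column: str) -> bool:
    # Defence in depth (assumed, not in the PR): reject anything that is not a
    # bare identifier before it reaches the query at all.
    if _IDENT.fullmatch(table) is None:
        raise ValueError(f"invalid table name: {table!r}")
    return column_exists_safe(conn, table, column)

if __name__ == "__main__":
    db = demo_db()
    # A table name carrying SQL syntax: the unsafe version parses it as SQL
    # (the trailing "--" comment swallows the closing paren) and still answers
    # True; the safe version looks for a table literally named "users) --".
    tricky = "users) --"
    print(column_exists_unsafe(db, tricky, "id"))  # True
    print(column_exists_safe(db, tricky, "id"))    # False
```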