🛡️ Sentinel: [CRITICAL] Fix SQL injection in PRAGMA table_info usage

[mattjoyce]

🚨 Severity: CRITICAL
💡 Vulnerability: Found a potential SQL injection vulnerability in sqliteColumnExists where fmt.Sprintf("PRAGMA table_info(%s);", table) was used to dynamically construct a SQL query using string interpolation instead of parameterized queries.
🎯 Impact: If sqliteColumnExists is ever used with a table name coming from an untrusted source, it could lead to SQL injection attacks against the application's underlying database.
🔧 Fix: Changed the function to use the table-valued function pragma_table_info(?) which natively supports query parameterization instead of direct string formatting, removing the SQL injection vector. Also documented this pattern in .jules/sentinel.md.
✅ Verification: Verified changes visually and ensured storage tests (go test -v ./internal/storage/...) pass without issue.

---

PR created automatically by Jules for task 1189187947129556733 started by @mattjoyce

Summary by CodeRabbit

• Bug Fixes
  • Fixed a potential SQL injection vulnerability in database operations by implementing safer query parameterization methods.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b12455a5-90ff-4882-b88a-22ef890c6848

📥 Commits

Reviewing files that changed from the base of the PR and between b4d00cc and 65ddcd6.

📒 Files selected for processing (2)

• .jules/sentinel.md
• internal/storage/sqlite.go

---

📝 Walkthrough

Walkthrough

sqliteColumnExists now queries SQLite column metadata using parameterized pragma_table_info(?) instead of string interpolation via fmt.Sprintf. A new security sentinel entry documents the SQL injection vulnerability and the remediation approach, including handling of the reserved "notnull" keyword.

Changes

SQL Injection Fix

Layer / File(s)	Summary
Parameterized PRAGMA table_info Query internal/storage/sqlite.go, .jules/sentinel.md	sqliteColumnExists switches from interpolated PRAGMA table_info(%s) to parameterized pragma_table_info(?), eliminating SQL injection risk via malformed table identifiers. A security sentinel entry documents the vulnerability, the parameterization fix, and the requirement to quote the reserved "notnull" column name.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A table's name once roamed so free,
In SQL strings for all to see!
Now safe it hops through parameterized grace,
No injection shadows in this place.
Quoted keywords keep their ground,
Security wins the day around! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: fixing a SQL injection vulnerability in PRAGMA table_info usage by parameterizing the query.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sqlite-sql-injection-1189187947129556733

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}