🛡️ Sentinel: [CRITICAL] Fix SQL Injection in sqliteColumnExists

[mattjoyce]

🚨 Severity: CRITICAL
💡 Vulnerability: SQL Injection vector found in sqliteColumnExists (internal/storage/sqlite.go). The function sqliteColumnExists dynamically interpolated a string argument directly into a SQLite query using fmt.Sprintf("PRAGMA table_info(%s);", table).
🎯 Impact: If an attacker could control the table input parameter, they might be able to append additional SQL commands to be executed on the database or alter the scope of the original check (e.g., executing ); DROP TABLE ...).
🔧 Fix: Refactored the function to utilize SQLite's safer table-valued function alternative. By querying SELECT cid, name, type, "notnull", dflt_value, pk FROM pragma_table_info(?) with a bound parameter, SQL syntax structure is strictly enforced, and string inputs are correctly escaped by the database driver. The "notnull" column was appropriately quoted because it is a SQL reserved keyword.
✅ Verification: The codebase test suite successfully passes after applying this fix.

This commit fulfills Sentinel's daily security fix process.

---

PR created automatically by Jules for task 3263817608207373134 started by @mattjoyce

Summary by CodeRabbit

• Bug Fixes
  • Patched a SQL injection vulnerability in database schema query handling by implementing parameterized query execution instead of string concatenation, enhancing overall database security.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR addresses a SQL injection vulnerability in schema inspection. The sqliteColumnExists function in the storage layer now uses a parameterized pragma_table_info(?) query instead of string interpolation to safely bind table names. The security incident is documented in the Sentinel log with the fix and recommended query syntax.

Changes

SQL Injection Fix in Schema Inspection

Layer / File(s)	Summary
Parameterized schema inspection query and security documentation internal/storage/sqlite.go, .jules/sentinel.md	sqliteColumnExists switches from fmt.Sprintf("PRAGMA table_info(%s)") to parameterized pragma_table_info(?) to prevent SQL injection via table name. Sentinel entry documents the vulnerability, affected code, and parameterized mitigation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A query once framed with mere string and spray,
Now safely parameterized on its way!
No injection lurks where the question mark stands—
Schema introspection flows through safer hands. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: fixing a critical SQL injection vulnerability in sqliteColumnExists, which matches the core objective and file modifications.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-sql-injection-fix-3263817608207373134

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-2: Change the first line to a top-level heading and add a blank
line after it: update the heading "2026-05-24 - [SQL Injection via String
Formatting in PRAGMA table_info]" to be a H1 (prefix with a single "#") and
ensure there is an empty line between that heading and the following paragraph
so the file conforms to markdownlint rules.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f0e5dfba-feeb-4cd4-ad93-6b4eb2194652

📥 Commits

Reviewing files that changed from the base of the PR and between 5824d90 and 4ed986d.

📒 Files selected for processing (2)

• .jules/sentinel.md
• internal/storage/sqlite.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix heading level and blank-line spacing to satisfy markdownlint.

Line 1 should be a top-level heading, and it should be followed by a blank line before the paragraph text.

Suggested diff

-## 2026-05-24 - [SQL Injection via String Formatting in PRAGMA table_info]
+# 2026-05-24 - [SQL Injection via String Formatting in PRAGMA table_info]
+
 **Vulnerability:** Found a SQL injection risk in `internal/storage/sqlite.go` where `fmt.Sprintf("PRAGMA table_info(%s);", table)` was used to dynamically construct a schema inspection query.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2026-05-24 - [SQL Injection via String Formatting in PRAGMA table_info]
	**Vulnerability:** Found a SQL injection risk in `internal/storage/sqlite.go` where `fmt.Sprintf("PRAGMA table_info(%s);", table)` was used to dynamically construct a schema inspection query.
	# 2026-05-24 - [SQL Injection via String Formatting in PRAGMA table_info]
	**Vulnerability:** Found a SQL injection risk in `internal/storage/sqlite.go` where `fmt.Sprintf("PRAGMA table_info(%s);", table)` was used to dynamically construct a schema inspection query.

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 1-1: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 1-1: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.jules/sentinel.md around lines 1 - 2, Change the first line to a top-level
heading and add a blank line after it: update the heading "2026-05-24 - [SQL
Injection via String Formatting in PRAGMA table_info]" to be a H1 (prefix with a
single "#") and ensure there is an empty line between that heading and the
following paragraph so the file conforms to markdownlint rules.