sneak/vaultik
1
0
Fork 0
Code Issues 25 Pull Requests 8 Actions Packages Projects Releases Wiki Activity

fix: validate table name against allowlist in getTableCount to prevent SQL injection

Browse Source 
The getTableCount method used fmt.Sprintf to interpolate a table name directly
into a SQL query. While currently only called with hardcoded names, this is a
dangerous pattern. Added an allowlist of valid table names and return an error
for unrecognized names.
This commit is contained in:
clawbot 2026-02-08 12:03:18 -08:00
parent 46c2ea3079
commit 4d9f912a5f
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
internal/vaultik/snapshot.go
View File

@ -1126,12 +1126,26 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
return result, nil return result, nil
} }
// getTableCount returns the count of rows in a table // validTableNames is the allowlist of table names that can be counted.
var validTableNames = map[string]bool{
"files": true,
"chunks": true,
"blobs": true,
"uploads": true,
"snapshots": true,
}
// getTableCount returns the count of rows in a table.
// The tableName must be in the validTableNames allowlist to prevent SQL injection.
func (v *Vaultik) getTableCount(tableName string) (int64, error) { func (v *Vaultik) getTableCount(tableName string) (int64, error) {
if v.DB == nil { if v.DB == nil {
return 0, nil return 0, nil
} }
if !validTableNames[tableName] {
return 0, fmt.Errorf("invalid table name: %q", tableName)
}
var count int64 var count int64
query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName) query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)
err := v.DB.Conn().QueryRowContext(v.ctx, query).Scan(&count) err := v.DB.Conn().QueryRowContext(v.ctx, query).Scan(&count)