From bfd7334221a46692888a420cf18fef74df9cc021 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 15 Feb 2026 21:17:24 -0800
Subject: [PATCH] fix: replace table name allowlist with regex sanitization

Replace the hardcoded validTableNames allowlist with a regexp that only allows [a-z0-9_] characters. This prevents SQL injection without requiring maintenance of a separate allowlist when new tables are added. Addresses review feedback from @sneak on PR #32.
---
 internal/vaultik/snapshot.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/internal/vaultik/snapshot.go b/internal/vaultik/snapshot.go
index 0a8f7c7..39f4cc8 100644
--- a/internal/vaultik/snapshot.go
+++ b/internal/vaultik/snapshot.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "fmt"
 "os"
+ "regexp"
 "path/filepath"
 "sort"
 "strings"
@@ -1126,23 +1127,17 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 return result, nil
 }
-// validTableNames is the allowlist of table names that can be counted.
-var validTableNames = map[string]bool{
- "files": true,
- "chunks": true,
- "blobs": true,
- "uploads": true,
- "snapshots": true,
-}
+// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
+var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
 // getTableCount returns the count of rows in a table.
-// The tableName must be in the validTableNames allowlist to prevent SQL injection.
+// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
 if v.DB == nil {
 return 0, nil
 }
- if !validTableNames[tableName] {
+ if !validTableNameRe.MatchString(tableName) {
 return 0, fmt.Errorf("invalid table name: %q", tableName)
 }
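Review bot: The new `"regexp"` import in the first hunk is inserted between `"os"` and `"path/filepath"`, which breaks the alphabetical order gofmt enforces within an import group, so the file is no longer gofmt-clean. Move the line so the group reads `"os"`, `"path/filepath"`, `"regexp"`, `"sort"`. Otherwise the next gofmt or goimports run on this file will reorder it and produce an unrelated diff in someone else's change.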