fix: replace table name allowlist with regex sanitization

Replace the hardcoded validTableNames allowlist with a regexp that only allows [a-z0-9_] characters. This prevents SQL injection without requiring maintenance of a separate allowlist when new tables are added. Addresses review feedback from @sneak on PR #32.
2026-02-15 21:17:24 -08:00 · 2026-02-15 21:17:24 -08:00 · bfd7334221
commit bfd7334221
parent 9b32bf0846
1 changed files with 5 additions and 10 deletions
--- a/internal/vaultik/snapshot.go
+++ b/internal/vaultik/snapshot.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"regexp"
 	"path/filepath"
 	"sort"
 	"strings"
@ -1126,23 +1127,17 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }

-// validTableNames is the allowlist of table names that can be counted.
-var validTableNames = map[string]bool{
-	"files":    true,
-	"chunks":   true,
-	"blobs":    true,
-	"uploads":  true,
-	"snapshots": true,
-}
+// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
+var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)

 // getTableCount returns the count of rows in a table.
-// The tableName must be in the validTableNames allowlist to prevent SQL injection.
+// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
 	if v.DB == nil {
 		return 0, nil
 	}

-	if !validTableNames[tableName] {
+	if !validTableNameRe.MatchString(tableName) {
 		return 0, fmt.Errorf("invalid table name: %q", tableName)
 	}