fix: use whitelist for SQL table names in getTableCount (closes #7 )

Replace regex-based validation with a strict whitelist of allowed table names (files, chunks, blobs). The whitelist check now runs before the nil-DB early return so invalid names are always rejected. Removes unused regexp import.
fix: add missing printfStdout, printlnStdout, scanlnStdin, FetchBlob, and FetchAndDecryptBlob methods
2026-02-20 02:09:40 -08:00 · 2026-02-19 23:51:53 -08:00 · 2026-02-16 06:21:41 +01:00
4 changed files with 141 additions and 9 deletions
--- a/internal/vaultik/restore.go
+++ b/internal/vaultik/restore.go
@@ -473,6 +473,53 @@ func (v *Vaultik) restoreRegularFile(
 	return nil
 }

+// BlobFetchResult holds the result of fetching and decrypting a blob.
+type BlobFetchResult struct {
+	Data           []byte
+	CompressedSize int64
+}
+
+// FetchAndDecryptBlob downloads a blob from storage, decrypts and decompresses it.
+func (v *Vaultik) FetchAndDecryptBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) (*BlobFetchResult, error) {
+	// Construct blob path with sharding
+	blobPath := fmt.Sprintf("blobs/%s/%s/%s", blobHash[:2], blobHash[2:4], blobHash)
+
+	reader, err := v.Storage.Get(ctx, blobPath)
+	if err != nil {
+		return nil, fmt.Errorf("downloading blob: %w", err)
+	}
+	defer func() { _ = reader.Close() }()
+
+	// Read encrypted data
+	encryptedData, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf("reading blob data: %w", err)
+	}
+
+	// Decrypt and decompress
+	blobReader, err := blobgen.NewReader(bytes.NewReader(encryptedData), identity)
+	if err != nil {
+		return nil, fmt.Errorf("creating decryption reader: %w", err)
+	}
+	defer func() { _ = blobReader.Close() }()
+
+	data, err := io.ReadAll(blobReader)
+	if err != nil {
+		return nil, fmt.Errorf("decrypting blob: %w", err)
+	}
+
+	log.Debug("Downloaded and decrypted blob",
+		"hash", blobHash[:16],
+		"encrypted_size", humanize.Bytes(uint64(len(encryptedData))),
+		"decrypted_size", humanize.Bytes(uint64(len(data))),
+	)
+
+	return &BlobFetchResult{
+		Data:           data,
+		CompressedSize: int64(len(encryptedData)),
+	}, nil
+}
+
 // downloadBlob downloads and decrypts a blob
 func (v *Vaultik) downloadBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) ([]byte, error) {
 	result, err := v.FetchAndDecryptBlob(ctx, blobHash, expectedSize, identity)
--- a/internal/vaultik/snapshot.go
+++ b/internal/vaultik/snapshot.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"regexp"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -1127,18 +1126,25 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }

-// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
-var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
+// allowedTableNames is the exhaustive whitelist of table names that may be
+// passed to getTableCount. Any name not in this set is rejected, preventing
+// SQL injection even if caller-controlled input is accidentally supplied.
+var allowedTableNames = map[string]struct{}{
+	"files":  {},
+	"chunks": {},
+	"blobs":  {},
+}

-// getTableCount returns the count of rows in a table.
-// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
+// getTableCount returns the number of rows in the given table.
+// tableName must appear in the allowedTableNames whitelist; all other values
+// are rejected with an error, preventing SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
-	if v.DB == nil {
-		return 0, nil
+	if _, ok := allowedTableNames[tableName]; !ok {
+		return 0, fmt.Errorf("table name not allowed: %q", tableName)
 	}

-	if !validTableNameRe.MatchString(tableName) {
-		return 0, fmt.Errorf("invalid table name: %q", tableName)
+	if v.DB == nil {
+		return 0, nil
 	}

 	var count int64
--- a/internal/vaultik/table_count_test.go
+++ b/internal/vaultik/table_count_test.go
@@ -0,0 +1,51 @@
+package vaultik
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedTableNames(t *testing.T) {
+	// Verify the whitelist contains exactly the expected tables
+	expected := []string{"files", "chunks", "blobs"}
+	assert.Len(t, allowedTableNames, len(expected))
+	for _, name := range expected {
+		_, ok := allowedTableNames[name]
+		assert.True(t, ok, "expected %q in allowedTableNames", name)
+	}
+}
+
+func TestGetTableCount_RejectsInvalidNames(t *testing.T) {
+	v := &Vaultik{} // DB is nil, but rejection happens before DB access
+	v.DB = nil      // explicit
+
+	tests := []struct {
+		name      string
+		tableName string
+		wantErr   bool
+	}{
+		{"allowed files", "files", false},
+		{"allowed chunks", "chunks", false},
+		{"allowed blobs", "blobs", false},
+		{"sql injection attempt", "files; DROP TABLE files--", true},
+		{"unknown table", "users", true},
+		{"empty string", "", true},
+		{"uppercase", "FILES", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			count, err := v.getTableCount(tt.tableName)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "not allowed")
+				assert.Equal(t, int64(0), count)
+			} else {
+				// DB is nil so returns 0, nil for allowed names
+				assert.NoError(t, err)
+				assert.Equal(t, int64(0), count)
+			}
+		})
+	}
+}
--- a/internal/vaultik/vaultik.go
+++ b/internal/vaultik/vaultik.go
@@ -135,6 +135,34 @@ func (v *Vaultik) Outputf(format string, args ...any) {
 	_, _ = fmt.Fprintf(v.Stdout, format, args...)
 }

+// printfStdout writes formatted output to stdout.
+func (v *Vaultik) printfStdout(format string, args ...any) {
+	_, _ = fmt.Fprintf(v.Stdout, format, args...)
+}
+
+// printlnStdout writes a line to stdout.
+func (v *Vaultik) printlnStdout(args ...any) {
+	_, _ = fmt.Fprintln(v.Stdout, args...)
+}
+
+// scanlnStdin reads a line from stdin into the provided string pointer.
+func (v *Vaultik) scanlnStdin(s *string) error {
+	_, err := fmt.Fscanln(v.Stdin, s)
+	return err
+}
+
+// FetchBlob downloads a blob from storage and returns a reader for the encrypted data.
+func (v *Vaultik) FetchBlob(ctx context.Context, blobHash string, expectedSize int64) (io.ReadCloser, int64, error) {
+	blobPath := fmt.Sprintf("blobs/%s/%s/%s", blobHash[:2], blobHash[2:4], blobHash)
+
+	reader, err := v.Storage.Get(ctx, blobPath)
+	if err != nil {
+		return nil, 0, fmt.Errorf("downloading blob: %w", err)
+	}
+
+	return reader, expectedSize, nil
+}
+
 // TestVaultik wraps a Vaultik with captured stdout/stderr for testing
 type TestVaultik struct {
 	*Vaultik
Author	SHA1	Message	Date
user	bb4b9b5bc9	fix: use whitelist for SQL table names in getTableCount (closes #7 ) Replace regex-based validation with a strict whitelist of allowed table names (files, chunks, blobs). The whitelist check now runs before the nil-DB early return so invalid names are always rejected. Removes unused regexp import.	2026-02-20 02:09:40 -08:00
clawbot	d77ac18aaa	fix: add missing printfStdout, printlnStdout, scanlnStdin, FetchBlob, and FetchAndDecryptBlob methods These methods were referenced in main but never defined, causing compilation failures. They were introduced by merges that assumed dependent PRs were already merged.	2026-02-19 23:51:53 -08:00
Jeffrey Paul	825f25da58	Merge pull request 'Validate table name against allowlist in getTableCount (closes #27 )' (#32 ) from fix/issue-27 into main Reviewed-on: #32	2026-02-16 06:21:41 +01:00