fix: use whitelist for SQL table names in getTableCount (closes #7)

Replace regex-based validation with a strict whitelist of allowed table
names (files, chunks, blobs). The whitelist check now runs before the
nil-DB early return so invalid names are always rejected.

Removes unused regexp import.

internal/vaultik/restore.go

@@ -473,6 +473,53 @@ func (v *Vaultik) restoreRegularFile(
 	return nil
 }
 
+// BlobFetchResult holds the result of fetching and decrypting a blob.
+type BlobFetchResult struct {
+	Data           []byte
+	CompressedSize int64
+}
+
+// FetchAndDecryptBlob downloads a blob from storage, decrypts and decompresses it.
+func (v *Vaultik) FetchAndDecryptBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) (*BlobFetchResult, error) {
+	// Construct blob path with sharding
+	blobPath := fmt.Sprintf("blobs/%s/%s/%s", blobHash[:2], blobHash[2:4], blobHash)
+
+	reader, err := v.Storage.Get(ctx, blobPath)
+	if err != nil {
+		return nil, fmt.Errorf("downloading blob: %w", err)
+	}
+	defer func() { _ = reader.Close() }()
+
+	// Read encrypted data
+	encryptedData, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf("reading blob data: %w", err)
+	}
+
+	// Decrypt and decompress
+	blobReader, err := blobgen.NewReader(bytes.NewReader(encryptedData), identity)
+	if err != nil {
+		return nil, fmt.Errorf("creating decryption reader: %w", err)
+	}
+	defer func() { _ = blobReader.Close() }()
+
+	data, err := io.ReadAll(blobReader)
+	if err != nil {
+		return nil, fmt.Errorf("decrypting blob: %w", err)
+	}
+
+	log.Debug("Downloaded and decrypted blob",
+		"hash", blobHash[:16],
+		"encrypted_size", humanize.Bytes(uint64(len(encryptedData))),
+		"decrypted_size", humanize.Bytes(uint64(len(data))),
+	)
+
+	return &BlobFetchResult{
+		Data:           data,
+		CompressedSize: int64(len(encryptedData)),
+	}, nil
+}
+
 // downloadBlob downloads and decrypts a blob
 func (v *Vaultik) downloadBlob(ctx context.Context, blobHash string, expectedSize int64, identity age.Identity) ([]byte, error) {
 	result, err := v.FetchAndDecryptBlob(ctx, blobHash, expectedSize, identity)

internal/vaultik/snapshot.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"regexp"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -1127,18 +1126,25 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }
 
-// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
+// allowedTableNames is the exhaustive whitelist of table names that may be
-var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
+// passed to getTableCount. Any name not in this set is rejected, preventing
-
+// SQL injection even if caller-controlled input is accidentally supplied.
-// getTableCount returns the count of rows in a table.
+var allowedTableNames = map[string]struct{}{
-// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
+	"files":  {},
-func (v *Vaultik) getTableCount(tableName string) (int64, error) {
+	"chunks": {},
-	if v.DB == nil {
+	"blobs":  {},
-		return 0, nil
 }
 
-	if !validTableNameRe.MatchString(tableName) {
+// getTableCount returns the number of rows in the given table.
-		return 0, fmt.Errorf("invalid table name: %q", tableName)
+// tableName must appear in the allowedTableNames whitelist; all other values
+// are rejected with an error, preventing SQL injection.
+func (v *Vaultik) getTableCount(tableName string) (int64, error) {
+	if _, ok := allowedTableNames[tableName]; !ok {
+		return 0, fmt.Errorf("table name not allowed: %q", tableName)
+	}
+
+	if v.DB == nil {
+		return 0, nil
 	}
 
 	var count int64

internal/vaultik/table_count_test.go

@@ -0,0 +1,51 @@
+package vaultik
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedTableNames(t *testing.T) {
+	// Verify the whitelist contains exactly the expected tables
+	expected := []string{"files", "chunks", "blobs"}
+	assert.Len(t, allowedTableNames, len(expected))
+	for _, name := range expected {
+		_, ok := allowedTableNames[name]
+		assert.True(t, ok, "expected %q in allowedTableNames", name)
+	}
+}
+
+func TestGetTableCount_RejectsInvalidNames(t *testing.T) {
+	v := &Vaultik{} // DB is nil, but rejection happens before DB access
+	v.DB = nil      // explicit
+
+	tests := []struct {
+		name      string
+		tableName string
+		wantErr   bool
+	}{
+		{"allowed files", "files", false},
+		{"allowed chunks", "chunks", false},
+		{"allowed blobs", "blobs", false},
+		{"sql injection attempt", "files; DROP TABLE files--", true},
+		{"unknown table", "users", true},
+		{"empty string", "", true},
+		{"uppercase", "FILES", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			count, err := v.getTableCount(tt.tableName)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "not allowed")
+				assert.Equal(t, int64(0), count)
+			} else {
+				// DB is nil so returns 0, nil for allowed names
+				assert.NoError(t, err)
+				assert.Equal(t, int64(0), count)
+			}
+		})
+	}
+}

internal/vaultik/vaultik.go

@@ -135,6 +135,34 @@ func (v *Vaultik) Outputf(format string, args ...any) {
 	_, _ = fmt.Fprintf(v.Stdout, format, args...)
 }
 
+// printfStdout writes formatted output to stdout.
+func (v *Vaultik) printfStdout(format string, args ...any) {
+	_, _ = fmt.Fprintf(v.Stdout, format, args...)
+}
+
+// printlnStdout writes a line to stdout.
+func (v *Vaultik) printlnStdout(args ...any) {
+	_, _ = fmt.Fprintln(v.Stdout, args...)
+}
+
+// scanlnStdin reads a line from stdin into the provided string pointer.
+func (v *Vaultik) scanlnStdin(s *string) error {
+	_, err := fmt.Fscanln(v.Stdin, s)
+	return err
+}
+
+// FetchBlob downloads a blob from storage and returns a reader for the encrypted data.
+func (v *Vaultik) FetchBlob(ctx context.Context, blobHash string, expectedSize int64) (io.ReadCloser, int64, error) {
+	blobPath := fmt.Sprintf("blobs/%s/%s/%s", blobHash[:2], blobHash[2:4], blobHash)
+
+	reader, err := v.Storage.Get(ctx, blobPath)
+	if err != nil {
+		return nil, 0, fmt.Errorf("downloading blob: %w", err)
+	}
+
+	return reader, expectedSize, nil
+}
+
 // TestVaultik wraps a Vaultik with captured stdout/stderr for testing
 type TestVaultik struct {
 	*Vaultik