Merge branch 'main' into fix/sql-injection-whitelist

fix: use whitelist for SQL table names in getTableCount (closes #7 )
Replace regex-based validation with a strict whitelist of allowed table names (files, chunks, blobs). The whitelist check now runs before the nil-DB early return so invalid names are always rejected. Removes unused regexp import.
2026-02-20 11:16:27 +01:00 · 2026-02-20 02:09:40 -08:00
4 changed files with 75 additions and 67 deletions
--- a/internal/vaultik/restore.go
+++ b/internal/vaultik/restore.go
@ -122,8 +122,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {

 		if err := v.restoreFile(v.ctx, repos, file, opts.TargetDir, identity, chunkToBlobMap, blobCache, result); err != nil {
 			log.Error("Failed to restore file", "path", file.Path, "error", err)
-			result.FilesFailed++
-			result.FailedFiles = append(result.FailedFiles, file.Path.String())
 			// Continue with other files
 			continue
 		}
@ -153,13 +151,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		result.Duration.Round(time.Second),
 	)

-	if result.FilesFailed > 0 {
-		_, _ = fmt.Fprintf(v.Stdout, "\nWARNING: %d file(s) failed to restore:\n", result.FilesFailed)
-		for _, path := range result.FailedFiles {
-			_, _ = fmt.Fprintf(v.Stdout, "  - %s\n", path)
-		}
-	}
-
 	// Run verification if requested
 	if opts.Verify {
 		if err := v.verifyRestoredFiles(v.ctx, repos, files, opts.TargetDir, result); err != nil {
@ -180,10 +171,6 @@ func (v *Vaultik) Restore(opts *RestoreOptions) error {
 		)
 	}

-	if result.FilesFailed > 0 {
-		return fmt.Errorf("%d file(s) failed to restore", result.FilesFailed)
-	}
-
 	return nil
 }

--- a/internal/vaultik/snapshot.go
+++ b/internal/vaultik/snapshot.go
@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"regexp"
 	"sort"
 	"strings"
 	"text/tabwriter"
@ -90,24 +89,6 @@ func (v *Vaultik) CreateSnapshot(opts *SnapshotCreateOptions) error {
 		v.printfStdout("\nAll %d snapshots completed in %s\n", len(snapshotNames), time.Since(overallStartTime).Round(time.Second))
 	}

-	// Prune old snapshots and unreferenced blobs if --prune was specified
-	if opts.Prune {
-		log.Info("Pruning enabled - deleting old snapshots and unreferenced blobs")
-		v.printlnStdout("\nPruning old snapshots (keeping latest)...")
-
-		if err := v.PurgeSnapshots(true, "", true); err != nil {
-			return fmt.Errorf("prune: purging old snapshots: %w", err)
-		}
-
-		v.printlnStdout("Pruning unreferenced blobs...")
-
-		if err := v.PruneBlobs(&PruneOptions{Force: true}); err != nil {
-			return fmt.Errorf("prune: removing unreferenced blobs: %w", err)
-		}
-
-		log.Info("Pruning complete")
-	}
-
 	return nil
 }

@ -324,6 +305,11 @@ func (v *Vaultik) createNamedSnapshot(opts *SnapshotCreateOptions, hostname, sna
 	}
 	v.printfStdout("Duration: %s\n", formatDuration(snapshotDuration))

+	if opts.Prune {
+		log.Info("Pruning enabled - will delete old snapshots after snapshot")
+		// TODO: Implement pruning
+	}
+
 	return nil
 }

@ -1017,16 +1003,16 @@ func (v *Vaultik) deleteSnapshotFromLocalDB(snapshotID string) error {

 	// Delete related records first to avoid foreign key constraints
 	if err := v.Repositories.Snapshots.DeleteSnapshotFiles(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot files for %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot files", "snapshot_id", snapshotID, "error", err)
 	}
 	if err := v.Repositories.Snapshots.DeleteSnapshotBlobs(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot blobs for %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot blobs", "snapshot_id", snapshotID, "error", err)
 	}
 	if err := v.Repositories.Snapshots.DeleteSnapshotUploads(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot uploads for %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot uploads", "snapshot_id", snapshotID, "error", err)
 	}
 	if err := v.Repositories.Snapshots.Delete(v.ctx, snapshotID); err != nil {
-		return fmt.Errorf("deleting snapshot record %s: %w", snapshotID, err)
+		log.Error("Failed to delete snapshot record", "snapshot_id", snapshotID, "error", err)
 	}

 	return nil
@ -1140,18 +1126,25 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }

-// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
-var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
-
-// getTableCount returns the count of rows in a table.
-// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
-func (v *Vaultik) getTableCount(tableName string) (int64, error) {
-	if v.DB == nil {
-		return 0, nil
+// allowedTableNames is the exhaustive whitelist of table names that may be
+// passed to getTableCount. Any name not in this set is rejected, preventing
+// SQL injection even if caller-controlled input is accidentally supplied.
+var allowedTableNames = map[string]struct{}{
+	"files":  {},
+	"chunks": {},
+	"blobs":  {},
 }

-	if !validTableNameRe.MatchString(tableName) {
-		return 0, fmt.Errorf("invalid table name: %q", tableName)
+// getTableCount returns the number of rows in the given table.
+// tableName must appear in the allowedTableNames whitelist; all other values
+// are rejected with an error, preventing SQL injection.
+func (v *Vaultik) getTableCount(tableName string) (int64, error) {
+	if _, ok := allowedTableNames[tableName]; !ok {
+		return 0, fmt.Errorf("table name not allowed: %q", tableName)
+	}
+
+	if v.DB == nil {
+		return 0, nil
 	}

 	var count int64
--- a/internal/vaultik/snapshot_prune_test.go
+++ b/internal/vaultik/snapshot_prune_test.go
@ -1,23 +0,0 @@
-package vaultik
-
-import (
-	"testing"
-)
-
-// TestSnapshotCreateOptions_PruneFlag verifies the Prune field exists on
-// SnapshotCreateOptions and can be set.
-func TestSnapshotCreateOptions_PruneFlag(t *testing.T) {
-	opts := &SnapshotCreateOptions{
-		Prune: true,
-	}
-	if !opts.Prune {
-		t.Error("Expected Prune to be true")
-	}
-
-	opts2 := &SnapshotCreateOptions{
-		Prune: false,
-	}
-	if opts2.Prune {
-		t.Error("Expected Prune to be false")
-	}
-}
--- a/internal/vaultik/table_count_test.go
+++ b/internal/vaultik/table_count_test.go
@ -0,0 +1,51 @@
+package vaultik
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedTableNames(t *testing.T) {
+	// Verify the whitelist contains exactly the expected tables
+	expected := []string{"files", "chunks", "blobs"}
+	assert.Len(t, allowedTableNames, len(expected))
+	for _, name := range expected {
+		_, ok := allowedTableNames[name]
+		assert.True(t, ok, "expected %q in allowedTableNames", name)
+	}
+}
+
+func TestGetTableCount_RejectsInvalidNames(t *testing.T) {
+	v := &Vaultik{} // DB is nil, but rejection happens before DB access
+	v.DB = nil      // explicit
+
+	tests := []struct {
+		name      string
+		tableName string
+		wantErr   bool
+	}{
+		{"allowed files", "files", false},
+		{"allowed chunks", "chunks", false},
+		{"allowed blobs", "blobs", false},
+		{"sql injection attempt", "files; DROP TABLE files--", true},
+		{"unknown table", "users", true},
+		{"empty string", "", true},
+		{"uppercase", "FILES", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			count, err := v.getTableCount(tt.tableName)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "not allowed")
+				assert.Equal(t, int64(0), count)
+			} else {
+				// DB is nil so returns 0, nil for allowed names
+				assert.NoError(t, err)
+				assert.Equal(t, int64(0), count)
+			}
+		})
+	}
+}
Author	SHA1	Message	Date
Jeffrey Paul	3e282af516	Merge branch 'main' into fix/sql-injection-whitelist	2026-02-20 11:16:27 +01:00
user	bb4b9b5bc9	fix: use whitelist for SQL table names in getTableCount (closes #7 ) Replace regex-based validation with a strict whitelist of allowed table names (files, chunks, blobs). The whitelist check now runs before the nil-DB early return so invalid names are always rejected. Removes unused regexp import.	2026-02-20 02:09:40 -08:00