SQL injection risk in getTableCount via fmt.Sprintf table name interpolation #27

Open
opened 2026-02-08 21:01:09 +01:00 by clawbot · 0 comments

## Bug

`getTableCount` in `internal/vaultik/snapshot.go` uses `fmt.Sprintf` to interpolate a table name directly into a SQL query:

```go
func (v *Vaultik) getTableCount(tableName string) (int64, error) {
	// tableName is spliced straight into the SQL text; nothing checks it first
	query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)
	var count int64
	err := v.DB.Conn().QueryRowContext(v.ctx, query).Scan(&count)
	return count, err
}
```

While currently only called with hardcoded table names (files, chunks, blobs), this is a dangerous pattern. If the function is ever called with user-provided input, it becomes a SQL injection vulnerability.

## Fix

Validate the table name against an allowlist of known tables before interpolation.
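One way the allowlist check can look, as an added example that is not vaultik's code: the three table names are the ones named in this issue, and `getTableCount` is given a plain `*sql.DB` parameter here (hypothetical signature) instead of the project's `v.DB.Conn()` / `v.ctx`.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
)

// knownTables is the allowlist of tables getTableCount may be asked about
// (the names mentioned in the issue). Anything else is rejected before the
// string ever reaches fmt.Sprintf. Lookup is exact, so case variants and
// any string carrying extra SQL are refused.
var knownTables = map[string]bool{
	"files":  true,
	"chunks": true,
	"blobs":  true,
}

// tableCountQuery validates tableName against the allowlist and only then
// builds the COUNT query. The identifier is double-quoted so the SQL stays
// unambiguous even if a future allowlisted name happens to be a keyword.
func tableCountQuery(tableName string) (string, error) {
	if !knownTables[tableName] {
		return "", fmt.Errorf("getTableCount: table %q is not in the allowlist", tableName)
	}
	return fmt.Sprintf(`SELECT COUNT(*) FROM "%s"`, tableName), nil
}

// getTableCount is the hardened shape of the function from the issue:
// the only SQL that can run is one of the three allowlisted queries.
func getTableCount(ctx context.Context, db *sql.DB, tableName string) (int64, error) {
	query, err := tableCountQuery(tableName)
	if err != nil {
		return 0, err
	}
	var count int64
	if err := db.QueryRowContext(ctx, query).Scan(&count); err != nil {
		return 0, fmt.Errorf("getTableCount %s: %w", tableName, err)
	}
	return count, nil
}

func main() {
	// Constructed inputs: one legitimate name, one that smuggles extra SQL.
	for _, name := range []string{"files", "files; --"} {
		q, err := tableCountQuery(name)
		fmt.Printf("%-12q -> query=%q err=%v\n", name, q, err)
	}
}
```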

clawbot self-assigned this 2026-02-08 21:01:09 +01:00
Reference: sneak/vaultik#27