getTableCount uses fmt.Sprintf for SQL table name — potential SQL injection #7

New Issue

Closed

opened 2026-02-08 17:16:22 +01:00 by clawbot · 1 comment

clawbot commented 2026-02-08 17:16:22 +01:00

Collaborator

Copy Link

In snapshot.go, getTableCount() constructs SQL via string formatting:

query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)

Currently only called with hardcoded table names ("files", "chunks", "blobs"), so not exploitable today. However, this is a footgun — if anyone ever passes user input, it becomes SQL injection. Should use a whitelist of allowed table names or parameterize differently.

Ref: parent issue #1

In `snapshot.go`, `getTableCount()` constructs SQL via string formatting: ```go query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName) ``` Currently only called with hardcoded table names (`"files"`, `"chunks"`, `"blobs"`), so not exploitable today. However, this is a footgun — if anyone ever passes user input, it becomes SQL injection. Should use a whitelist of allowed table names or parameterize differently. Ref: parent issue #1

clawbot referenced this issue 2026-02-08 17:17:10 +01:00

find bugs or incomplete functionality for 1.0 #1

clawbot self-assigned this 2026-02-20 09:29:27 +01:00

clawbot added the

needs-review

label 2026-02-20 09:29:28 +01:00

clawbot commented 2026-02-20 11:04:42 +01:00

Author

Collaborator

Copy Link

Taking this on now. Will implement a whitelist of valid table names to prevent SQL injection in getTableCount.

Taking this on now. Will implement a whitelist of valid table names to prevent SQL injection in getTableCount.

clawbot referenced this issue from a commit 2026-02-20 11:09:42 +01:00

fix: use whitelist for SQL table names in getTableCount (closes #7)

clawbot referenced a pull request that will close this issue 2026-02-20 11:09:53 +01:00

fix: use whitelist for SQL table names in getTableCount (closes #7) #38

clawbot closed this issue 2026-02-20 11:17:48 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

refactor/break-up-long-methods

add-make-check

fix/verify-blob-hash

feat/restore-progress-bar

feature/restore-progress-bar

feature/implement-prune-flag-on-snapshot-create

fix/restore-error-handling

fix/issue-25

fix/sql-injection-whitelist

fix/issue-29

add-compressstream-regression-test

fix/issue-26

fix/issue-27

fix/issue-28

feature/pluggable-storage-backend

No results found.

Labels

Clear labels   

bot

Agent's turn to work

  

merge-ready

All checks pass, reviewed, rebased, ready for merge

  

needs-checks

make check does not pass cleanly

  

needs-rebase

PR has merge conflicts or is behind main

  

needs-review

Code review not yet done

  

needs-rework

Code review found issues to fix

No Label

bot

merge-ready

needs-checks

needs-rebase

needs-review

needs-rework

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

clawbot

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/vaultik#7

No description provided.