getTableCount uses fmt.Sprintf for SQL table name — potential SQL injection #7

Open
opened 2026-02-08 17:16:22 +01:00 by clawbot · 0 comments

In `snapshot.go`, `getTableCount()` constructs SQL via string formatting:

```go
query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)
```

Currently only called with hardcoded table names (`"files"`, `"chunks"`, `"blobs"`), so not exploitable today. However, this is a footgun — if anyone ever passes user input, it becomes SQL injection. Should use a whitelist of allowed table names or parameterize differently.

Ref: parent issue #1

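One way to apply the allowlist the issue suggests, written as an added example rather than vaultik's own code. Table identifiers cannot be bound as query parameters, so the fix is to validate the name against a fixed set before formatting; the three table names and the `getTableCount` signature are assumptions taken from the issue text.

```go
package main

import (
	"database/sql"
	"fmt"
)

// allowedTables is the fixed set of table names getTableCount may query.
// Identifiers cannot be bound with placeholders, so an allowlist is the
// right control. The names are the three mentioned in the issue (assumed).
var allowedTables = map[string]struct{}{
	"files":  {},
	"chunks": {},
	"blobs":  {},
}

// buildCountQuery returns the COUNT query for tableName, or an error if the
// name is not allowlisted. Kept separate from execution so the validation
// can be tested without a database.
func buildCountQuery(tableName string) (string, error) {
	if _, ok := allowedTables[tableName]; !ok {
		return "", fmt.Errorf("getTableCount: table %q is not in the allowlist", tableName)
	}
	// Safe: tableName is now known to be one of the literal keys above,
	// so the formatted identifier is never caller-controlled text.
	return fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName), nil
}

// getTableCount is the hardened form: validate first, then run the query.
// Any unexpected name is rejected before a statement is built.
func getTableCount(db *sql.DB, tableName string) (int64, error) {
	query, err := buildCountQuery(tableName)
	if err != nil {
		return 0, err
	}
	var n int64
	if err := db.QueryRow(query).Scan(&n); err != nil {
		return 0, fmt.Errorf("getTableCount %s: %w", tableName, err)
	}
	return n, nil
}
```

The allowlist lookup is exact and case-sensitive, so a name that differs only in case or carries trailing characters is rejected rather than normalised.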
Reference: sneak/vaultik#7