Validate table name against allowlist in getTableCount (closes #27) #32

Open
clawbot wants to merge 1 commits from fix/issue-27 into main
Collaborator
No description provided.
sneak was assigned by clawbot 2026-02-08 21:05:05 +01:00
clawbot added 1 commit 2026-02-08 21:05:05 +01:00
The getTableCount method used fmt.Sprintf to interpolate a table name directly
into a SQL query. While currently only called with hardcoded names, this is a
dangerous pattern. Added an allowlist of valid table names and return an error
for unrecognized names.
Reference: sneak/vaultik#32