From 4d9f912a5f89c454cb5cb9b7945864c594d883af Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 8 Feb 2026 12:03:18 -0800
Subject: [PATCH] fix: validate table name against allowlist in getTableCount to prevent SQL injection

The getTableCount method used fmt.Sprintf to interpolate a table name directly into a SQL query. While currently only called with hardcoded names, this is a dangerous pattern. Added an allowlist of valid table names and return an error for unrecognized names.
---
 internal/vaultik/snapshot.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/internal/vaultik/snapshot.go b/internal/vaultik/snapshot.go
index 4d953dd..e42f589 100644
--- a/internal/vaultik/snapshot.go
+++ b/internal/vaultik/snapshot.go
@@ -1126,12 +1126,26 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 return result, nil
 }
 
-// getTableCount returns the count of rows in a table
+// validTableNames is the allowlist of table names that can be counted.
+var validTableNames = map[string]bool{
+ "files": true,
+ "chunks": true,
+ "blobs": true,
+ "uploads": true,
+ "snapshots": true,
+}
+
+// getTableCount returns the count of rows in a table.
+// The tableName must be in the validTableNames allowlist to prevent SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
 if v.DB == nil {
 return 0, nil
 }
 
+ if !validTableNames[tableName] {
+ return 0, fmt.Errorf("invalid table name: %q", tableName)
+ }
+
 var count int64
 query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tableName)
 err := v.DB.Conn().QueryRowContext(v.ctx, query).Scan(&count)
-- 
2.45.2
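Review bot: The allowlist check sits after the `v.DB == nil` early return, so a caller passing an unknown table name while no database is open still gets `0, nil` instead of the new error; moving `if !validTableNames[tableName] { return 0, fmt.Errorf("invalid table name: %q", tableName) }` ahead of the nil-DB check makes the validation unconditional and surfaces a wrong name regardless of connection state. Since the set of names is closed, the remaining `fmt.Sprintf` could be removed entirely by keying the map on the full statement (`map[string]string{"files": "SELECT COUNT(*) FROM files", …}`) and looking up the query, which leaves no interpolation path for a reviewer to audit. `map[string]bool` works as a set, but `map[string]struct{}` with a `_, ok :=` lookup is the conventional membership-only form and avoids a `false` entry silently disabling a name. The body of getTableCount continues past the end of the hunk, so the rest of the error handling was not reviewed here.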