internal/vaultik/snapshot.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"regexp"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -1126,23 +1127,17 @@ func (v *Vaultik) PruneDatabase() (*PruneResult, error) {
 	return result, nil
 }
 
-// validTableNames is the allowlist of table names that can be counted.
-var validTableNames = map[string]bool{
-	"files":    true,
-	"chunks":   true,
-	"blobs":    true,
-	"uploads":  true,
-	"snapshots": true,
-}
+// validTableNameRe matches table names containing only lowercase alphanumeric characters and underscores.
+var validTableNameRe = regexp.MustCompile(`^[a-z0-9_]+$`)
 
 // getTableCount returns the count of rows in a table.
-// The tableName must be in the validTableNames allowlist to prevent SQL injection.
+// The tableName is sanitized to only allow [a-z0-9_] characters to prevent SQL injection.
 func (v *Vaultik) getTableCount(tableName string) (int64, error) {
 	if v.DB == nil {
 		return 0, nil
 	}
 
-	if !validTableNames[tableName] {
+	if !validTableNameRe.MatchString(tableName) {
 		return 0, fmt.Errorf("invalid table name: %q", tableName)
 	}