fix: use whitelist for SQL table names in getTableCount (closes #7) #38

Closed
clawbot wants to merge 2 commits from fix/sql-injection-whitelist into main
Collaborator

Summary

Replace regex-based validation in getTableCount() with a strict whitelist of allowed table names (files, chunks, blobs). The whitelist check now runs before the nil-DB early return, ensuring invalid names are always rejected regardless of DB state.

Also removes the now-unused regexp import.

Test

Added table_count_test.go with tests for:

  • Whitelist completeness
  • Allowed names pass through
  • SQL injection attempts rejected
  • Unknown table names rejected
  • Empty string rejected
  • Case sensitivity

make test output

0 issues.
ok  git.eeqj.de/sneak/vaultik/internal/blob
ok  git.eeqj.de/sneak/vaultik/internal/blobgen
ok  git.eeqj.de/sneak/vaultik/internal/chunker
ok  git.eeqj.de/sneak/vaultik/internal/cli
ok  git.eeqj.de/sneak/vaultik/internal/config
ok  git.eeqj.de/sneak/vaultik/internal/crypto
ok  git.eeqj.de/sneak/vaultik/internal/database
ok  git.eeqj.de/sneak/vaultik/internal/globals
ok  git.eeqj.de/sneak/vaultik/internal/models
ok  git.eeqj.de/sneak/vaultik/internal/pidlock
ok  git.eeqj.de/sneak/vaultik/internal/s3
ok  git.eeqj.de/sneak/vaultik/internal/snapshot
ok  git.eeqj.de/sneak/vaultik/internal/vaultik

All tests pass, 0 lint issues.

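The whitelist pattern the description above outlines, written out as an added example; this is not the vaultik code from this PR. It assumes a function shape of `GetTableCount(ctx, db, table)`, assumes the nil-DB early return yields `0, nil`, and takes only the three table names from the description; `allowedTables`, `ValidateTableName` and `BuildCountQuery` are hypothetical names chosen here.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
)

// ErrInvalidTable is returned for any name that is not on the whitelist.
var ErrInvalidTable = errors.New("invalid table name")

// allowedTables is the closed set of identifiers that may ever be interpolated
// into query text. The three names come from the PR description; the set is a
// map so membership is an exact, case-sensitive lookup rather than a pattern.
var allowedTables = map[string]struct{}{
	"files":  {},
	"chunks": {},
	"blobs":  {},
}

// ValidateTableName accepts only exact whitelist members. "Files", "" and any
// string carrying extra SQL tokens all fail, with no regex to get subtly wrong.
func ValidateTableName(name string) error {
	if _, ok := allowedTables[name]; !ok {
		return fmt.Errorf("%w: %q", ErrInvalidTable, name)
	}
	return nil
}

// BuildCountQuery returns the COUNT(*) statement for a whitelisted table.
// Identifiers cannot be bound as query parameters, which is why the
// whitelist, not a placeholder, is the control here.
func BuildCountQuery(table string) (string, error) {
	if err := ValidateTableName(table); err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT COUNT(*) FROM %s", table), nil
}

// GetTableCount (hypothetical shape) validates the name before the nil-DB
// early return, so an invalid name is rejected regardless of DB state.
// The nil-DB result of 0, nil is an assumption, not taken from the project.
func GetTableCount(ctx context.Context, db *sql.DB, table string) (int64, error) {
	query, err := BuildCountQuery(table)
	if err != nil {
		return 0, err
	}
	if db == nil {
		return 0, nil
	}
	var n int64
	if err := db.QueryRowContext(ctx, query).Scan(&n); err != nil {
		return 0, err
	}
	return n, nil
}

func main() {
	// Constructed inputs: one valid name, one wrong-case name, one malformed.
	for _, name := range []string{"files", "Files", "files; --"} {
		n, err := GetTableCount(context.Background(), nil, name)
		fmt.Printf("%-12q -> count=%d err=%v\n", name, n, err)
	}
}
```

Ordering is the point of the example: because validation precedes the `db == nil` branch, a unit test can exercise the rejection path with a nil database, which is exactly what the PR's test list (empty string, case sensitivity, unknown names) relies on.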
clawbot added the
needs-checks
label 2026-02-20 11:09:53 +01:00
clawbot self-assigned this 2026-02-20 11:09:53 +01:00
clawbot added 1 commit 2026-02-20 11:09:53 +01:00
Replace regex-based validation with a strict whitelist of allowed table
names (files, chunks, blobs). The whitelist check now runs before the
nil-DB early return so invalid names are always rejected.

Removes unused regexp import.
sneak added 1 commit 2026-02-20 11:16:28 +01:00
Author
Collaborator

make test output (lint + tests)

All checks pass — 0 lint issues, all tests PASS.

golangci-lint run
0 issues.

ok  git.eeqj.de/sneak/vaultik/internal/blob       0.787s
ok  git.eeqj.de/sneak/vaultik/internal/blobgen    0.322s
ok  git.eeqj.de/sneak/vaultik/internal/chunker    0.197s
ok  git.eeqj.de/sneak/vaultik/internal/cli        1.492s
ok  git.eeqj.de/sneak/vaultik/internal/config     0.558s
ok  git.eeqj.de/sneak/vaultik/internal/crypto     0.810s
ok  git.eeqj.de/sneak/vaultik/internal/database   3.127s
ok  git.eeqj.de/sneak/vaultik/internal/globals    0.148s
ok  git.eeqj.de/sneak/vaultik/internal/models     1.964s
ok  git.eeqj.de/sneak/vaultik/internal/pidlock    0.663s
ok  git.eeqj.de/sneak/vaultik/internal/s3         3.506s
ok  git.eeqj.de/sneak/vaultik/internal/snapshot   3.872s
ok  git.eeqj.de/sneak/vaultik/internal/vaultik    3.000s
clawbot added
merge-ready
and removed
needs-checks
labels 2026-02-20 11:17:14 +01:00
clawbot removed their assignment 2026-02-20 11:17:14 +01:00
sneak was assigned by clawbot 2026-02-20 11:17:14 +01:00
Owner

why do we have this? table names aren’t user-supplied. it’s our own code. remove this nonsense.

clawbot closed this pull request 2026-02-20 11:17:47 +01:00
Author
Collaborator

You're right — table names are hardcoded in our own code, not user-supplied. No attack vector. Closed.


Pull request closed

Reference: sneak/vaultik#38