
Commit 774bee4

fix: Prevent SQL injection in loadTables (#34)
## Summary Fixes SQL injection vulnerability in the `loadTables` method by using parameterized queries instead of string concatenation. **Changes:** - Replaced string concatenation with parameterized query using placeholders (`?`) - Added `type` parameter and table name parameters to the query - Prevented direct interpolation of user-controlled table names into SQL 🤖 Generated with [Claude Code](https://claude.com/claude-code)
1 parent 2bee4fe commit 774bee4


1 file changed

+7
-4
lines changed


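--- a/src/driver/sqlite-abstract/AbstractSqliteQueryRunner.ts
+++ b/src/driver/sqlite-abstract/AbstractSqliteQueryRunner.ts
@@ -1314,7 +1314,7 @@ export abstract class AbstractSqliteQueryRunner
 .filter((tableName) => {
 return tableName.split(".").length === 1
 })
-.map((tableName) => `'${tableName}'`)
+.map((tableName) => `${tableName}`)
 
 const tableNamesWithDot = tableNames.filter((tableName) => {
 return tableName.split(".").length > 1
@@ -1328,11 +1328,14 @@ export abstract class AbstractSqliteQueryRunner
 ]
 
 if (tableNamesWithoutDot.length) {
+const columnName = type === "table" ? "name" : "tbl_name"
+const placeholders = tableNamesWithoutDot
+.map(() => "?")
+.join(",")
 promises.push(
 this.query(
-`SELECT * FROM "sqlite_master" WHERE "type" = '${type}' AND "${
-type === "table" ? "name" : "tbl_name"
-}" IN (${tableNamesWithoutDot})`,
+`SELECT * FROM "sqlite_master" WHERE "type" = ? AND ${columnName} IN (${placeholders})`,
+[type, ...tableNamesWithoutDot],
 ),
 )
 }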
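Review bot: The new statement at line 1337 drops the double-quote identifier quoting the removed lines had around `name`/`tbl_name`, writing `${columnName} IN (...)` bare; `columnName` can only be one of those two literals so this is not injectable, but `"${columnName}" IN (${placeholders})` keeps the identifier quoting consistent with the rest of the statement and does not depend on a reader tracing the ternary to confirm the value set is closed. The `.map((tableName) => \`${tableName}\`)` left in the first hunk is now an identity map and can be removed. Each table name now consumes one bound parameter, so a call with a very large list could hit SQLite's per-statement bound-variable limit; if loadTables can be handed that many names, chunking the IN list or a comment noting the bound is worth adding. The `tableNamesWithDot` branch (only its filter at 1319 is visible, its body lies outside the hunk) is not changed by this commit; if it still interpolates table or schema names into SQL it needs the same parameterization, otherwise the fix is only partial.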
