[High] Potential SQL Injection in internal/config/sqlite_storage.go #21

New issue

Closed

opened 2026-02-11 18:50:24 +00:00 by thabeta · 1 comment

thabeta commented 2026-02-11 18:50:24 +00:00

Owner

Copy link

Issue

While most queries use parameterized statements, some helper functions in internal/config/sqlite_storage.go manually concatenate string patterns for unique constraint checks. The isUniqueConstraintError helper also relies on brittle error string parsing.

Impact

• Potential for SQL injection if input sanitization is bypassed
• Fragile error handling that may break with driver updates or different locales

Remediation

1. Use strictly parameterized queries for all database interactions.
2. Leverage Go-SQLite3 specific error codes (e.g., sqlite3.ErrConstraint) instead of matching error strings.

Files Affected

• internal/config/sqlite_storage.go

## Issue While most queries use parameterized statements, some helper functions in `internal/config/sqlite_storage.go` manually concatenate string patterns for unique constraint checks. The `isUniqueConstraintError` helper also relies on brittle error string parsing. ## Impact - Potential for SQL injection if input sanitization is bypassed - Fragile error handling that may break with driver updates or different locales ## Remediation 1. Use strictly parameterized queries for all database interactions. 2. Leverage Go-SQLite3 specific error codes (e.g., `sqlite3.ErrConstraint`) instead of matching error strings. ## Files Affected - `internal/config/sqlite_storage.go`

eslamnawara referenced this issue 2026-02-17 11:09:40 +00:00

use sqllite error ErrConstraintUnique #26

eslamnawara self-assigned this 2026-02-17 11:14:29 +00:00

eslamnawara removed their assignment 2026-02-17 11:14:39 +00:00

eslamnawara commented 2026-02-17 11:14:58 +00:00

Member

Copy link

fixed error handling, but I don't see database interactions with string concatenations

fixed error handling, but I don't see database interactions with string concatenations

eslamnawara self-assigned this 2026-02-17 11:15:04 +00:00

thabeta closed this issue 2026-02-18 14:00:42 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

support-socks5

development

test

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

eslamnawara

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

geomind_code/webgateway#21

No description provided.