[High] Potential SQL Injection in internal/config/sqlite_storage.go #21

Closed
opened 2026-02-11 18:50:24 +00:00 by thabeta · 1 comment
Owner

Issue

While most queries use parameterized statements, some helper functions in internal/config/sqlite_storage.go manually concatenate string patterns for unique constraint checks. The isUniqueConstraintError helper also relies on brittle error string parsing.

Impact

  • Potential for SQL injection if input sanitization is bypassed
  • Fragile error handling that may break with driver updates or different locales

Remediation

  1. Use strictly parameterized queries for all database interactions.
  2. Leverage Go-SQLite3 specific error codes (e.g., sqlite3.ErrConstraint) instead of matching error strings.

Files Affected

  • internal/config/sqlite_storage.go
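The two remediation items side by side, as an added example that is not code from the issue or from the webgateway project. It uses a stand-in error type that mirrors the fields of go-sqlite3's `sqlite3.Error` (`Code`, `ExtendedCode`) so it runs without cgo; in the real code the import is `github.com/mattn/go-sqlite3` and the constants are `sqlite3.ErrConstraint`, `sqlite3.ErrConstraintUnique` and `sqlite3.ErrConstraintPrimaryKey`. The `configs` table, `name` column and `lookupByPrefix` helper are assumptions for illustration, not the project's schema.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sqliteError is a stand-in that mirrors the shape of go-sqlite3's
// sqlite3.Error (Code, ExtendedCode, driver message). It exists so this
// example runs without cgo; real code uses sqlite3.Error directly.
type sqliteError struct {
	Code         int
	ExtendedCode int
	msg          string
}

func (e sqliteError) Error() string { return e.msg }

// SQLite primary and extended result codes, as exported by go-sqlite3 as
// sqlite3.ErrConstraint, sqlite3.ErrConstraintPrimaryKey, sqlite3.ErrConstraintUnique.
const (
	errConstraint           = 19
	errConstraintPrimaryKey = errConstraint | (6 << 8) // 1555
	errConstraintUnique     = errConstraint | (8 << 8) // 2067
)

// isUniqueConstraintErrorBrittle is the pattern the issue objects to: it
// depends on the exact wording of the driver's message, which can change
// with driver versions or locale.
func isUniqueConstraintErrorBrittle(err error) bool {
	return err != nil && strings.Contains(err.Error(), "UNIQUE constraint failed")
}

// isUniqueConstraintError inspects the typed error instead. errors.As walks
// fmt.Errorf("%w") wrapping, so callers may add context without breaking it.
// A PRIMARY KEY violation is reported with its own extended code, so both are
// treated as "row already exists".
func isUniqueConstraintError(err error) bool {
	var se sqliteError
	if !errors.As(err, &se) {
		return false
	}
	if se.Code != errConstraint {
		return false
	}
	return se.ExtendedCode == errConstraintUnique ||
		se.ExtendedCode == errConstraintPrimaryKey
}

// lookupByPrefix builds a parameterized LIKE query for a hypothetical
// configs(name) table. The caller's value never enters the SQL text; it is
// passed as an argument, and LIKE metacharacters in it are escaped so a
// caller-supplied "%" cannot turn a prefix check into a match-everything query.
func lookupByPrefix(prefix string) (query string, args []any) {
	escaped := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(prefix)
	query = `SELECT 1 FROM configs WHERE name LIKE ? ESCAPE '\' LIMIT 1`
	return query, []any{escaped + "%"}
}

func main() {
	// Constructed errors standing in for what the driver would return.
	wrapped := fmt.Errorf("insert config: %w",
		sqliteError{Code: errConstraint, ExtendedCode: errConstraintUnique, msg: "UNIQUE constraint failed: configs.name"})
	reworded := sqliteError{Code: errConstraint, ExtendedCode: errConstraintUnique, msg: "constraint failed"}

	fmt.Println("wrapped, typed check:   ", isUniqueConstraintError(wrapped))
	fmt.Println("reworded, string check:", isUniqueConstraintErrorBrittle(reworded))
	fmt.Println("reworded, typed check:  ", isUniqueConstraintError(reworded))

	q, args := lookupByPrefix("50%_off")
	fmt.Println(q, args)
}
```

With the real driver the check becomes `var se sqlite3.Error; errors.As(err, &se) && se.Code == sqlite3.ErrConstraint && (se.ExtendedCode == sqlite3.ErrConstraintUnique || se.ExtendedCode == sqlite3.ErrConstraintPrimaryKey)`; the string comparison disappears entirely.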
eslamnawara removed their assignment 2026-02-17 11:14:39 +00:00
Member

fixed error handling, but I don't see database interactions with string concatenations
Reference
geomind_code/webgateway#21