security: fix SQL injection in fetchTableMetadata

datlechin · datlechin · commit e9e20dcd665e · 2025-12-25T15:38:37.000+07:00
- Escape single quotes in table names for PostgreSQL and SQLite
- Use safeTableName.replacingOccurrences(of: "'", with: "''") to prevent injection
diff --git a/OpenTable/Core/Database/PostgreSQLDriver.swift b/OpenTable/Core/Database/PostgreSQLDriver.swift
@@ -311,6 +311,9 @@ final class PostgreSQLDriver: DatabaseDriver {
     }
     
     func fetchTableMetadata(tableName: String) async throws -> TableMetadata {
+        // Escape table name to prevent SQL injection (double quotes for PostgreSQL identifiers)
+        let safeTableName = tableName.replacingOccurrences(of: "\"", with: "\"\"")
+        
         let query = """
             SELECT
                 pg_total_relation_size(c.oid) AS total_size,
@@ -321,7 +324,7 @@ final class PostgreSQLDriver: DatabaseDriver {
                 obj_description(c.oid, 'pg_class') AS comment
             FROM pg_class c
             JOIN pg_namespace n ON n.oid = c.relnamespace
-            WHERE c.relname = '\(tableName)'
+            WHERE c.relname = '\(safeTableName.replacingOccurrences(of: "'", with: "''"))'
               AND n.nspname = 'public'
             """
         
diff --git a/OpenTable/Core/Database/SQLiteDriver.swift b/OpenTable/Core/Database/SQLiteDriver.swift
@@ -302,8 +302,11 @@ final class SQLiteDriver: DatabaseDriver {
             throw DatabaseError.notConnected
         }
         
+        // Escape table name to prevent SQL injection
+        let safeTableName = tableName.replacingOccurrences(of: "'", with: "''")
+        
         // Get row count
-        let countQuery = "SELECT COUNT(*) FROM '\(tableName)'"
+        let countQuery = "SELECT COUNT(*) FROM '\(safeTableName)'"
         let countResult = try await execute(query: countQuery)
         let rowCount: Int64? = {
             guard let row = countResult.rows.first, let countStr = row.first else { return nil }
@@ -317,13 +320,13 @@ final class SQLiteDriver: DatabaseDriver {
                   let size = attrs[.size] as? Int64 else { return nil }
             return size
         }()
-        
+
         // Estimate average row length
         let avgRowLength: Int64? = {
             guard let total = fileSize, let count = rowCount, count > 0 else { return nil }
             return total / count
         }()
-        
+ 
         return TableMetadata(
             tableName: tableName,
             dataSize: fileSize,
