2 changes: 1 addition & 1 deletion pkg/clients/mssql/mssql.go
Expand Up @@ -121,7 +121,7 @@ func (c mssqlDB) GetConnectionDetails(username, password string) managed.Connect

// QuoteIdentifier for mssql queries
func QuoteIdentifier(id string) string {
return "[" + id + "]"
return "[" + strings.ReplaceAll(id, "]", "]]") + "]"

Security: No unit tests exist for QuoteIdentifier or QuoteValue

No unit tests exist for QuoteIdentifier or QuoteValue. Regressions to this SQL injection fix would go undetected. Add table-driven tests covering ], ]], empty string, and embedded [ inputs.


Location: pkg/clients/mssql/mssql.go (line 124)

Analysis

No unit tests exist for QuoteIdentifier or QuoteValue

What fails: There are no tests for QuoteIdentifier or QuoteValue in the mssql package, so regressions to this critical SQL injection fix would not be caught.
Result: No test files found — zero coverage for quoting functions.
Expected: Table-driven unit tests should cover edge cases: input containing ], input containing ]], empty string, embedded [ characters, and normal identifiers.
Impact: Without tests, future changes could silently reintroduce the SQL injection vulnerability this PR fixes.
How to reproduce:
ls pkg/clients/mssql/*_test.go  # No test files exist
AI Fix Prompt
Fix this issue: No unit tests exist for QuoteIdentifier or QuoteValue. Regressions to this SQL injection fix would go undetected. Add table-driven tests covering ], ]], empty string, and embedded [ inputs.

Location: pkg/clients/mssql/mssql.go (line 124)
Problem: There are no tests for QuoteIdentifier or QuoteValue in the mssql package, so regressions to this critical SQL injection fix would not be caught.
Current behavior: No test files found — zero coverage for quoting functions.
Expected: Table-driven unit tests should cover edge cases: input containing ], input containing ]], empty string, embedded [ characters, and normal identifiers.
Steps to reproduce: ls pkg/clients/mssql/*_test.go  # No test files exist

Provide a code fix.

Tip: Reply with @paragon-run to automatically fix this issue

}

// QuoteValue for mssql queries
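Review bot: the new `return "[" + strings.ReplaceAll(id, "]", "]]") + "]"` is the correct escape for a bracket-delimited T-SQL identifier (only `]` is special inside `[...]`, so an embedded `[` needs no treatment), which closes the case where an identifier like `a]b` terminated the bracket early and let the remainder run as SQL; two follow-ups for this hunk: the sibling `QuoteValue` whose comment is the last context line here is not touched by this change, so confirm it applies the matching rule for string literals (doubling embedded single quotes) rather than plain concatenation, and extend the one-line doc comment on `QuoteIdentifier` to say the input is escaped, not validated, so callers do not assume it rejects anything.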
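The table-driven test the review comment asks for, as an added example that is not part of the pull request or the provider's code base. `QuoteIdentifier` here is a copy of the fixed function from the hunk so the file runs stand-alone; `quoteIdentifierUnsafe` is the pre-fix concatenation, kept only to show which rows it fails; `BracketBalanced`, `QuoteIdentifierCases` and `RunQuoteIdentifierCases` are hypothetical helpers written for this example, and the injection-style payload in the table is constructed input, not something observed in the project.

```go
package main

import (
	"fmt"
	"strings"
)

// QuoteIdentifier mirrors the fixed function in the hunk: wrap the identifier
// in square brackets and double every embedded "]" so the delimiter cannot be
// closed early. "[" is not special inside a bracketed T-SQL identifier, so it
// needs no escaping.
func QuoteIdentifier(id string) string {
	return "[" + strings.ReplaceAll(id, "]", "]]") + "]"
}

// quoteIdentifierUnsafe is the pre-fix behaviour, kept to show the bypass.
func quoteIdentifierUnsafe(id string) string {
	return "[" + id + "]"
}

// quoteCase is one row of the table-driven test.
type quoteCase struct {
	name string
	in   string
	want string
}

// QuoteIdentifierCases covers the cases the review comment lists (normal
// identifier, empty string, "]", "]]", embedded "[") plus a constructed
// injection-style payload that tries to close the bracket early.
var QuoteIdentifierCases = []quoteCase{
	{"plain", "users", "[users]"},
	{"empty", "", "[]"},
	{"single close bracket", "a]b", "[a]]b]"},
	{"doubled close bracket", "a]]b", "[a]]]]b]"},
	{"embedded open bracket", "a[b", "[a[b]"},
	{"injection payload", "x]; DROP TABLE t; --", "[x]]; DROP TABLE t; --]"},
}

// RunQuoteIdentifierCases applies every row to fn and returns the names of
// the rows whose output differs from the expected value (nil when all pass).
func RunQuoteIdentifierCases(fn func(string) string) []string {
	var failed []string
	for _, tc := range QuoteIdentifierCases {
		if got := fn(tc.in); got != tc.want {
			failed = append(failed, tc.name)
		}
	}
	return failed
}

// BracketBalanced reports whether quoted is exactly one bracketed identifier:
// it starts with "[", ends with "]", and every "]" in the body belongs to a
// "]]" pair. A lone "]" in the body is what lets injected SQL escape the
// identifier under the unescaped quoting.
func BracketBalanced(quoted string) bool {
	if len(quoted) < 2 || quoted[0] != '[' || quoted[len(quoted)-1] != ']' {
		return false
	}
	body := quoted[1 : len(quoted)-1]
	for i := 0; i < len(body); i++ {
		if body[i] != ']' {
			continue
		}
		if i+1 < len(body) && body[i+1] == ']' {
			i++ // skip the second half of an escaped "]]"
			continue
		}
		return false // lone "]" would end the identifier here
	}
	return true
}

func main() {
	payload := "x]; DROP TABLE t; --"
	fixed, unsafe := QuoteIdentifier(payload), quoteIdentifierUnsafe(payload)
	fmt.Printf("fixed:  %s balanced=%v\n", fixed, BracketBalanced(fixed))
	fmt.Printf("unsafe: %s balanced=%v\n", unsafe, BracketBalanced(unsafe))
	fmt.Println("rows failed by fixed quoting: ", RunQuoteIdentifierCases(QuoteIdentifier))
	fmt.Println("rows failed by unsafe quoting:", RunQuoteIdentifierCases(quoteIdentifierUnsafe))
}
```

In a real `mssql_test.go` the table would be iterated with `t.Run(tc.name, ...)` instead of collected into a slice; the slice form is used here only so the result can be asserted on directly. `BracketBalanced` is a test-side oracle, not something to add to the client: it encodes the one property the fix is meant to guarantee (no unpaired `]` inside the delimiters), so a future change that drops the doubling fails the table and the oracle independently.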