🔒 [security fix] Fix SQL injection in getAllMappings#166
🔒 [security fix] Fix SQL injection in getAllMappings#166
Conversation
…list The `getAllMappings` function in `cmd/neko/neko.go` was vulnerable to SQL injection because it concatenated a table name directly into a query string. Since table names cannot be parameterized in SQL, this commit introduces a switch statement to validate the `table` argument against a whitelist of allowed constants from the `internal` package. This follows the security pattern established in `cmd/calculate/helpers.go`. A new test case was added to `cmd/neko/neko_test.go` to verify that invalid table names cause the application to fail fast. Co-authored-by: nonproto <2092019+nonproto@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements table name validation in the getAllMappings function to prevent SQL injection and adds a test case to ensure the application crashes on invalid input. The reviewer suggested refactoring the validation logic to use a single source of truth for valid table names to improve maintainability and security.
| switch table { | ||
| case internal.TableAnilist, internal.TableAnimePlanet, internal.TableBookWalker, internal.TableKitsu, internal.TableMyanimelist, internal.TableMangaupdates, internal.TableMangaupdatesNewId, internal.TableNovelUpdates: | ||
| // OK | ||
| default: | ||
| log.Fatalf("getAllMappings: invalid table name %s", table) | ||
| } |
There was a problem hiding this comment.
The switch statement duplicates the list of tables from the mappingTables slice defined on line 23. This creates two sources of truth and can lead to maintainability issues. If a new table is added to mappingTables but forgotten here, the security check will be bypassed for that table, re-introducing the vulnerability.
To make this more robust and maintainable, you should validate the table parameter by checking for its presence in the mappingTables slice. This ensures there is a single source of truth for valid table names.
| switch table { | |
| case internal.TableAnilist, internal.TableAnimePlanet, internal.TableBookWalker, internal.TableKitsu, internal.TableMyanimelist, internal.TableMangaupdates, internal.TableMangaupdatesNewId, internal.TableNovelUpdates: | |
| // OK | |
| default: | |
| log.Fatalf("getAllMappings: invalid table name %s", table) | |
| } | |
| isValid := false | |
| for _, validTable := range mappingTables { | |
| if table == validTable { | |
| isValid = true | |
| break | |
| } | |
| } | |
| if !isValid { | |
| log.Fatalf("getAllMappings: invalid table name %s", table) | |
| } |
There was a problem hiding this comment.
The
switchstatement duplicates the list of tables from themappingTablesslice defined on line 23. This creates two sources of truth and can lead to maintainability issues. If a new table is added tomappingTablesbut forgotten here, the security check will be bypassed for that table, re-introducing the vulnerability.To make this more robust and maintainable, you should validate the
tableparameter by checking for its presence in themappingTablesslice. This ensures there is a single source of truth for valid table names.
1 participant
🎯 What: The vulnerability fixed is a SQL injection in the
⚠️ Risk: If left unfixed, an attacker could potentially execute arbitrary SQL commands by manipulating the
getAllMappingsfunction withincmd/neko/neko.go.tableparameter, leading to unauthorized data access or database modification.🛡️ Solution: The fix implements a strict whitelist validation for the
tablename against known allowed constants before it is used in the SQL query.PR created automatically by Jules for task 5523406989861435868 started by @nonproto