security: parameterize metrics component filter to prevent SQL injection

[rsampaio]

Description

read() in pkg/metrics/store/sqlite built the WHERE ... IN (...) clause by quoting and concatenating component names directly into the SQL string. A caller able to control a component name could break out of the quoted literal and append arbitrary SQL, including UNION queries against other tables such as gpud_metadata.

Bind component names as query parameters instead. Add a regression test that inserts and reads back a metric whose Component field is a UNION payload targeting gpud_metadata, verifying the input is treated as data rather than SQL.

Checklist

• I am familiar with the Contributing Guidelines.
• New or existing tests cover these changes.
• The documentation is up to date with these changes.

Summary by CodeRabbit

• Bug Fixes
  • Fixed SQL injection vulnerability in metric component filtering.
  • Component names containing special characters are now properly treated as literal data rather than SQL syntax.
  • Updated query construction to use parameterized SQL parameters.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: bd57feb6-9610-45fb-8c88-a85141fb0b81

📥 Commits

Reviewing files that changed from the base of the PR and between 3e525bc and b098f2e.

📒 Files selected for processing (2)

• third_party/fleet-intelligence-sdk/pkg/metrics/store/sqlite.go
• third_party/fleet-intelligence-sdk/pkg/metrics/store/sqlite_test.go

---

📝 Walkthrough

Walkthrough

The pull request updates the SQLite metrics store to use parameterized SQL queries instead of string concatenation when filtering by component names, shifting from embedded single-quoted values to SQL placeholders. A new test validates that component filters correctly handle SQL metacharacters as literal data.

Changes

Cohort / File(s)	Summary
SQL Injection Prevention via Parameterized Queries third_party/fleet-intelligence-sdk/pkg/metrics/store/sqlite.go, third_party/fleet-intelligence-sdk/pkg/metrics/store/sqlite_test.go	Modified component filter query construction to use parameterized placeholders (IN (?, ?, ...)) instead of string concatenation. Added test case validating that SQL metacharacters in component names are treated as literal data rather than query syntax.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Hopping through code with placeholder care,
Parameterized queries dancing fair,
No more string-cat tricks or injection fright,
SQLite metrics store shining bright! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately and concisely describes the main security fix: parameterizing the metrics component filter to prevent SQL injection, which directly aligns with the primary change in the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/fix-metrics-components-sql-injection

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}