read() in pkg/metrics/store/sqlite built the WHERE ... IN (...) clause by quoting and concatenating component names directly into the SQL string. A caller able to control a component name could break out of the quoted literal and append arbitrary SQL, including UNION queries against other tables such as gpud_metadata.

Bind component names as query parameters instead. Add a regression test that inserts and reads back a metric whose Component field is a UNION payload targeting gpud_metadata, verifying the input is treated as data rather than SQL.

Signed-off-by: Rodrigo Sampaio Vaz <rvaz@nvidia.com>
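An added Go example (not gpud's own code) contrasting the concatenated IN clause the commit removes with the bound form it introduces. The table and column names are hypothetical stand-ins, since the page does not show the schema, and the UNION input is a constructed value in the shape of the regression test the message describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical table/column names: the page does not show gpud's schema.
const metricsTable = "metrics"

// buildReadQueryConcat reproduces the pattern the PR removed: each name is
// wrapped in quotes and spliced into the SQL text, so a name containing a
// quote ends the literal and whatever follows it is parsed as SQL.
func buildReadQueryConcat(components []string) string {
	quoted := make([]string, 0, len(components))
	for _, c := range components {
		quoted = append(quoted, "'"+c+"'")
	}
	return fmt.Sprintf("SELECT component, value FROM %s WHERE component IN (%s)",
		metricsTable, strings.Join(quoted, ", "))
}

// buildReadQueryBound is the parameterized form: one "?" per component and
// the names returned separately as bind arguments (passed on to db.Query),
// so the database only ever sees them as string values, never as SQL.
func buildReadQueryBound(components []string) (string, []any) {
	base := "SELECT component, value FROM " + metricsTable
	if len(components) == 0 {
		return base, nil // no filter rather than an empty IN ()
	}
	placeholders := strings.TrimSuffix(strings.Repeat("?, ", len(components)), ", ")
	args := make([]any, len(components))
	for i, c := range components {
		args[i] = c
	}
	return base + " WHERE component IN (" + placeholders + ")", args
}

func main() {
	// Constructed input in the shape of the PR's regression test.
	names := []string{"gpu0", "x') UNION SELECT 1, 2 FROM gpud_metadata --"}
	fmt.Println("concat:", buildReadQueryConcat(names))
	q, args := buildReadQueryBound(names)
	fmt.Println("bound: ", q, args)
}
```

The bound query text never contains the caller's value, so the regression test's read-back succeeds on the literal name and no second SELECT reaches the parser.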