Fix FTS5 injection vulnerability with proper escaping and comprehensive tests
Co-authored-by: thedotmack <683968+thedotmack@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
@@ -69,7 +69,7 @@ var Sl=Object.create;var Ia=Object.defineProperty;var xl=Object.getOwnPropertyDe
|
||||
INSERT INTO session_summaries_fts(rowid, request, investigated, learned, completed, next_steps, notes)
|
||||
VALUES (new.id, new.request, new.investigated, new.learned, new.completed, new.next_steps, new.notes);
|
||||
END;
|
||||
`),console.error("[SessionSearch] FTS5 tables created successfully")}catch(e){console.error("[SessionSearch] FTS migration error:",e.message)}}escapeFTS5(e){return e}buildFilterClause(e,t,s="o"){let r=[];if(e.project&&(r.push(`${s}.project = ?`),t.push(e.project)),e.type)if(Array.isArray(e.type)){let n=e.type.map(()=>"?").join(",");r.push(`${s}.type IN (${n})`),t.push(...e.type)}else r.push(`${s}.type = ?`),t.push(e.type);if(e.dateRange){let{start:n,end:i}=e.dateRange;if(n){let o=typeof n=="number"?n:new Date(n).getTime();r.push(`${s}.created_at_epoch >= ?`),t.push(o)}if(i){let o=typeof i=="number"?i:new Date(i).getTime();r.push(`${s}.created_at_epoch <= ?`),t.push(o)}}if(e.concepts){let n=Array.isArray(e.concepts)?e.concepts:[e.concepts],i=n.map(()=>`EXISTS (SELECT 1 FROM json_each(${s}.concepts) WHERE value = ?)`);i.length>0&&(r.push(`(${i.join(" OR ")})`),t.push(...n))}if(e.files){let n=Array.isArray(e.files)?e.files:[e.files],i=n.map(()=>`(
|
||||
`),console.error("[SessionSearch] FTS5 tables created successfully")}catch(e){console.error("[SessionSearch] FTS migration error:",e.message)}}escapeFTS5(e){return`"${e.replace(/"/g,'""')}"`}buildFilterClause(e,t,s="o"){let r=[];if(e.project&&(r.push(`${s}.project = ?`),t.push(e.project)),e.type)if(Array.isArray(e.type)){let n=e.type.map(()=>"?").join(",");r.push(`${s}.type IN (${n})`),t.push(...e.type)}else r.push(`${s}.type = ?`),t.push(e.type);if(e.dateRange){let{start:n,end:i}=e.dateRange;if(n){let o=typeof n=="number"?n:new Date(n).getTime();r.push(`${s}.created_at_epoch >= ?`),t.push(o)}if(i){let o=typeof i=="number"?i:new Date(i).getTime();r.push(`${s}.created_at_epoch <= ?`),t.push(o)}}if(e.concepts){let n=Array.isArray(e.concepts)?e.concepts:[e.concepts],i=n.map(()=>`EXISTS (SELECT 1 FROM json_each(${s}.concepts) WHERE value = ?)`);i.length>0&&(r.push(`(${i.join(" OR ")})`),t.push(...n))}if(e.files){let n=Array.isArray(e.files)?e.files:[e.files],i=n.map(()=>`(
|
||||
EXISTS (SELECT 1 FROM json_each(${s}.files_read) WHERE value LIKE ?)
|
||||
OR EXISTS (SELECT 1 FROM json_each(${s}.files_modified) WHERE value LIKE ?)
|
||||
)`);i.length>0&&(r.push(`(${i.join(" OR ")})`),n.forEach(o=>{t.push(`%${o}%`,`%${o}%`)}))}return r.length>0?r.join(" AND "):""}buildOrderClause(e="relevance",t=!0,s="observations_fts"){switch(e){case"relevance":return t?`ORDER BY ${s}.rank ASC`:"ORDER BY o.created_at_epoch DESC";case"date_desc":return"ORDER BY o.created_at_epoch DESC";case"date_asc":return"ORDER BY o.created_at_epoch ASC";default:return"ORDER BY o.created_at_epoch DESC"}}searchObservations(e,t={}){let s=[],{limit:r=50,offset:n=0,orderBy:i="relevance",...o}=t,c=this.escapeFTS5(e);s.push(c);let u=this.buildFilterClause(o,s,"o"),p=u?`AND ${u}`:"",m=this.buildOrderClause(i,!0),E=`
|
||||
|
||||
Reference in New Issue
Block a user