openclaw/wacli
openclaw/wacli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

security: validate SQLite URI path against '?' and '#' injection (#141)

Browse Source 
The --store path is embedded in a SQLite URI via fmt.Sprintf. A path
containing '?' could inject additional connection parameters. Reject
paths with '?' or '#' before constructing the URI.
This commit is contained in:
Martín Alcalá Rubí 2026-04-15 05:07:18 +08:00 committed by GitHub
parent 59a2c6cdc6
commit 77c38d3a19
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/store/db.go
View File

@ -20,6 +20,10 @@ func Open(path string) (*DB, error) {
if strings.TrimSpace(path) == "" {
return nil, fmt.Errorf("db path is required")
}
// Reject paths that could inject SQLite URI parameters (#59).
if strings.ContainsAny(path, "?#") {
return nil, fmt.Errorf("db path must not contain '?' or '#'")
}
if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
return nil, fmt.Errorf("create db directory: %w", err)
}