Audit remediation: SQL-literal injection escaping (lockstep with DID-python) #146
4 commits merged into
…rals (audit 6.1-3)
Several sqlitedb queries interpolate branch_id / doc_id / document_id /
filename directly into SQL string literals delimited by double quotes, e.g.
['... WHERE doc_id="' document_id '"']. run_sql_query() does not forward bind
parameters to mksqlite (it calls do_run_sql_query without varargin), so these
values cannot be passed as '?' placeholders; a value containing a double quote
could break out of the literal and inject SQL (e.g. a crafted branch name or
document id).
Add a private escapeSqlLiteral helper that doubles embedded double quotes
(inside a double-quoted token SQLite reads "" as an escaped "), mirroring the
DID-python _sql_escape (which doubles single quotes for its single-quoted
literals), and apply it at all 15 value-interpolation sites
(do_add_branch / do_delete_branch / do_get_branch_parent / do_get_sub_branches
/ do_get_doc_ids / read / remove_doc / open_doc / file path lookups). The
existing parameterized run_sql_noOpen('... =?', val) call sites are unchanged.
Lockstep with the DID-python field-name validation (same audit item 6.1-3).
Authored without a local MATLAB runtime; needs MATLAB to validate/run.
Maps the §6.1 finding addressed here (SQL-literal escaping, 6.1-3) to its commit, notes that isa (6.1-1) and the sqlite indexes (6.1-4) needed no MATLAB change (MATLAB is the correct reference / already has them; Python caught up), and records the timestamp-format DECISION (§6.1-2/§7.3-13: datenum vs epoch seconds in the same column) as a cross-client choice deliberately NOT changed here, pending joint sign-off. Reiterates author-not-run + the lockstep merge with audit/did-python-2026-06.
Adversarial review counted 14 escapeSqlLiteral call sites in sqlitedb.m, not 15 (the earlier count of 15 included a docstring-example occurrence that was later reverted). All vulnerable double-quoted interpolations are still covered.
…6 ecosystem audit; lockstep + deferrals)
2fae8ac
Superseded by #148, which has been merged into #148 carries this PR's SQL-literal injection escaping (audit §6.1-3) verbatim, brought onto a The deferred Closing this one as superseded; thanks @audriB. The Python half of the lockstep (DID-python#23) is next. Generated by Claude Code
MATLAB half of the DID lockstep (audit §6.1). Merge together with VH-Lab/DID-python#23. For review — please do not merge without sign-off.
Changes
sqlitedb queries interpolate branch_id / doc_id / document_id / filename into double-quoted SQL string literals; run_sql_query() doesn't forward bind params to mksqlite, so those values can't be ? placeholders and a value containing " could inject. Added a private escapeSqlLiteral (doubles ", since SQLite reads "" as an escaped " inside a double-quoted token), mirroring DID-python's _sql_escape, applied at all 14 value-interpolation sites. The already-parameterized run_sql_noOpen('... =?', val) calls are unchanged.
Deferred — DECISION required (not changed)
timestamp column format (§6.1-2 / §7.3-13): datenum-days (MATLAB) vs epoch-seconds (Python) in the same column → cross-client comparisons break. Cross-client decision for DID-matlab/DID-python/cloud backend jointly. See docs/Audit_Remediation_Results_2026-06-12.md.
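The escaping rule the PR describes, shown end to end as an added example (this is not DID-matlab or DID-python code): a constructed in-memory SQLite table stands in for the sqlitedb docs table, and the same lookup is run three ways, with the value pasted straight into the literal, with the delimiting quote doubled as escapeSqlLiteral / _sql_escape do, and with a ? bind parameter as at the run_sql_noOpen sites. It uses Python's sqlite3 with single-quoted literals (the DID-python convention, since SQLite's treatment of double-quoted strings as literals is a build-time option) and exposes the quote character as a parameter so the MATLAB double-quote case is the same one-line rule; the table name `docs`, the sample rows and the function names are assumptions.

```python
import sqlite3


def escape_sql_literal(value: str, quote: str = "'") -> str:
    """Double each embedded delimiter so SQLite reads it as a literal character.

    quote="'"  mirrors DID-python _sql_escape (single-quoted literals);
    quote='"'  mirrors the MATLAB escapeSqlLiteral from the PR (SQLite reads ""
               inside a double-quoted token as an escaped ").
    """
    return value.replace(quote, quote + quote)


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the sqlitedb docs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (doc_id TEXT, branch_id TEXT)")
    conn.executemany(
        "INSERT INTO docs VALUES (?, ?)",
        [("doc-1", "main"), ("doc-2", "main"), ("o'brien", "dev")],
    )
    return conn


def lookup_unescaped(conn: sqlite3.Connection, doc_id: str) -> list:
    """The vulnerable pattern: the value is pasted straight into the literal."""
    sql = f"SELECT doc_id FROM docs WHERE doc_id='{doc_id}' ORDER BY doc_id"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, doc_id: str) -> list:
    """The PR's fix for call sites where bind parameters are not forwarded."""
    safe = escape_sql_literal(doc_id, "'")
    sql = f"SELECT doc_id FROM docs WHERE doc_id='{safe}' ORDER BY doc_id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, doc_id: str) -> list:
    """Preferred form wherever the driver accepts ? placeholders."""
    sql = "SELECT doc_id FROM docs WHERE doc_id=? ORDER BY doc_id"
    return [row[0] for row in conn.execute(sql, (doc_id,))]


def compare(doc_id: str) -> dict:
    """Run one input through all three variants and return what each yields.

    A statement SQLite refuses to parse (the literal was broken open) is
    reported as the string 'error' instead of a row list.
    """
    conn = open_sample_db()
    variants = (
        ("unescaped", lookup_unescaped),
        ("escaped", lookup_escaped),
        ("parameterized", lookup_parameterized),
    )
    result = {}
    for name, fn in variants:
        try:
            result[name] = fn(conn, doc_id)
        except sqlite3.OperationalError:
            result[name] = "error"
    conn.close()
    return result


if __name__ == "__main__":
    # An ordinary id, an id that legitimately contains the delimiter, and a
    # value that closes the literal early: only the escaped and parameterized
    # forms treat all three as plain data.
    for value in ("doc-1", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

The middle case is the one worth watching in review: a legitimate id containing the delimiter makes the unescaped query fail outright, which is how such a bug usually surfaces in practice, while a value that closes the literal returns rows it should not. The escaped form and the bind-parameter form agree on every input, which is the property the 14 interpolation sites need.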