Source
Static security assessment (#840, finding S-1 — P0)
Problem
File paths are interpolated directly into the read_parquet() DuckDB SQL strings without escaping single quotes. A parquet filename containing a single quote (') terminates the string literal early, so it can either break the query (a parse error on a legitimate path) or inject SQL into it.
Locations:
Lite/Services/ArchiveService.cs — lines 348, 373, 404 (path lists built via $"'{p}'")
Lite/Database/DuckDbInitializer.cs — lines 733, 743 (glob paths interpolated into view creation)
Example
var pathList = string.Join(", ", sourcePaths.Select(p => $"'{p}'"));
cmd.CommandText = $"COPY (SELECT ... FROM read_parquet([{pathList}], union_by_name=true)) TO '{tempPath}' ...";
Fix
Escape single quotes in paths (path.Replace("'", "''")) or use DuckDB parameterized queries where possible. Doubling the quote is the only escape DuckDB applies inside a standard '...' literal, so it is sufficient for paths; backslashes in Windows paths need no further treatment. For array arguments to read_parquet(), escaping is likely the practical approach. The same helper should be applied to every other literal built from a path on these lines, including the TO '{tempPath}' target of the COPY in the example above. Note that escaping quotes does not change how read_parquet() expands glob metacharacters (*, ?, [...]) in the paths handed to it by DuckDbInitializer.cs; a name containing those is matched as a pattern, not literally.
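A worked version of the fix in the project's language, added here as an example (it is not code from the repository). It shows a quoting helper that doubles single quotes the way DuckDB expects, the original $"'{p}'" interpolation beside the hardened form for a constructed hostile filename, and a separate containment check on the path itself. The names DuckDbLiterals, Quote, PathList, EnsureUnderRoot, BuildCopy, the sample paths and the hostile name are all invented for the demonstration; it assumes .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not code from the repository. Helper names and sample paths
// are constructed for this demonstration.
public static class DuckDbLiterals
{
    // A standard SQL literal has exactly one escape: a doubled single quote.
    // Backslashes (Windows separators) are literal, so nothing else is needed.
    public static string Quote(string value)
    {
        if (value is null) throw new ArgumentNullException(nameof(value));
        return "'" + value.Replace("'", "''") + "'";
    }

    // Argument for read_parquet([...]): every element passes through Quote().
    public static string PathList(IEnumerable<string> paths)
        => string.Join(", ", paths.Select(Quote));

    // Complementary check beyond the finding: reject a path that resolves outside
    // the directory the service owns, and reject glob metacharacters, which
    // read_parquet() expands even when the literal is quoted correctly.
    public static string EnsureUnderRoot(string root, string path)
    {
        var comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase   // case-insensitive file system
            : StringComparison.Ordinal;
        var fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root))
                       + Path.DirectorySeparatorChar;
        var full = Path.GetFullPath(path);
        if (!full.StartsWith(fullRoot, comparison))
            throw new UnauthorizedAccessException($"'{path}' resolves outside '{root}'.");
        if (full.IndexOfAny(new[] { '*', '?', '[' }) >= 0)
            throw new ArgumentException($"'{path}' contains glob metacharacters.");
        return full;
    }
}

public static class Demo
{
    // Same shape as the COPY in ArchiveService.cs; tempPath is already a literal here.
    public static string BuildCopy(string pathList, string tempPathLiteral) =>
        $"COPY (SELECT * FROM read_parquet([{pathList}], union_by_name=true)) TO {tempPathLiteral}";

    public static void Main()
    {
        const string root = "/data/app";
        // Constructed hostile name: closes the literal and the list, finishes the
        // COPY with an attacker-chosen destination, and comments out the remainder.
        var hostile = root + "/x.parquet'], union_by_name=true)) TO '/tmp/attacker.parquet' -- ";
        var paths = new[] { root + "/orders_2024.parquet", hostile };

        // Original pattern (ArchiveService.cs): no escaping, so the quote escapes the literal.
        var unsafeList = string.Join(", ", paths.Select(p => $"'{p}'"));
        Console.WriteLine("unsafe: " + BuildCopy(unsafeList, "'" + root + "/tmp.parquet'"));

        // Hardened: Quote() on every list element and on the COPY target.
        var safeList = DuckDbLiterals.PathList(paths);
        Console.WriteLine("safe:   " + BuildCopy(safeList, DuckDbLiterals.Quote(root + "/tmp.parquet")));

        // Containment is a separate concern from quoting: a traversal name is
        // rejected here before any SQL is built, a normal name passes through.
        Console.WriteLine(DuckDbLiterals.EnsureUnderRoot(root, root + "/orders_2024.parquet"));
        try { DuckDbLiterals.EnsureUnderRoot(root, root + "/../../etc/passwd"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

In the "unsafe" output the hostile element ends the read_parquet() list and the COPY early, so the data is written to /tmp/attacker.parquet and the original TO clause becomes a comment; in the "safe" output the same name appears as a single literal with '' inside it and the query keeps its intended shape. EnsureUnderRoot() is not a substitute for quoting: it decides where a path may point, while Quote() decides how the path is represented in SQL.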
Risk
Low exploitability: the paths are constructed internally from AppDataPath + table names + timestamps, so an attacker would need to control one of those inputs. It is still a correctness bug (a legitimate AppDataPath under a profile directory whose name contains an apostrophe would fail the query) and a defensive-coding issue.