Conversation

@louwers (Contributor) commented Oct 11, 2025

Adds support for setting the defensive flag. See SQLITE_DBCONFIG_DEFENSIVE.

This is one of the APIs needed for Defense Against The Dark Arts when dealing with untrusted SQL queries. Another being the sqlite3_limit() interface, which may be a neat future addition.

@nodejs-github-bot (Collaborator)

Review requested: @nodejs/sqlite

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Oct 11, 2025
@Renegade334 (Contributor) commented
IMO it'd be worth considering setting this to enabled by default, either here or in a future semver-major change. >99% of users will have no need to alter engine-level internals.

@louwers (Contributor, Author) commented Oct 11, 2025

@Renegade334 Good point. I think it makes sense to just set defensive as the default here since the SQLite API is experimental and you almost never want to mess with those indeed.

better-sqlite3 does the same. https://github.com/WiseLibs/better-sqlite3/blob/ea0d8c73615ce2b6133df67da10c7e6452115d73/docs/unsafe.md?plain=1#L5

@louwers (Contributor, Author) commented Oct 11, 2025

@Renegade334 Enabled it by default.

This PR should have a notable-change label.

@codecov (bot) commented Oct 12, 2025

Codecov Report

❌ Patch coverage is 68.57143% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.55%. Comparing base (f9fcc74) to head (af87669).
⚠️ Report is 109 commits behind head on main.

Files with missing lines: src/node_sqlite.cc, patch coverage 65.62% (4 missing, 7 partials)

```
@@            Coverage Diff             @@
##             main   #60217      +/-   ##
==========================================
- Coverage   88.56%   88.55%   -0.02%     
==========================================
  Files         704      704              
  Lines      208125   208158      +33     
  Branches    40003    40010       +7     
==========================================
- Hits       184332   184329       -3     
- Misses      15809    15858      +49     
+ Partials     7984     7971      -13     
```

Files with missing lines, coverage delta:
src/node_sqlite.h 81.48% <100.00%> (+1.08%)
src/node_sqlite.cc 79.94% <65.62%> (-0.21%)

... and 43 files with indirect coverage changes

@aduh95 aduh95 added the notable-change PRs with changes that should be highlighted in changelogs. label Oct 12, 2025
@louwers louwers requested a review from cjihrig October 12, 2025 19:12
@aduh95 aduh95 added semver-minor PRs that contain new features and should be released in the next minor version. and removed notable-change PRs with changes that should be highlighted in changelogs. labels Oct 12, 2025
@louwers louwers requested a review from aduh95 October 12, 2025 20:10
@louwers (Contributor, Author) commented Oct 12, 2025

How do I add a comment for the Notable Changes section?

@aduh95 (Contributor) commented Oct 12, 2025

> How do I add a comment for the Notable Changes section?

Wouldn't the notable change be the follow-up PR rather than this one?

@aduh95 aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Oct 12, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 12, 2025
@louwers (Contributor, Author) commented Oct 12, 2025

@aduh95 That works too!

@louwers (Contributor, Author) commented Oct 13, 2025

Could someone restart CI? Looks like a fluke.

@UlisesGascon UlisesGascon added the request-ci Add this label to start a Jenkins CI on a PR. label Oct 14, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 14, 2025
@tpoisseau (Contributor) left a review comment

good addition

@ovflowd ovflowd added the request-ci Add this label to start a Jenkins CI on a PR. label Oct 16, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 16, 2025
@louwers (Contributor, Author) commented Oct 21, 2025

@nodejs/sqlite CI passed now.

@louwers (Contributor, Author) commented Oct 22, 2025

Could someone merge this?

@aduh95 aduh95 added commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Oct 27, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 27, 2025
@nodejs-github-bot nodejs-github-bot merged commit fd7b33e into nodejs:main Oct 27, 2025
76 of 78 checks passed
@nodejs-github-bot (Collaborator)

Landed in fd7b33e

aduh95 pushed a commit that referenced this pull request Oct 27, 2025
PR-URL: #60217
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
nodejs-github-bot added a commit that referenced this pull request Oct 27, 2025
Notable changes:

http:
  * (SEMVER-MINOR) add optimizeEmptyRequests server option (Rafael Gonzaga) #59778
sqlite:
  * (SEMVER-MINOR) allow setting defensive flag (Bart Louwers) #60217
src:
  * (SEMVER-MINOR) add watch config namespace (Marco Ippolito) #60178

PR-URL: #60436
aduh95 added a commit that referenced this pull request Oct 28, 2025 (PR-URL: #60436)
aduh95 added a commit that referenced this pull request Oct 28, 2025 (PR-URL: #60436)