fix(sqlite): escape identifiers in PRAGMA queries by rekurt · Pull Request #10 · rekurt/dbdiff

rekurt · 2026-04-07T21:21:02Z

The SQLite loader interpolated table and index names read from database metadata directly into PRAGMA SQL (e.g. PRAGMA table_info("{}")), which can be broken by crafted identifiers containing quotes or semicolons and could lead to parse errors or statement injection.
A minimal, targeted fix is needed to ensure identifiers are safely quoted before being embedded in PRAGMA statements.

Replace direct format!(...) interpolation of raw names in PRAGMA table_info, PRAGMA index_list, and PRAGMA index_info with a safe quoting helper and use quote_identifier(...) when building those statements.
Add a quote_identifier helper that wraps identifiers in double quotes and escapes embedded " by doubling them (SQL-standard identifier quoting).
Add a unit test test_quote_identifier covering normal identifiers and identifiers with embedded quotes.

Added a focused unit test sqlite::tests::test_quote_identifier and attempted to run it with cargo test --lib sqlite::tests::test_quote_identifier.
Test execution in this environment failed due to network access when fetching crates from crates.io (CONNECT tunnel failed, response 403), so automated tests could not be completed here.

fix(sqlite): escape identifiers in PRAGMA queries

7cd038a

rekurt added codex aardvark labels Apr 7, 2026 — with ChatGPT Codex Connector

rekurt merged commit 1a65036 into master Apr 7, 2026

rekurt deleted the feat/fix-sqlite-loader-identifier-injection-vulnerability branch April 7, 2026 21:33

Provide feedback