feat(sql): SQL Injection

2025-11-06 11:16:01 +01:00
parent 1f5f07e624
commit 10110071eb
7 changed files with 206 additions and 26 deletions
--- a/build/truncate.go
+++ b/build/truncate.go
@@ -8,12 +8,19 @@ import (
 )

 func TruncateSQL(s *schema.Table, cascade bool, restartIdentity bool) (string, error) {
-	query := fmt.Sprintf("TRUNCATE TABLE %s", utils.SQLQuoteIdent(s.Name))
-	if cascade {
-		query += " CASCADE"
+	if s == nil {
+		return "", fmt.Errorf("nil table provided")
 	}
+	if s.Name == "" || !utils.IsValidIdentifier(s.Name) {
+		return "", fmt.Errorf("invalid table name: %q", s.Name)
+	}
+
+	query := fmt.Sprintf("TRUNCATE TABLE %s", utils.SQLQuoteIdent(s.Name))
 	if restartIdentity {
 		query += " RESTART IDENTITY"
 	}
+	if cascade {
+		query += " CASCADE"
+	}
 	return query, nil
 }