v1.5.2: escape LIKE wildcards in short id prefix resolution

guo-yu · claude · guo-yu · commit ea950655b23d · 2026-03-20T23:51:36.000+09:00
Follow-up to #6 — the LIKE queries for short id prefix matching did not escape % and _ wildcards in user input, which could cause unexpected matches. Use escLike() in db9 and add ESCAPE clause for sqlite/worker parameterized queries. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "mails",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "description": "Email infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",
diff --git a/src/providers/storage/db9.ts b/src/providers/storage/db9.ts
@@ -229,7 +229,7 @@ export function createDb9Provider(token: string, databaseId: string): StoragePro
       let emails = rowsToEmails(result)
       let email = emails[0] ?? null
       if (!email) {
-        result = await sql(`SELECT ${EMAIL_COLUMNS} FROM emails WHERE id LIKE '${esc(id)}%' ORDER BY received_at DESC LIMIT 2`)
+        result = await sql(`SELECT ${EMAIL_COLUMNS} FROM emails WHERE id LIKE '${escLike(id)}%' ORDER BY received_at DESC LIMIT 2`)
         emails = rowsToEmails(result)
         if (emails.length > 1) {
           throw new Error(`Ambiguous email id: ${id}`)
diff --git a/src/providers/storage/sqlite.ts b/src/providers/storage/sqlite.ts
@@ -149,7 +149,8 @@ export function createSqliteProvider(dbPath?: string): StorageProvider {
     async getEmail(id) {
       let row = db.prepare('SELECT * FROM emails WHERE id = ?').get(id) as Record<string, unknown> | null
       if (!row) {
-        const matches = db.prepare('SELECT * FROM emails WHERE id LIKE ? ORDER BY received_at DESC LIMIT 2').all(`${id}%`) as Record<string, unknown>[]
+        const safeId = id.replace(/%/g, '\\%').replace(/_/g, '\\_')
+        const matches = db.prepare("SELECT * FROM emails WHERE id LIKE ? ESCAPE '\\' ORDER BY received_at DESC LIMIT 2").all(`${safeId}%`) as Record<string, unknown>[]
         if (matches.length > 1) {
           throw new Error(`Ambiguous email id: ${id}`)
         }
diff --git a/worker/src/index.ts b/worker/src/index.ts
@@ -245,7 +245,8 @@ async function handleGetEmail(url: URL, env: Env): Promise<Response> {
   }>()
 
   if (!row) {
-    const matches = await env.DB.prepare('SELECT * FROM emails WHERE id LIKE ? ORDER BY received_at DESC LIMIT 2').bind(`${id}%`).all<{
+    const safeId = id.replace(/%/g, '\\%').replace(/_/g, '\\_')
+    const matches = await env.DB.prepare("SELECT * FROM emails WHERE id LIKE ? ESCAPE '\\' ORDER BY received_at DESC LIMIT 2").bind(`${safeId}%`).all<{
       id: string
       mailbox: string
       from_address: string

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "mails",`
`3`		`- "version": "1.5.1",`
	`3`	`+ "version": "1.5.2",`
`4`	`4`	`"description": "Email infrastructure for AI agents",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"main": "dist/index.js",`