fix sql injection

[betegon]

Summary

Removes a SQL injection vulnerability in the local SQLite layer by replacing string-concatenated SQL with parameterized queries.

The previous pattern interpolated user input straight into the statement text:

db.prepare(`SELECT * FROM users WHERE name LIKE '%${term}%'`).all();

An input like '; DROP TABLE users; -- could alter the query structure. All dynamic values are now bound as ? parameters and identifiers are validated against a strict allow-list.

Changes (5 files)

• src/lib/db/secure-query/query-builder.ts — fluent builder emitting bound ? placeholders; validates table/column identifiers.
• src/lib/db/secure-query/user-repository.ts — data-access layer using bound params for lookup, search, and insert.
• src/lib/db/secure-query/sanitize.ts — escapeLike, stripControlChars, safeIdentifier for values that cannot be bound.
• src/lib/db/secure-query/README.md — documents the vulnerability and the parameterization rules.
• test/lib/db/secure-query.test.ts — regression tests asserting injection payloads are treated as data, not SQL.

Note: opened as a test fixture for the PR risk analyzer.

🤖 Generated with Claude Code

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://cli.sentry.dev/_preview/pr-1134/
Built to branch gh-pages at 2026-06-23 20:20 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f75635d. Configure here.}

[cursor]

Repository uses wrong DB API

High Severity

UserRepository calls this.#db.prepare(...) and is typed against node:sqlite's Database, but every other SQLite access in this repo goes through src/lib/db/sqlite.ts, whose Database wrapper only exposes query, not prepare. Passing getRawDatabase() or getDatabase() here would throw at runtime because prepare is not on that wrapper.

 

^{Reviewed by Cursor Bugbot for commit f75635d. Configure here.}

[cursor]

Prepare drops bound parameters

Medium Severity

QueryBuilder.prepare calls build() to produce SQL with ? placeholders, but only passes build().sql to db.prepare and discards build().params. Any execution through this helper runs an unprepared statement unless the caller separately re-builds and binds parameters, which the method does not expose.

 

^{Reviewed by Cursor Bugbot for commit f75635d. Configure here.}

[github-actions]

Codecov Results 📊

✅ Patch coverage is 96.88%. Project has 5053 uncovered lines.
✅ Project coverage is 81.36%. Comparing base (base) to head (head).

Files with missing lines (1)

File	Patch %	Lines
src/lib/db/secure-query/query-builder.ts	96.30%	⚠️ 1 Missing

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    81.35%    81.36%    +0.01%
==========================================
  Files          392       394        +2
  Lines        27070     27102       +32
  Branches     17566     17578       +12
==========================================
+ Hits         22019     22049       +30
- Misses        5051      5053        +2
- Partials      1832      1833        +1

---

Generated by Codecov Action

[sentry]

Bug: The QueryBuilder.prepare() method discards query parameters, causing prepared statements to execute with NULL for all placeholders and return incorrect results.
_{Severity: HIGH}

Suggested Fix

Update the prepare method in query-builder.ts to pass the parameters to the database. Change db.prepare(this.build().sql) to db.prepare(this.build().sql).bind(...this.build().params) or a similar method that correctly binds the parameters from the build() result.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: src/lib/db/secure-query/query-builder.ts#L76-L78

Potential issue: The `QueryBuilder.prepare()` method builds a SQL string with `?`
placeholders but silently discards the corresponding `params` array. It returns a
`Statement` with no bound parameters. Any caller using this method will execute the
query with `NULL` for every placeholder, which will produce incorrect or empty results
instead of the intended parameterized query. For example, a query like
`QueryBuilder.from("users").where("id", 42).prepare(db).get()` would execute `SELECT *
FROM users WHERE id = ?` with the placeholder incorrectly treated as `NULL`.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[sentry]

Bug: The UserRepository class calls a .prepare() method that does not exist on the project's standard Database wrapper, which will cause a runtime crash.
_{Severity: CRITICAL}

Suggested Fix

Refactor UserRepository to use the available methods on the project's Database wrapper from src/lib/db/sqlite.ts, such as .query(). Alternatively, add a .prepare() method to the project's Database wrapper to align its interface with the raw node:sqlite database object.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: src/lib/db/secure-query/user-repository.ts#L1

Potential issue: The `UserRepository` class imports the `Database` type from
`node:sqlite` and its methods call `this.#db.prepare(...)`. However, the project's
actual `Database` wrapper class, defined in `src/lib/db/sqlite.ts` and used throughout
the application, does not have a `.prepare()` method. If an instance of the project's
`Database` wrapper is passed to `UserRepository`, all of its methods (`findById`,
`searchByName`, `insert`) will throw a `TypeError: this.#db.prepare is not a function`
at runtime.

_{Did we get this right? 👍 / 👎 to inform future reviews.}