fix: SQL injection vulnerability in Neon cache provider table names#214

Merged: mfeltscher merged 5 commits into next from copilot/sub-pr-211 on Feb 16, 2026
Conversation


Copilot AI commented Feb 15, 2026

Table names were being directly interpolated into SQL queries without sanitization, creating an SQL injection vector if table names come from untrusted sources.

Changes

  • Added quoteIdentifier function to validate and quote PostgreSQL identifiers:

    • Validates against whitelist pattern: [a-zA-Z_$][a-zA-Z0-9_$]*
    • Supports schema-qualified names (schema.table)
    • Quotes using PostgreSQL double-quote syntax with proper escape handling
  • Updated NeonCacheTagsProvider to pre-validate and quote table names in constructor, using quoted names in all SQL queries

Example

Before:

await this.sql.query(`INSERT INTO ${this.table} VALUES ...`);
// Vulnerable if table = "users; DROP TABLE sensitive_data;"

After:

this.quotedTable = quoteIdentifier(table); // Validates and quotes
await this.sql.query(`INSERT INTO ${this.quotedTable} VALUES ...`);
// Rejects invalid names, quotes valid ones: "users" or "schema"."table"
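The validate-then-quote pattern the description outlines, written out as an added example (my code, not the project's quoteIdentifier). It assumes a hypothetical insertStatement builder to show the contrast between identifiers, which cannot be bound as query parameters, and values, which still travel as placeholders:

```javascript
// Added example, not the project's own code: a quoteIdentifier in the
// style the PR describes. Table names cannot be bound as query parameters,
// so the defence is a strict whitelist plus PostgreSQL double-quoting.
const IDENT_PART = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;
const MAX_PARTS = 2; // "table" or "schema.table"

// True when every dot-separated part matches the whitelist pattern.
function isValidIdentifier(name) {
  if (typeof name !== "string" || name.length === 0) return false;
  const parts = name.split(".");
  return parts.length <= MAX_PARTS && parts.every((p) => IDENT_PART.test(p));
}

// Validates, then wraps each part in double quotes. Doubling an embedded
// quote is defence in depth: the whitelist never lets a quote through.
function quoteIdentifier(name) {
  if (!isValidIdentifier(name)) {
    throw new Error(`invalid PostgreSQL identifier: ${JSON.stringify(name)}`);
  }
  return name
    .split(".")
    .map((part) => `"${part.replace(/"/g, '""')}"`)
    .join(".");
}

// Hypothetical statement builder (assumed, not from the PR): the identifier
// is validated and quoted, the values stay bound parameters ($1, $2).
function insertStatement(table) {
  return `INSERT INTO ${quoteIdentifier(table)} (tag, key) VALUES ($1, $2)`;
}

// Constructed inputs: the payload from the PR description is rejected,
// plain and schema-qualified names are quoted.
console.log(quoteIdentifier("users"));      // "users"
console.log(quoteIdentifier("cache.tags")); // "cache"."tags"
console.log(isValidIdentifier("users; DROP TABLE sensitive_data;")); // false
```

One caveat worth knowing: quoted identifiers are case-sensitive in PostgreSQL, so `quoteIdentifier("Users")` names a table called exactly `Users`, not the case-folded `users` that an unquoted `Users` would resolve to.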


Copilot AI and others added 3 commits February 15, 2026 20:07
Co-authored-by: mfeltscher <1352744+mfeltscher@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP Address feedback on pull request #211 for Release v3" to "Fix SQL injection vulnerability in Neon cache provider table names" on Feb 15, 2026
Copilot AI requested a review from mfeltscher on February 15, 2026 20:11
mfeltscher changed the title from "Fix SQL injection vulnerability in Neon cache provider table names" to "fix: SQL injection vulnerability in Neon cache provider table names" on Feb 16, 2026
mfeltscher marked this pull request as ready for review on February 16, 2026 08:15
mfeltscher merged commit 7cfb647 into next on Feb 16, 2026 (1 check passed)
mfeltscher deleted the copilot/sub-pr-211 branch on February 16, 2026 08:15
github-actions commented:

🎉 This PR is included in version 3.0.0-next.11 🎉

The release is available on:

Your semantic-release bot 📦🚀

github-actions commented:

🎉 This PR is included in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
