fix: sanitize SQL strings to prevent injection

2026-04-13 14:21:03 -04:00
parent 8d2762268b
commit ec69aa6f8d
1 changed files with 8 additions and 3 deletions
--- a/src/companion/rag/vector_store.py
+++ b/src/companion/rag/vector_store.py
@@ -93,13 +93,17 @@ class VectorStore:
            "id"
        ).when_matched_update_all().when_not_matched_insert_all().execute(data)

+    def _escape_sql_string(self, value: str) -> str:
+        return value.replace("'", "''")
+
    def delete_by_source_file(self, source_file: str) -> None:
        """Delete all chunks from a source file.

        Args:
            source_file: Path of source file to delete chunks for
        """
-        self.table.delete(f"source_file = '{source_file}'")
+        escaped = self._escape_sql_string(source_file)
+        self.table.delete(f"source_file = '{escaped}'")

    def search(
        self,
@@ -128,7 +132,8 @@ class VectorStore:
            filter_parts = []
            for key, value in filters.items():
                if isinstance(value, str):
-                    filter_parts.append(f"{key} = '{value}'")
+                    escaped = self._escape_sql_string(value)
+                    filter_parts.append(f"{key} = '{escaped}'")
                else:
                    filter_parts.append(f"{key} = {value}")
            if filter_parts:
@@ -140,4 +145,4 @@ class VectorStore:

    def count(self) -> int:
        """Return total number of chunks."""
-        return len(self.table)
+        return self.table.count_rows()