Problem
The SQL executor in base-sql-executor/utils.ts uses a regex-based blocklist (3 patterns) after stripping quoted content. This approach has known limitations with SQL dialects supporting alternative quoting, comments, and multi-statement syntax. Execution uses $queryRawUnsafe().
Suggested Improvement
- Replace regex blocklist with parser-based allowlist (you already have node-sql-parser)
- Set statement_timeout on read-only roles
- Restrict available PostgreSQL functions via REVOKE EXECUTE
- Add query complexity limits
Found during source code review of v1.10.0.
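As an added example (not code from this issue or from the project), here is what the first suggestion can look like in the executor's own language: an allowlist evaluated over the AST that node-sql-parser's Parser.astify() returns, with the parser call isolated behind a parse function so the policy logic is testable on its own. The field names the walk relies on ('type', 'with', 'from', 'db', 'table', 'column_ref', 'function', 'aggr_func', 'name', 'value') are taken from node-sql-parser's documented AST shape and are an assumption here; the function and type names (checkReadOnlyAst, validateSql, Policy, EXAMPLE_POLICY) and the sample policy are illustrative, not anything in base-sql-executor/utils.ts.

```typescript
// Added example (not the project's code): parser-based allowlist for a read-only
// SQL executor. Parsing is delegated to node-sql-parser's Parser.astify(); the
// policy runs over the AST it returns. Field names ('type', 'with', 'from', 'db',
// 'table', 'column_ref', 'function', 'aggr_func', 'name', 'value') follow that
// library's published AST shape and are an assumption of this example.
type AstNode = Record<string, unknown>;
export type ParseFn = (sql: string) => unknown;
export interface Verdict { ok: boolean; reason?: string; tables: string[] }
export interface Policy {
  allowedTables: Set<string>;   // lowercase; 'schema.table' outside the default schema
  deniedFunctions: Set<string>; // refused at the app layer; REVOKE EXECUTE is the DB-side twin
  maxTableRefs: number;         // crude complexity cap: base tables + joins + subquery sources
}
export const EXAMPLE_POLICY: Policy = { // constructed for illustration
  allowedTables: new Set(['users', 'orders']),
  deniedFunctions: new Set(['pg_sleep', 'pg_sleep_for', 'pg_sleep_until']),
  maxTableRefs: 4,
};
// Statement node types that must never appear anywhere in the tree, including
// inside a CTE such as WITH x AS (DELETE ... RETURNING *) or a subquery.
const FORBIDDEN_TYPES = new Set([
  'insert', 'replace', 'update', 'delete', 'create', 'drop', 'alter', 'truncate',
  'grant', 'revoke', 'call', 'execute', 'set', 'lock', 'use', 'transaction', 'show',
]);
function isNode(v: unknown): v is AstNode {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}
// Depth-first collection of every object node, parent before children.
function collect(node: unknown, out: AstNode[] = []): AstNode[] {
  if (Array.isArray(node)) { for (const n of node) collect(n, out); return out; }
  if (!isNode(node)) return out;
  out.push(node);
  for (const k of Object.keys(node)) collect(node[k], out);
  return out;
}
// Function names are plain strings in older node-sql-parser releases and
// { name: [{ value }] } objects in newer ones; normalise both to lowercase.
function functionName(node: AstNode): string | undefined {
  const n = node.name;
  if (typeof n === 'string') return n.toLowerCase();
  if (isNode(n) && Array.isArray(n.name)) {
    return n.name.map((p) => (isNode(p) ? String(p.value) : String(p))).join('.').toLowerCase();
  }
  return undefined;
}
// WITH names are statement-local and may appear in FROM without being tables.
function cteNames(stmt: AstNode): Set<string> {
  const out = new Set<string>();
  for (const w of (Array.isArray(stmt.with) ? stmt.with : []) as unknown[]) {
    const n = isNode(w) ? (isNode(w.name) ? w.name.value : w.name) : undefined;
    if (typeof n === 'string') out.add(n.toLowerCase());
  }
  return out;
}
export function checkReadOnlyAst(parsed: unknown, policy: Policy): Verdict {
  const statements: unknown[] = Array.isArray(parsed) ? parsed : [parsed];
  if (statements.length !== 1) {
    return { ok: false, reason: `expected exactly one statement, got ${statements.length}`, tables: [] };
  }
  const stmt = statements[0];
  if (!isNode(stmt) || stmt.type !== 'select') {
    return { ok: false, reason: 'only SELECT statements are allowed', tables: [] };
  }
  const ctes = cteNames(stmt);
  const tables: string[] = [];
  for (const node of collect(stmt)) {
    const t = typeof node.type === 'string' ? node.type.toLowerCase() : '';
    if (FORBIDDEN_TYPES.has(t)) return { ok: false, reason: `nested ${t.toUpperCase()} is not allowed`, tables };
    if (t === 'function' || t === 'aggr_func') {
      const fn = functionName(node);
      if (fn && policy.deniedFunctions.has(fn)) return { ok: false, reason: `function ${fn}() is not allowed`, tables };
    }
    // Source references carry a 'table' key; column_ref nodes carry one too
    // (holding an alias), so they are skipped.
    if (typeof node.table === 'string' && t !== 'column_ref') {
      const name = node.table.toLowerCase();
      const key = typeof node.db === 'string' && node.db ? `${node.db.toLowerCase()}.${name}` : name;
      if (ctes.has(key)) continue;
      if (!policy.allowedTables.has(key)) return { ok: false, reason: `table ${key} is not in the allowlist`, tables };
      tables.push(key);
    }
  }
  if (tables.length > policy.maxTableRefs) {
    return { ok: false, reason: `query references ${tables.length} sources, limit is ${policy.maxTableRefs}`, tables };
  }
  return { ok: true, tables };
}
// Executor entry point: a parse failure is a rejection, never a fall-through to $queryRawUnsafe().
export function validateSql(sql: string, parse: ParseFn, policy: Policy): Verdict {
  let ast: unknown;
  try { ast = parse(sql); } catch (e) {
    return { ok: false, reason: `parse error: ${(e as Error).message}`, tables: [] };
  }
  return checkReadOnlyAst(ast, policy);
}
// Production wiring: import { Parser } from 'node-sql-parser'; const parser = new Parser();
// const parse: ParseFn = (sql) => parser.astify(sql, { database: 'Postgresql' });
// const verdict = validateSql(userSql, parse, EXAMPLE_POLICY); if (!verdict.ok) throw new Error(verdict.reason);
```

The walk is deliberately generic (every object node, parent before children) rather than tied to specific fields, so a data-modifying statement hidden in a CTE or a subquery is caught wherever the parser places it, and a string that the parser cannot parse is refused rather than handed to the database. This check covers only what the executor can see in the query text; a syntactically harmless SELECT can still run for a long time or call a privileged function, which is why the remaining bullets (statement_timeout on the read-only role and REVOKE EXECUTE on the database side) still apply alongside it.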