Sentinel: Fix SQL injection bypass in read-only query validation

[Dexploarer]

🛡️ Sentinel: Fix SQL injection bypass in read-only query validation

🚨 Severity: HIGH
💡 Vulnerability: SQL injection bypass in read-only query validation. The previous implementation stripped comments by replacing them with empty strings, allowing attackers to split keywords (e.g., DELETE/**/FROM -> DELETEFROM) which bypassed the keyword blocklist while still being valid SQL.
🎯 Impact: An attacker with read-only database access could execute mutation commands (DELETE, DROP, INSERT, etc.) by obfuscating the query.
🔧 Fix: Changed comment stripping logic to replace comments with spaces, ensuring keywords remain separated and detectable. Extracted validation logic into a reusable validateReadOnlyQuery function.
✅ Verification: Added a new test suite that verifies the validator blocks obfuscated attacks (block comments, line comments, casing, CTEs) while allowing valid read-only queries.

---

PR created automatically by Jules for task 17574086292071621154 started by @Dexploarer

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/fix-sql-injection-bypass-17574086292071621154

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security of read-only SQL query validation by patching a critical SQL injection vulnerability. The changes prevent malicious users from executing mutation commands by cleverly obfuscating their queries with comments. By refining the comment stripping mechanism and consolidating the validation rules into a dedicated function, the system is now more robust against various forms of SQL attacks, ensuring that read-only database access remains strictly read-only.

Highlights

• SQL Injection Fix: Addressed a high-severity SQL injection bypass vulnerability in read-only query validation by changing how comments are stripped. Previously, comments were replaced with empty strings, allowing attackers to concatenate keywords (e.g., DELETE/**/FROM -> DELETEFROM) and bypass the blocklist. Now, comments are replaced with spaces, ensuring keywords remain separated and detectable.
• Refactored Validation Logic: Extracted the complex read-only query validation logic into a new, reusable function named validateReadOnlyQuery. This centralizes the security checks and improves maintainability.
• Enhanced Security Checks: The new validation function includes comprehensive lists of mutation keywords (DML, DDL, admin, maintenance, procedural, async notifications, prepared statements, locking) and dangerous PostgreSQL built-in functions (file I/O, state mutation, denial of service, session control, advisory locks) to prevent a wider range of malicious operations.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/api/database.ts
  • Introduced validateReadOnlyQuery function to centralize and improve read-only SQL query validation.
  • Updated comment stripping logic within the validator to replace comments with spaces instead of empty strings, preventing SQL injection bypasses.
  • Expanded the lists of mutation keywords and dangerous PostgreSQL functions checked during validation.
  • Refactored handleQuery to utilize the new validateReadOnlyQuery function, removing duplicated validation logic.

Activity

• PR created automatically by Jules for task 17574086292071621154 started by @Dexploarer.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codereviewbot-ai]

Security: Read-Only Query Validation is Not a Full SQL Parser

The validateReadOnlyQuery function (lines 462-626) attempts to block mutation queries and dangerous functions by stripping comments and string literals, then searching for keywords. However, this approach is not as robust as a true SQL parser and can be bypassed by sufficiently obfuscated queries (e.g., using Unicode homoglyphs, unusual whitespace, or creative CTEs). The code comments acknowledge this limitation, but the risk remains significant if the API is exposed to untrusted users.

Recommendation:

• Consider using a proper SQL parser or a third-party library designed for query analysis to enforce read-only constraints more reliably.
• If this is not feasible, ensure that the API is only accessible to trusted users, and document the limitations clearly in the API documentation.

[codereviewbot-ai]

Security: Reliance on validateReadOnlyQuery for Mutation Protection

In the query handler (lines 1238-1247), the code relies on validateReadOnlyQuery to prevent mutation queries when readOnly is not explicitly set to false. As noted above, this validator is not a full SQL parser and can be bypassed by sophisticated attackers. If the API is exposed to untrusted clients, this could allow unauthorized data modification.

Recommendation:

• Treat the read-only mode as a best-effort safeguard, not a guarantee. For high-security environments, restrict access to this endpoint or use a more robust query analysis tool.

[gemini-code-assist]

Code Review

This pull request effectively addresses a critical SQL injection vulnerability by modifying how comments are stripped from queries. Replacing comments with spaces instead of empty strings correctly prevents keyword concatenation attacks. The extraction of the validation logic into a reusable validateReadOnlyQuery function is an excellent improvement for code clarity and maintainability. The lists of mutation keywords and dangerous functions are comprehensive. Overall, this is a solid security fix and refactoring. I have one minor suggestion to improve efficiency.

[gemini-code-assist]

You can make this code more efficient and readable by using a capturing group in the dangerousFnPattern regex to extract the function name directly, instead of running a second regex match. This avoids the need for fnMatch[0].match(...).

  const dangerousFnPattern = new RegExp(
    `(?:^|[^\\w$])"?(${dangerousFunctions.join("|")})"?\\s*\\(`,
    "i",
  );
  const fnMatch = dangerousFnPattern.exec(noLiterals);
  if (fnMatch) {
    const fnName = fnMatch[1].toUpperCase();
    return `Query rejected: "${fnName}" is a dangerous function that can modify server state. Set readOnly: false to execute this query.`;
  }