Fix SQL injection in cache modules

[codingfrog]

Context

During a security audit of dupeGuru, we identified SQL injection risks in two cache modules that build SQL queries using string formatting instead of parameterized queries.

Vulnerability

1. core/pe/cache_sqlite.py — Picture cache

The get_multiple() and purge_outdated() methods build SQL WHERE ... IN (...) clauses using Python string formatting:

# get_multiple() — rowids come from the database itself
ids = ",".join(map(str, rowids))
sql = f"... where rowid in ({ids})"
self.con.execute(sql)

# purge_outdated() — same pattern with todelete list
sql = "delete from pictures where rowid in (%s)" % ",".join(str(x) for x in todelete)

While the values currently originate from the database (limiting practical exploitability), this pattern is fragile — any future code path that passes untrusted values would become exploitable. Parameterized queries are the correct practice regardless.

2. core/fs.py — File hash cache (FilesDB)

The get() and put() methods use .format(key=key) to insert column names into SQL queries:

cursor = conn.execute(self.select_query.format(key=key), {...})

The key parameter (e.g., "digest", "digest_partial") is used as a column name. Since SQL parameterization (? placeholders) cannot be used for column names, the standard defense is a whitelist of allowed values.

Fix

cache_sqlite.py

Replace string formatting with ? parameterized placeholders:

placeholders = ",".join("?" * len(rowids))
sql = f"... where rowid in ({placeholders})"
self.con.execute(sql, list(rowids))

fs.py

Add a class-level whitelist and validate before use:

VALID_KEYS = {"digest", "digest_partial", "digest_samples"}

def get(self, path, key):
    if key not in self.VALID_KEYS:
        raise ValueError(f"Invalid cache key: {key}")
    # ... existing logic using .format(key=key)

Test plan

• pytest core/tests/cache_test.py core/tests/fs_test.py — 23 tests pass
• No behavioral changes — only query construction is modified

🤖 Generated with Claude Code