🛡️ Sentinel: [CRITICAL] Fix SQL injection risk via assertion bypass

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-05-18 - Prevent SQL Injection by Avoiding Assert for Validation
+**Vulnerability:** The `streamrip/db.py` module relied on Python's `assert` statement to validate keyword argument keys against expected columns before unpacking them into SQL queries.
+**Learning:** Python strips `assert` statements entirely when executed with optimizations enabled (`-O`). An attacker could supply malicious keyword argument keys (which bypass Python's strict identifier restrictions) leading to SQL injection in queries dynamically constructed from those keys.
+**Prevention:** Never use `assert` for security-critical validation or control flow logic. Always use explicit `if` statements and raise standard exceptions like `ValueError` to ensure the validation code remains active under all runtime conditions.

streamrip/db.py

@@ -113,9 +113,9 @@ def contains(self, **items) -> bool:
         :rtype: bool
         """
         allowed_keys = set(self.structure.keys())
-        assert all(
-            key in allowed_keys for key in items.keys()
-        ), f"Invalid key. Valid keys: {allowed_keys}"
+        if not all(key in allowed_keys for key in items.keys()):
+            # 🛡️ Sentinel: Prevent SQL injection via kwargs bypassing assert in optimized mode
+            raise ValueError(f"Invalid key. Valid keys: {allowed_keys}")
 
         items = {k: str(v) for k, v in items.items()}
 
@@ -155,6 +155,11 @@ def remove(self, **items):
 
         :param items:
         """
+        allowed_keys = set(self.structure.keys())
+        if not all(key in allowed_keys for key in items.keys()):
+            # 🛡️ Sentinel: Prevent SQL injection via kwargs unpacking
+            raise ValueError(f"Invalid key. Valid keys: {allowed_keys}")
+
         conditions = " AND ".join(f"{key}=?" for key in items.keys())
         command = f"DELETE FROM {self.name} WHERE {conditions}"