
🛡️ Sentinel: [CRITICAL] Fix SQL injection in db.py kwargs unpacking #66

Draft
davidjuarezdev wants to merge 1 commit into main from sentinel-fix-sql-injection-2931766349854045394

Conversation

@davidjuarezdev (Owner) commented Apr 3, 2026

🚨 Severity: CRITICAL
💡 Vulnerability: The streamrip/db.py module unpacks **items dictionaries to construct dynamic SQL queries for methods like remove and contains. The remove method had no validation, and the contains and add methods used assert statements, which are removed when Python runs with optimization flags (e.g. python -O), making the queries vulnerable to SQL injection through unsanitized keys.
🎯 Impact: Attackers could inject arbitrary SQL commands by passing malicious keys inside kwargs dictionary arguments to database operations.
🔧 Fix: Replaced weak assert statements with explicit if not in checks raising ValueError in contains, add, and remove methods to strictly validate query column keys against the table schema.
✅ Verification: Ran PYTHONPATH=. poetry run pytest tests suite, verified all tests pass, and ensured manual validations correctly execute. Added journal entry to .jules/sentinel.md.


PR created automatically by Jules for task 2931766349854045394 started by @davidjuarezdev

Summary by Sourcery

Harden database operations against unsafe kwargs by enforcing runtime key validation and documenting the resolved SQL injection risk.

Bug Fixes:

  • Replace assertion-based validation in database contains and add operations with explicit runtime checks that raise ValueError for invalid input.
  • Validate column keys in the remove operation against the table schema before constructing dynamic SQL, preventing SQL injection via kwargs.

Documentation:

  • Add a Sentinel security journal entry documenting the SQL injection vulnerability, its cause, and prevention guidance.

Summary by cubic

Fixes a critical SQL injection in streamrip/db.py by validating kwargs keys and replacing asserts with runtime checks. Blocks malicious keys from reaching dynamic SQL, including when Python runs with -O.

  • Bug Fixes
    • Validate kwargs keys in contains and remove against the table schema; raise ValueError on invalid keys.
    • Replace assert with explicit runtime checks in contains and add to enforce valid keys and correct item count.

Written for commit a7d3922. Summary will update on new commits.

@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai Bot commented Apr 3, 2026

Warning

Rate limit exceeded

@davidjuarezdev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 50 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 20 minutes and 50 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5b9aa371-8669-47e9-a565-ac8ea58f1caa

📥 Commits

Reviewing files that changed from the base of the PR and between 6fb4162 and a7d3922.

📒 Files selected for processing (2)
  • .jules/sentinel.md
  • streamrip/db.py

@sourcery-ai Bot commented Apr 3, 2026


Reviewer's Guide

Replaces insecure assert-based validation in the database wrapper with explicit runtime checks and extends key validation to the remove() method to prevent SQL injection via kwargs, and documents the incident in the Sentinel journal.

Sequence diagram for validated database remove operation

sequenceDiagram
    actor Caller
    participant DBTable
    participant SQLiteDB

    Caller->>DBTable: remove(items_kwargs)
    DBTable->>DBTable: allowed_keys = structure.keys()
    DBTable->>DBTable: validate all(item in allowed_keys)
    alt Invalid keys
        DBTable-->>Caller: raise ValueError
    else Valid keys
        DBTable->>DBTable: build conditions: key=? AND ...
        DBTable->>SQLiteDB: execute DELETE FROM name WHERE conditions
        SQLiteDB-->>DBTable: rows_affected
        DBTable-->>Caller: None
    end

Sequence diagram for contains and add with explicit validation

sequenceDiagram
    actor Caller
    participant DBTable
    participant SQLiteDB

    Caller->>DBTable: contains(items_kwargs)
    DBTable->>DBTable: allowed_keys = structure.keys()
    DBTable->>DBTable: validate all(item in allowed_keys)
    alt Invalid contains keys
        DBTable-->>Caller: raise ValueError
    else Valid contains keys
        DBTable->>DBTable: cast values to str
        DBTable->>SQLiteDB: execute SELECT ... WHERE key=? AND ...
        SQLiteDB-->>DBTable: result_exists
        DBTable-->>Caller: bool
    end

    Caller->>DBTable: add(items_tuple)
    DBTable->>DBTable: validate len(items) == len(structure)
    alt Wrong number of items
        DBTable-->>Caller: raise ValueError
    else Correct number of items
        DBTable->>DBTable: params = join(structure.keys())
        DBTable->>DBTable: placeholders = ?, ?, ...
        DBTable->>SQLiteDB: execute INSERT INTO name (params) VALUES(placeholders)
        SQLiteDB-->>DBTable: success
        DBTable-->>Caller: None
    end

File-Level Changes

Change: Harden db API methods against SQL injection by replacing assert-based validation with explicit runtime checks and adding missing key validation, plus adding a Sentinel security journal entry.

Details:
  • In contains(), replace assert-based validation of kwargs keys with an explicit allowed-keys check that raises ValueError on invalid keys before building the WHERE clause.
  • In add(), replace the length assert with an explicit length comparison that raises ValueError when the number of provided items does not match the table schema.
  • In remove(), introduce an allowed-keys set check and raise ValueError when kwargs contain invalid column names before constructing the dynamic DELETE query.
  • Add a .jules/sentinel.md entry documenting the SQL injection vulnerability, the root cause (unsafe **kwargs and asserts), and prevention guidance.

Files: streamrip/db.py, .jules/sentinel.md

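The kwargs-unpacking pattern described in the PR body and again in Sourcery's file-level changes and sequence diagrams, shown as an added example that is not streamrip's own code: a hypothetical table wrapper in its vulnerable "before" shape next to the hardened "after" shape, run against an in-memory SQLite database with constructed rows. The table name, the column schema, and the `1=1 OR id` key are assumptions for illustration. Values are bound through `?` placeholders in both versions; the point is that column names cannot be parameterised, so an unvalidated key becomes SQL text.

```python
"""Added example (not streamrip's code): kwargs keys spliced into SQL,
vulnerable and hardened, against an in-memory SQLite database."""
import sqlite3

# Hypothetical schema in the shape the PR describes: column name -> SQL type.
STRUCTURE = {"id": "text", "url": "text"}
TABLE = "downloads"


def make_db():
    """Fresh in-memory database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{k} {v}" for k, v in STRUCTURE.items())
    conn.execute(f"CREATE TABLE {TABLE} ({cols})")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?)",
        [("track-1", "https://example.invalid/1"),
         ("track-2", "https://example.invalid/2")],
    )
    return conn


def count_rows(conn):
    return conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]


class VulnerableTable:
    """'Before' shape: the WHERE clause is built from raw kwargs keys."""

    def __init__(self, conn):
        self.conn = conn

    def remove(self, **items):
        # No validation at all: every key is trusted as a column name.
        conditions = " AND ".join(f"{key}=?" for key in items)
        self.conn.execute(f"DELETE FROM {TABLE} WHERE {conditions}",
                          tuple(items.values()))
        self.conn.commit()

    def contains(self, **items):
        # An assert is not a security control: `python -O` deletes it.
        assert all(key in STRUCTURE for key in items), "invalid key"
        conditions = " AND ".join(f"{key}=?" for key in items)
        row = self.conn.execute(
            f"SELECT EXISTS(SELECT 1 FROM {TABLE} WHERE {conditions})",
            tuple(str(v) for v in items.values()),
        ).fetchone()
        return bool(row[0])


class HardenedTable(VulnerableTable):
    """'After' shape: keys are checked against the schema with an explicit
    ValueError before any SQL text is assembled, whatever the interpreter flags."""

    @staticmethod
    def _check_keys(items):
        bad = [key for key in items if key not in STRUCTURE]
        if bad:
            raise ValueError(f"invalid column keys: {bad!r}")

    def remove(self, **items):
        self._check_keys(items)
        super().remove(**items)

    def contains(self, **items):
        self._check_keys(items)
        return super().contains(**items)

    def add(self, *items):
        if len(items) != len(STRUCTURE):
            raise ValueError(f"expected {len(STRUCTURE)} values, got {len(items)}")
        params = ", ".join(STRUCTURE)           # column names from the schema
        placeholders = ", ".join("?" for _ in items)
        self.conn.execute(f"INSERT INTO {TABLE} ({params}) VALUES ({placeholders})",
                          items)
        self.conn.commit()


# Valid as a **kwargs key, but it is SQL, not a column name (assumed payload):
# "DELETE ... WHERE id=?" becomes "DELETE ... WHERE 1=1 OR id=?".
MALICIOUS_KEY = "1=1 OR id"


def demo_vulnerable():
    """Rows left after the injected remove(): 0, the whole table is gone."""
    conn = make_db()
    VulnerableTable(conn).remove(**{MALICIOUS_KEY: "no-such-track"})
    return count_rows(conn)


def demo_hardened():
    """(rows left, exception name): refused before SQL is built, rows survive."""
    conn = make_db()
    try:
        HardenedTable(conn).remove(**{MALICIOUS_KEY: "no-such-track"})
        err = None
    except ValueError as exc:
        err = type(exc).__name__
    return count_rows(conn), err


def demo_assert_stripped():
    """Exception name under a normal run; under `python -O` the assert is gone
    and the injected SELECT runs, so this returns True instead."""
    try:
        return VulnerableTable(make_db()).contains(**{MALICIOUS_KEY: "x"})
    except AssertionError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("vulnerable remove:", demo_vulnerable())
    print("hardened remove:", demo_hardened())
    print("vulnerable contains:", demo_assert_stripped())
```

Run it once with `python` and once with `python -O`: the hardened result is the same both times, while the assert-guarded `contains()` goes from raising to silently executing the attacker's clause.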

@cubic-dev-ai Bot left a comment

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
