added sanitization for sql schema

Author: waleedlatif1

apps/sim/app/api/tools/dynamodb/introspect/route.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from 'crypto'
+import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { createLogger } from '@/lib/logs/console/logger'
 import { createRawDynamoDBClient, describeTable, listTables } from '@/app/api/tools/dynamodb/utils'
 
 const logger = createLogger('DynamoDBIntrospectAPI')

apps/sim/app/api/tools/mongodb/introspect/route.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from 'crypto'
+import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { createLogger } from '@/lib/logs/console/logger'
 import { createMongoDBConnection, executeIntrospect } from '../utils'
 
 const logger = createLogger('MongoDBIntrospectAPI')

apps/sim/app/api/tools/mysql/introspect/route.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from 'crypto'
+import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { createLogger } from '@/lib/logs/console/logger'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLIntrospectAPI')

apps/sim/app/api/tools/neo4j/introspect/route.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from 'crypto'
+import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { createLogger } from '@/lib/logs/console/logger'
 import { createNeo4jDriver } from '@/app/api/tools/neo4j/utils'
 import type { Neo4jNodeSchema, Neo4jRelationshipSchema } from '@/tools/neo4j/types'
 

apps/sim/app/api/tools/postgresql/introspect/route.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from 'crypto'
+import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { createLogger } from '@/lib/logs/console/logger'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLIntrospectAPI')

apps/sim/app/api/tools/rds/introspect/route.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from 'crypto'
+import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { createLogger } from '@/lib/logs/console/logger'
 import { createRdsClient, executeIntrospect, type RdsEngine } from '@/app/api/tools/rds/utils'
 
 const logger = createLogger('RDSIntrospectAPI')

apps/sim/lib/core/security/input-validation.ts

@@ -1004,3 +1004,27 @@ export function validateGoogleCalendarId(
 
   return { isValid: true, sanitized: value }
 }
+
+/**
+ * Sanitizes a SQL identifier by escaping single quotes
+ *
+ * This function escapes single quotes by doubling them (PostgreSQL/MySQL standard)
+ * to prevent SQL injection while allowing all valid identifier names.
+ *
+ * @param name - The identifier name to sanitize
+ * @param maxLength - Maximum length allowed (default: 63 for PostgreSQL)
+ * @returns The sanitized identifier
+ * @throws Error if name is empty or exceeds maxLength
+ *
+ * @example
+ * ```typescript
+ * const safeSchema = sanitizeSqlIdentifier(schema)
+ * const query = `SELECT * FROM ${safeSchema}.users`
+ * ```
+ */
+export function sanitizeSqlIdentifier(name: string, maxLength = 63): string {
+  if (!name || name.length > maxLength) {
+    throw new Error(`Invalid identifier: ${name}`)
+  }
+  return name.replace(/'/g, "''")
+}

apps/sim/tools/supabase/introspect.ts

@@ -1,4 +1,5 @@
-import { createLogger } from '@/lib/logs/console/logger'
+import { createLogger } from '@sim/logger'
+import { sanitizeSqlIdentifier } from '@/lib/core/security/input-validation'
 import type {
   SupabaseColumnSchema,
   SupabaseIntrospectParams,
@@ -150,14 +151,16 @@ SELECT json_build_object(
 /**
  * SQL query filtered by specific schema
  */
-const getSchemaFilteredSQL = (schema: string) => `
+const getSchemaFilteredSQL = (schema: string) => {
+  const safeSchema = sanitizeSqlIdentifier(schema)
+  return `
 WITH table_info AS (
   SELECT
     t.table_schema,
     t.table_name
   FROM information_schema.tables t
   WHERE t.table_type = 'BASE TABLE'
-    AND t.table_schema = '${schema}'
+    AND t.table_schema = '${safeSchema}'
 ),
 columns_info AS (
   SELECT
@@ -181,7 +184,7 @@ pk_info AS (
     ON tc.constraint_name = kcu.constraint_name
     AND tc.table_schema = kcu.table_schema
   WHERE tc.constraint_type = 'PRIMARY KEY'
-    AND tc.table_schema = '${schema}'
+    AND tc.table_schema = '${safeSchema}'
 ),
 fk_info AS (
   SELECT
@@ -197,7 +200,7 @@ fk_info AS (
   JOIN information_schema.constraint_column_usage ccu
     ON ccu.constraint_name = tc.constraint_name
   WHERE tc.constraint_type = 'FOREIGN KEY'
-    AND tc.table_schema = '${schema}'
+    AND tc.table_schema = '${safeSchema}'
 ),
 index_info AS (
   SELECT
@@ -207,7 +210,7 @@ index_info AS (
     CASE WHEN indexdef LIKE '%UNIQUE%' THEN true ELSE false END AS is_unique,
     indexdef
   FROM pg_indexes
-  WHERE schemaname = '${schema}'
+  WHERE schemaname = '${safeSchema}'
 )
 SELECT json_build_object(
   'tables', (
@@ -285,6 +288,7 @@ SELECT json_build_object(
   )
 ) AS result;
 `
+}
 
 /**
  * Tool for introspecting Supabase database schema