Circuit-Forge/circuitforge-core
3
0
Fork 0
Code Issues 6 Pull requests Projects Releases 5 Packages Wiki Activity Actions

Harden SQLCipher PRAGMA key against SQL injection #45

New issue
Open
opened 2026-04-10 17:20:14 -07:00 by pyr0ball · 0 comments
pyr0ball commented 2026-04-10 17:20:14 -07:00
Owner
Copy link

Bug

circuitforge_core/db/base.py line 26 uses raw string interpolation to set the SQLCipher database key:

conn.execute(f"PRAGMA key='{key}'")

If key contains a single quote or other SQL metacharacters, this is a SQL injection vector. All products that pass a per-user key to get_connection() in cloud mode are affected (Peregrine, Kiwi, Snipe).

Fix

SQLCipher 4.x supports parameterized PRAGMA:

# Option A: parameterized (SQLCipher 4+)
conn.execute("PRAGMA key=?", (key,))

# Option B: hex-encoded raw key (works on all SQLCipher versions)
# Only applicable when key is bytes, not a passphrase
if isinstance(key, bytes):
    conn.execute(f"PRAGMA key=\"x'{key.hex()}'\"")
else:
    conn.execute("PRAGMA key=?", (key,))

Confirm which SQLCipher version is pinned in requirements before choosing the approach. Add a test with a key containing ' to regression-cover this.

Affected files

  • circuitforge_core/db/base.py line 26

Priority

Fix before any product ships cloud user data encryption. Low exploitability in current deployments (key comes from env, not user input) but the pattern is unsafe as the codebase grows.

Labels

security, bug

## Bug `circuitforge_core/db/base.py` line 26 uses raw string interpolation to set the SQLCipher database key: ```python conn.execute(f"PRAGMA key='{key}'") ``` If `key` contains a single quote or other SQL metacharacters, this is a SQL injection vector. All products that pass a per-user key to `get_connection()` in cloud mode are affected (Peregrine, Kiwi, Snipe). ## Fix SQLCipher 4.x supports parameterized PRAGMA: ```python # Option A: parameterized (SQLCipher 4+) conn.execute("PRAGMA key=?", (key,)) # Option B: hex-encoded raw key (works on all SQLCipher versions) # Only applicable when key is bytes, not a passphrase if isinstance(key, bytes): conn.execute(f"PRAGMA key=\"x'{key.hex()}'\"") else: conn.execute("PRAGMA key=?", (key,)) ``` Confirm which SQLCipher version is pinned in requirements before choosing the approach. Add a test with a key containing `'` to regression-cover this. ## Affected files - `circuitforge_core/db/base.py` line 26 ## Priority Fix before any product ships cloud user data encryption. Low exploitability in current deployments (key comes from env, not user input) but the pattern is unsafe as the codebase grows. ## Labels `security`, `bug`
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feature/api-exports
feature/license-validation
feature/affiliates-module
feature/docker-ci
feature/manage-py
feature/agent-watchdog
feature/hardware-docuvision
feature/orch-llm-server
feature/orch-auto-lifecycle
feature/orch-dashboard
feature/shared-task-scheduler
feature/cforch-core-orchestration
v0.10.0
v0.9.0
v0.5.0
v0.4.0
v0.3.0
v0.2.0
Labels
Clear labels   
architecture

   
backlog

   
enhancement

   
module:documents

   
module:hardware

   
module:manage

   
module:pipeline

   
module:voice

cf_voice module

  
priority:backlog

   
priority:high

   
priority:medium
No labels
architecture
backlog
enhancement
module:documents
module:hardware
module:manage
module:pipeline
module:voice
priority:backlog
priority:high
priority:medium
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Circuit-Forge/circuitforge-core#45
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?