🛡️ Sentinel: [HIGH] Fix authorization bypass in database row mutation APIs

[Dexploarer]

🚨 Severity: HIGH
💡 Vulnerability: Authorization bypass in database API. The PUT and DELETE endpoints for modifying database rows did not verify that the target table was a legitimate user-facing base table using the assertTableExists check.
🎯 Impact: An attacker could potentially modify or delete rows in arbitrary tables, including internal system tables, by manually crafting a request to /api/database/tables/:table/rows with an unauthorized or internal table name.
🔧 Fix: Added await assertTableExists(runtime, tableName) to handleUpdateRow and handleDeleteRow, returning a 404 error if the table is invalid, mirroring the behavior of handleInsertRow and handleGetRows.
✅ Verification: Local tests pass. Ran bun run test src/api/database.security.test.ts test/database-api.e2e.test.ts to ensure core API flow and security tests remain green.

---

PR created automatically by Jules for task 2888632438088747809 started by @Dexploarer

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5e30fcdd-fd23-4755-90f2-b77cf9aaff19

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-database-auth-bypass-2888632438088747809

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codereviewbot-ai]

Security: Risk of SQL Injection in Update Handler

The code constructs SQL SET and WHERE clauses for the UPDATE statement by directly interpolating user-supplied data using custom helpers (sqlAssign, sqlPredicate). Unless these helpers are proven to be robust against all forms of SQL injection, this approach is highly risky. Attackers could potentially craft input that bypasses escaping and executes arbitrary SQL.

Recommendation:
Use parameterized queries provided by your database library or ORM instead of manual string interpolation. For example, with Drizzle or pg, use placeholders and pass values as parameters to ensure safe query execution.

Example (conceptual):

await db.execute('UPDATE table SET col1 = $1 WHERE col2 = $2', [val1, val2]);

[codereviewbot-ai]

Security: Risk of SQL Injection in Delete Handler

The construction of the WHERE clause for the DELETE statement uses direct mapping of user input via sqlPredicate, which may not be sufficient to prevent SQL injection. This is a critical security vulnerability if the helper does not fully sanitize all possible input cases.

Recommendation:
Switch to parameterized queries for all user-supplied data in SQL statements. Avoid manual string construction for SQL commands. Use the parameterization features of your database adapter to ensure all values are safely escaped and injected.

[gemini-code-assist]

Code Review

This pull request addresses an authorization bypass vulnerability by implementing table existence checks in the update and delete row endpoints, ensuring that operations are restricted to valid user tables. It also adds a corresponding entry to the sentinel log documenting the vulnerability and its prevention. The review feedback suggests optimizing these handlers by moving the existence checks before the request body parsing to follow a fail-fast pattern and improve resource efficiency.

[gemini-code-assist]

While adding the assertTableExists check correctly addresses the authorization bypass, its placement after readJsonBody is less than optimal. Moving this check to the very beginning of the function (before parsing the request body) would follow the 'fail-fast' principle, avoiding unnecessary resource consumption (CPU/memory for JSON parsing) when the target table does not exist. This would also align with the implementation in handleGetRows.

[gemini-code-assist]

Similar to handleUpdateRow, the assertTableExists check should ideally be performed at the start of the function, before readJsonBody. This prevents the server from processing potentially large or malformed request bodies for non-existent or unauthorized tables, improving efficiency and DoS resilience.