Skip to content

sqlite: allow setting defensive flag #60217

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

sqlite: allow setting defensive flag #60217

wants to merge 6 commits into from
+130 −0

Conversation

louwers
Copy link
Contributor

@louwers louwers commented Oct 11, 2025
edited
Loading

Adds support for setting the defensive flag. See SQLITE_DBCONFIG_DEFENSIVE.

This is one of the APIs needed for Defense Against The Dark Arts when dealing with untrusted SQL queries. Another being the sqlite3_limit() interface, which may be a neat future addition.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/sqlite

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Oct 11, 2025
@Renegade334
Copy link
Contributor

IMO it'd be worth considering setting this to enabled by default, either here or in a future semver-major change. >99% of users will have no need to alter engine-level internals.

@louwers
Copy link
Contributor Author

louwers commented Oct 11, 2025

@Renegade334 Good point. I think it makes sense to just set defensive as the default here since the SQLite API is experimental and you almost never want to mess with those indeed.

better-sqlite3 does the same. https://github.com/WiseLibs/better-sqlite3/blob/ea0d8c73615ce2b6133df67da10c7e6452115d73/docs/unsafe.md?plain=1#L5

@louwers
Copy link
Contributor Author

louwers commented Oct 11, 2025

@Renegade334 Enabled it by default.

This PR should have a notable-change label.

@codecov Codecov
Copy link

codecov bot commented Oct 12, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 68.57143% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.55%. Comparing base (f9fcc74) to head (af87669).
⚠️ Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
src/node_sqlite.cc 65.62% 4 Missing and 7 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #60217      +/-   ##
==========================================
- Coverage   88.56%   88.55%   -0.02%     
==========================================
  Files         704      704              
  Lines      208125   208158      +33     
  Branches    40003    40010       +7     
==========================================
- Hits       184332   184329       -3     
- Misses      15809    15858      +49     
+ Partials     7984     7971      -13
Files with missing lines Coverage Δ
src/node_sqlite.h 81.48% <100.00%> (+1.08%) ⬆️
src/node_sqlite.cc 79.94% <65.62%> (-0.21%) ⬇️

... and 43 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@aduh95 aduh95 added the notable-change PRs with changes that should be highlighted in changelogs. label Oct 12, 2025
@github-actions GitHub Actions

This comment was marked as outdated.

Sign in to view
cjihrig
cjihrig reviewed Oct 12, 2025
View reviewed changes
@louwers louwers requested a review from cjihrig October 12, 2025 19:12
@rmgavana1223-commits

This comment was marked as spam.

Sign in to view
@aduh95 aduh95 added semver-minor PRs that contain new features and should be released in the next minor version. and removed notable-change PRs with changes that should be highlighted in changelogs. labels Oct 12, 2025
aduh95
aduh95 reviewed Oct 12, 2025
View reviewed changes
@louwers louwers requested a review from aduh95 October 12, 2025 20:10
@louwers
Copy link
Contributor Author

louwers commented Oct 12, 2025

How do I add a comment for the Notable Changes section?

@aduh95
Copy link
Contributor

aduh95 commented Oct 12, 2025

How do I add a comment for the Notable Changes section?

Wouldn't the notable change be the follow-up PR rather than this one?

@aduh95 aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Oct 12, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 12, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/69701/

@louwers
Copy link
Contributor Author

louwers commented Oct 12, 2025

@aduh95 That works too!

@louwers
Copy link
Contributor Author

louwers commented Oct 13, 2025

Could someone restart CI? Looks like a fluke.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cjihrig cjihrig cjihrig approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@aduh95 aduh95 aduh95 approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. semver-minor PRs that contain new features and should be released in the next minor version.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@louwers @nodejs-github-bot @Renegade334 @rmgavana1223-commits @aduh95 @cjihrig @UlisesGascon