ECOPROJECT-4724 | fix: Escape SQL string fields in query builder to prevent second-order SQL injection

[AvielSegev]

Cluster names from user-uploaded RVTools spreadsheets were interpolated
unescaped into ~27 DuckDB query templates via text/template, allowing
single-quote breakout and arbitrary SQL execution (e.g. read_text() for
file exfiltration). Apply escapeSQLString() to all user-controlled
queryParams fields (ClusterFilter, OSFilter, PowerStateFilter, VmIDFilter,
Category) before template execution.

[coderabbitai]

Warning

Review limit reached

@AvielSegev, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 15 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 28c828e0-b586-47bf-a9a6-effc660c530e

📥 Commits

Reviewing files that changed from the base of the PR and between db4c785 and b2c241c.

📒 Files selected for processing (1)

• pkg/duckdb_parser/builder.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tupyy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [tupyy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment