Summary
queuefs currently relies on sanitizeTableName(queueName) as the main boundary before interpolating queue table names into SQL statements. On upstream/master, that helper only rewrites /, -, and . before the resulting identifier is used in CREATE TABLE, SELECT, UPDATE, DELETE, and DROP TABLE statements.
Current upstream code
On upstream/master:
agfs-server/pkg/plugins/queuefs/db_backend.go:232 defines sanitizeTableName(queueName string)- it currently rewrites only
/, -, and . and prefixes queuefs_queue_
- the resulting table name is then interpolated directly into SQL statements in the SQL-backed queue backend
Why this needs follow-up
This is fragile as a long-term identifier strategy:
- it depends on partial character replacement rather than a strict identifier policy
- it does not centralize backend-specific identifier quoting/escaping
- different SQL dialects have different rules for unquoted identifiers
- newer SQL backend refactors reuse the same table-name strategy across SQLite, TiDB/MySQL, and PostgreSQL, so the impact surface grows
Even if most queue names are path-like today, using partial sanitization as the safety boundary for SQL identifiers is brittle and should be tightened.
Suggested direction
A follow-up fix should move to one of these stricter approaches:
- define a strict normalized identifier alphabet (for example
[A-Za-z0-9_] after normalization) and reject/transform everything else deterministically
- apply dialect-specific identifier quoting consistently when interpolating table/index identifiers
- ideally do both: normalize first, then quote when building SQL
The goal is to stop treating sanitizeTableName as sufficient identifier hardening by itself.
Summary
queuefscurrently relies onsanitizeTableName(queueName)as the main boundary before interpolating queue table names into SQL statements. Onupstream/master, that helper only rewrites/,-, and.before the resulting identifier is used inCREATE TABLE,SELECT,UPDATE,DELETE, andDROP TABLEstatements.Current upstream code
On
upstream/master:agfs-server/pkg/plugins/queuefs/db_backend.go:232definessanitizeTableName(queueName string)/,-, and.and prefixesqueuefs_queue_Why this needs follow-up
This is fragile as a long-term identifier strategy:
Even if most queue names are path-like today, using partial sanitization as the safety boundary for SQL identifiers is brittle and should be tightened.
Suggested direction
A follow-up fix should move to one of these stricter approaches:
[A-Za-z0-9_]after normalization) and reject/transform everything else deterministicallyThe goal is to stop treating
sanitizeTableNameas sufficient identifier hardening by itself.