fix(ducklake): validate TableKey and where clause before dynamic SQL

Centralize allowlist validation for proto_type/sub_type (GetTableSchemas),
strict where parsing with column allowlist, and limit clamping. Apply on
MultiTableReader and HTTP handlers; return 400 on client input errors.

Addresses CodeQL alert #29 (SQL built from user-controlled sources).

Author: adubovikov

src/storage/ducklake/README.md

@@ -275,8 +275,20 @@ Response:
 
 ### List Snapshots (per proto_type)
 
+Allowed `proto_type` / `sub_type` pairs match the canonical DuckLake schemas (see `GetTableSchemas()` in `tables.go`):
+
+| proto_type | sub_type | Table |
+|------------|----------|-------|
+| 1 (SIP) | `call` (default), `registration`, `default` | SIP call / registration / other |
+| 5 | _(empty)_ | RTCP JSON |
+| 34, 35 | _(empty)_ | RTCP / RTP |
+| 53 | _(empty)_ | DNS |
+| 100 | _(empty)_ | LOG |
+
+Invalid keys return **HTTP 400**. `limit` is clamped to 1000.
+
 ```bash
-GET /api/v1/ducklake/snapshots?proto_type=1&limit=10
+GET /api/v1/ducklake/snapshots?proto_type=1&sub_type=call&limit=10
 ```
 
 Response:
@@ -300,6 +312,12 @@ Response:
 
 ### Query
 
+The `where` field is **not** arbitrary SQL. It must be a simple expression built from allowed columns for the target table(s):
+
+- Predicates: `column = 'value'`, comparisons with integers, `column IS NULL`, combined with `AND` / `OR`
+- Column names must exist on the schema (e.g. `session_id`, `src_ip`, `timestamp`)
+- Max length 512; blocklisted tokens (`;`, `--`, `UNION`, `SELECT`, etc.) return **HTTP 400**
+
 Query specific proto_type:
 
 ```bash
@@ -308,6 +326,7 @@ Content-Type: application/json
 
 {
   "proto_type": 1,
+  "sub_type": "call",
   "where": "session_id = 'abc123@host'",
   "limit": 100
 }

src/storage/ducklake/api.go

@@ -14,6 +14,18 @@ import (
 	"time"
 )
 
+func writeDuckLakeHandlerError(w http.ResponseWriter, err error, serverMsg string) {
+	if err == nil {
+		http.Error(w, serverMsg, http.StatusInternalServerError)
+		return
+	}
+	if IsClientInputError(err) {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	http.Error(w, serverMsg, http.StatusInternalServerError)
+}
+
 // API provides HTTP API for DuckLake operations (legacy single-table)
 type API struct {
 	reader *Reader
@@ -148,12 +160,13 @@ func (a *API) HandleSnapshots(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	limit := 100
+	limit := DefaultQueryLimit
 	if limitStr := r.URL.Query().Get("limit"); limitStr != "" {
-		if l, err := strconv.Atoi(limitStr); err == nil && l > 0 {
+		if l, err := strconv.Atoi(limitStr); err == nil {
 			limit = l
 		}
 	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 
 	snapshots, err := a.reader.ListSnapshots(limit)
 	if err != nil {
@@ -194,9 +207,7 @@ func (a *API) HandleQuery(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if req.Limit <= 0 || req.Limit > 1000 {
-		req.Limit = 100
-	}
+	req.Limit = ClampLimit(req.Limit, DefaultQueryLimit, MaxQueryLimit)
 
 	var records []HEPRecord
 	var err error
@@ -218,7 +229,7 @@ func (a *API) HandleQuery(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err != nil {
-		http.Error(w, "Query failed: "+err.Error(), http.StatusInternalServerError)
+		writeDuckLakeHandlerError(w, err, "Query failed")
 		return
 	}
 
@@ -382,28 +393,32 @@ func (a *MultiTableAPI) HandleSnapshots(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	// Build TableKey from query params
-	key := TableKey{ProtoType: 1, SubType: SIPTypeCall} // Default to SIP calls
-
+	protoType := uint32(ProtoTypeSIP)
 	if ptStr := r.URL.Query().Get("proto_type"); ptStr != "" {
-		if pt, err := strconv.ParseUint(ptStr, 10, 32); err == nil {
-			key.ProtoType = uint32(pt)
+		pt, err := strconv.ParseUint(ptStr, 10, 32)
+		if err != nil {
+			http.Error(w, "invalid proto_type", http.StatusBadRequest)
+			return
 		}
+		protoType = uint32(pt)
 	}
-	if subType := r.URL.Query().Get("sub_type"); subType != "" {
-		key.SubType = subType
+	key, err := ParseTableKey(protoType, r.URL.Query().Get("sub_type"))
+	if err != nil {
+		writeDuckLakeHandlerError(w, err, "invalid table key")
+		return
 	}
 
-	limit := 100
+	limit := DefaultQueryLimit
 	if limitStr := r.URL.Query().Get("limit"); limitStr != "" {
-		if l, err := strconv.Atoi(limitStr); err == nil && l > 0 {
+		if l, err := strconv.Atoi(limitStr); err == nil {
 			limit = l
 		}
 	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 
 	snapshots, err := a.reader.ListSnapshots(key, limit)
 	if err != nil {
-		http.Error(w, "Failed to list snapshots", http.StatusInternalServerError)
+		writeDuckLakeHandlerError(w, err, "Failed to list snapshots")
 		return
 	}
 
@@ -442,24 +457,24 @@ func (a *MultiTableAPI) HandleQuery(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if req.Limit <= 0 || req.Limit > 1000 {
-		req.Limit = 100
-	}
+	req.Limit = ClampLimit(req.Limit, DefaultQueryLimit, MaxQueryLimit)
 
 	var records []map[string]interface{}
 	var err error
 
 	if req.ProtoType != nil {
-		// Query specific table by TableKey
-		key := TableKey{ProtoType: *req.ProtoType, SubType: req.SubType}
+		key, keyErr := ParseTableKey(*req.ProtoType, req.SubType)
+		if keyErr != nil {
+			writeDuckLakeHandlerError(w, keyErr, "invalid table key")
+			return
+		}
 		records, err = a.reader.Query(key, req.Where, req.Limit)
 	} else {
-		// Query all tables
 		records, err = a.reader.QueryAll(req.Where, req.Limit)
 	}
 
 	if err != nil {
-		http.Error(w, "Query failed: "+err.Error(), http.StatusInternalServerError)
+		writeDuckLakeHandlerError(w, err, "Query failed")
 		return
 	}
 

src/storage/ducklake/timetravel.go

@@ -31,6 +31,10 @@ func NewReader(w *Writer) *Reader {
 
 // Query executes a query on current data
 func (r *Reader) Query(whereClause string, limit int) ([]HEPRecord, error) {
+	if err := ValidateWhereClause(whereClause, AllQueryColumns()); err != nil {
+		return nil, err
+	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 	query := fmt.Sprintf("SELECT * FROM %s", r.tableFQN)
 	if whereClause != "" {
 		query += " WHERE " + whereClause
@@ -45,6 +49,10 @@ func (r *Reader) Query(whereClause string, limit int) ([]HEPRecord, error) {
 
 // QueryAtSnapshot queries data at a specific snapshot
 func (r *Reader) QueryAtSnapshot(snapshotID int64, whereClause string, limit int) ([]HEPRecord, error) {
+	if err := ValidateWhereClause(whereClause, AllQueryColumns()); err != nil {
+		return nil, err
+	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 	// DuckLake syntax: SELECT * FROM table AT SNAPSHOT snapshot_id
 	query := fmt.Sprintf("SELECT * FROM %s AT SNAPSHOT %d", r.tableFQN, snapshotID)
 	if whereClause != "" {
@@ -60,6 +68,10 @@ func (r *Reader) QueryAtSnapshot(snapshotID int64, whereClause string, limit int
 
 // QueryAtTime queries data as it was at a specific timestamp
 func (r *Reader) QueryAtTime(asOf time.Time, whereClause string, limit int) ([]HEPRecord, error) {
+	if err := ValidateWhereClause(whereClause, AllQueryColumns()); err != nil {
+		return nil, err
+	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 	// DuckLake syntax: SELECT * FROM table AT TIMESTAMP 'timestamp'
 	timestamp := asOf.Format("2006-01-02 15:04:05")
 	query := fmt.Sprintf("SELECT * FROM %s AT TIMESTAMP '%s'", r.tableFQN, timestamp)
@@ -108,9 +120,7 @@ func (r *Reader) executeQuery(query string) ([]HEPRecord, error) {
 
 // ListSnapshots returns all available snapshots
 func (r *Reader) ListSnapshots(limit int) ([]Snapshot, error) {
-	if limit <= 0 {
-		limit = 100
-	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 
 	// DuckLake provides snapshot info via system function
 	query := fmt.Sprintf(`
@@ -259,16 +269,20 @@ func NewMultiTableReader(w *MultiTableWriter) *MultiTableReader {
 
 // allTablesForKey returns the DuckLake table and, when search_buffer is enabled,
 // both in-memory buffer tables for a key.
-func (r *MultiTableReader) allTablesForKey(key TableKey) []string {
-	tables := []string{r.writer.GetTableFQN(key)}
+func (r *MultiTableReader) allTablesForKey(key TableKey) ([]string, error) {
+	fqn, err := ResolveTableFQN(r.writer, key)
+	if err != nil {
+		return nil, err
+	}
+	tables := []string{fqn}
 	if r.searchBuffer {
 		if tw := r.writer.GetTable(key); tw != nil {
 			for _, mem := range tw.MemTableNames() {
 				tables = append(tables, mem)
 			}
 		}
 	}
-	return tables
+	return tables, nil
 }
 
 // GetTimeRange returns min/max timestamps across all tables including buffers
@@ -279,7 +293,11 @@ func (r *MultiTableReader) GetTimeRange() (minTs, maxTs int64, err error) {
 	}
 
 	for _, key := range keys {
-		for _, tbl := range r.allTablesForKey(key) {
+		tbls, tblErr := r.allTablesForKey(key)
+		if tblErr != nil {
+			continue
+		}
+		for _, tbl := range tbls {
 			query := fmt.Sprintf("SELECT MIN(timestamp), MAX(timestamp) FROM %s", tbl)
 			var minNull, maxNull sql.NullInt64
 			if err := r.db.QueryRow(query).Scan(&minNull, &maxNull); err != nil {
@@ -299,7 +317,14 @@ func (r *MultiTableReader) GetTimeRange() (minTs, maxTs int64, err error) {
 
 // GetTimeRangeForTableKey returns time range for specific TableKey including buffers
 func (r *MultiTableReader) GetTimeRangeForTableKey(key TableKey) (minTs, maxTs int64, err error) {
-	for _, tbl := range r.allTablesForKey(key) {
+	if err := ValidateTableKey(key); err != nil {
+		return 0, 0, err
+	}
+	tbls, err := r.allTablesForKey(key)
+	if err != nil {
+		return 0, 0, err
+	}
+	for _, tbl := range tbls {
 		query := fmt.Sprintf("SELECT MIN(timestamp), MAX(timestamp) FROM %s", tbl)
 		var minNull, maxNull sql.NullInt64
 		if err := r.db.QueryRow(query).Scan(&minNull, &maxNull); err != nil {
@@ -338,7 +363,11 @@ func (r *MultiTableReader) GetRowCount() (int64, error) {
 	var total int64
 
 	for _, key := range keys {
-		for _, tbl := range r.allTablesForKey(key) {
+		tbls, tblErr := r.allTablesForKey(key)
+		if tblErr != nil {
+			continue
+		}
+		for _, tbl := range tbls {
 			var count int64
 			query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tbl)
 			if err := r.db.QueryRow(query).Scan(&count); err != nil {
@@ -353,8 +382,15 @@ func (r *MultiTableReader) GetRowCount() (int64, error) {
 
 // GetRowCountForTableKey returns row count for specific TableKey including buffers
 func (r *MultiTableReader) GetRowCountForTableKey(key TableKey) (int64, error) {
+	if err := ValidateTableKey(key); err != nil {
+		return 0, err
+	}
+	tbls, err := r.allTablesForKey(key)
+	if err != nil {
+		return 0, err
+	}
 	var total int64
-	for _, tbl := range r.allTablesForKey(key) {
+	for _, tbl := range tbls {
 		var count int64
 		query := fmt.Sprintf("SELECT COUNT(*) FROM %s", tbl)
 		if err := r.db.QueryRow(query).Scan(&count); err != nil {
@@ -369,8 +405,12 @@ func (r *MultiTableReader) GetRowCountForTableKey(key TableKey) (int64, error) {
 // is enabled, it builds a UNION ALL across the DuckLake persistent table and
 // both in-memory buffer tables so queries see the freshest data even before
 // flush. When search_buffer is disabled, it queries only the DuckLake table.
-func (r *MultiTableReader) buildUnionQuery(key TableKey, whereClause string, limit int) string {
-	tables := r.allTablesForKey(key)
+func (r *MultiTableReader) buildUnionQuery(key TableKey, whereClause string, limit int) (string, error) {
+	tables, err := r.allTablesForKey(key)
+	if err != nil {
+		return "", err
+	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 
 	if len(tables) == 1 {
 		query := fmt.Sprintf("SELECT * FROM %s", tables[0])
@@ -381,7 +421,7 @@ func (r *MultiTableReader) buildUnionQuery(key TableKey, whereClause string, lim
 		if limit > 0 {
 			query += fmt.Sprintf(" LIMIT %d", limit)
 		}
-		return query
+		return query, nil
 	}
 
 	var parts []string
@@ -398,28 +438,51 @@ func (r *MultiTableReader) buildUnionQuery(key TableKey, whereClause string, lim
 	if limit > 0 {
 		query += fmt.Sprintf(" LIMIT %d", limit)
 	}
-	return query
+	return query, nil
 }
 
 // Query executes a query on specific table by TableKey.
 // Includes data from both in-memory buffers via UNION ALL so that
 // un-flushed records are visible to search.
 func (r *MultiTableReader) Query(key TableKey, whereClause string, limit int) ([]map[string]interface{}, error) {
-	query := r.buildUnionQuery(key, whereClause, limit)
+	if err := ValidateTableKey(key); err != nil {
+		return nil, err
+	}
+	cols, err := ColumnsForTableKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if err := ValidateWhereClause(whereClause, cols); err != nil {
+		return nil, err
+	}
+	query, err := r.buildUnionQuery(key, whereClause, limit)
+	if err != nil {
+		return nil, err
+	}
 	return r.executeQueryGeneric(query)
 }
 
 // QueryAll executes a query across all tables.
 // Includes data from both in-memory buffers via UNION ALL.
 func (r *MultiTableReader) QueryAll(whereClause string, limit int) ([]map[string]interface{}, error) {
+	if err := ValidateWhereClause(whereClause, AllQueryColumns()); err != nil {
+		return nil, err
+	}
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
 	keys := r.writer.ListTableKeys()
 	if len(keys) == 0 {
 		return nil, nil
 	}
 
 	var allResults []map[string]interface{}
 	for _, key := range keys {
-		query := r.buildUnionQuery(key, whereClause, limit)
+		if err := ValidateTableKey(key); err != nil {
+			continue
+		}
+		query, err := r.buildUnionQuery(key, whereClause, limit)
+		if err != nil {
+			continue
+		}
 		results, err := r.executeQueryGeneric(query)
 		if err != nil {
 			continue
@@ -497,12 +560,12 @@ func extractTimestamp(row map[string]interface{}) time.Time {
 
 // ListSnapshots returns snapshots for a specific table by TableKey
 func (r *MultiTableReader) ListSnapshots(key TableKey, limit int) ([]Snapshot, error) {
-	if limit <= 0 {
-		limit = 100
+	limit = ClampLimit(limit, DefaultQueryLimit, MaxQueryLimit)
+	tableFQN, err := ResolveTableFQN(r.writer, key)
+	if err != nil {
+		return nil, err
 	}
 
-	tableFQN := r.writer.GetTableFQN(key)
-
 	query := fmt.Sprintf(`
 		SELECT snapshot_id, snapshot_time, row_count
 		FROM ducklake_snapshots('%s')