fix(clickhouse sink): SQL-standard identifier escaping for database and table names

[pront]

Summary

The ClickHouse sink was not escaping the database identifier at all, and was using the wrong escape sequence (\") for the table identifier. ClickHouse's double-quoted identifiers follow SQL standard: the only escape is doubling the quote (""). Using \" is interpreted by ClickHouse as an escaped quote inside the identifier rather than a closing delimiter, which means a crafted table or database name could break out of the identifier and inject arbitrary SQL into the INSERT statement.

This fix applies the correct escaping to both identifiers:

1. Escape \ → \\ first (so a literal backslash isn't mistaken for an escape prefix)
2. Escape " → "" (SQL standard)

Vector configuration

sinks:
  my_sink:
    type: clickhouse
    inputs: [...]
    endpoint: http://localhost:8123
    database: my_database
    table: my_table

How did you test this PR?

Added a table-driven unit test (identifier_escaping) covering:

• Plain identifiers (pass through unchanged)
• " in table name (doubled)
• " in database name (doubled)
• Injection payload in database name (breakout neutralised)
• Backslash followed by " (backslash doubled first, then quote doubled)

Updated existing encode_valid assertions to match the corrected escaping.

Change Type

• Bug fix
• New feature
• Dependencies
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

Notes

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cbc75ed7aa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Do not switch ClickHouse identifiers to quote doubling

For ClickHouse database or table names that contain a literal " (including the injection payload this change is meant to neutralize), replacing quotes with "" does not follow ClickHouse's documented quoted-identifier escaping rules: identifiers use the same escapes as string literals, where \" represents a double quote and \\ represents a backslash. The generated INSERT INTO "..."."..." can therefore still be parsed incorrectly by ClickHouse; keep escaping backslashes but escape embedded double quotes with a backslash rather than SQL-standard doubling.

Useful? React with 👍 / 👎.