From fedf7db8a4920dd283ccc59362cc9bbb1efef3c5 Mon Sep 17 00:00:00 2001
From: Mikhail Solovev
Date: Thu, 16 Apr 2026 21:56:16 +0300
Subject: [PATCH] Quote table and column identifiers using SQLAlchemy dialect preparer when adding missing columns to avoid SQL injection and syntax errors. (#1237)
---
 src/modules/DashboardConfig.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/DashboardConfig.py b/src/modules/DashboardConfig.py
index 3ae7ab3f..c027d0cc 100644
--- a/src/modules/DashboardConfig.py
+++ b/src/modules/DashboardConfig.py
@@ -146,7 +146,10 @@ class DashboardConfig:
 if col_name not in existing_columns:
 type_str = col_type().compile(dialect=self.engine.dialect)
 current_app.logger.info(f"Adding missing column '{col_name}' to table '{table_name}'")
- conn.execute(db.text(f'ALTER TABLE "{table_name}" ADD COLUMN "{col_name}" {type_str}'))
+ preparer = self.engine.dialect.identifier_preparer
+ quoted_table = preparer.quote_identifier(table_name)
+ quoted_column = preparer.quote_identifier(col_name)
+ conn.execute(db.text(f"ALTER TABLE {quoted_table} ADD COLUMN {quoted_column} {type_str}"))
 
 def getConnectionString(self, database) -> str or None:
 sqlitePath = os.path.join(DashboardConfig.ConfigurationPath, "db")
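Review bot: `preparer.quote_identifier(...)` on the two added `quoted_table`/`quoted_column` lines unconditionally wraps the name in quotes, which on dialects that fold unquoted identifiers (PostgreSQL lowercases, Oracle uppercases) makes a mixed-case column name case-sensitive and therefore different from the column the ORM will later reference unquoted; SQLAlchemy's own DDL goes through `preparer.quote(name)`, which escapes embedded quote characters just the same but quotes only when the name needs it. Using `quoted_table = preparer.quote(table_name)` and `quoted_column = preparer.quote(col_name)` keeps the added column consistent with how `create_all` would have emitted it; whether this matters here depends on which backends `getConnectionString` can hand out, which is only partly visible (SQLite is). It is also worth a one-line comment above the `preparer = ...` line stating that the table and column names are expected to come from model metadata rather than request input, so the quoting is read as syntax hardening and the trust boundary stays explicit, e.g. `# identifiers come from the declared models; quote via the dialect so reserved words and odd characters cannot break or alter the DDL`. The enclosing method and its loops start above the hunk, so the origin of `table_name`/`col_name` cannot be confirmed from this view.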