ignore tables with odd names in SQLPreprocessor

2026-02-14 01:47:57 +00:00 · 2026-02-10 11:33:04 +01:00
parent d10d70944d
commit 7a3ea55f3d
1 changed files with 5 additions and 2 deletions
--- a/src/nominatim_db/db/sql_preprocessor.py
+++ b/src/nominatim_db/db/sql_preprocessor.py
@@ -2,12 +2,13 @@
 #
 # This file is part of Nominatim. (https://nominatim.org)
 #
-# Copyright (C) 2024 by the Nominatim developer community.
+# Copyright (C) 2026 by the Nominatim developer community.
 # For a full list of authors see the git log.
 """
 Preprocessing of SQL files.
 """
 from typing import Set, Dict, Any, cast
+import re

 import jinja2

@@ -34,7 +35,9 @@ def _get_tables(conn: Connection) -> Set[str]:
    with conn.cursor() as cur:
        cur.execute("SELECT tablename FROM pg_tables WHERE schemaname = 'public'")

-        return set((row[0] for row in list(cur)))
+        # paranoia check: make sure we don't get table names that cause
+        # an SQL injection later
+        return {row[0] for row in list(cur) if re.fullmatch(r'\w+', row[0])}


 def _get_middle_db_format(conn: Connection, tables: Set[str]) -> str: