Description
The csv_sql tool uses f-string formatting to construct SQL queries with the file path, which could lead to SQL injection or query errors if filenames contain special characters.
Current behavior
# Line 265 in csv_tool.py
con.execute(f"CREATE TABLE data AS SELECT * FROM read_csv_auto('{secure_path}')")
While secure_path comes from get_secure_path() (which prevents path traversal), filenames with single quotes, backslashes, or other SQL special characters can break the query or potentially allow SQL injection in the DuckDB context.
Steps to reproduce
- Create a CSV file with a filename containing a single quote:
test'file.csv
- Try to query it with
csv_sql:
csv_sql(
path="test'file.csv",
workspace_id="test",
agent_id="test",
session_id="test",
query="SELECT * FROM data"
)
# Results in SQL error: unterminated string literal
Expected behavior
The tool should safely handle filenames with special characters by using parameterized queries or proper SQL escaping.
Environment
- File:
tools/src/aden_tools/tools/csv_tool/csv_tool.py:265
Suggested fix
Use DuckDB's parameterized query support or read_csv_auto() with proper escaping:
# Option 1: Use DuckDB's parameter binding (if supported)
con.execute("CREATE TABLE data AS SELECT * FROM read_csv_auto(?)", [secure_path])
# Option 2: Escape single quotes
safe_path = secure_path.replace("'", "''")
con.execute(f"CREATE TABLE data AS SELECT * FROM read_csv_auto('{safe_path}')")
Happy to submit a PR for this!
Description
The
csv_sqltool uses f-string formatting to construct SQL queries with the file path, which could lead to SQL injection or query errors if filenames contain special characters.Current behavior
While
secure_pathcomes fromget_secure_path()(which prevents path traversal), filenames with single quotes, backslashes, or other SQL special characters can break the query or potentially allow SQL injection in the DuckDB context.Steps to reproduce
test'file.csvcsv_sql:Expected behavior
The tool should safely handle filenames with special characters by using parameterized queries or proper SQL escaping.
Environment
tools/src/aden_tools/tools/csv_tool/csv_tool.py:265Suggested fix
Use DuckDB's parameterized query support or
read_csv_auto()with proper escaping:Happy to submit a PR for this!