fix: add WHERE clause validation and null guards for data-diff

suryaiyer95 · suryaiyer95 · commit 80c1ff3cab4d · 2026-03-13T14:39:19.000-07:00
- Add `_validate_where_clause()` to reject injection patterns (semicolons, comments)
- Validate all WHERE clause parameters before passing to Rust engine
- Remove unused `_SIDE_MAP` constant from `data_diff.py`
- Add null guards for `diff_percent` and `match_percent` in TypeScript to prevent NaN display
diff --git a/packages/altimate-engine/src/altimate_engine/sql/data_diff.py b/packages/altimate-engine/src/altimate_engine/sql/data_diff.py
@@ -24,8 +24,18 @@
 except ImportError:
     RELADIFF_AVAILABLE = False
 
-# Map TableSide enum values to warehouse names
-_SIDE_MAP = {"Table1": "source", "Table2": "target"}
+
+def _validate_where_clause(clause: str | None) -> str | None:
+    """Validate a WHERE clause for safety. Rejects injection patterns."""
+    if clause is None:
+        return None
+    if ";" in clause:
+        raise ValueError("WHERE clause must not contain semicolons")
+    if "--" in clause:
+        raise ValueError("WHERE clause must not contain SQL comments (--)")
+    if "/*" in clause:
+        raise ValueError("WHERE clause must not contain block comments (/*)")
+    return clause
 
 
 def _resolve_dialect(warehouse_name: str) -> str:
@@ -101,6 +111,11 @@ def run_data_diff(
 
     target_warehouse = target_warehouse or source_warehouse
 
+    # Validate WHERE clauses
+    where_clause = _validate_where_clause(where_clause)
+    source_where_clause = _validate_where_clause(source_where_clause)
+    target_where_clause = _validate_where_clause(target_where_clause)
+
     # Resolve dialects from connection types
     dialect1 = _resolve_dialect(source_warehouse)
     dialect2 = _resolve_dialect(target_warehouse)
diff --git a/packages/opencode/src/altimate/tools/data-diff-run.ts b/packages/opencode/src/altimate/tools/data-diff-run.ts
@@ -123,16 +123,17 @@ function formatOutcome(outcome: Record<string, unknown>, args: Record<string, un
       lines.push(`Exclusive to table1: ${stats.exclusive_table1 ?? 0}`)
       lines.push(`Exclusive to table2: ${stats.exclusive_table2 ?? 0}`)
       lines.push(`Updated: ${stats.updated ?? 0}`)
-      lines.push(`Diff %: ${((stats.diff_percent as number) * 100).toFixed(2)}%`)
+      const diffPct = stats.diff_percent != null ? ((stats.diff_percent as number) * 100).toFixed(2) : "N/A"
+      lines.push(`Diff %: ${diffPct}%`)
 
       // Per-column match rates
       const matchRates = (stats.column_match_rates ?? []) as Record<string, unknown>[]
       if (matchRates.length > 0) {
         lines.push("")
         lines.push("Column Match Rates:")
         for (const col of matchRates) {
-          const pct = (col.match_percent as number).toFixed(1)
-          lines.push(`  ${col.column}: ${pct}% (${col.matched}/${col.total})`)
+          const pct = col.match_percent != null ? (col.match_percent as number).toFixed(1) : "N/A"
+          lines.push(`  ${col.column}: ${pct}% (${col.matched ?? "?"}/${col.total ?? "?"})`)
         }
       }
 
