fix: SQL injection (backslash escape), orphaned credentials cleanup, stale columnDetails

datlechin · datlechin · commit 016e0330fd7f · 2026-04-04T17:30:42.000+07:00
diff --git a/TableProMobile/TableProMobile/AppState.swift b/TableProMobile/TableProMobile/AppState.swift
@@ -30,6 +30,7 @@ final class AppState {
             sshProvider: sshProvider
         )
         connections = storage.load()
+        secureStore.cleanOrphanedCredentials(validConnectionIds: Set(connections.map(\.id)))
 
         syncCoordinator.onConnectionsChanged = { [weak self] merged in
             guard let self else { return }
diff --git a/TableProMobile/TableProMobile/Drivers/MySQLDriver.swift b/TableProMobile/TableProMobile/Drivers/MySQLDriver.swift
@@ -144,8 +144,8 @@ final class MySQLDriver: DatabaseDriver, @unchecked Sendable {
     }
 
     func fetchForeignKeys(table: String, schema: String?) async throws -> [ForeignKeyInfo] {
-        let safe = table.replacingOccurrences(of: "'", with: "''")
-        let dbSafe = database.replacingOccurrences(of: "'", with: "''")
+        let safe = SQLBuilder.escapeString(table)
+        let dbSafe = SQLBuilder.escapeString(database)
         let query = """
             SELECT
                 kcu.CONSTRAINT_NAME,
diff --git a/TableProMobile/TableProMobile/Helpers/SQLBuilder.swift b/TableProMobile/TableProMobile/Helpers/SQLBuilder.swift
@@ -19,7 +19,9 @@ enum SQLBuilder {
     }
 
     static func escapeString(_ value: String) -> String {
-        value.replacingOccurrences(of: "'", with: "''")
+        value
+            .replacingOccurrences(of: "\\", with: "\\\\")
+            .replacingOccurrences(of: "'", with: "''")
     }
 
     static func buildSelect(table: String, type: DatabaseType, limit: Int, offset: Int) -> String {
diff --git a/TableProMobile/TableProMobile/Platform/KeychainSecureStore.swift b/TableProMobile/TableProMobile/Platform/KeychainSecureStore.swift
@@ -38,7 +38,9 @@ final class KeychainSecureStore: SecureStore {
             cachedAccessGroup = resolved
             return resolved
         }
-        let fallback = "D7HJ5TFYCU.com.TablePro.shared"
+        // Use non-shared access group as last resort — credentials won't sync
+        // across devices but the app still functions
+        let fallback = "com.TablePro.shared"
         cachedAccessGroup = fallback
         return fallback
     }
@@ -115,6 +117,34 @@ final class KeychainSecureStore: SecureStore {
         }
     }
 
+    /// Remove orphaned test connection credentials that may remain after a SIGKILL.
+    /// Test credentials use temp UUIDs not associated with any saved connection.
+    func cleanOrphanedCredentials(validConnectionIds: Set<UUID>) {
+        let prefixes = ["com.TablePro.password.", "com.TablePro.sshpassword.", "com.TablePro.keypassphrase."]
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: serviceName,
+            kSecAttrAccessGroup as String: accessGroup,
+            kSecReturnAttributes as String: true,
+            kSecMatchLimit as String: kSecMatchLimitAll,
+            kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
+            kSecUseDataProtectionKeychain as String: true,
+        ]
+        var result: AnyObject?
+        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
+              let items = result as? [[String: Any]] else { return }
+
+        for item in items {
+            guard let account = item[kSecAttrAccount as String] as? String else { continue }
+            for prefix in prefixes {
+                guard account.hasPrefix(prefix) else { continue }
+                let uuidString = String(account.dropFirst(prefix.count))
+                guard let uuid = UUID(uuidString: uuidString),
+                      !validConnectionIds.contains(uuid) else { continue }
+                try? delete(forKey: account)
+            }
+        }
+    }
 }
 
 enum KeychainError: Error, LocalizedError {
diff --git a/TableProMobile/TableProMobile/Views/DataBrowserView.swift b/TableProMobile/TableProMobile/Views/DataBrowserView.swift
@@ -238,9 +238,7 @@ struct DataBrowserView: View {
 
             // columnDetails (from fetchColumns) provides PK info for edit/delete.
             // columns (from query result) only have name/type, no PK metadata.
-            if columnDetails.isEmpty {
-                self.columnDetails = try await session.driver.fetchColumns(table: table.name, schema: nil)
-            }
+            self.columnDetails = try await session.driver.fetchColumns(table: table.name, schema: nil)
 
             isLoading = false
         } catch {

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ final class AppState {`
`30`	`30`	`sshProvider: sshProvider`
`31`	`31`	`)`
`32`	`32`	`connections = storage.load()`
	`33`	`+ secureStore.cleanOrphanedCredentials(validConnectionIds: Set(connections.map(\.id)))`
`33`	`34`
`34`	`35`	`syncCoordinator.onConnectionsChanged = { [weak self] merged in`
`35`	`36`	`guard let self else { return }`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,9 @@ enum SQLBuilder {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`static func escapeString(_ value: String) -> String {`
`22`		`- value.replacingOccurrences(of: "'", with: "''")`
	`22`	`+ value`
	`23`	`+ .replacingOccurrences(of: "\\", with: "\\\\")`
	`24`	`+ .replacingOccurrences(of: "'", with: "''")`
`23`	`25`	`}`
`24`	`26`
`25`	`27`	`static func buildSelect(table: String, type: DatabaseType, limit: Int, offset: Int) -> String {`