refactor: resolve codebase audit issues (#872)

* fix: non-unique sheet id, singleton init access, dead observer code

* fix: validate raw SQL filter input to prevent injection

* refactor: extract shared plugin validation to eliminate duplicate loading code

* refactor: remove sessionVersion backward-compatibility shim

* refactor: migrate QueryHistoryStorage from DispatchQueue to actor

* fix: tighten comment injection pattern, eliminate double bundle creation

Author: datlechin

CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Raw SQL filter accepting destructive statements and comment injection
 - Export "Don't show again" preference lost when clicking "Open Folder"
 - Connection failure error not shown on welcome screen
 - Window position not restored between launches

TablePro/Core/Database/DatabaseManager.swift

@@ -38,9 +38,6 @@ final class DatabaseManager {
     /// counter to avoid cross-connection re-renders.
     internal(set) var connectionStatusVersions: [UUID: Int] = [:]
 
-    /// Backward-compatible alias for views not yet migrated to fine-grained counters.
-    var sessionVersion: Int { connectionStatusVersion }
-
     /// Currently selected session ID (displayed in UI)
     internal var currentSessionId: UUID?
 

TablePro/Core/Database/FilterSQLGenerator.swift

@@ -38,12 +38,11 @@ struct FilterSQLGenerator {
         return conditions.joined(separator: separator)
     }
 
-    /// Generate a single filter condition
     func generateCondition(from filter: TableFilter) -> String? {
         guard filter.isValid else { return nil }
 
-        // Raw SQL mode - return as-is
         if filter.isRawSQL, let rawSQL = filter.rawSQL {
+            guard isRawSQLSafe(rawSQL) else { return nil }
             return "(\(rawSQL))"
         }
 
@@ -273,9 +272,36 @@ struct FilterSQLGenerator {
             .replacingOccurrences(of: "_", with: "\\_")
     }
 
+    // MARK: - Raw SQL Validation
+
+    private static let destructiveStatementPattern: NSRegularExpression? = {
+        let keywords = "DROP|DELETE|INSERT|UPDATE|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|EXEC|EXECUTE"
+        let pattern = ";\\s*(\(keywords))\\b"
+        return try? NSRegularExpression(pattern: pattern, options: .caseInsensitive)
+    }()
+
+    private static let commentInjectionPattern: NSRegularExpression? = {
+        try? NSRegularExpression(pattern: "(?:^|\\s)--|\\/\\*", options: [])
+    }()
+
+    private func isRawSQLSafe(_ sql: String) -> Bool {
+        let range = NSRange(sql.startIndex..., in: sql)
+
+        if let pattern = Self.destructiveStatementPattern,
+           pattern.firstMatch(in: sql, range: range) != nil {
+            return false
+        }
+
+        if let pattern = Self.commentInjectionPattern,
+           pattern.firstMatch(in: sql, range: range) != nil {
+            return false
+        }
+
+        return true
+    }
+
     // MARK: - List Parsing
 
-    /// Parse comma-separated list values
     private func parseListValues(_ input: String) -> [String] {
         input.split(separator: ",", omittingEmptySubsequences: true)
             .compactMap {