fix(storage): escape SQL wildcards in KV prefix queries, log parse errors (#73)

secret-mars · claude · web-flow · commit a3fcdb0e32e0 · 2026-03-15T04:46:19.000-07:00
C1: Escape `%`, `_`, and `\` in user-supplied prefix before building the LIKE clause in `kvList`, and add `ESCAPE '\\'` to the query so wildcard characters in key prefixes cannot bypass prefix-boundary filtering. C3: Add `console.warn` in `parseJsonField` and `parseStringArray` so corrupt stored values surface in Cloudflare Worker logs instead of silently returning null / []. Fixes #72. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/src/durable-objects/StorageDO.ts b/src/durable-objects/StorageDO.ts
@@ -36,7 +36,8 @@ function parseJsonField(value: unknown): Record<string, unknown> | null {
   if (!value) return null;
   try {
     return JSON.parse(value as string);
-  } catch {
+  } catch (e) {
+    console.warn('parseJsonField: failed to parse stored JSON value', e);
     return null;
   }
 }
@@ -50,7 +51,8 @@ function parseStringArray(value: unknown): string[] {
   try {
     const parsed = JSON.parse(value as string);
     return Array.isArray(parsed) ? parsed : [];
-  } catch {
+  } catch (e) {
+    console.warn('parseStringArray: failed to parse stored JSON array value', e);
     return [];
   }
 }
@@ -258,8 +260,9 @@ export class StorageDO extends DurableObject<Env> {
     const params: unknown[] = [];
 
     if (options?.prefix) {
-      query += " WHERE key LIKE ?";
-      params.push(`${options.prefix}%`);
+      query += " WHERE key LIKE ? ESCAPE '\\'";
+      const escapedPrefix = options.prefix.replace(/[%_\\]/g, '\\$&');
+      params.push(`${escapedPrefix}%`);
     }
     query += " ORDER BY key LIMIT ?";
     params.push(limit);

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,8 @@ function parseJsonField(value: unknown): Record<string, unknown> \| null {`
`36`	`36`	`if (!value) return null;`
`37`	`37`	`try {`
`38`	`38`	`return JSON.parse(value as string);`
`39`		`- } catch {`
	`39`	`+ } catch (e) {`
	`40`	`+ console.warn('parseJsonField: failed to parse stored JSON value', e);`
`40`	`41`	`return null;`
`41`	`42`	`}`
`42`	`43`	`}`
`@@ -50,7 +51,8 @@ function parseStringArray(value: unknown): string[] {`
`50`	`51`	`try {`
`51`	`52`	`const parsed = JSON.parse(value as string);`
`52`	`53`	`return Array.isArray(parsed) ? parsed : [];`
`53`		`- } catch {`
	`54`	`+ } catch (e) {`
	`55`	`+ console.warn('parseStringArray: failed to parse stored JSON array value', e);`
`54`	`56`	`return [];`
`55`	`57`	`}`
`56`	`58`	`}`
`@@ -258,8 +260,9 @@ export class StorageDO extends DurableObject<Env> {`
`258`	`260`	`const params: unknown[] = [];`
`259`	`261`
`260`	`262`	`if (options?.prefix) {`
`261`		`- query += " WHERE key LIKE ?";`
`262`		- params.push(`${options.prefix}%`);
	`263`	`+ query += " WHERE key LIKE ? ESCAPE '\\'";`
	`264`	`+ const escapedPrefix = options.prefix.replace(/[%_\\]/g, '\\$&');`
	`265`	+ params.push(`${escapedPrefix}%`);
`263`	`266`	`}`
`264`	`267`	`query += " ORDER BY key LIMIT ?";`
`265`	`268`	`params.push(limit);`