Fix crash and security defects in four packages (#5080)

## Summary
- **libs/sync/gitignore.go**: Add missing `return` after debug log on
non-`ErrExist` open failure — prevents nil `*os.File` dereference
(crash)
- **bundle/direct/dresources/util.go**: Replace bare type assertion
`err.(*retries.Err)` with `errors.As` — prevents panic on
wrapped/foreign error types during reconciliation
- **cmd/labs/unpack/zipball.go**: Guard against empty-zip panic
(`zipReader.File[0]` on empty archive), zip slip path traversal
(unchecked `filepath.Join`), and untrusted archive mode bits
(`zf.Mode()` honored as-is including setuid/world-writable)
- **experimental/aitools/cmd/discover_schema.go**: Validate table name
parts against `^[A-Za-z_][A-Za-z0-9_]*$` and backtick-quote identifiers
— prevents SQL injection via user/agent-supplied table names

## Test plan
- [ ] CI passes (unit tests, lint)
- [ ] Verify `databricks labs install` still works with valid GitHub
zipballs
- [ ] Verify `discover-schema` rejects malformed table names like
`a.b.c; DROP TABLE x`

Author: arsenyinfo

bundle/direct/dresources/util.go

@@ -1,6 +1,7 @@
 package dresources
 
 import (
+	"errors"
 	"fmt"
 	"regexp"
 
@@ -40,14 +41,11 @@ func ParsePostgresName(name string) (PostgresNameComponents, error) {
 // This is copied from the retries package of the databricks-sdk-go. It should be made public,
 // but for now, I'm copying it here.
 func shouldRetry(err error) bool {
-	if err == nil {
-		return false
+	var e *retries.Err
+	if errors.As(err, &e) {
+		return !e.Halt
 	}
-	e := err.(*retries.Err)
-	if e == nil {
-		return false
-	}
-	return !e.Halt
+	return false
 }
 
 // collectUpdatePathsWithPrefix extracts field paths from Changes that have action=Update,

cmd/labs/unpack/zipball.go

@@ -3,6 +3,7 @@ package unpack
 import (
 	"archive/zip"
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -25,14 +26,24 @@ func (v GitHubZipball) UnpackTo(libTarget string) error {
 	if err != nil {
 		return fmt.Errorf("zip: %w", err)
 	}
+	if len(zipReader.File) == 0 {
+		return errors.New("empty zip archive")
+	}
 	// GitHub packages entire repo contents into a top-level folder, e.g. databrickslabs-ucx-2800c6b
 	rootDirInZIP := zipReader.File[0].Name
 	for _, zf := range zipReader.File {
 		if zf.Name == rootDirInZIP {
 			continue
 		}
 		normalizedName := strings.TrimPrefix(zf.Name, rootDirInZIP)
+		if filepath.IsAbs(normalizedName) || strings.Contains(normalizedName, `\`) {
+			return fmt.Errorf("invalid zip entry name: %q", zf.Name)
+		}
 		targetName := filepath.Join(libTarget, normalizedName)
+		rel, err := filepath.Rel(libTarget, targetName)
+		if err != nil || strings.HasPrefix(rel, "..") {
+			return fmt.Errorf("zip entry escapes target directory: %q", zf.Name)
+		}
 		if zf.FileInfo().IsDir() {
 			err = os.MkdirAll(targetName, ownerRWXworldRX)
 			if err != nil {
@@ -54,7 +65,7 @@ func (v GitHubZipball) extractFile(zf *zip.File, targetName string) error {
 		return fmt.Errorf("source: %w", err)
 	}
 	defer reader.Close()
-	writer, err := os.OpenFile(targetName, os.O_CREATE|os.O_RDWR, zf.Mode())
+	writer, err := os.OpenFile(targetName, os.O_CREATE|os.O_WRONLY, zf.Mode()&0o755)
 	if err != nil {
 		return fmt.Errorf("target: %w", err)
 	}

experimental/aitools/cmd/discover_schema.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/databricks/cli/cmd/root"
@@ -16,6 +17,8 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var sqlIdentifierRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
+
 func newDiscoverSchemaCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "discover-schema TABLE...",
@@ -37,11 +40,10 @@ For each table, returns:
 			ctx := cmd.Context()
 			w := cmdctx.WorkspaceClient(ctx)
 
-			// validate table names
+			// validate table names: each part must be a safe SQL identifier
 			for _, table := range args {
-				parts := strings.Split(table, ".")
-				if len(parts) != 3 {
-					return fmt.Errorf("invalid table format %q: expected CATALOG.SCHEMA.TABLE", table)
+				if _, err := quoteTableName(table); err != nil {
+					return err
 				}
 			}
 
@@ -94,8 +96,13 @@ For each table, returns:
 func discoverTable(ctx context.Context, w *databricks.WorkspaceClient, warehouseID, table string) (string, error) {
 	var sb strings.Builder
 
+	quoted, err := quoteTableName(table)
+	if err != nil {
+		return "", err
+	}
+
 	// 1. describe table - get columns and types
-	describeSQL := "DESCRIBE TABLE " + table
+	describeSQL := "DESCRIBE TABLE " + quoted
 	descResp, err := executeSQL(ctx, w, warehouseID, describeSQL)
 	if err != nil {
 		return "", fmt.Errorf("describe table: %w", err)
@@ -112,7 +119,7 @@ func discoverTable(ctx context.Context, w *databricks.WorkspaceClient, warehouse
 	}
 
 	// 2. sample data (5 rows)
-	sampleSQL := fmt.Sprintf("SELECT * FROM %s LIMIT 5", table)
+	sampleSQL := fmt.Sprintf("SELECT * FROM %s LIMIT 5", quoted)
 	sampleResp, err := executeSQL(ctx, w, warehouseID, sampleSQL)
 	if err != nil {
 		fmt.Fprintf(&sb, "\nSAMPLE DATA: Error - %v\n", err)
@@ -127,7 +134,7 @@ func discoverTable(ctx context.Context, w *databricks.WorkspaceClient, warehouse
 		nullCountExprs[i] = fmt.Sprintf("SUM(CASE WHEN `%s` IS NULL THEN 1 ELSE 0 END) AS `%s_nulls`", col, col)
 	}
 	nullSQL := fmt.Sprintf("SELECT COUNT(*) AS total_rows, %s FROM %s",
-		strings.Join(nullCountExprs, ", "), table)
+		strings.Join(nullCountExprs, ", "), quoted)
 
 	nullResp, err := executeSQL(ctx, w, warehouseID, nullSQL)
 	if err != nil {
@@ -231,3 +238,17 @@ func formatNullCounts(resp *dbsql.StatementResponse, columns []string) string {
 
 	return sb.String()
 }
+
+// quoteTableName validates and backtick-quotes a CATALOG.SCHEMA.TABLE identifier.
+func quoteTableName(table string) (string, error) {
+	parts := strings.Split(table, ".")
+	if len(parts) != 3 {
+		return "", fmt.Errorf("invalid table format %q: expected CATALOG.SCHEMA.TABLE", table)
+	}
+	for _, part := range parts {
+		if !sqlIdentifierRe.MatchString(part) {
+			return "", fmt.Errorf("invalid SQL identifier %q in table name %q", part, table)
+		}
+	}
+	return fmt.Sprintf("`%s`.`%s`.`%s`", parts[0], parts[1], parts[2]), nil
+}

libs/sync/gitignore.go

@@ -18,6 +18,7 @@ func WriteGitIgnore(ctx context.Context, dir string) {
 			return
 		}
 		log.Debugf(ctx, "Failed to create %s: %s", gitignorePath, err)
+		return
 	}
 
 	defer file.Close()