NanaSQLite

English

日本語

English

日本語

Appearance

Security Audit Report

Audit Date: 2026-03-09
Target: NanaSQLite current HEAD
Auditor: Internal Security Team

Summary

  1. No new critical vulnerabilities were found in the current HEAD
  2. Known SQL injection via table argument is mitigated by _sanitize_identifier()
  3. Known None value reloading issue is fixed using the _NOT_FOUND sentinel pattern
  4. Performance improvements are possible without breaking the existing API

Known Issues — Current Status

SQL Injection via table Parameter

Status: Mitigated ✅

The table parameter in the constructor is sanitized by _sanitize_identifier(), which properly quotes and escapes identifiers to prevent SQL injection.

python
# These malicious inputs are safely handled:
db = NanaSQLite("test.db", table='data"; DROP TABLE data; --')
# → Table name is properly quoted/escaped

None Value Consistency

Status: Fixed ✅

The _NOT_FOUND = object() sentinel pattern correctly distinguishes between:

  • A key that doesn't exist in the database
  • A key that exists but has a None value
python
db["key"] = None        # Stores None
val = db["key"]         # Returns None (not KeyError)
del db["nonexistent"]   # Raises KeyError

Watch List

A. Backup/Restore Path Trust Boundary

backup() and restore() accept file paths from the caller. Path validation (traversal prevention, symlink checks) is the caller's responsibility.

Recommendation: Document clearly that callers must validate paths before passing them.

python
# Caller's responsibility to validate:
import os
backup_path = os.path.abspath(user_input_path)
if not backup_path.startswith(ALLOWED_DIR):
    raise ValueError("Path not allowed")
db.backup(backup_path)

B. AsyncNanaSQLite Queue Growth

Under sustained high load, the internal task queue of AsyncNanaSQLite can grow unboundedly. This is by design for maximum throughput, but could lead to memory pressure in extreme cases.

Recommendation: Monitor queue depth in production. Consider setting max_workers appropriately.

C. AEAD Encryption Without AAD

The current AES-GCM and ChaCha20-Poly1305 implementations pass None for Additional Authenticated Data (AAD). While not an immediate security issue, adding AAD (e.g., the key name) would provide additional integrity guarantees.

Recommendation (P2): Future enhancement to support opt-in AAD.

SQL Security Measures

NanaSQLite implements multiple layers of SQL security:

LayerMechanismPurpose
Identifier sanitization_sanitize_identifier()Prevents SQL injection via table/column names
SQL validationstrict_sql_validationBlocks dangerous functions (LOAD_EXTENSION, etc.)
Function allowlist/blocklistallowed_sql_functions / forbidden_sql_functionsFine-grained function control
Clause length limitsmax_clause_lengthPrevents DoS via oversized queries
Parameter bindingAll query methodsStandard SQL injection prevention
Column type validationWhitelist regexBlocks injection via ALTER TABLE

Performance Improvement Opportunities

  1. values() / items() always call load_all() — Could benefit from streaming APIs for large datasets
  2. batch_get() cache checks — Minor optimization possible for cache hit path
  3. PRAGMA commands — Could be batched during initialization
  4. General recommendations: Use batch_update() for bulk operations, tune bulk_load based on DB size

Priority Recommendations

P0 (Critical — Maintain)

  • Continue maintaining identifier sanitization in all SQL-constructing methods
  • Document path trust boundary for backup() / restore()
  • Document max_workers tuning guidelines

P1 (Important — Improve)

  • Add streaming APIs for large dataset iteration
  • Micro-optimize batch_get() cache lookup

P2 (Enhancement — Future)

  • Opt-in path constraints for backup/restore
  • Configurable queue limits for async mode
  • AAD-aware encryption format