Avoid potential SQL injection.

rkistner · rkistner · commit f000958ac17a · 2024-08-21T11:14:37.000+02:00
diff --git a/packages/powersync/lib/src/bucket_storage.dart b/packages/powersync/lib/src/bucket_storage.dart
@@ -263,7 +263,8 @@ class BucketStorage {
       }
 
       await tx.execute(
-          "UPDATE ps_buckets SET target_op = ? WHERE name='\$local'", [opId]);
+          "UPDATE ps_buckets SET target_op = CAST(? as INTEGER) WHERE name='\$local'",
+          [opId]);
 
       return true;
     });
@@ -300,7 +301,8 @@ class BucketStorage {
             if (writeCheckpoint != null &&
                 (await tx.execute('SELECT 1 FROM ps_crud LIMIT 1')).isEmpty) {
               await tx.execute(
-                  'UPDATE ps_buckets SET target_op = $writeCheckpoint WHERE name=\'\$local\'');
+                  'UPDATE ps_buckets SET target_op = CAST(? as INTEGER) WHERE name=\'\$local\'',
+                  [writeCheckpoint]);
             } else {
               await tx.execute(
                   'UPDATE ps_buckets SET target_op = $maxOpId WHERE name=\'\$local\'');
diff --git a/packages/powersync/lib/src/database/powersync_db_mixin.dart b/packages/powersync/lib/src/database/powersync_db_mixin.dart
@@ -310,7 +310,8 @@ mixin PowerSyncDatabaseMixin implements SqliteConnection {
             if (writeCheckpoint != null &&
                 await db.getOptional('SELECT 1 FROM ps_crud LIMIT 1') == null) {
               await db.execute(
-                  'UPDATE ps_buckets SET target_op = $writeCheckpoint WHERE name=\'\$local\'');
+                  'UPDATE ps_buckets SET target_op = CAST(? as INTEGER) WHERE name=\'\$local\'',
+                  [writeCheckpoint]);
             } else {
               await db.execute(
                   'UPDATE ps_buckets SET target_op = $maxOpId WHERE name=\'\$local\'');
@@ -361,7 +362,8 @@ mixin PowerSyncDatabaseMixin implements SqliteConnection {
                   await db.getOptional('SELECT 1 FROM ps_crud LIMIT 1') ==
                       null) {
                 await db.execute(
-                    'UPDATE ps_buckets SET target_op = $writeCheckpoint WHERE name=\'\$local\'');
+                    'UPDATE ps_buckets SET target_op = CAST(? as INTEGER) WHERE name=\'\$local\'',
+                    [writeCheckpoint]);
               } else {
                 await db.execute(
                     'UPDATE ps_buckets SET target_op = $maxOpId WHERE name=\'\$local\'');
