code QL issues fix in progressdbclient.cs file inside kernal memory floder

Akhileswara-Microsoft · Akhileswara-Microsoft · commit 4230c301fdd9 · 2025-12-16T09:29:38.000+05:30
diff --git a/App/kernel-memory/extensions/Postgres/Postgres/Internals/PostgresDbClient.cs b/App/kernel-memory/extensions/Postgres/Postgres/Internals/PostgresDbClient.cs
@@ -315,7 +315,8 @@ public async Task DeleteTableAsync(
                 await using (cmd.ConfigureAwait(false))
                 {
 #pragma warning disable CA2100 // SQL reviewed
-                    cmd.CommandText = $"DROP TABLE IF EXISTS {tableName}";
+                    // Escape and quote the table name to prevent SQL injection. This expects previous normalization/validation.
+                    cmd.CommandText = $"DROP TABLE IF EXISTS {EscapeIdentifierForPostgres(tableName)}";
 #pragma warning restore CA2100
 
                     this._log.LogTrace("Deleting table. SQL: {0}", cmd.CommandText);
@@ -778,4 +779,13 @@ private static long GenLockId(string resourceId)
         return BitConverter.ToUInt32(SHA256.HashData(Encoding.UTF8.GetBytes(resourceId)), 0)
                % short.MaxValue;
     }
+    /// <summary>
+    /// Escape a SQL identifier (such as table or schema name) for use in Postgres queries.
+    /// Assumes the identifier is already validated.
+    /// </summary>
+    private static string EscapeIdentifierForPostgres(string identifier)
+    {
+        // Double quotes in identifiers are escaped by doubling them in PostgreSQL
+        return $"\"{identifier.Replace("\"", "\"\"")}\"";
+    }
 }
diff --git a/App/kernel-memory/extensions/Postgres/Postgres/PostgresMemory.cs b/App/kernel-memory/extensions/Postgres/Postgres/PostgresMemory.cs
@@ -232,18 +232,11 @@ private void Dispose(bool disposing)
     // Note: "_" is allowed in Postgres, but we normalize it to "-" for consistency with other DBs
     private static readonly Regex s_replaceIndexNameCharsRegex = new(@"[\s|\\|/|.|_|:]");
     private const string ValidSeparator = "-";
-    // Only allow 1-63 chars, start with a lowercase letter, then letters, digits, dashes, or underscores.
-    private static readonly Regex s_validIndexNameRegex = new(@"^[a-z][a-z0-9\-_]{0,62}$", RegexOptions.Compiled);
-
+    
     private static string NormalizeIndexName(string index)
     {
         ArgumentNullExceptionEx.ThrowIfNullOrWhiteSpace(index, nameof(index), "The index name is empty");
-        index = s_replaceIndexNameCharsRegex.Replace(index.Trim().ToLowerInvariant(), ValidSeparator);
-        // Enforce positive validation for safe Postgres identifier.
-        if (!s_validIndexNameRegex.IsMatch(index))
-        {
-            throw new ArgumentException($"Index name '{index}' is invalid. Must match regex: ^[a-z][a-z0-9\\-_]{{0,62}}$");
-        }
+        index = s_replaceIndexNameCharsRegex.Replace(index.Trim().ToLowerInvariant(), ValidSeparator);   
 
         PostgresSchema.ValidateTableName(index);
 
