From acc88b40a2e4d9766665655c0db66db52e6866fc Mon Sep 17 00:00:00 2001
From: Tomas Turina
Date: Tue, 14 Jan 2025 17:56:48 +0000
Subject: [PATCH] fix: escape single quotes in sqlite manager
---
src/agent/persistence/src/sqlite_manager.cpp | 46 +++++++++++++++++---
1 file changed, 39 insertions(+), 7 deletions(-)
diff --git a/src/agent/persistence/src/sqlite_manager.cpp b/src/agent/persistence/src/sqlite_manager.cpp
index bf08397afd..16c5582081 100644
--- a/src/agent/persistence/src/sqlite_manager.cpp
+++ b/src/agent/persistence/src/sqlite_manager.cpp
@@ -5,6 +5,7 @@
#include
#include
#include
+#include
const std::map MAP_COL_TYPE_STRING { {ColumnType::INTEGER, "INTEGER"}, {ColumnType::TEXT, "TEXT"}, {ColumnType::REAL, "REAL"}};
@@ -14,6 +15,18 @@ const std::map MAP_ORDER_STRING {{OrderType::ASC, "ASC"}
SQLiteManager::~SQLiteManager() = default;
+namespace
+{
+ const std::string& TO_SEARCH = "'";
+ const std::string& TO_REPLACE = "''";
+
+ /// @brief Escapes single quotes in a string.
+ std::string EscapeSingleQuotes(const std::string& str)
+ {
+ return std::regex_replace(str, std::regex(TO_SEARCH), TO_REPLACE);
+ }
+} // namespace
+
ColumnType SQLiteManager::ColumnTypeFromSQLiteType(const int type) const
{
if (type == SQLite::INTEGER)
@@ -79,7 +92,8 @@ void SQLiteManager::Insert(const std::string& tableName, const Row& cols)
names.push_back(col.Name);
if (col.Type == ColumnType::TEXT)
{
- values.push_back(fmt::format("'{}'", col.Value));
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ values.push_back(fmt::format("'{}'", escapedValue));
}
else
values.push_back(col.Value);
@@ -107,7 +121,8 @@ void SQLiteManager::Update(const std::string& tableName,
{
if (col.Type == ColumnType::TEXT)
{
- setFields.push_back(fmt::format("{}='{}'", col.Name, col.Value));
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ setFields.push_back(fmt::format("{}='{}'", col.Name, escapedValue));
}
else
{
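Review bot: `EscapeSingleQuotes` compiles a `std::regex` from `TO_SEARCH` on every call to perform a one-character substitution, and `TO_SEARCH`/`TO_REPLACE` are namespace-scope `const std::string&` bound to string literals, which only works through lifetime extension of the temporaries and reads like an accidental `&`. Doubling the quote is the correct escaping for an SQLite `'...'` literal, but a plain scan of the string does it without `<regex>` and lets both constants go away. Be aware that `std::regex_replace` interprets the replacement as a format string, so a later edit of `TO_REPLACE` that contains `$` would be silently misread. The `SQLite::` names in the surrounding context suggest SQLiteCpp is in use; if so, `SQLite::Statement` with `bind()` would make the escaping unnecessary and would also cover the non-TEXT paths, which this commit leaves as plain interpolation.
```cpp
    /// @brief Returns `str` with every single quote doubled, as SQLite expects inside a '...' literal.
    std::string EscapeSingleQuotes(const std::string& str)
    {
        std::string escaped;
        escaped.reserve(str.size());
        for (const char c : str)
        {
            escaped += c;
            if (c == '\'')
            {
                escaped += '\'';
            }
        }
        return escaped;
    }
```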
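Review bot: The `else values.push_back(col.Value);` branch still interpolates `col.Value` into the statement verbatim, so a non-numeric string supplied for an INTEGER or REAL column reaches SQLite unescaped; the fix closes only the TEXT path. Since `col.Value` is handed straight to `fmt::format` it appears to be a string, so the non-TEXT branch should confirm that the whole of it parses as a number (for example `std::from_chars` over the full range, checking both the error code and that the end pointer reached the end of `col.Value`) and reject it otherwise, or the statement should be built with bound parameters instead. `col.Name` and `tableName` are formatted in without any quoting as well, which is acceptable only while those identifiers originate in code rather than in data; a comment on `Insert` such as `// tableName and col.Name are trusted identifiers; only col.Value may carry external data` would make that contract explicit. The same unescaped `else` path appears in the Update, Remove, Select, GetCount and GetSize hunks.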
@@ -124,7 +139,8 @@ void SQLiteManager::Update(const std::string& tableName,
{
if (col.Type == ColumnType::TEXT)
{
- conditions.push_back(fmt::format("{}='{}'", col.Name, col.Value));
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ conditions.push_back(fmt::format("{}='{}'", col.Name, escapedValue));
}
else
{
@@ -149,7 +165,8 @@ void SQLiteManager::Remove(const std::string& tableName, const Criteria& selCrit
{
if (col.Type == ColumnType::TEXT)
{
- critFields.push_back(fmt::format("{}='{}'", col.Name, col.Value));
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ critFields.push_back(fmt::format("{}='{}'", col.Name, escapedValue));
}
else
{
@@ -217,9 +234,14 @@ std::vector SQLiteManager::Select(const std::string& tableName,
for (const auto& col : selCriteria)
{
if (col.Type == ColumnType::TEXT)
- conditions.push_back(fmt::format("{}='{}'", col.Name, col.Value));
+ {
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ conditions.push_back(fmt::format("{}='{}'", col.Name, escapedValue));
+ }
else
+ {
conditions.push_back(fmt::format("{}={}", col.Name, col.Value));
+ }
}
condition = fmt::format("WHERE {}", fmt::join(conditions, fmt::format(" {} ", MAP_LOGOP_STRING.at(logOp))));
}
@@ -280,9 +302,14 @@ int SQLiteManager::GetCount(const std::string& tableName, const Criteria& selCri
for (const auto& col : selCriteria)
{
if (col.Type == ColumnType::TEXT)
- conditions.push_back(fmt::format("{}='{}'", col.Name, col.Value));
+ {
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ conditions.push_back(fmt::format("{}='{}'", col.Name, escapedValue));
+ }
else
+ {
conditions.push_back(fmt::format("{}={}", col.Name, col.Value));
+ }
}
condition = fmt::format("WHERE {}", fmt::join(conditions, fmt::format(" {} ", MAP_LOGOP_STRING.at(logOp))));
}
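Review bot: The TEXT/non-TEXT branching that formats a `name=value` term is now written out identically in the Select, GetCount and GetSize hunks (and, with a different target vector, in the Update and Remove hunks), so every future call site has to remember `EscapeSingleQuotes` on its own. A single helper next to `EscapeSingleQuotes` in the anonymous namespace would make the escaping the only way to produce such a term; each loop body then collapses to `conditions.push_back(FormatEqualityTerm(col));`. The element type of `Criteria` is not visible here, so the helper is sketched as a template. The enclosing `Select` function starts and ends outside the hunk.
```cpp
    /// @brief Formats `name=value` for a SET/WHERE term, quoting and escaping TEXT values.
    template <typename Column>
    std::string FormatEqualityTerm(const Column& col)
    {
        if (col.Type == ColumnType::TEXT)
        {
            return fmt::format("{}='{}'", col.Name, EscapeSingleQuotes(col.Value));
        }
        return fmt::format("{}={}", col.Name, col.Value);
    }

    // … in Select (and likewise GetCount, GetSize) …
    for (const auto& col : selCriteria)
    {
        conditions.push_back(FormatEqualityTerm(col));
    }
```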
@@ -340,9 +367,14 @@ size_t SQLiteManager::GetSize(const std::string& tableName,
for (const auto& col : selCriteria)
{
if (col.Type == ColumnType::TEXT)
- conditions.push_back(fmt::format("{}='{}'", col.Name, col.Value));
+ {
+ auto escapedValue = EscapeSingleQuotes(col.Value);
+ conditions.push_back(fmt::format("{}='{}'", col.Name, escapedValue));
+ }
else
+ {
conditions.push_back(fmt::format("{}={}", col.Name, col.Value));
+ }
}
condition = fmt::format("WHERE {}", fmt::join(conditions, fmt::format(" {} ", MAP_LOGOP_STRING.at(logOp))));
}