Potential fix for code scanning alert no. 3944: Database query built from user-controlled sources

[timvaillancourt]

Potential fix for https://github.com/vitessio/vitess/security/code-scanning/3944

The best way to fix this problem is to ensure that user-controlled data is never directly executed as a query string without full validation and/or query parameterization.

• For the VExplain endpoint, the key safety issue is that the sql parameter from the HTTP request is parsed for syntax/statement type, but is then immediately provided as the query to the database.
• If the Vitess/VExplain subsystem supports parameter binding, the fix is to split user input from the query template using prepared statements or parameters.
• If not, add a strict validation step: after parsing the SQL, reconstruct the statement from the syntax tree (sqlparser.VExplainStmt) (instead of trusting and forwarding the original string from the user), so that any malicious content or injected payloads are dropped. This is known as canonicalization and is a strong defense if parameterization is unavailable.
• To implement this, after parsing the SQL, regenerate the canonical query using the known-good AST. Then pass only the canonicalized query to execution.
• Modify VExplain endpoint (in api.go and vtsql.go) to only execute the reconstructed, canonicalized query. Do not use the original user input directly.
• This change is safely restricted to the VExplain call chain, so only requires modification in api.go and vtsql.go.
• The canonicalization step may look like: sqlparser.String(stmt) (after verifying type).

Files/regions:

• In go/vt/vtadmin/api.go at the VExplain endpoint: after parsing and typechecking, reconstruct the query from AST before passing to c.DB.VExplain.
• In go/vt/vtadmin/vtsql/vtsql.go: Ensure that the query string passed to QueryContext is the canonicalized version.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[vitess-bot]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has a descriptive title.
• Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

• Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

• Apply the release notes (needs details) label if users need to know about this change.
• New features should be documented.
• There should be some code comments as to why things are implemented the way they are.
• There should be a comment at the top of each new or modified test to explain what the test does.

New flags

• Is this flag really necessary?
• Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

• Each item in Jobs should be named in order to mark it as required.
• If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• RPC changes should be compatible with vitess-operator
• If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
• vtctl command output order should be stable and awk-able.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.78%. Comparing base (8230b8a) to head (fac66ad).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #18941   +/-   ##
=======================================
  Coverage   69.77%   69.78%           
=======================================
  Files        1608     1608           
  Lines      214865   214867    +2     
=======================================
+ Hits       149922   149938   +16     
+ Misses      64943    64929   -14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.