Errors suggesting unsanitized SQL
Before submitting your bug report
- [x] I believe this is a bug. I'll try to join the Continue Discord for questions
- [x] I'm not able to find an open issue that reports the same bug
- [x] I've seen the troubleshooting guide on the Continue Docs
Relevant environment info
- OS: Ubuntu 24.04
- Continue version: 0.9.268, 0.8.68
- IDE version: VSCode 1.96.4
- Model: Qwen 2.5 7b Instruct
- config:
```json
{
  "models": [
    {
      "title": "Qwen 2.5 72b Instruct",
      "model": "qwen2.5:72b-instruct-q8_0",
      "provider": "ollama",
      "apiBase": "https://api.ollama.companyname.com",
      "contextLength": 16384
    },
    {
      "title": "Qwen 2.5 7b Instruct",
      "model": "qwen2.5:7b-instruct-q8_0",
      "provider": "ollama",
      "apiBase": "https://api.ollama.companyname.com",
      "contextLength": 16384
    }
  ],
  "tabAutocompleteModel": {
    "title": "Qwen2.5-Coder 1.5B",
    "provider": "ollama",
    "model": "qwen2.5-coder:1.5b-base",
    "apiBase": "https://api.ollama.companyname.com"
  },
  "embeddingsProvider": {
    "title": "Nomic Embed Text",
    "provider": "ollama",
    "model": "nomic-embed-text",
    "apiBase": "https://api.ollama.companyname.com"
  },
  "reranker": {
    "name": "huggingface-tei",
    "params": {
      "apiBase": "http://192.168.187.57:11435",
      "truncate": true,
      "truncation_direction": "Right"
    }
  },
  "contextProviders": [
    { "name": "code", "params": {} },
    { "name": "docs", "params": {} },
    { "name": "diff", "params": {} },
    { "name": "terminal", "params": {} },
    { "name": "problems", "params": {} },
    { "name": "folder", "params": {} },
    { "name": "codebase", "params": {} }
  ],
  "slashCommands": [
    {
      "name": "share",
      "description": "Export the current chat session to markdown"
    },
    {
      "name": "cmd",
      "description": "Generate a shell command"
    },
    {
      "name": "commit",
      "description": "Generate a git commit message"
    }
  ]
}
```
Description
According to the VSCode Developer Console, there are SQLite errors like this:
```
workbench.desktop.main.js:746 [Extension Host] Error retrieving from FTS: Error: SQLITE_ERROR: fts5: syntax error near "'"
--> in Statement#all([
  "'s OR s c OR co OR cod OR ode",
  'file:///home/jubilantjerry/Documents/CrystalMuse/Mount/common-utils::master::chunks',
  16
], [Function: replacement])
    at new Promise (<anonymous>)
```
The query given to the model was "@Codebase What's the code doing?"
This seems like it's injecting the apostrophe into the SQL command, causing a syntax error. This suggests a lack of SQL sanitization of the query, causing the query to not work as intended and possibly being a security risk.
To reproduce
Index a codebase, then ask "@Codebase What's the code doing?"
Log output
```
workbench.desktop.main.js:746 [Extension Host] Error retrieving from FTS: Error: SQLITE_ERROR: fts5: syntax error near "'"
--> in Statement#all([
  "'s OR s c OR co OR cod OR ode",
  'file:///home/jubilantjerry/Documents/CrystalMuse/Mount/common-utils::master::chunks',
  16
], [Function: replacement])
    at new Promise (<anonymous>)
```
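The failure in the log, reproduced as an added example (not code from the Continue project): the log shows the search text passed as a bound parameter, so it cannot change the SQL statement, but FTS5 still parses the bound string with its own query grammar and rejects the bare apostrophe. The table schema, the trigram tokenizer, the sample row and the `fts5_quote` helper are assumptions made for illustration.

```python
import sqlite3

# Constructed sample: the terms of the bound MATCH string seen in the log.
TRIGRAMS = ["'s ", "s c", " co", "cod", "ode"]


def open_index() -> sqlite3.Connection:
    """In-memory FTS5 table standing in for the chunk index (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE VIRTUAL TABLE chunks USING fts5(content, tokenize='trigram')")
    db.execute("INSERT INTO chunks(content) VALUES (?)", ("def code(): return 1",))
    return db


def fts5_quote(term: str) -> str:
    """Render a term as an FTS5 string: wrap in double quotes, double embedded ones."""
    return '"' + term.replace('"', '""') + '"'


def search(db: sqlite3.Connection, match_expr: str):
    # The expression is bound with ?, so it never alters the SQL statement itself.
    # FTS5 still interprets the bound text as a query in its own syntax.
    sql = "SELECT content FROM chunks WHERE chunks MATCH ? LIMIT ?"
    return db.execute(sql, (match_expr, 16)).fetchall()


def raw_query(db: sqlite3.Connection):
    """Unquoted terms, as in the log: FTS5 rejects the apostrophe in a bareword."""
    try:
        return search(db, " OR ".join(TRIGRAMS))
    except sqlite3.OperationalError as exc:
        return str(exc)


def quoted_query(db: sqlite3.Connection):
    """Each term quoted first, so punctuation is data rather than query syntax."""
    return search(db, " OR ".join(fts5_quote(t) for t in TRIGRAMS))


if __name__ == "__main__":
    db = open_index()
    print("raw   :", raw_query(db))
    print("quoted:", quoted_query(db))
```

Quoting every term also keeps user text such as `AND`, `NOT`, `*` or a `column:` prefix from being read as FTS5 operators.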