fix(data): validate database path and drop redundant test infra

cpcloud · cursoragent · cpcloud · commit 72775c30b614 · 2026-02-11T13:07:28.000-05:00
Add ValidateDBPath to reject URI-like paths (scheme://, file:, query params) before they reach the SQLite driver's url.ParseQuery, closing the CVE GO-2026-4341 attack surface. Use unicode.IsLetter for broader scheme detection. Remove network isolation files (testmain, nonet_*) — full dep audit confirmed zero network calls in the entire dependency graph. Drop redundant TestPrintPath_* integration tests that duplicated the direct resolveDBPath unit tests via unnecessary go-build subprocesses. Closes #49 Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/cmd/micasa/main_test.go b/cmd/micasa/main_test.go
@@ -89,8 +89,9 @@ func TestResolveDBPath_ExplicitPathBeatsEnv(t *testing.T) {
 	}
 }
 
-// Integration tests that invoke the built binary with --print-path.
-// These exercise the full CLI parsing + resolveDBPath + print-and-exit path.
+// Version tests use exec.Command("go", "build") because debug.ReadBuildInfo()
+// only embeds VCS revision info in binaries built with go build, not go test,
+// and -ldflags -X injection likewise requires a real build step.
 
 func buildTestBinary(t *testing.T) string {
 	t.Helper()
@@ -107,84 +108,6 @@ func buildTestBinary(t *testing.T) string {
 	return bin
 }
 
-func TestPrintPath_Default(t *testing.T) {
-	bin := buildTestBinary(t)
-	cmd := exec.Command(bin, "--print-path")
-	cmd.Env = append(os.Environ(), "MICASA_DB_PATH=")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatalf("--print-path failed: %v", err)
-	}
-	got := strings.TrimSpace(string(out))
-	if got == "" {
-		t.Fatal("expected non-empty output")
-	}
-	if !strings.HasSuffix(got, "micasa.db") {
-		t.Errorf("expected path ending in micasa.db, got %q", got)
-	}
-}
-
-func TestPrintPath_ExplicitPath(t *testing.T) {
-	bin := buildTestBinary(t)
-	cmd := exec.Command(bin, "--print-path", "/custom/path.db")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatalf("--print-path failed: %v", err)
-	}
-	got := strings.TrimSpace(string(out))
-	if got != "/custom/path.db" {
-		t.Errorf("got %q, want /custom/path.db", got)
-	}
-}
-
-func TestPrintPath_EnvOverride(t *testing.T) {
-	bin := buildTestBinary(t)
-	cmd := exec.Command(bin, "--print-path")
-	cmd.Env = append(os.Environ(), "MICASA_DB_PATH=/env/test.db")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatalf("--print-path failed: %v", err)
-	}
-	got := strings.TrimSpace(string(out))
-	if got != "/env/test.db" {
-		t.Errorf("got %q, want /env/test.db", got)
-	}
-}
-
-func TestPrintPath_DemoNoPath(t *testing.T) {
-	bin := buildTestBinary(t)
-	cmd := exec.Command(bin, "--print-path", "--demo")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatalf("--print-path --demo failed: %v", err)
-	}
-	got := strings.TrimSpace(string(out))
-	if got != ":memory:" {
-		t.Errorf("got %q, want :memory:", got)
-	}
-}
-
-func TestPrintPath_DemoWithPath(t *testing.T) {
-	bin := buildTestBinary(t)
-	cmd := exec.Command(bin, "--print-path", "--demo", "/tmp/demo.db")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatalf("--print-path --demo /path failed: %v", err)
-	}
-	got := strings.TrimSpace(string(out))
-	if got != "/tmp/demo.db" {
-		t.Errorf("got %q, want /tmp/demo.db", got)
-	}
-}
-
-func TestPrintPath_ExitCodeZero(t *testing.T) {
-	bin := buildTestBinary(t)
-	cmd := exec.Command(bin, "--print-path")
-	if err := cmd.Run(); err != nil {
-		t.Errorf("expected exit 0, got %v", err)
-	}
-}
-
 func TestVersion_DevShowsCommitHash(t *testing.T) {
 	// Skip when there is no .git directory (e.g. Nix sandbox builds from a
 	// source tarball), since Go won't embed VCS info without one.
diff --git a/internal/data/store.go b/internal/data/store.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"strings"
 	"time"
+	"unicode"
 
 	"github.com/cpcloud/micasa/internal/fake"
 	"github.com/glebarez/sqlite"
@@ -20,6 +21,9 @@ type Store struct {
 }
 
 func Open(path string) (*Store, error) {
+	if err := ValidateDBPath(path); err != nil {
+		return nil, err
+	}
 	db, err := gorm.Open(
 		sqlite.Open(path),
 		&gorm.Config{
@@ -35,6 +39,60 @@ func Open(path string) (*Store, error) {
 	return &Store{db: db}, nil
 }
 
+// ValidateDBPath rejects paths that could be interpreted as URIs by the
+// SQLite driver. The underlying go-sqlite driver passes query strings
+// through net/url.ParseQuery (subject to CVE GO-2026-4341) and enables
+// SQLITE_OPEN_URI, so both file:// URIs and scheme://... URLs must be
+// blocked. Only plain filesystem paths and the special ":memory:" value
+// are accepted.
+func ValidateDBPath(path string) error {
+	if path == "" {
+		return fmt.Errorf("database path must not be empty")
+	}
+	if path == ":memory:" {
+		return nil
+	}
+	// Reject anything with a URI scheme (letters followed by "://").
+	if i := strings.Index(path, "://"); i > 0 {
+		scheme := path[:i]
+		if isLetterOnly(scheme) {
+			return fmt.Errorf(
+				"database path %q looks like a URI (%s://); only filesystem paths are accepted",
+				path, scheme,
+			)
+		}
+	}
+	// Reject "file:" prefix -- even without "//", SQLite interprets
+	// "file:path?query" as a URI when SQLITE_OPEN_URI is set.
+	if strings.HasPrefix(path, "file:") {
+		return fmt.Errorf(
+			"database path %q uses the file: scheme; pass a plain filesystem path instead",
+			path,
+		)
+	}
+	// Reject paths containing '?' -- the go-sqlite driver splits on '?'
+	// and feeds the remainder to url.ParseQuery.
+	if strings.ContainsRune(path, '?') {
+		return fmt.Errorf(
+			"database path %q contains '?' which would be interpreted as query parameters",
+			path,
+		)
+	}
+	return nil
+}
+
+func isLetterOnly(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	for _, r := range s {
+		if !unicode.IsLetter(r) {
+			return false
+		}
+	}
+	return true
+}
+
 // Close closes the underlying database connection.
 func (s *Store) Close() error {
 	sqlDB, err := s.db.DB()
diff --git a/internal/data/validate_path_test.go b/internal/data/validate_path_test.go
@@ -0,0 +1,114 @@
+// Copyright 2026 Phillip Cloud
+// Licensed under the Apache License, Version 2.0
+
+package data
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/brianvoe/gofakeit/v7"
+)
+
+func TestValidateDBPath(t *testing.T) {
+	tests := []struct {
+		path    string
+		wantErr string // substring of error, "" means no error
+	}{
+		// Valid paths.
+		{path: ":memory:"},
+		{path: "/home/user/micasa.db"},
+		{path: "relative/path.db"},
+		{path: "./local.db"},
+		{path: "../parent/db.sqlite"},
+		{path: "/tmp/micasa test.db"},
+		{path: "C:\\Users\\me\\micasa.db"},
+
+		// URI schemes -- must be rejected.
+		{path: "https://evil.com/db", wantErr: "looks like a URI"},
+		{path: "http://localhost/db", wantErr: "looks like a URI"},
+		{path: "ftp://files.example.com/data.db", wantErr: "looks like a URI"},
+		{path: "file://localhost/tmp/test.db", wantErr: "looks like a URI"},
+
+		// file: without // -- SQLite still interprets this as URI.
+		{path: "file:/tmp/test.db", wantErr: "file: scheme"},
+		{path: "file:test.db", wantErr: "file: scheme"},
+		{path: "file:test.db?mode=ro", wantErr: "file: scheme"},
+
+		// Query parameters -- trigger url.ParseQuery in driver.
+		{path: "/tmp/test.db?_pragma=journal_mode(wal)", wantErr: "contains '?'"},
+		{path: "test.db?cache=shared", wantErr: "contains '?'"},
+
+		// Empty path.
+		{path: "", wantErr: "must not be empty"},
+
+		// Not a scheme: no letters before "://".
+		{path: "/path/with://in/middle"},
+
+		// Numeric prefix before :// is not a scheme.
+		{path: "123://not-a-scheme"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			err := ValidateDBPath(tt.path)
+			if tt.wantErr == "" {
+				if err != nil {
+					t.Errorf("ValidateDBPath(%q) = %v, want nil", tt.path, err)
+				}
+				return
+			}
+			if err == nil {
+				t.Errorf("ValidateDBPath(%q) = nil, want error containing %q", tt.path, tt.wantErr)
+				return
+			}
+			if !strings.Contains(err.Error(), tt.wantErr) {
+				t.Errorf(
+					"ValidateDBPath(%q) = %v, want error containing %q",
+					tt.path, err, tt.wantErr,
+				)
+			}
+		})
+	}
+}
+
+func TestValidateDBPathRejectsRandomURLs(t *testing.T) {
+	f := gofakeit.New(42)
+	for i := 0; i < 100; i++ {
+		u := f.URL()
+		t.Run(fmt.Sprintf("seed42_%d", i), func(t *testing.T) {
+			err := ValidateDBPath(u)
+			if err == nil {
+				t.Errorf("ValidateDBPath(%q) = nil, want rejection", u)
+			}
+		})
+	}
+}
+
+func TestValidateDBPathRejectsRandomURLsWithQueryParams(t *testing.T) {
+	f := gofakeit.New(99)
+	for i := 0; i < 50; i++ {
+		// Construct URLs with query params that would hit url.ParseQuery.
+		u := fmt.Sprintf("%s?%s=%s", f.URL(), f.Word(), f.Word())
+		t.Run(fmt.Sprintf("seed99_%d", i), func(t *testing.T) {
+			err := ValidateDBPath(u)
+			if err == nil {
+				t.Errorf("ValidateDBPath(%q) = nil, want rejection", u)
+			}
+		})
+	}
+}
+
+func TestOpenRejectsURIs(t *testing.T) {
+	f := gofakeit.New(7)
+	for i := 0; i < 10; i++ {
+		u := f.URL()
+		t.Run(fmt.Sprintf("seed7_%d", i), func(t *testing.T) {
+			_, err := Open(u)
+			if err == nil {
+				t.Fatalf("Open(%q) should reject URI paths", u)
+			}
+		})
+	}
+}
