Skip to content

feat(storage): implement backend sorting with sql injection protection#145

Open
Lutherwaves wants to merge 18 commits intomainfrom
fix/AddSortingSQLAdapter
Open

feat(storage): implement backend sorting with sql injection protection#145
Lutherwaves wants to merge 18 commits intomainfrom
fix/AddSortingSQLAdapter

Conversation

@Lutherwaves
Copy link
Contributor

@Lutherwaves Lutherwaves commented Feb 17, 2026
edited
Loading

  • Adds sortDirection support to cursor-paginated queries across SQL, CosmosDB, and DynamoDB adapters
  • Introduces SortingDirection type with Ascending/Descending constants
  • Validates sortKey against a strict column-name whitelist before interpolation into ORDER BY clauses, closing an injection vector where Order() does not escape inputs
  • Surfaces previously silent cursor extraction failures as slog.Warn — pagination that silently breaks now shows up in logs
  • Documents sortKey and SortDirectionKey on the exported StorageAdapter interface following Google's Go style guide

What's NOT in this PR

Replacing params ...map[string]any with typed options is deferred — it's an interface-breaking change across all downstream services, and the migration only pays for itself once a second cross-adapter param is added to the bag.

@Lutherwaves Lutherwaves self-assigned this Feb 17, 2026
ayashjorden
ayashjorden requested changes Feb 20, 2026
View reviewed changes
@Lutherwaves
Copy link
Contributor Author

Lutherwaves commented Feb 20, 2026

@ayashjorden Thanks for the review, available for re-review.

ayashjorden
ayashjorden reviewed Feb 20, 2026
View reviewed changes
ayashjorden
ayashjorden reviewed Feb 20, 2026
View reviewed changes
deanefrati
deanefrati reviewed Feb 23, 2026
View reviewed changes
@Lutherwaves Lutherwaves changed the title feat: add sorting to sql adapter feat: add sorting to sql adapter and refactor sort key/direction handling in storage adapter Feb 23, 2026
@Lutherwaves
chore(test): restore sqlAdapterInstance singleton after TestListRejec…
5d5f92c 
…tsMaliciousSortKey
@Lutherwaves
fix: warn on cursor field extraction failure, remove redundant else b…
83e52f2 
…ranch
@Lutherwaves
refactor(style): use snake_case log keys in cursor extraction warnings
b72b96e
@Lutherwaves
fix: validate sortKey in DynamoDB List and Search to prevent PartiQL …
0cec523 
…injection
@Lutherwaves
chore(docs): add godoc to executePaginatedQuery in SQL and CosmosDB a…
b25e988 
…dapters
@Lutherwaves
chore(docs): document sortKey and SortDirectionKey on StorageAdapter …
4b4931c 
…interface

Move user-facing documentation (struct field name requirement, sort direction
param) to the exported List and Search interface methods where library consumers
can discover it. Trim unexported executePaginatedQuery docs to maintainer notes.
@Lutherwaves Lutherwaves force-pushed the fix/AddSortingSQLAdapter branch from 331a059 to 4b4931c Compare February 23, 2026 19:31
@Lutherwaves Lutherwaves changed the title feat: add sorting to sql adapter and refactor sort key/direction handling in storage adapter feat(storage): implement backend sorting with sql injection protection Feb 23, 2026
@Lutherwaves
Copy link
Contributor Author

Lutherwaves commented Feb 24, 2026

@deanefrati @ayashjorden please take a look when you have time

ayashjorden
ayashjorden reviewed Feb 24, 2026
View reviewed changes
ayashjorden
ayashjorden reviewed Feb 24, 2026
View reviewed changes
@Lutherwaves
Copy link
Contributor Author

Lutherwaves commented Mar 1, 2026

@ayashjorden @deanefrati ready for rereview

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ayashjorden ayashjorden ayashjorden approved these changes

@deanefrati deanefrati Awaiting requested review from deanefrati

Assignees

@Lutherwaves Lutherwaves

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Lutherwaves @ayashjorden @deanefrati