fix(langgraph-checkpoint-postgres): reject SQL LIKE wildcards in PostgresStore namespace labels#2512
Merged
Christian Bromann (christian-bromann) merged 1 commit intoJun 9, 2026
Conversation
…gresStore namespace labels
`BaseStore.search()` matches namespaces via
`namespace_path LIKE ${prefix}%` (bound parameter). The bind protects against
SQL injection but does *not* keep Postgres from interpreting `%`, `_`, or `\`
inside the label itself as `LIKE` wildcards / escape characters. So a
caller-supplied namespace prefix of `["%"]` matched every namespace in the
store, exposing data across tenants in any multi-tenant deployment that pipes
configurable values into a `BaseStore` namespace. `InMemoryStore` is unaffected
because it compares prefixes with literal `String.startsWith()`.
`validateNamespace()` now rejects `%`, `_`, and `\` alongside the existing `.`
and empty-label checks, and we apply it on the get/put/delete paths too so a
write under such a namespace can never become unreachable to its own search.
CWE-1336 (Improper Neutralization of Special Elements Used in a Template
Engine). No issue had been filed for this — found via cross-store consistency
review against `InMemoryStore`.
🦋 Changeset detectedLatest commit: a739e30 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
@langchain/langgraph-checkpoint
@langchain/langgraph-checkpoint-mongodb
@langchain/langgraph-checkpoint-postgres
@langchain/langgraph-checkpoint-redis
@langchain/langgraph-checkpoint-sqlite
@langchain/langgraph-checkpoint-validation
create-langgraph
@langchain/langgraph-api
@langchain/langgraph-cli
@langchain/langgraph
@langchain/langgraph-cua
@langchain/langgraph-supervisor
@langchain/langgraph-swarm
@langchain/langgraph-ui
@langchain/langgraph-sdk
@langchain/angular
@langchain/react
@langchain/svelte
@langchain/vue
commit: |
Christian Bromann (christian-bromann)
approved these changes
Jun 9, 2026
Christian Bromann (christian-bromann)
left a comment
Member
There was a problem hiding this comment.
Thank you 👍
375c73f
into
langchain-ai:main
25 checks passed
This was referenced Jun 9, 2026
Christian Bromann (christian-bromann)
pushed a commit
that referenced
this pull request
Jun 10, 2026
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. # Releases ## @langchain/langgraph-checkpoint@1.1.0 ### Minor Changes - [#2452](#2452) [`a8e7659`](a8e7659) Thanks [@christian-bromann](https://github.com/christian-bromann)! - Add `DeltaChannel` and the writes-history saver API (beta). `DeltaChannel` is a reducer channel that stores only a sentinel in checkpoint blobs instead of the full accumulated value, reconstructing state on read by replaying ancestor writes through a batch reducer. This avoids re-serializing the entire accumulated value at every step (e.g. long message histories). - `DeltaChannel(reducer, { snapshotFrequency })` in `@langchain/langgraph` — count-based snapshot cadence (default `snapshotFrequency=1000`) plus a system bound `DELTA_MAX_SUPERSTEPS_SINCE_SNAPSHOT` (default 5000, env `LANGGRAPH_DELTA_MAX_SUPERSTEPS_SINCE_SNAPSHOT`). - `messagesDeltaReducer` — a batching-invariant messages reducer that coerces raw object/string writes, for use with `DeltaChannel`. - `BaseCheckpointSaver.getDeltaChannelHistory({ config, channels })` (beta) — walks the parent chain returning per-channel `{ writes, seed? }`, with a direct-storage override in `MemorySaver`. - `counters_since_delta_snapshot` added to `CheckpointMetadata`; `DeltaSnapshot` serialization support in the JSON+ serializer. Reconstruction is wired through the Pregel read/execution paths (initialization, `getState`, `updateState`, local reads) and `exit` durability accumulates and anchors delta writes so threads remain reconstructible without forcing snapshots. ### Patch Changes - [#2450](#2450) [`2f6d873`](2f6d873) Thanks [@christian-bromann](https://github.com/christian-bromann)! - Add node-level timeouts. A `timeout` option is now supported on `StateGraph.addNode`, the functional API (`task`/`entrypoint`), and the `Send` constructor. Pass a number of milliseconds for a hard wall-clock cap, or a `TimeoutPolicy` for finer control: ```ts import { TimeoutPolicy } from "@langchain/langgraph"; // hard wall-clock cap on each attempt builder.addNode("agent", agentFn, { timeout: 60_000 }); // full control builder.addNode("agent", agentFn, { timeout: { runTimeout: 60_000, // hard wall-clock cap, never refreshed idleTimeout: 10_000, // cap on time without observable progress refreshOn: "auto", // "auto" | "heartbeat" }, }); // per-task override new Send("agent", state, { timeout: { idleTimeout: 5_000 } }); ``` When a timeout fires, a `NodeTimeoutError` (carrying `node`, `kind` (`"run"`/`"idle"`), `timeout`, `elapsed`, `runTimeout`, `idleTimeout`) is raised, the attempt's buffered writes are dropped, and the node's `AbortSignal` is aborted. `idleTimeout` is refreshed by observable progress (writes, custom stream-writer calls, child-task scheduling, callback events) or an explicit `runtime.heartbeat()` call. The timer resets per retry attempt, and `NodeTimeoutError` is retryable under the default retry policy. Ports langchain-ai/langgraph#7599, [#7646](https://github.com/langchain-ai/langgraphjs/issues/7646), and [#7659](https://github.com/langchain-ai/langgraphjs/issues/7659). ## @langchain/langgraph@1.4.0 ### Minor Changes - [#2449](#2449) [`d12d269`](d12d269) Thanks [@christian-bromann](https://github.com/christian-bromann)! - Add cooperative, between-superstep graph draining via `RunControl`. A new `RunControl` (exported from `@langchain/langgraph`) exposes `requestDrain(reason)` plus read-only `drainRequested` / `drainReason`. Pass it through the new `control` option on `invoke` / `stream` / `streamEvents` (and the functional API). It is surfaced on `runtime.control`, so nodes can read it or call `requestDrain()` themselves, and it is propagated into subgraphs. When a drain is requested, the Pregel loop checks the flag at the top of each superstep (after the previous step's writes are applied and checkpointed): if more tasks remain it saves the checkpoint and throws the new `GraphDrained` error (also under `durability: "exit"`), so the run can be resumed later from the same config. If the graph naturally finishes on that tick it returns normally and the caller can inspect `control.drainRequested`. A drain requested inside a subgraph bubbles up and stops the parent at its next boundary. Draining never cancels work that is already running — pair it with an `AbortSignal` if you need a hard upper bound. - [#2452](#2452) [`a8e7659`](a8e7659) Thanks [@christian-bromann](https://github.com/christian-bromann)! - Add `DeltaChannel` and the writes-history saver API (beta). `DeltaChannel` is a reducer channel that stores only a sentinel in checkpoint blobs instead of the full accumulated value, reconstructing state on read by replaying ancestor writes through a batch reducer. This avoids re-serializing the entire accumulated value at every step (e.g. long message histories). - `DeltaChannel(reducer, { snapshotFrequency })` in `@langchain/langgraph` — count-based snapshot cadence (default `snapshotFrequency=1000`) plus a system bound `DELTA_MAX_SUPERSTEPS_SINCE_SNAPSHOT` (default 5000, env `LANGGRAPH_DELTA_MAX_SUPERSTEPS_SINCE_SNAPSHOT`). - `messagesDeltaReducer` — a batching-invariant messages reducer that coerces raw object/string writes, for use with `DeltaChannel`. - `BaseCheckpointSaver.getDeltaChannelHistory({ config, channels })` (beta) — walks the parent chain returning per-channel `{ writes, seed? }`, with a direct-storage override in `MemorySaver`. - `counters_since_delta_snapshot` added to `CheckpointMetadata`; `DeltaSnapshot` serialization support in the JSON+ serializer. Reconstruction is wired through the Pregel read/execution paths (initialization, `getState`, `updateState`, local reads) and `exit` durability accumulates and anchors delta writes so threads remain reconstructible without forcing snapshots. - [#2451](#2451) [`d65a920`](d65a920) Thanks [@christian-bromann](https://github.com/christian-bromann)! - feat(langgraph): add node-level error handlers `StateGraph.addNode(name, fn, { errorHandler })` now accepts a first-class node-level error handler. The handler runs ONLY after the failing node's `retryPolicy` is exhausted, so retry and handling stay decoupled. It receives a typed `NodeError { node, error }` and the typed node input state, can return a state update, and can route to a recovery branch via `new Command({ goto })` (saga / compensation flows). Failure provenance is checkpointed (via a reserved `ERROR_SOURCE_NODE` write) so handlers observe the same context after a checkpoint resume. Uncaught node errors without a handler still abort the run as before, and `GraphBubbleUp` errors (such as `interrupt()`) are never swallowed by a handler. `StateGraph.setNodeDefaults({ errorHandler })` now also accepts a graph-wide default handler. It is materialized at `compile()` as a single shared handler and invoked for every regular node that does not set its own `errorHandler`. A per-node handler always takes precedence, the default never catches a failure raised by an error-handler node itself (handler failures fail the run), and the default is not inherited by subgraphs. Ports the Python feature from langchain-ai/langgraph#7233. - [#2450](#2450) [`2f6d873`](2f6d873) Thanks [@christian-bromann](https://github.com/christian-bromann)! - Add node-level timeouts. A `timeout` option is now supported on `StateGraph.addNode`, the functional API (`task`/`entrypoint`), and the `Send` constructor. Pass a number of milliseconds for a hard wall-clock cap, or a `TimeoutPolicy` for finer control: ```ts import { TimeoutPolicy } from "@langchain/langgraph"; // hard wall-clock cap on each attempt builder.addNode("agent", agentFn, { timeout: 60_000 }); // full control builder.addNode("agent", agentFn, { timeout: { runTimeout: 60_000, // hard wall-clock cap, never refreshed idleTimeout: 10_000, // cap on time without observable progress refreshOn: "auto", // "auto" | "heartbeat" }, }); // per-task override new Send("agent", state, { timeout: { idleTimeout: 5_000 } }); ``` When a timeout fires, a `NodeTimeoutError` (carrying `node`, `kind` (`"run"`/`"idle"`), `timeout`, `elapsed`, `runTimeout`, `idleTimeout`) is raised, the attempt's buffered writes are dropped, and the node's `AbortSignal` is aborted. `idleTimeout` is refreshed by observable progress (writes, custom stream-writer calls, child-task scheduling, callback events) or an explicit `runtime.heartbeat()` call. The timer resets per retry attempt, and `NodeTimeoutError` is retryable under the default retry policy. Ports langchain-ai/langgraph#7599, [#7646](https://github.com/langchain-ai/langgraphjs/issues/7646), and [#7659](https://github.com/langchain-ai/langgraphjs/issues/7659). - [#2461](#2461) [`801d955`](801d955) Thanks [@christian-bromann](https://github.com/christian-bromann)! - Add `StateGraph.setNodeDefaults()` for setting graph-wide node policy defaults (`retryPolicy`, `cachePolicy`). Per-node values passed to `addNode` always take precedence, and defaults are resolved at `compile()` time so call order does not matter. Defaults are not inherited by subgraphs. Ports Python's `set_node_defaults()` (langchain-ai/langgraph#7747). ### Patch Changes - [#2179](#2179) [`01c67df`](01c67df) Thanks [@christian-bromann](https://github.com/christian-bromann)! - fix(core): time travel replay/fork for graphs with interrupts and subgraphs Ports Python fixes for stale RESUME writes during replay, wrong subgraph checkpoint loading during time travel, missing fork checkpoints on replay, and direct-to-subgraph time travel. - [#2514](#2514) [`9e0201d`](9e0201d) Thanks [@christian-bromann](https://github.com/christian-bromann)! - fix(schema): expose StateSchema JSON schemas for Studio introspection Route StateSchema runtime definitions through getJsonSchema() and getInputJsonSchema() so LangGraph Studio receives state, input, and context schemas when graphs use the StateSchema primitive. Fixes [#2466](#2466) - [#2471](#2471) [`9b96f60`](9b96f60) Thanks [@christian-bromann](https://github.com/christian-bromann)! - perf(core): skip debug checkpoint snapshots when not streaming them Avoid building full-state `mapDebugCheckpoint` payloads on every tick when no consumer subscribed to `checkpoints` or `debug` stream modes. v3 companion checkpoint envelopes are unchanged (they come from values metadata). - [#2472](#2472) [`8e06ace`](8e06ace) Thanks [@christian-bromann](https://github.com/christian-bromann)! - perf(core): index pending writes for O(1) task-prep lookups Build a PendingWritesIndex once per \_prepareNextTasks call so resume and skip-done-task checks avoid repeated linear scans over checkpointPendingWrites. - [#2473](#2473) [`a8b0036`](a8b0036) Thanks [@christian-bromann](https://github.com/christian-bromann)! - perf(core): optimize applyWrites, interrupt seen, and channel errors Reduce allocations in \_applyWrites, fix O(N²) interrupt versions_seen updates, skip stack traces on EmptyChannelError control flow, and cache task lists in the pregel loop and runner. - [#2444](#2444) [`4096933`](4096933) Thanks [@christian-bromann](https://github.com/christian-bromann)! - feat(remote): add RemoteGraph v3 streaming support Expose the v3 `streamEvents` surface for `RemoteGraph` by adapting remote SDK thread streams to the local `GraphRunStream` shape. - Updated dependencies \[[`a8e7659`](a8e7659), [`2f6d873`](2f6d873)]: - @langchain/langgraph-checkpoint@1.1.0 ## @langchain/langgraph-checkpoint-mongodb@1.3.4 ### Patch Changes - [#2517](#2517) [`67a4f8d`](67a4f8d) Thanks [@jackjin1997](https://github.com/jackjin1997)! - fix: `MongoDBSaver.putWrites` now honors `WRITES_IDX_MAP`, pinning special channels (`__error__`, `__scheduled__`, `__interrupt__`, `__resume__`) to fixed negative indices instead of the call-local ordinal. Previously a mixed `putWrites([[...regular...], [INTERRUPT, …]], taskId)` placed the INTERRUPT at a positive idx that could collide with a regular write at the same `(task_id, idx)`, and the unconditional `$set` upsert silently overwrote whichever row landed there first. The conflict-resolution clause now matches the Postgres / SQLite (TS and Python) checkpointers: `$set` only when every channel is a special one, `$setOnInsert` otherwise. ## @langchain/langgraph-checkpoint-postgres@1.0.3 ### Patch Changes - [#2512](#2512) [`375c73f`](375c73f) Thanks [@jackjin1997](https://github.com/jackjin1997)! - fix: reject SQL `LIKE` wildcards (`%`, `_`) and the backslash escape character in `PostgresStore` namespace labels. `BaseStore.search()` matches namespaces via `namespace_path LIKE ${prefix}%`, and these characters in caller-supplied namespace labels are interpreted as wildcards by Postgres even through a bound parameter — letting a namespace prefix of `["%"]` match every namespace in the store across tenants. `validateNamespace` now throws for these characters at all `search` / `get` / `put` entrypoints, keeping store-wide consistency. CWE-1336. ## @langchain/langgraph-checkpoint-redis@1.0.8 ### Patch Changes - [#2518](#2518) [`9182ea3`](9182ea3) Thanks [@jackjin1997](https://github.com/jackjin1997)! - fix: `RedisSaver.putWrites` now honors `WRITES_IDX_MAP`, pinning special channels (`__error__`, `__scheduled__`, `__interrupt__`, `__resume__`) to fixed negative indices in their Redis key (`checkpoint_write:…:<idx>`) instead of the call-local ordinal. Previously a mixed `putWrites([[…regular…], [INTERRUPT, …]], taskId)` placed the INTERRUPT key at the positive idx of its position in the batch, where a peer task's regular write at the same idx would overwrite it via the unconditional `JSON.SET`. The conflict-resolution clause now matches Postgres / SQLite / MongoDB: unguarded `JSON.SET` when every write is a special channel, `JSON.SET … NX` (insert-or-ignore) otherwise. ## @langchain/langgraph-checkpoint-sqlite@1.0.3 ### Patch Changes - [#2516](#2516) [`f6a6d26`](f6a6d26) Thanks [@jackjin1997](https://github.com/jackjin1997)! - fix: `SqliteSaver.putWrites` now honors `WRITES_IDX_MAP`, pinning special channels (`__error__`, `__scheduled__`, `__interrupt__`, `__resume__`) to fixed negative indices instead of the call-local ordinal. Previously a follow-up `putWrites([[INTERRUPT, …]], taskId)` for the same checkpoint silently `REPLACE`d the regular write previously stored at `idx=0` for that task, losing data. The conflict-resolution clause also now matches the Python checkpointer contract: `OR REPLACE` only when every channel is a special one (so e.g. INTERRUPT→RESUME state transitions overwrite), `OR IGNORE` otherwise. ## @langchain/angular@1.0.21 ### Patch Changes - [#2515](#2515) [`49b8c1a`](49b8c1a) Thanks [@christian-bromann](https://github.com/christian-bromann)! - fix: make AnyStream a true supertype so selector hooks need no cast A concrete `useStream<typeof agent>()` handle was not assignable to `AnyStream` because generic-computed covariant members (`toolCalls`, `values`) don't widen under `any` — `InferToolCalls<any>[]` resolves to `AssembledToolCall<…, never>[]`, narrower than a concrete handle. Override those members with their widest forms (preserving each framework's reactivity wrapper — plain arrays for React/Svelte, `ShallowRef` for Vue, `Signal` for Angular) so the message/tool/value selector hooks accept a fully-typed stream without an `as AnyStream` cast. ## @langchain/react@1.0.21 ### Patch Changes - [#2515](#2515) [`49b8c1a`](49b8c1a) Thanks [@christian-bromann](https://github.com/christian-bromann)! - fix: make AnyStream a true supertype so selector hooks need no cast A concrete `useStream<typeof agent>()` handle was not assignable to `AnyStream` because generic-computed covariant members (`toolCalls`, `values`) don't widen under `any` — `InferToolCalls<any>[]` resolves to `AssembledToolCall<…, never>[]`, narrower than a concrete handle. Override those members with their widest forms (preserving each framework's reactivity wrapper — plain arrays for React/Svelte, `ShallowRef` for Vue, `Signal` for Angular) so the message/tool/value selector hooks accept a fully-typed stream without an `as AnyStream` cast. ## @langchain/svelte@1.0.21 ### Patch Changes - [#2515](#2515) [`49b8c1a`](49b8c1a) Thanks [@christian-bromann](https://github.com/christian-bromann)! - fix: make AnyStream a true supertype so selector hooks need no cast A concrete `useStream<typeof agent>()` handle was not assignable to `AnyStream` because generic-computed covariant members (`toolCalls`, `values`) don't widen under `any` — `InferToolCalls<any>[]` resolves to `AssembledToolCall<…, never>[]`, narrower than a concrete handle. Override those members with their widest forms (preserving each framework's reactivity wrapper — plain arrays for React/Svelte, `ShallowRef` for Vue, `Signal` for Angular) so the message/tool/value selector hooks accept a fully-typed stream without an `as AnyStream` cast. ## @langchain/vue@1.0.21 ### Patch Changes - [#2515](#2515) [`49b8c1a`](49b8c1a) Thanks [@christian-bromann](https://github.com/christian-bromann)! - fix: make AnyStream a true supertype so selector hooks need no cast A concrete `useStream<typeof agent>()` handle was not assignable to `AnyStream` because generic-computed covariant members (`toolCalls`, `values`) don't widen under `any` — `InferToolCalls<any>[]` resolves to `AssembledToolCall<…, never>[]`, narrower than a concrete handle. Override those members with their widest forms (preserving each framework's reactivity wrapper — plain arrays for React/Svelte, `ShallowRef` for Vue, `Signal` for Angular) so the message/tool/value selector hooks accept a fully-typed stream without an `as AnyStream` cast. ## @example/ai-elements@0.1.36 ### Patch Changes - Updated dependencies \[[`01c67df`](01c67df), [`d12d269`](d12d269), [`a8e7659`](a8e7659), [`49b8c1a`](49b8c1a), [`9e0201d`](9e0201d), [`9b96f60`](9b96f60), [`8e06ace`](8e06ace), [`d65a920`](d65a920), [`2f6d873`](2f6d873), [`a8b0036`](a8b0036), [`4096933`](4096933), [`801d955`](801d955)]: - @langchain/langgraph@1.4.0 - @langchain/react@1.0.21 ## @examples/assistant-ui-claude@0.1.36 ### Patch Changes - Updated dependencies \[[`01c67df`](01c67df), [`d12d269`](d12d269), [`a8e7659`](a8e7659), [`49b8c1a`](49b8c1a), [`9e0201d`](9e0201d), [`9b96f60`](9b96f60), [`8e06ace`](8e06ace), [`d65a920`](d65a920), [`2f6d873`](2f6d873), [`a8b0036`](a8b0036), [`4096933`](4096933), [`801d955`](801d955)]: - @langchain/langgraph@1.4.0 - @langchain/react@1.0.21 ## @examples/ui-angular@0.0.46 ### Patch Changes - Updated dependencies \[[`01c67df`](01c67df), [`d12d269`](d12d269), [`a8e7659`](a8e7659), [`49b8c1a`](49b8c1a), [`9e0201d`](9e0201d), [`9b96f60`](9b96f60), [`8e06ace`](8e06ace), [`d65a920`](d65a920), [`2f6d873`](2f6d873), [`a8b0036`](a8b0036), [`4096933`](4096933), [`801d955`](801d955)]: - @langchain/langgraph@1.4.0 - @langchain/angular@1.0.21 ## @examples/ui-multimodal@0.0.22 ### Patch Changes - Updated dependencies \[[`01c67df`](01c67df), [`d12d269`](d12d269), [`a8e7659`](a8e7659), [`49b8c1a`](49b8c1a), [`9e0201d`](9e0201d), [`9b96f60`](9b96f60), [`8e06ace`](8e06ace), [`d65a920`](d65a920), [`2f6d873`](2f6d873), [`a8b0036`](a8b0036), [`4096933`](4096933), [`801d955`](801d955)]: - @langchain/langgraph@1.4.0 - @langchain/react@1.0.21 ## @examples/ui-react@0.0.22 ### Patch Changes - Updated dependencies \[[`01c67df`](01c67df), [`d12d269`](d12d269), [`a8e7659`](a8e7659), [`49b8c1a`](49b8c1a), [`9e0201d`](9e0201d), [`9b96f60`](9b96f60), [`8e06ace`](8e06ace), [`d65a920`](d65a920), [`2f6d873`](2f6d873), [`a8b0036`](a8b0036), [`4096933`](4096933), [`801d955`](801d955)]: - @langchain/langgraph@1.4.0 - @langchain/react@1.0.21 ## langgraph@1.0.40 ### Patch Changes - Updated dependencies \[[`01c67df`](01c67df), [`d12d269`](d12d269), [`a8e7659`](a8e7659), [`9e0201d`](9e0201d), [`9b96f60`](9b96f60), [`8e06ace`](8e06ace), [`d65a920`](d65a920), [`2f6d873`](2f6d873), [`a8b0036`](a8b0036), [`4096933`](4096933), [`801d955`](801d955)]: - @langchain/langgraph@1.4.0 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
BaseStore.search()onPostgresStorematches namespaces vianamespace_path LIKE \${prefix}%(bound parameter). The bind protects against SQL injection but does not keep Postgres from interpreting%,_, or\inside the label itself asLIKEwildcards / escape characters. So a caller-supplied namespace prefix containing%silently widens the prefix into a glob — data leaks across namespaces in any multi-tenant deployment that pipes configurable values into aBaseStorenamespace.InMemoryStoreis unaffected — it compares prefixes via literalString.startsWith().Repro (conceptually, against the old
validateNamespace)After this PR
validateNamespacerejects%/_/\at allsearch/get/put/deleteentrypoints, matching the existing handling of.and empty labels.Tests
New
src/store/modules/utils.test.tsexercisesvalidateNamespacedirectly (it's a pure function, so no live Postgres needed). 8 new cases cover each wildcard char in isolation, in combination with other letters, and at non-first positions; benign characters that look similar (-,:, digits, unicode) are explicitly allowed.Reverse-verified: with this PR's
utils.tsreverted, 7 of the 7 new LIKE-wildcard tests fail (expected [Function] to throw an error / Received undefined).Consistency
InMemoryStoreString.startsWith()(literal)PostgresStorenamespace_path LIKE \${prefix}%RedisStore(precedent)KEYS namespace:*:...*/?/[/]/\viaassertSafeKeyComponentCWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).
AI Disclosure
This issue was identified via cross-store consistency review with AI assistance, and the fix was validated against a focused unit-test suite plus reverse-verification (test suite fails without the fix).