(core) forbid use of sqlite ATTACH except during VACUUM

Summary: This calls sqlite3_limit(SQLITE_LIMIT_ATTACHED, 0) so that if ever an `ATTACH` were snuck into an SQL query, it would be denied. The limit needs to be waived when calling VACUUM since the implementation of VACUUM uses ATTACH. Test Plan: added test; existing tests should pass Reviewers: alexmojaki Reviewed By: alexmojaki Subscribers: alexmojaki Differential Revision: https://phab.getgrist.com/D3316
2026-03-02 04:09:24 +00:00 · 2022-03-11 15:24:26 -05:00
parent 3a8e7032bc
commit b2715ae9ef
4 changed files with 27 additions and 9 deletions
--- a/package.json
+++ b/package.json
@@ -80,7 +80,7 @@
    "@gristlabs/express-session": "1.17.0",
    "@gristlabs/moment-guess": "1.2.4-grist.1",
    "@gristlabs/pidusage": "2.0.17",
-    "@gristlabs/sqlite3": "4.1.1-grist.4",
+    "@gristlabs/sqlite3": "4.1.1-grist.6",
    "@popperjs/core": "2.3.3",
    "accept-language-parser": "1.5.0",
    "async-mutex": "0.2.4",