From 4c03e9cdd204592e5bcd5deb01035ad85904a2b1 Mon Sep 17 00:00:00 2001
From: Peter Stone <thepeterstone@gmail.com>
Date: Mon, 12 Jan 2026 13:13:20 -1000
Subject: Harden database security and reliability

Enable WAL mode for better concurrency, serialize writes to prevent database lock errors, and fix SQL injection vulnerability in GetNotes by using parameterized queries.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 internal/store/sqlite.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'internal/store/sqlite.go')

diff --git a/internal/store/sqlite.go b/internal/store/sqlite.go
index 45d7746..e2b0aee 100644
--- a/internal/store/sqlite.go
+++ b/internal/store/sqlite.go
@@ -29,6 +29,14 @@ func New(dbPath string) (*Store, error) {
 		return nil, fmt.Errorf("failed to enable foreign keys: %w", err)
 	}
 
+	// Enable WAL mode for better concurrency
+	if _, err := db.Exec("PRAGMA journal_mode = WAL"); err != nil {
+		return nil, fmt.Errorf("failed to enable WAL mode: %w", err)
+	}
+
+	// Serialize writes to prevent "database is locked" errors
+	db.SetMaxOpenConns(1)
+
 	store := &Store{db: db}
 
 	// Run migrations
@@ -204,11 +212,13 @@ func (s *Store) GetNotes(limit int) ([]models.Note, error) {
 		FROM notes
 		ORDER BY modified DESC
 	`
+	var args []interface{}
 	if limit > 0 {
-		query += fmt.Sprintf(" LIMIT %d", limit)
+		query += " LIMIT ?"
+		args = append(args, limit)
 	}
 
-	rows, err := s.db.Query(query)
+	rows, err := s.db.Query(query, args...)
 	if err != nil {
 		return nil, err
 	}
-- 
cgit v1.2.3