Commit ad418f9
fix: also reject dynamic SQL primitives in executeReadOnly() guard
EXEC('COMMIT') would bypass the COMMIT/ROLLBACK keyword guard because
stripCommentsAndStrings removes the string content. Block EXEC, EXECUTE,
sp_executesql, and xp_cmdshell at the connector level so dynamic SQL
carrying hidden transaction control cannot escape the rollback.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>1 parent ad2e669 commit ad418f9
1 file changed
Lines changed: 10 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
709 | 709 | | |
710 | 710 | | |
711 | 711 | | |
712 | | - | |
713 | | - | |
714 | | - | |
| 712 | + | |
| 713 | + | |
| 714 | + | |
| 715 | + | |
| 716 | + | |
715 | 717 | | |
716 | 718 | | |
717 | 719 | | |
| |||
723 | 725 | | |
724 | 726 | | |
725 | 727 | | |
| 728 | + | |
| 729 | + | |
| 730 | + | |
| 731 | + | |
| 732 | + | |
726 | 733 | | |
727 | 734 | | |
728 | 735 | | |
| |||
0 commit comments