From e2284695fca40c1005d1e4bd5b92574a1f92aa5f Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Sat, 11 Apr 2026 21:41:54 +0300
Subject: [PATCH] Validates table names when purging

---
 app/core/PluginManager.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/core/PluginManager.php b/app/core/PluginManager.php
index e1013e7..9110760 100644
--- a/app/core/PluginManager.php
+++ b/app/core/PluginManager.php
@@ -332,6 +332,12 @@ class PluginManager
 $foreignKeyChecksDisabled = true;
 foreach ($tables as $table) {
+ // Defensive validation: only allow plain SQL identifiers for drop targets.
+ if (!preg_match('/^[a-zA-Z0-9_]+$/', $table)) {
+ app_log('warning', 'PluginManager::purge: Skipped unsafe table identifier "' . (string)$table . '" for plugin ' . $plugin, ['scope' => 'plugin']);
+ continue;
+ }
+
 $pdo->exec("DROP TABLE IF EXISTS `$table`");
 app_log('info', 'PluginManager::purge: Dropped table ' . $table . ' for plugin ' . $plugin, ['scope' => 'plugin']);
 }
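Review bot: The identifier check `preg_match('/^[a-zA-Z0-9_]+$/', $table)` still accepts a name with a trailing newline, because `$` without the `D` modifier also matches just before a final `\n`, so the accepted set is slightly wider than the comment "only allow plain SQL identifiers" states. The `(string)$table` cast in the warning suggests non-string entries are expected, but `preg_match` runs first and throws a `TypeError` for an array value instead of reaching the log; guarding with a type check and anchoring the pattern fixes both: `if (!is_string($table) || !preg_match('/^[a-zA-Z0-9_]+$/D', $table)) {`. Note that this validation establishes only that the name is a syntactically safe identifier inside the backticks of the `DROP TABLE` statement, not that the plugin is entitled to drop it — if `$tables` originates from plugin-supplied data (its source is not visible in the hunk), a core table name would pass unchanged, so a prefix or ownership check may still be warranted. The enclosing method starts and ends outside the hunk.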