Bugfix/update nodevm sandbox options, sanitize tablename (#3818)

* update nodevm sandbox options, sanitize tablename

* sanitize file name when getFileFromStorage

packages/components/nodes/recordmanager/MySQLRecordManager/MySQLrecordManager.ts

@@ -178,6 +178,18 @@ class MySQLRecordManager implements RecordManagerInterface {
         this.config = config
     }
 
+    sanitizeTableName(tableName: string): string {
+        // Trim and normalize case, turn whitespace into underscores
+        tableName = tableName.trim().toLowerCase().replace(/\s+/g, '_')
+
+        // Validate using a regex (alphanumeric and underscores only)
+        if (!/^[a-zA-Z0-9_]+$/.test(tableName)) {
+            throw new Error('Invalid table name')
+        }
+
+        return tableName
+    }
+
     private async getDataSource(): Promise<DataSource> {
         const { mysqlOptions } = this.config
         if (!mysqlOptions) {
@@ -196,8 +208,9 @@ class MySQLRecordManager implements RecordManagerInterface {
         try {
             const dataSource = await this.getDataSource()
             const queryRunner = dataSource.createQueryRunner()
+            const tableName = this.sanitizeTableName(this.tableName)
 
-            await queryRunner.manager.query(`create table if not exists \`${this.tableName}\` (
+            await queryRunner.manager.query(`create table if not exists \`${this.sanitizeTableName(tableName)}\` (
                 \`uuid\` varchar(36) primary key default (UUID()),
                 \`key\` varchar(255) not null,
                 \`namespace\` varchar(255) not null,
@@ -211,11 +224,11 @@ class MySQLRecordManager implements RecordManagerInterface {
                 // MySQL does not support 'IF NOT EXISTS' function for Index
                 const Check = await queryRunner.manager.query(
                     `SELECT COUNT(1) IndexIsThere FROM INFORMATION_SCHEMA.STATISTICS 
-                        WHERE table_schema=DATABASE() AND table_name='${this.tableName}' AND index_name='${column}_index';`
+                        WHERE table_schema=DATABASE() AND table_name='${tableName}' AND index_name='${column}_index';`
                 )
                 if (Check[0].IndexIsThere === 0)
                     await queryRunner.manager.query(`CREATE INDEX \`${column}_index\`
-        ON \`${this.tableName}\` (\`${column}\`);`)
+        ON \`${tableName}\` (\`${column}\`);`)
             }
 
             await queryRunner.release()
@@ -253,6 +266,7 @@ class MySQLRecordManager implements RecordManagerInterface {
 
         const dataSource = await this.getDataSource()
         const queryRunner = dataSource.createQueryRunner()
+        const tableName = this.sanitizeTableName(this.tableName)
 
         const updatedAt = await this.getTime()
         const { timeAtLeast, groupIds: _groupIds } = updateOptions ?? {}
@@ -275,7 +289,7 @@ class MySQLRecordManager implements RecordManagerInterface {
         ])
 
         const query = `
-            INSERT INTO \`${this.tableName}\` (\`key\`, \`namespace\`, \`updated_at\`, \`group_id\`)
+            INSERT INTO \`${tableName}\` (\`key\`, \`namespace\`, \`updated_at\`, \`group_id\`)
             VALUES (?, ?, ?, ?)
             ON DUPLICATE KEY UPDATE \`updated_at\` = VALUES(\`updated_at\`)`
 
@@ -302,12 +316,13 @@ class MySQLRecordManager implements RecordManagerInterface {
 
         const dataSource = await this.getDataSource()
         const queryRunner = dataSource.createQueryRunner()
+        const tableName = this.sanitizeTableName(this.tableName)
 
         // Prepare the placeholders and the query
         const placeholders = keys.map(() => `?`).join(', ')
         const query = `
     SELECT \`key\`
-    FROM \`${this.tableName}\`
+    FROM \`${tableName}\`
     WHERE \`namespace\` = ? AND \`key\` IN (${placeholders})`
 
         // Initialize an array to fill with the existence checks
@@ -335,10 +350,11 @@ class MySQLRecordManager implements RecordManagerInterface {
     async listKeys(options?: ListKeyOptions): Promise<string[]> {
         const dataSource = await this.getDataSource()
         const queryRunner = dataSource.createQueryRunner()
+        const tableName = this.sanitizeTableName(this.tableName)
 
         try {
             const { before, after, limit, groupIds } = options ?? {}
-            let query = `SELECT \`key\` FROM \`${this.tableName}\` WHERE \`namespace\` = ?`
+            let query = `SELECT \`key\` FROM \`${tableName}\` WHERE \`namespace\` = ?`
             const values: (string | number | string[])[] = [this.namespace]
 
             if (before) {
@@ -385,9 +401,10 @@ class MySQLRecordManager implements RecordManagerInterface {
 
         const dataSource = await this.getDataSource()
         const queryRunner = dataSource.createQueryRunner()
+        const tableName = this.sanitizeTableName(this.tableName)
 
         const placeholders = keys.map(() => '?').join(', ')
-        const query = `DELETE FROM \`${this.tableName}\` WHERE \`namespace\` = ? AND \`key\` IN (${placeholders});`
+        const query = `DELETE FROM \`${tableName}\` WHERE \`namespace\` = ? AND \`key\` IN (${placeholders});`
         const values = [this.namespace, ...keys].map((v) => (typeof v !== 'string' ? `${v}` : v))
 
         // Directly using try/catch with async/await for cleaner flow