[codex] fix mysql search table name validation

[theCyberTech]

Summary

• validate MySQLSearchTool table names before building the loader query
• quote accepted table and schema-qualified identifiers with backticks
• add regression coverage for injected table-name values and valid identifier handling

Root Cause

MySQLSearchTool.add() interpolated table_name directly into SELECT * FROM {table_name}; and passed that SQL through the RAG adapter to the MySQL loader, where it is executed with cursor.execute(query). The constructor API describes table_name as a table identifier, not arbitrary SQL, so attacker-controlled names could alter the query.

Validation

• .venv/bin/python -m pytest lib/crewai-tools/tests/tools/test_mysql_search_tool.py -> 15 passed
• .venv/bin/python -m ruff check lib/crewai-tools/src/crewai_tools/tools/mysql_search_tool/mysql_search_tool.py lib/crewai-tools/tests/tools/test_mysql_search_tool.py -> passed
• .venv/bin/python -m ruff format --check lib/crewai-tools/src/crewai_tools/tools/mysql_search_tool/mysql_search_tool.py lib/crewai-tools/tests/tools/test_mysql_search_tool.py -> passed
• pre-commit on commit: ruff, ruff-format, mypy passed

Summary by CodeRabbit

• Bug Fixes
  • Improved MySQL table handling so table names are validated and safely quoted before queries run.
  • Invalid table or schema.table formats are now rejected instead of being used in a query.
  • MySQL search behavior remains unchanged for valid inputs, with searches still delegated normally.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 71fd8be8-cbaa-4479-ab72-2748c51219f8

📥 Commits

Reviewing files that changed from the base of the PR and between 5d4851e and e3f7d1a.

📒 Files selected for processing (2)

• lib/crewai-tools/src/crewai_tools/tools/mysql_search_tool/mysql_search_tool.py
• lib/crewai-tools/tests/tools/test_mysql_search_tool.py

---

📝 Walkthrough

Walkthrough

MySQLSearchTool now validates and backtick-quotes table names before building SELECT * queries, and the test module covers valid and invalid identifiers, _run delegation, and MySQL metadata wiring.

Changes

MySQL search tool hardening

Layer / File(s)	Summary
Validation and quoting lib/crewai-tools/src/crewai_tools/tools/mysql_search_tool/mysql_search_tool.py	Adds regex-based validation for single- and two-part table names and uses quoted identifiers when building the MySQL query.
MySQL search tests lib/crewai-tools/tests/tools/test_mysql_search_tool.py	Adds mocked setup and tests for valid table names, invalid table names, _run delegation, and RagTool.add metadata.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: fixing MySQL search table-name validation and quoting.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-mysql-search-table-name-injection

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[corridor-security]

Summary: This PR hardens MySQLSearchTool table-name handling by validating schema/table identifiers and quoting accepted names before constructing the loader query; no exploitable security vulnerabilities were identified.

Risk: Low risk. The change reduces an existing SQL injection surface and does not introduce new authentication, authorization, data exposure, or network-facing attack surfaces.

[Copilot]

Pull request overview

This PR mitigates SQL injection risk in MySQLSearchTool by validating/quoting MySQL table identifiers before constructing the loader query, and adds regression tests to ensure unsafe identifiers are rejected.

Changes:

• Add strict validation + backtick-quoting for table_name (supports table and schema.table forms).
• Build loader query using the validated, quoted identifier.
• Add tests covering valid identifier quoting, rejection of injected identifiers, and unchanged search behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
lib/crewai-tools/src/crewai_tools/tools/mysql_search_tool/mysql_search_tool.py	Adds identifier validation and backtick-quoting before building the SELECT * FROM ... query.
lib/crewai-tools/tests/tools/test_mysql_search_tool.py	Introduces regression tests for valid/invalid table identifiers and confirms _run() behavior remains intact.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.