execsql2 2.17.2__py3-none-any.whl → 2.18.0__py3-none-any.whl

execsql/cli/run.py

@@ -197,6 +197,11 @@ def _ping_db(db: Any) -> None:
 # ---------------------------------------------------------------------------
 
 
+# B12/F014: shared sensitive-name filter used by env-var seeding, -a
+# value logging, and any future credential-redaction sites.
+_SENSITIVE_SUBSTRINGS = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "PRIVATE_KEY", "CREDENTIAL")
+
+
 def _seed_early_subvars() -> SubVarSet:
     """Create and populate the initial substitution variable pool.
 
@@ -205,7 +210,6 @@ def _seed_early_subvars() -> SubVarSet:
     """
     subvars = SubVarSet()
 
-    _SENSITIVE_SUBSTRINGS = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "PRIVATE_KEY", "CREDENTIAL")
     for k in os.environ:
         if any(s in k.upper() for s in _SENSITIVE_SUBSTRINGS):
             continue
@@ -310,6 +314,14 @@ def _apply_dsn(dsn: str, conf: ConfigData, db_type: str | None) -> tuple[str | N
     if parsed["password"]:
         conf.db_password = parsed["password"]
         conf.passwd_prompt = False
+        # B12/F038: embedding the password in the --dsn URL leaks it to
+        # `ps`, shell history, and any logging that captures argv. Warn
+        # so the user knows to prefer keyring or a password-less DSN.
+        _err_console.print(
+            "[bold yellow]Warning:[/bold yellow] --dsn URL contains a password; "
+            "it may be visible in `ps`, shell history, and process accounting. "
+            "Consider keyring or a password-less DSN.",
+        )
     port = parsed["port"]  # may be None
     return db_type, user, port
 
@@ -490,8 +502,15 @@ def _setup_logging(
         for n, repl in enumerate(sub_vars):
             var = f"$ARG_{n + 1}"
             subvars.add_substitution(var, repl)
+            # B12/F014: -a values are user input that may contain
+            # secrets. Redact the value in the log line when the
+            # surrounding -a payload looks sensitive (matches the
+            # existing env-var filter at _seed_early_subvars).
+            display_repl = repl
+            if any(s in str(repl).upper() for s in _SENSITIVE_SUBSTRINGS):
+                display_repl = "***"
             logger.log_status_info(
-                f"Command-line substitution variable assignment: {var} set to {{{repl}}}",
+                f"Command-line substitution variable assignment: {var} set to {{{display_repl}}}",
             )
 
     return logger
@@ -533,6 +552,8 @@ def _run(
     lint: bool = False,
     debug: bool = False,
     no_system_cmd: bool = False,
+    no_rm_file: bool = False,
+    no_serve: bool = False,
     config_file: str | None = None,
 ) -> None:
     """Initialise state, connect to the database, load the script, and run it.
@@ -741,6 +762,12 @@ def _run(
     if no_system_cmd:
         conf.allow_system_cmd = False
 
+    if no_rm_file:
+        conf.allow_rm_file = False
+
+    if no_serve:
+        conf.allow_serve = False
+
     if _ast_tree is not None:
         _execute_script_ast(_ast_tree, conf, profile=profile, profile_limit=profile_limit)
 

execsql/config.py

@@ -315,6 +315,12 @@ class ConfigData:
         self._get_bool(cp, self._CONFIG_SECTION, "log_sql", "log_sql")
         self._get_int(cp, self._CONFIG_SECTION, "max_log_size_mb", "max_log_size_mb")
         self._get_bool(cp, self._CONFIG_SECTION, "allow_system_cmd", "allow_system_cmd")
+        self._get_bool(cp, self._CONFIG_SECTION, "allow_rm_file", "allow_rm_file")
+        self._get_bool(cp, self._CONFIG_SECTION, "allow_serve", "allow_serve")
+        self._get_str(cp, self._CONFIG_SECTION, "include_root", "include_root")
+        self._get_str(cp, self._CONFIG_SECTION, "serve_root", "serve_root")
+        self._get_str(cp, self._CONFIG_SECTION, "template_root", "template_root")
+        self._get_int(cp, self._CONFIG_SECTION, "max_substitution_bytes", "max_substitution_bytes")
         # --- [email] ---
         self._get_str(cp, self._EMAIL_SECTION, "host", "smtp_host")
         self._get_int(cp, self._EMAIL_SECTION, "port", "smtp_port")
@@ -426,6 +432,20 @@ class ConfigData:
         self.export_output_dir: str | None = None
         self.dao_flush_delay_secs = 5.0
         self.allow_system_cmd = True
+        # B05: path-containment controls. ``*_root`` keys, when set, force
+        # the corresponding handler to confine resolved paths under the
+        # named root and reject anything that escapes via ``..``,
+        # absolute paths, drive letters, or UNCs. ``allow_*`` toggles
+        # disable the handler entirely (symmetric with allow_system_cmd).
+        self.include_root: str | None = None
+        self.serve_root: str | None = None
+        self.template_root: str | None = None
+        self.allow_rm_file = True
+        self.allow_serve = True
+        # B17/F013: byte ceiling on substitute_vars() expansion to
+        # defeat exponential-expansion bombs. None = use the engine
+        # default (10 MB).
+        self.max_substitution_bytes: int | None = None
         self.zip_buffer_mb = 10
         if os.name == "posix":
             sys_config_file = str(Path("/etc") / self.config_file_name)

execsql/db/access.py

@@ -88,6 +88,12 @@ class AccessDatabase(Database):
     def __repr__(self) -> str:
         return f"AccessDatabase({self.db_name}, {self.encoding})"
 
+    def auto_commits_ddl(self) -> bool:
+        """MS Access (via Jet/ACE on pyodbc) implicitly commits DDL —
+        ``rollback()`` is a silent no-op for any transaction whose
+        boundary the DDL crossed."""
+        return True
+
     def open_db(self) -> None:
         """Open an ODBC connection to the Access database."""
         # Open an ODBC connection.

execsql/db/base.py

@@ -153,9 +153,41 @@ class Database(ABC):
 
     def quote_identifier(self, identifier: str) -> str:
         """Return *identifier* wrapped in double-quotes with any embedded
-        double-quotes escaped (standard SQL identifier quoting)."""
+        double-quotes escaped (standard SQL identifier quoting).
+
+        Override in subclasses for adapters whose native identifier quote
+        differs (MySQL uses backticks, SQL Server uses square brackets).
+        """
         return '"' + identifier.replace('"', '""') + '"'
 
+    def quote_qualified_identifier(self, *parts: str) -> str:
+        """Quote each non-empty part of a possibly-multi-segment identifier
+        and join them with ``.`` (e.g. ``"schema"."table"``).
+
+        Skips ``None`` or empty parts so callers don't need to special-case
+        schemaless databases (SQLite, Firebird).
+        """
+        return ".".join(self.quote_identifier(p) for p in parts if p)
+
+    def quote_literal(self, value: Any) -> str:
+        """Return *value* as a SQL string literal, safely escaped.
+
+        Default ANSI/Postgres behaviour: wrap in single quotes, double
+        embedded apostrophes, escape backslashes (so a value containing
+        ``\\'`` cannot terminate the literal on MySQL default mode or
+        PostgreSQL E-strings), and reject embedded NUL bytes (most
+        wire protocols truncate or reject them).
+
+        Override per-DBMS only when the wire protocol requires a different
+        literal form.
+        """
+        if value is None:
+            return "NULL"
+        s = str(value)
+        if "\x00" in s:
+            raise ValueError("SQL literal contains a NUL byte; refusing to quote.")
+        return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"
+
     def paramsubs(self, paramcount: int) -> str:
         """Return a comma-separated string of *paramcount* parameter placeholders."""
         return ",".join((self.paramstr,) * paramcount)
@@ -210,6 +242,30 @@ class Database(ABC):
             except Exception:
                 pass  # Best-effort; connection may already be closed.
 
+    def needs_explicit_commit_after_ddl(self) -> bool:
+        """Return True if this adapter's driver does NOT auto-commit DDL.
+
+        Firebird is the notable case: a CREATE TABLE issued via the
+        driver remains pending until commit, so callers that issue DDL
+        followed by DML on a fresh table must commit in between. Most
+        other adapters either auto-commit on DDL or run DDL inside the
+        current transaction with no special handling required.
+        """
+        return False
+
+    def auto_commits_ddl(self) -> bool:
+        """Return True if this adapter's driver implicitly commits DDL.
+
+        Oracle, MySQL, SQL Server, and MS Access all auto-commit DDL —
+        ``rollback()`` is a silent no-op for any transaction whose
+        boundary the DDL crossed. Callers that wrap DDL inside an
+        explicit ``BEGIN BATCH … END BATCH`` block on these adapters
+        get weaker rollback guarantees than on PostgreSQL / SQLite, and
+        should be aware of the asymmetry. See
+        ``docs/about/divergence.md`` for the full per-DBMS matrix.
+        """
+        return False
+
     def schema_qualified_table_name(self, schema_name: str | None, table_name: str) -> str:
         """Return the quoted, optionally schema-qualified form of *table_name*."""
         table_name = self.type.quoted(table_name)

execsql/db/dsn.py

@@ -70,17 +70,27 @@ class DsnDatabase(Database):
         if self.need_passwd and self.user and self.password is None:
             self.password = get_password("DSN", self.db_name, self.user)
 
+        def _odbc_quote(value: str) -> str:
+            """Brace-quote *value* for an ODBC connection-string attribute.
+
+            ODBC attribute lists are ``;``-delimited; a malicious value
+            containing ``;`` can inject attributes (CWE-91). Wrap every
+            user-supplied value in ``{…}`` and double any embedded ``}``
+            so ``pa}ss`` becomes ``{pa}}ss}``.
+            """
+            return "{" + str(value).replace("}", "}}") + "}"
+
         def _dsn_connect(autocommit: bool = False):
-            cs = "DSN=%s;"
+            # Build a connection string with brace-quoted attribute values
+            # so that ``;``, ``=`` and other ODBC delimiters in user-
+            # supplied credentials cannot inject additional attributes.
+            parts = [f"DSN={_odbc_quote(self.db_name)}"]
             if self.need_passwd:
-                kwargs = {"autocommit": autocommit} if autocommit else {}
-                self.conn = pyodbc.connect(
-                    f"{cs % self.db_name} Uid={self.user}; Pwd={self.password};",
-                    **kwargs,
-                )
-            else:
-                kwargs = {"autocommit": autocommit} if autocommit else {}
-                self.conn = pyodbc.connect(cs % self.db_name, **kwargs)
+                parts.append(f"UID={_odbc_quote(self.user)}")
+                parts.append(f"PWD={_odbc_quote(self.password)}")
+            connstr = ";".join(parts) + ";"
+            kwargs = {"autocommit": autocommit} if autocommit else {}
+            self.conn = pyodbc.connect(connstr, **kwargs)
 
         def _try_connect():
             try:

execsql/db/firebird.py

@@ -59,6 +59,12 @@ class FirebirdDatabase(Database):
             f"{self.need_passwd!r}, {self.port!r}, {self.encoding!r})"
         )
 
+    def needs_explicit_commit_after_ddl(self) -> bool:
+        """Firebird leaves DDL pending until commit — callers issuing
+        ``CREATE TABLE`` then ``INSERT`` on a fresh table must commit
+        in between."""
+        return True
+
     def open_db(self) -> None:
         """Open a connection to the Firebird database."""
         import fdb as firebird_lib

execsql/db/mysql.py

@@ -73,6 +73,87 @@ class MySQLDatabase(Database):
             f"{self.need_passwd!r}, {self.port!r}, {self.encoding!r})"
         )
 
+    def auto_commits_ddl(self) -> bool:
+        """MySQL / MariaDB implicitly commit DDL — ``rollback()`` is a
+        silent no-op for any transaction whose boundary the DDL
+        crossed. See ``docs/about/divergence.md``."""
+        return True
+
+    def quote_identifier(self, identifier: str) -> str:
+        """MySQL / MariaDB native identifier quoting uses backticks.
+
+        Override of :meth:`Database.quote_identifier` for B07a/F021: the
+        base ANSI ``"…"`` form only works after the connection sets
+        ``sql_mode=ANSI`` / ``ANSI_QUOTES`` (the adapter does this at
+        open_db, but user SQL that resets the mode would silently break
+        execsql-generated DDL).
+        """
+        return "`" + identifier.replace("`", "``") + "`"
+
+    # B10/F069: MySQL's ``lower_case_table_names`` server variable
+    # controls whether identifier comparisons against information_schema
+    # rows are case-sensitive. On Linux the default is 0 (case-sensitive
+    # storage, case-sensitive compare); on Windows/macOS the default is
+    # 1 (lowercased storage, case-insensitive compare); ``2`` stores
+    # as-created but compares case-insensitively. The base
+    # ``information_schema.tables`` lookups in Database compare
+    # literally, so ``table_exists("MyTable")`` returned False on
+    # case-sensitive Linux servers even when ``MyTable`` actually
+    # existed. Fold the input name when the server is case-insensitive.
+
+    def _lower_case_table_names(self) -> int:
+        """Return the server-level ``@@lower_case_table_names`` value, cached.
+
+        Looks up the system variable on first call; subsequent calls
+        return the cached value. Safe to call before ``open_db()``
+        returns — falls back to ``0`` (case-sensitive) if the lookup
+        fails for any reason.
+        """
+        cached = getattr(self, "_cached_lctn", None)
+        if cached is not None:
+            return cached
+        try:
+            _, rows = self.select_data("SELECT @@lower_case_table_names;")
+            value = int(rows[0][0]) if rows else 0
+        except Exception:
+            value = 0
+        self._cached_lctn = value
+        return value
+
+    def _fold_identifier(self, name: str | None) -> str | None:
+        """Lowercase *name* when the server is case-insensitive (LCTN 1/2)."""
+        if name is None:
+            return None
+        return name.lower() if self._lower_case_table_names() in (1, 2) else name
+
+    # NB: schema_exists is overridden below to return False unconditionally
+    # — MySQL's pre-existing behavior. The case-folding only matters for
+    # adapters where schema lookups are meaningful, which MySQL skips.
+
+    def table_exists(self, table_name: str, schema_name: str | None = None) -> bool:
+        return super().table_exists(
+            self._fold_identifier(table_name),
+            self._fold_identifier(schema_name),
+        )
+
+    def column_exists(
+        self,
+        table_name: str,
+        column_name: str,
+        schema_name: str | None = None,
+    ) -> bool:
+        return super().column_exists(
+            self._fold_identifier(table_name),
+            self._fold_identifier(column_name),
+            self._fold_identifier(schema_name),
+        )
+
+    def view_exists(self, view_name: str, schema_name: str | None = None) -> bool:
+        return super().view_exists(
+            self._fold_identifier(view_name),
+            self._fold_identifier(schema_name),
+        )
+
     def open_db(self) -> None:
         """Open a connection to the MySQL or MariaDB server."""
         import pymysql as mysql_lib

execsql/db/oracle.py

@@ -61,6 +61,12 @@ class OracleDatabase(Database):
             f"{self.need_passwd!r}, {self.port!r}, {self.encoding!r})"
         )
 
+    def auto_commits_ddl(self) -> bool:
+        """Oracle implicitly commits DDL — ``rollback()`` is a silent
+        no-op for any transaction whose boundary the DDL crossed.
+        See ``docs/about/divergence.md`` for the per-DBMS matrix."""
+        return True
+
     def open_db(self) -> None:
         """Open a connection to the Oracle database."""
         import cx_Oracle

execsql/db/sqlite.py

@@ -189,6 +189,38 @@ class SQLiteDatabase(Database):
         sql = f"insert into {sq_name} ({colspec}) values ({paramspec});"
         curs = self.cursor()
         total_rows = 0
+        # B08/F019: batch rows and use cursor.executemany instead of one
+        # cursor.execute per row. The pre-fix code was 10–100× slower on
+        # the most common open-source target. Honour import_row_buffer
+        # (default 1000) so the batch never blows memory on huge imports.
+        batch_size = max(1, int(getattr(_state.conf, "import_row_buffer", 1000) or 1000))
+        batch: list[list[Any]] = []
+
+        def _flush(last_line: list[Any]) -> None:
+            nonlocal total_rows
+            if not batch:
+                return
+            try:
+                curs.executemany(sql, batch)
+            except ErrInfo:
+                raise
+            except Exception as e:
+                self.rollback()
+                raise ErrInfo(
+                    type="db",
+                    command_text=sql,
+                    exception_msg=exception_desc(),
+                    other_msg=f"Can't load data into table {sq_name} from line {{{last_line}}}",
+                ) from e
+            total_rows += len(batch)
+            batch.clear()
+            interval = getattr(_state.conf, "import_progress_interval", 0)
+            if _state.exec_log and interval > 0 and total_rows % interval == 0:
+                _state.exec_log.log_status_info(
+                    f"IMPORT into {sq_name}: {total_rows} rows imported so far.",
+                )
+
+        last_line: list[Any] = []
         try:
             for datalineno, line in enumerate(rowsource):
                 # Skip empty rows.
@@ -216,24 +248,11 @@ class SQLiteDatabase(Database):
                     if not _state.conf.empty_rows:
                         add_line = not all(c is None for c in linedata)
                     if add_line:
-                        try:
-                            curs.execute(sql, linedata)
-                        except ErrInfo:
-                            raise
-                        except Exception as e:
-                            self.rollback()
-                            raise ErrInfo(
-                                type="db",
-                                command_text=sql,
-                                exception_msg=exception_desc(),
-                                other_msg=f"Can't load data into table {sq_name} from line {{{line}}}",
-                            ) from e
-                        total_rows += 1
-                        interval = getattr(_state.conf, "import_progress_interval", 0)
-                        if _state.exec_log and interval > 0 and total_rows % interval == 0:
-                            _state.exec_log.log_status_info(
-                                f"IMPORT into {sq_name}: {total_rows} rows imported so far.",
-                            )
+                        batch.append(linedata)
+                        last_line = line
+                        if len(batch) >= batch_size:
+                            _flush(last_line)
+            _flush(last_line)
         finally:
             curs.close()
         if _state.exec_log:

execsql/db/sqlserver.py

@@ -58,6 +58,24 @@ class SqlServerDatabase(Database):
             f"{self.need_passwd!r}, {self.port!r}, {self.encoding!r})"
         )
 
+    def auto_commits_ddl(self) -> bool:
+        """SQL Server implicitly commits DDL on Microsoft's pyodbc
+        driver in autocommit mode — ``rollback()`` is a silent no-op
+        for any transaction whose boundary the DDL crossed."""
+        return True
+
+    def quote_identifier(self, identifier: str) -> str:
+        """SQL Server native identifier quoting uses square brackets.
+
+        Override of :meth:`Database.quote_identifier` for B07a/F021: the
+        base ANSI ``"…"`` form only works while ``QUOTED_IDENTIFIER`` is
+        ``ON`` (the adapter sets this at open_db, but user SQL that
+        toggles the session setting would silently break
+        execsql-generated DDL). ``]`` inside an identifier is escaped to
+        ``]]``.
+        """
+        return "[" + identifier.replace("]", "]]") + "]"
+
     def open_db(self) -> None:
         """Open a connection to the SQL Server database via pyodbc."""
         import pyodbc
@@ -133,13 +151,20 @@ class SqlServerDatabase(Database):
                     type="error",
                     other_msg=f"Can't open SQL Server database {self.db_name} on {self.server_name}",
                 )
+            # B11/F022: ensure the session-setup cursor is closed even
+            # if one of the SET statements raises. The previous code
+            # left a raw cursor open across pyodbc's connection,
+            # leaking a server-side handle for the connection's life.
             curs = self.conn.cursor()
-            curs.execute("SET IMPLICIT_TRANSACTIONS OFF;")
-            curs.execute("SET ANSI_NULLS ON;")
-            curs.execute("SET ANSI_PADDING ON;")
-            curs.execute("SET ANSI_WARNINGS ON;")
-            curs.execute("SET QUOTED_IDENTIFIER ON;")
-            self.conn.commit()
+            try:
+                curs.execute("SET IMPLICIT_TRANSACTIONS OFF;")
+                curs.execute("SET ANSI_NULLS ON;")
+                curs.execute("SET ANSI_PADDING ON;")
+                curs.execute("SET ANSI_WARNINGS ON;")
+                curs.execute("SET QUOTED_IDENTIFIER ON;")
+                self.conn.commit()
+            finally:
+                curs.close()
 
     def exec_cmd(self, querycommand: str) -> None:
         """Execute a stored procedure by name."""

execsql/exporters/base.py

@@ -22,7 +22,7 @@ from execsql.script import current_script_line
 from execsql.utils.errors import file_size_date
 from execsql.utils.gui import ConsoleUIError
 
-__all__ = ["WriteSpec", "ExportRecord", "ExportMetadata"]
+__all__ = ["ExportMetadata", "ExportRecord", "WriteSpec"]
 
 
 class ExportRecord:

execsql/exporters/duckdb.py

@@ -37,21 +37,25 @@ def export_duckdb(
     from execsql.models import DataTable
 
     chunksize = 10000
+    # B07a/F026: tablename and catalog are substituted from user input.
+    # Identifier-quote the table-name interpolation site and use
+    # placeholders for the information_schema literal-value query.
+    qtable = dbt_duckdb.quoted(tablename)
     pre_exist = Path(outfile).is_file()
     ddb = duckdb.connect(outfile, read_only=False)
     if pre_exist:
         catalog = Path(outfile).stem
         curs = ddb.cursor()
         res = curs.execute(
-            f"select count(*) as rows from information_schema.tables "
-            f"where table_catalog = '{catalog}' and table_name = '{tablename}';",
+            "select count(*) as rows from information_schema.tables where table_catalog = ? and table_name = ?;",
+            (catalog, tablename),
         )
         rv = res.fetchone()
         if not (rv is None or rv[0] == 0):
             if append:
                 raise ErrInfo(type="error", other_msg=f"The table {tablename} already exists in {outfile}.")
             else:
-                curs.execute(f"drop table {tablename};")
+                curs.execute(f"drop table {qtable};")
         curs.close()
     # Construct and run the CREATE TABLE statement
     rowdata = list(rows)
@@ -63,7 +67,7 @@ def export_duckdb(
     columns = [dbt_duckdb.quoted(col) for col in hdrs]
     colspec = ",".join(columns)
     paramspec = ",".join(("?",) * len(columns))
-    sql = f"insert into {tablename} ({colspec}) values ({paramspec});"
+    sql = f"insert into {qtable} ({colspec}) values ({paramspec});"
     n_chunks = math.ceil(len(rowdata) / chunksize)
     curs.execute("BEGIN TRANSACTION;")
     for i in range(n_chunks):

execsql/exporters/ods.py

@@ -35,6 +35,17 @@ class OdsFile:
     def __init__(self) -> None:
         """Import odfpy and initialise the workbook state."""
         global of
+        # B15/F030: defuse stdlib XML parsers before odfpy uses them.
+        # odfpy parses .ods through xml.dom.minidom and friends — a
+        # malicious .ods can carry a billion-laughs or external-entity
+        # bomb. defuse_stdlib() is a global patch and is idempotent.
+        try:
+            import defusedxml
+
+            defusedxml.defuse_stdlib()
+        except ImportError:
+            # defusedxml is in the [ods] extra; absence is non-fatal.
+            pass
         try:
             import odf as of  # noqa: F401 — submodule imports below register on the `of` alias
             import odf.opendocument  # noqa: F401

execsql/exporters/sqlite.py

@@ -30,20 +30,27 @@ def export_sqlite(
     from execsql.models import DataTable
 
     chunksize = 10000
+    # B07a/F025: tablename is substituted from user input — use the
+    # existing dbt_sqlite.quoted helper to identifier-quote every site
+    # rather than f-string-interpolating into SQL.
+    qtable = dbt_sqlite.quoted(tablename)
     pre_exist = Path(outfile).is_file()
     sdb = sqlite3.connect(outfile)
     try:
         if pre_exist:
             curs = sdb.cursor()
+            # Existence check: the table name is a value here (not an
+            # identifier), so use a parameter rather than string concat.
             res = curs.execute(
-                f"select name from sqlite_master where type='table' and name='{tablename}';",
+                "select name from sqlite_master where type='table' and name=?;",
+                (tablename,),
             )
             rv = res.fetchone()
             if not (rv is None or rv[0] == 0):
                 if append:
                     raise ErrInfo(type="error", other_msg=f"The table {tablename} already exists in {outfile}.")
                 else:
-                    curs.execute(f"drop table {tablename};")
+                    curs.execute(f"drop table {qtable};")
             curs.close()
         # Construct and run the CREATE TABLE statement
         rowdata = list(rows)
@@ -55,7 +62,7 @@ def export_sqlite(
         columns = [dbt_sqlite.quoted(col) for col in hdrs]
         colspec = ",".join(columns)
         paramspec = ",".join(("?",) * len(columns))
-        sql = f"insert into {tablename} ({colspec}) values ({paramspec});"
+        sql = f"insert into {qtable} ({colspec}) values ({paramspec});"
         n_chunks = math.ceil(len(rowdata) / chunksize)
         for i in range(n_chunks):
             start = i * chunksize

execsql/exporters/templates.py

@@ -28,6 +28,11 @@ class StrTemplateReport:
     def __init__(self, template_file: str) -> None:
         """Load and compile the template from the given file path."""
         conf = _state.conf
+        template_root = getattr(conf, "template_root", None)
+        if template_root:
+            from execsql.utils.fileio import safe_output_path
+
+            template_file = safe_output_path(template_file, template_root)
         self.infname = template_file
         from execsql.utils.fileio import EncodedFile
 
@@ -89,6 +94,11 @@ class JinjaTemplateReport:
                 "The jinja2 library is required to produce reports with the Jinja2 templating system.   See http://jinja.pocoo.org/",
             )
         conf = _state.conf
+        template_root = getattr(conf, "template_root", None)
+        if template_root:
+            from execsql.utils.fileio import safe_output_path
+
+            template_file = safe_output_path(template_file, template_root)
         self.infname = template_file
         from execsql.utils.fileio import EncodedFile
 

execsql/exporters/xls.py

@@ -203,6 +203,10 @@ class XlsxFile:
         self.encoding = encoding
         self.read_only = read_only
         if Path(filename).is_file():
+            # B15/F031: defend against zip-bomb XLSX before openpyxl parses it.
+            from execsql.utils.fileio import check_zip_decompression_ratio
+
+            check_zip_decompression_ratio(filename)
             if read_only:
                 self.wbk = self._openpyxl.load_workbook(filename, read_only=True)
             else:

execsql/exporters/xlsx.py

@@ -61,6 +61,8 @@ def _cell_value(item: Any) -> Any:
     if isinstance(item, datetime.time):
         # openpyxl has no native time-only type; store as HH:MM:SS string.
         return item.strftime("%H:%M:%S")
+    if isinstance(item, str):
+        return item
     return str(item)
 
 
@@ -103,6 +105,10 @@ def write_query_to_xlsx(
     # Determine sheet name and open/create workbook
     # ------------------------------------------------------------------
     if append and Path(outfile).is_file():
+        # B15/F031: defend against zip-bomb XLSX before openpyxl parses it.
+        from execsql.utils.fileio import check_zip_decompression_ratio
+
+        check_zip_decompression_ratio(outfile)
         wb = openpyxl.load_workbook(outfile)
         existing_names = wb.sheetnames
         base = sheetname or "Sheet"
@@ -223,6 +229,9 @@ def write_queries_to_xlsx(
         os.unlink(outfile)
 
     if Path(outfile).is_file():
+        from execsql.utils.fileio import check_zip_decompression_ratio
+
+        check_zip_decompression_ratio(outfile)
         wb = openpyxl.load_workbook(outfile)
     else:
         wb = openpyxl.Workbook()