velocity-python 0.1.57__tar.gz → 0.1.61__tar.gz

{velocity_python-0.1.57 → velocity_python-0.1.61}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: velocity-python
-Version: 0.1.57
+Version: 0.1.61
 Summary: A rapid application development library for interfacing with data storage
 Author-email: Velocity Team <info@codeclubs.org>
 License-Expression: MIT

{velocity_python-0.1.57 → velocity_python-0.1.61}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "velocity-python"
-version = "0.1.57"
+version = "0.1.61"
 authors = [
   { name="Velocity Team", email="info@codeclubs.org" },
 ]

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity/__init__.py

@@ -1,4 +1,4 @@
-__version__ = version = "0.1.57"
+__version__ = version = "0.1.61"
 
 import importlib as _importlib
 

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity/aws/assets/backfill.py

@@ -70,7 +70,16 @@ def backfill_asset_records(
     bucket: str,
     objects: Iterable[Mapping[str, Any]],
     head_loader: HeadLoader | None = None,
+    dry_run: bool = False,
 ) -> tuple[list[AssetRecord], AssetBackfillSummary]:
+    """Register missing S3 objects as ``images`` rows.
+
+    When ``dry_run`` is True no rows are written: the function still scans,
+    checks for existing rows, and builds the candidate records, and the returned
+    summary's ``inserted`` count reflects how many rows *would* be created. The
+    returned asset list holds the normalized would-be records. This lets a
+    runbook or the admin button preview a backfill before committing it.
+    """
     inserted_assets: list[AssetRecord] = []
     scanned = 0
     inserted = 0
@@ -91,8 +100,11 @@ def backfill_asset_records(
         if not row:
             skipped_unsupported += 1
             continue
-        tx.table("images").upsert(row, {"key": row["key"]})
         inserted += 1
+        if dry_run:
+            inserted_assets.append(normalize_asset_record(row))
+            continue
+        tx.table("images").upsert(row, {"key": row["key"]})
         stored = tx.table("images").find({"key": row["key"]})
         inserted_assets.append(normalize_asset_record(stored.to_dict() if stored else row))
 

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity/aws/handlers/lambda_handler.py

@@ -209,6 +209,16 @@ class LambdaHandler(BaseHandler):
         try:
             self.execute_actions(tx, local_context, actions)
         except Exception as e:
+            # A single HTTP action is atomic: any exception (including a handled
+            # AlertError validation rejection) must discard partial writes so the
+            # surrounding @engine.transaction does not commit them on the normal
+            # return below. Without this, e.g. a write_hook that inserts a @new
+            # row and then raises a validation AlertError would leak a committed
+            # orphan row. Mirrors SqsHandler._process_record.
+            try:
+                tx.rollback()
+            except Exception:
+                pass
             self.handle_error(tx, local_context, e)
         local_context.perf.log("execute_actions total (serve)")
 

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity/aws/handlers/mixins/data_service.py

@@ -16,6 +16,7 @@ import xml.etree.ElementTree as ET
 from io import BytesIO, StringIO
 
 from velocity.aws import dirty_pipeline
+from velocity.aws.handlers.exceptions import AlertError
 from velocity.misc import export
 
 logger = logging.getLogger(__name__)
@@ -41,6 +42,15 @@ class DataServiceMixin:
     Override read_hook, write_hook, etc. methods to add custom business logic.
     """
 
+    # Tables that must NOT be reachable through the hook-bypassing generic
+    # actions (query-direct, update-rows, get-table-schema). The generic actions
+    # do not run rwx hooks, so any per-table row-scoping or secret-redaction a
+    # table relies on would be bypassed. Apps populate this set (business policy
+    # lives in the app, not this business-agnostic mixin) with the names of such
+    # tables; the normal read-object/find-object/query/write-object actions —
+    # which DO run hooks — remain the supported path for them.
+    restricted_direct_tables = frozenset()
+
     # PostgreSQL type mappings for frontend display
     _pg_types = {
         "bool": "string",
@@ -58,6 +68,14 @@ class DataServiceMixin:
         "timestamp": "string",
     }
 
+    def _assert_direct_access_allowed(self, table):
+        """Reject hook-bypassing direct access to a restricted table."""
+        if table in self.restricted_direct_tables:
+            raise AlertError(
+                f"Direct access to '{table}' is not permitted; "
+                "use the standard data actions."
+            )
+
     def _get_field_type(self, column_info):
         """Convert database column type to frontend display type"""
         return (
@@ -149,20 +167,39 @@ class DataServiceMixin:
             self._call_rwx_hook(
                 "before_new", table, tx, table, sys_id, incoming, context
             )
+            # Run before_write BEFORE inserting the row, passing the "@new"
+            # sentinel so table hooks can detect a create, validate required
+            # fields, and reject it without leaving an orphan row. (The serve()
+            # error path rolls the transaction back, but validating pre-insert
+            # avoids ever allocating the row in the first place.)
+            self._call_rwx_hook(
+                "before_write", "common", tx, table, "@new", incoming, context
+            )
+            self._call_rwx_hook(
+                "before_write", table, tx, table, "@new", incoming, context
+            )
             row = tx.table(table).new()
             sys_id = row["sys_id"]
             self._call_rwx_hook("after_new", "common", tx, table, sys_id, row, context)
             self._call_rwx_hook("after_new", table, tx, table, sys_id, row, context)
         elif sys_id:
             sys_id = int(sys_id)
+            self._call_rwx_hook(
+                "before_write", "common", tx, table, sys_id, incoming, context
+            )
+            self._call_rwx_hook(
+                "before_write", table, tx, table, sys_id, incoming, context
+            )
+            # Update path: the row must already exist. Use find (not get, which
+            # is get-or-create) so a write to a stale/unknown sys_id is a clear
+            # error rather than a phantom row inserted with a client-chosen PK.
+            row = tx.table(table).find(sys_id)
+            if not row:
+                raise AlertError(
+                    f"Cannot update {table}: record {sys_id} no longer exists."
+                )
         else:
             raise Exception("Object sys_id was not supplied on write operation.")
-        self._call_rwx_hook(
-            "before_write", "common", tx, table, sys_id, incoming, context
-        )
-        self._call_rwx_hook("before_write", table, tx, table, sys_id, incoming, context)
-        if not row:
-            row = tx.table(table).get(sys_id)
         row.update(incoming)
         self._call_rwx_hook("after_write", "common", tx, table, sys_id, row, context)
         self._call_rwx_hook("after_write", table, tx, table, sys_id, row, context)
@@ -842,6 +879,8 @@ class DataServiceMixin:
         if not rows:
             raise ValueError("Parameter 'updateRows' cannot be empty")
 
+        self._assert_direct_access_allowed(table)
+
         t = tx.table(table)
         count = t.update(data, {"sys_id": rows})
         context.response().toast(f"Updated {count} item(s).", "success")
@@ -867,6 +906,8 @@ class DataServiceMixin:
         if not table_name:
             raise ValueError("Parameter 'obj' cannot be empty")
 
+        self._assert_direct_access_allowed(table_name)
+
         params = payload.get("params", {})
 
         if payload.get("result_format") == "excel":
@@ -932,6 +973,8 @@ class DataServiceMixin:
         if not table_name:
             raise ValueError("Parameter 'tableName' cannot be empty")
 
+        self._assert_direct_access_allowed(table_name)
+
         try:
             # Query information_schema to get table schema
             schema_query = """

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity/db/servers/tablehelper.py

@@ -158,6 +158,54 @@ class TableHelper:
         self.foreign_keys[key] = data
         return data
 
+    # Substrings that never legitimately appear inside a column/WHERE-key
+    # reference and are the signatures of identifier-level SQL injection. The
+    # values side of every predicate is parameterized; only the identifier side
+    # flows through here, so a placeholder, statement terminator, or comment in
+    # this position is always an attack, never a real column or expression.
+    _INJECTION_SIGNATURES: ClassVar[Tuple[str, ...]] = (
+        ";",  # statement terminator / stacked query
+        "--",  # line comment
+        "/*",  # block comment open
+        "*/",  # block comment close
+        "%s",  # positional bind-parameter smuggling
+        "%(",  # named bind-parameter smuggling
+    )
+
+    def _assert_safe_reference(self, key: str) -> None:
+        """
+        Reject identifier/expression references carrying SQL-injection signatures.
+
+        This is a defense-in-depth guard for the *structured* query path (WHERE
+        dict keys, ORDER BY / GROUP BY entries, projected columns). Values are
+        always parameterized; this guard protects the identifier side, which is
+        interpolated. It deliberately does not reject legitimate SQL expressions
+        (aggregates, CASE/CAST, window functions, correlated subqueries) — only
+        the unambiguous injection markers and unbalanced parentheses. Raw string
+        WHERE clauses are intentionally not routed through here and remain
+        caller-beware per the documented contract.
+
+        Raises:
+            ValueError: unconditionally (ignores bypass_on_error) when an
+                injection signature is present, because such input is never a
+                valid reference.
+        """
+        if not isinstance(key, str):
+            return
+        # Strip a leading operator prefix (e.g. '%', '%%', '>=') so that a LIKE
+        # key such as '%status' is not misread as the '%s' placeholder marker.
+        body = self.remove_operator(key)
+        lowered = body.lower()
+        for marker in self._INJECTION_SIGNATURES:
+            if marker in lowered:
+                raise ValueError(
+                    f"Unsafe SQL reference detected (contains {marker!r}): {key!r}"
+                )
+        if not self.are_parentheses_balanced(body):
+            raise ValueError(
+                f"Unsafe SQL reference detected (unbalanced parentheses): {key!r}"
+            )
+
     def resolve_references(
         self, key: str, options: Optional[Dict[str, Any]] = None
     ) -> str:
@@ -176,13 +224,20 @@ class TableHelper:
             Resolved column reference with appropriate aliasing
 
         Raises:
-            ValueError: If key is invalid and bypass_on_error is False
+            ValueError: If key is invalid and bypass_on_error is False, or if the
+                key carries an SQL-injection signature (always, regardless of
+                bypass_on_error)
         """
         if not key or not isinstance(key, str):
             if options and options.get("bypass_on_error"):
                 return key or ""
             raise ValueError(f"Invalid key: {key}")
 
+        # Identifier-level injection guard runs before bypass_on_error so that a
+        # poisoned reference is a hard error on every path, not silently passed
+        # through.
+        self._assert_safe_reference(key)
+
         if options is None:
             options = {"alias_column": True, "alias_table": False, "alias_only": False}
 

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity_python.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: velocity-python
-Version: 0.1.57
+Version: 0.1.61
 Summary: A rapid application development library for interfacing with data storage
 Author-email: Velocity Team <info@codeclubs.org>
 License-Expression: MIT

{velocity_python-0.1.57 → velocity_python-0.1.61}/src/velocity_python.egg-info/SOURCES.txt

@@ -162,7 +162,9 @@ tests/test_db_credentials_ssm_cascade.py
 tests/test_decorators.py
 tests/test_dirty_pipeline_fast_path.py
 tests/test_email_processing.py
+tests/test_http_handler_rollback.py
 tests/test_iconv_money_to_cents.py
+tests/test_identifier_injection_guard.py
 tests/test_jsonb_dict_adapter.py
 tests/test_lambda_handler.py
 tests/test_lambda_handler_auth.py
@@ -178,6 +180,7 @@ tests/test_pdf.py
 tests/test_prepared_statements.py
 tests/test_psycopg3_upgrade.py
 tests/test_query_cache.py
+tests/test_restricted_direct_tables.py
 tests/test_retry_side_effect_guard.py
 tests/test_return_default_safety.py
 tests/test_row_batch_update.py
@@ -192,4 +195,5 @@ tests/test_sqs_per_record_transactions.py
 tests/test_ssm_config.py
 tests/test_sys_modified_count_postgres_demo.py
 tests/test_table_alter.py
-tests/test_where_clause_validation.py
+tests/test_where_clause_validation.py
+tests/test_write_hook_create_flow.py

{velocity_python-0.1.57 → velocity_python-0.1.61}/tests/test_assets_service.py

@@ -299,6 +299,43 @@ def test_backfill_asset_records_skips_existing_and_thumbnail_objects():
     assert summary.skipped_unsupported == 1
 
 
+def test_backfill_asset_records_dry_run_reports_without_writing():
+    tx = FakeTx(
+        [
+            {
+                "sys_id": "img-1",
+                "bucket": "donate.resources",
+                "key": "client-a/existing.png",
+                "url": "https://donate.resources.s3.amazonaws.com/client-a/existing.png",
+                "public": True,
+            }
+        ]
+    )
+    objects = [
+        {"Key": "client-a/existing.png", "Size": 10, "ETag": '"a"'},
+        {"Key": "client-a/new.png", "Size": 11, "ETag": '"b"'},
+        {"Key": "client-a/new-thumb.png", "Size": 12, "ETag": '"c"'},
+    ]
+    rows_before = len(tx.images.rows)
+
+    inserted, summary = backfill_asset_records(
+        tx,
+        bucket="donate.resources",
+        objects=objects,
+        dry_run=True,
+    )
+
+    # Same accounting as a real run...
+    assert summary.scanned == 3
+    assert summary.inserted == 1
+    assert summary.skipped_existing == 1
+    assert summary.skipped_unsupported == 1
+    assert len(inserted) == 1
+    assert inserted[0].key == "client-a/new.png"
+    # ...but nothing was actually written.
+    assert len(tx.images.rows) == rows_before
+
+
 def _matches(row, where):
     for key, value in where.items():
         if key == "!%key":

{velocity_python-0.1.57 → velocity_python-0.1.61}/tests/test_dirty_pipeline_fast_path.py

@@ -39,6 +39,14 @@ class FakeTable:
     def get(self, sys_id):
         return self.row
 
+    def find(self, sys_id):
+        # Update path now uses find() (not get, which is get-or-create) so a
+        # write to a stale sys_id is an error rather than a phantom row.
+        return self.row
+
+    def new(self):
+        return self.row
+
 
 class FakeTx:
     def __init__(self, row):

velocity_python-0.1.61/tests/test_http_handler_rollback.py

@@ -0,0 +1,82 @@
+"""V2 — the HTTP handler must roll back partial writes before handle_error.
+
+A single HTTP action is atomic. Because the handler class is wrapped in
+@engine.transaction, a normal return from serve() commits. Without an explicit
+rollback on the error path, an action that writes and then raises — including a
+write_hook that inserts a @new row and then raises a validation AlertError
+(D2) — would leave a committed orphan row. These tests pin the rollback.
+"""
+
+import unittest
+from unittest.mock import MagicMock
+
+from velocity.aws.handlers.exceptions import AlertError
+from velocity.aws.handlers.lambda_handler import LambdaHandler
+from velocity.aws.handlers.context_factory import ContextFactory
+
+
+class _StubContext:
+    def __init__(self, response):
+        self._response = response
+        self.perf = MagicMock()
+
+    def parse_postdata(self):
+        return {"action": "do-thing", "payload": {}}
+
+    def update_postdata(self, postdata):
+        pass
+
+    def configure_perf(self, **kw):
+        pass
+
+    def action(self):
+        return "do-thing"
+
+    def postdata(self, keys=-1, default=None):
+        return {"action": "do-thing", "payload": {}}
+
+    def response(self):
+        return self._response
+
+
+class _StubContextFactory(ContextFactory):
+    def create(self, *, aws_event, aws_context, args, postdata, response, session):
+        return _StubContext(response)
+
+
+def _make_handler(raise_exc):
+    handler = LambdaHandler(
+        {"queryStringParameters": {}},
+        MagicMock(aws_request_id="req-123"),
+        context_factory=_StubContextFactory(),
+    )
+
+    def _boom(tx, local_context, actions):
+        raise raise_exc
+
+    handler.execute_actions = _boom
+    # Keep onError off the DB during the generic-exception path.
+    handler.onError = lambda tx, context, exc, tb: None
+    return handler
+
+
+class HttpHandlerRollbackTest(unittest.TestCase):
+    def test_alert_error_rolls_back_before_handle_error(self):
+        # D2: a validation AlertError raised after a @new insert must not commit
+        # the orphan row.
+        handler = _make_handler(AlertError("required field missing"))
+        tx = MagicMock()
+        handler.serve(tx)
+        tx.rollback.assert_called_once()
+
+    def test_unhandled_exception_rolls_back_and_returns_500(self):
+        handler = _make_handler(RuntimeError("kaboom"))
+        tx = MagicMock()
+        rendered = handler.serve(tx)
+        tx.rollback.assert_called_once()
+        # _set_unhandled_error_response sets a 500 on the response.
+        self.assertIn("500", str(rendered.get("statusCode", "")) + str(rendered))
+
+
+if __name__ == "__main__":
+    unittest.main()

velocity_python-0.1.61/tests/test_identifier_injection_guard.py

@@ -0,0 +1,116 @@
+"""V1 — identifier-level SQL-injection guard for the structured query path.
+
+The value side of every predicate is parameterized; the identifier side (WHERE
+dict keys, ORDER BY / GROUP BY entries, projected columns) is interpolated and
+flows through TableHelper.resolve_references / make_predicate. These tests pin
+down that injection signatures on the identifier side are rejected while
+legitimate column expressions (aggregates, CASE/CAST, window functions, pointer
+syntax, operator prefixes including LIKE/ILIKE) still resolve.
+"""
+
+import unittest
+
+# Importing the postgres SQL module configures TableHelper.operators / .reserved
+# as a side effect, which make_predicate / resolve_references rely on.
+from velocity.db.servers.postgres.sql import SQL  # noqa: F401
+from velocity.db.servers.postgres.operators import OPERATORS
+from velocity.db.servers.postgres.reserved import reserved_words
+from velocity.db.servers.tablehelper import TableHelper
+
+
+class IdentifierInjectionGuardTest(unittest.TestCase):
+    def setUp(self):
+        # Pin the postgres operator/reserved tables on the shared class attrs so
+        # this suite is independent of any other test that mutates them.
+        TableHelper.operators = OPERATORS
+        TableHelper.reserved = reserved_words
+        # tx is only consulted for pointer (foreign-key) resolution; the cases
+        # here are all local columns/expressions, so None is sufficient.
+        self.helper = TableHelper(tx=None, table="customers")
+
+    # --- the confirmed proof-of-concept vectors from the code review ---------
+
+    def test_where_key_placeholder_injection_rejected(self):
+        with self.assertRaises(ValueError):
+            self.helper.make_predicate("email = %s) OR (1=1", "x")
+
+    def test_orderby_style_stacked_query_rejected(self):
+        with self.assertRaises(ValueError):
+            self.helper.resolve_references(
+                "name; DROP TABLE users",
+                options={"alias_only": True, "bypass_on_error": True},
+            )
+
+    def test_column_comment_and_stacking_rejected(self):
+        with self.assertRaises(ValueError):
+            self.helper.resolve_references(
+                "1 FROM users; DELETE FROM users WHERE 1=1 --",
+                options={
+                    "alias_column": True,
+                    "alias_table": True,
+                    "bypass_on_error": True,
+                },
+            )
+
+    # --- bypass_on_error must NOT swallow an injection ------------------------
+
+    def test_bypass_on_error_does_not_swallow_injection(self):
+        for poisoned in (
+            "col; SELECT 1",
+            "col /* x */",
+            "col -- comment",
+            "col = %s",
+            "col = %(name)s",
+            "col) OR (1=1",
+        ):
+            with self.subTest(poisoned=poisoned):
+                with self.assertRaises(ValueError):
+                    self.helper.resolve_references(
+                        poisoned, options={"bypass_on_error": True}
+                    )
+
+    # --- legitimate references still resolve ---------------------------------
+
+    def test_plain_column_resolves(self):
+        sql, val = self.helper.make_predicate("email_address", "a@example.com")
+        self.assertEqual(sql, "email_address = %s")
+        self.assertEqual(val, "a@example.com")
+
+    def test_like_operator_prefix_not_flagged_as_placeholder(self):
+        # '%status' is a LIKE on the `status` column; the leading '%' is an
+        # operator prefix, not a '%s' bind placeholder.
+        sql, val = self.helper.make_predicate("%status", "active%")
+        self.assertIn("status", sql)
+        self.assertIn("LIKE", sql.upper())
+        self.assertEqual(val, "active%")
+
+    def test_ilike_double_percent_prefix_ok(self):
+        sql, _ = self.helper.make_predicate("%%name", "smith")
+        self.assertIn("ILIKE", sql.upper())
+
+    def test_aggregate_expression_column_ok(self):
+        result = self.helper.resolve_references(
+            "SUM(amount)",
+            options={"alias_column": True, "bypass_on_error": True},
+        )
+        self.assertIn("amount", result)
+
+    def test_balanced_function_expression_ok(self):
+        result = self.helper.resolve_references(
+            "COALESCE(amount, 0)",
+            options={"alias_column": True, "bypass_on_error": True},
+        )
+        self.assertIn("amount", result)
+
+    def test_in_list_predicate_ok(self):
+        sql, val = self.helper.make_predicate("sys_id", [1, 2, 3])
+        self.assertIn("IN", sql.upper())
+        self.assertEqual(tuple(val), (1, 2, 3))
+
+    def test_not_equal_operator_prefix_ok(self):
+        sql, _ = self.helper.make_predicate("!status", "deleted")
+        self.assertIn("status", sql)
+
+
+if __name__ == "__main__":
+    unittest.main()

velocity_python-0.1.61/tests/test_restricted_direct_tables.py

@@ -0,0 +1,59 @@
+"""D6 — hook-bypassing generic actions must refuse restricted tables.
+
+query-direct / update-rows / get-table-schema run no rwx hooks, so a table
+that relies on per-row scoping or secret redaction in its hooks must not be
+reachable through them. Apps declare such tables in restricted_direct_tables.
+"""
+
+import unittest
+from unittest.mock import MagicMock
+
+from velocity.aws.handlers.exceptions import AlertError
+from velocity.aws.handlers.mixins.data_service import DataServiceMixin
+
+
+class _Service(DataServiceMixin):
+    restricted_direct_tables = frozenset({"mail_accounts"})
+
+
+def _ctx(payload):
+    ctx = MagicMock()
+    ctx.payload.return_value = payload
+    return ctx
+
+
+class RestrictedDirectTablesTest(unittest.TestCase):
+    def setUp(self):
+        self.service = _Service()
+        self.tx = MagicMock()
+
+    def test_query_direct_blocks_restricted(self):
+        ctx = _ctx({"obj": "mail_accounts", "params": {}})
+        with self.assertRaises(AlertError):
+            self.service.OnActionQueryDirect(self.tx, ctx)
+
+    def test_update_rows_blocks_restricted(self):
+        ctx = _ctx(
+            {"table": "mail_accounts", "updateData": {"x": 1}, "updateRows": [1, 2]}
+        )
+        with self.assertRaises(AlertError):
+            self.service.OnActionUpdateRows(self.tx, ctx)
+
+    def test_get_table_schema_blocks_restricted(self):
+        ctx = _ctx({"tableName": "mail_accounts"})
+        with self.assertRaises(AlertError):
+            self.service.OnActionGetTableSchema(self.tx, ctx)
+
+    def test_unrestricted_table_not_blocked_by_guard(self):
+        # A non-restricted table passes the guard (it then proceeds to touch the
+        # mocked tx, which is fine for this assertion — no AlertError from the
+        # guard itself).
+        ctx = _ctx({"table": "customers", "updateData": {"x": 1}, "updateRows": [1]})
+        try:
+            self.service.OnActionUpdateRows(self.tx, ctx)
+        except AlertError:
+            self.fail("guard should not block an unrestricted table")
+
+
+if __name__ == "__main__":
+    unittest.main()

{velocity_python-0.1.57 → velocity_python-0.1.61}/tests/test_security_hardening.py

@@ -93,17 +93,18 @@ class TestAggregateQuoting:
         assert 'min("amount")' in sql
 
     def test_sum_injection_prevented(self):
+        # The identifier-level injection guard (V1) rejects the poisoned column
+        # outright rather than relying on quoting to defang it.
         table = _make_table()
         malicious = "balance); DROP TABLE users; --"
-        sql, _ = table.sum(malicious, sql_only=True)
-        # The malicious payload should be inside quotes, not executable
-        assert "DROP TABLE" not in sql.split('"')[-1]  # not outside quotes
+        with pytest.raises(ValueError):
+            table.sum(malicious, sql_only=True)
 
     def test_max_injection_prevented(self):
         table = _make_table()
         malicious = "x); DELETE FROM accounts; --"
-        sql, _ = table.max(malicious, sql_only=True)
-        assert "DELETE" not in sql.replace('"', "").split(")")[0]
+        with pytest.raises(ValueError):
+            table.max(malicious, sql_only=True)
 
 
 # ──────────────────────────────────────────────────────────────────────