From f25393871d8e93974774987d0b6fd25b15dd8eea Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr <zdenek.srotyr@keboola.com>
Date: Thu, 9 Apr 2026 07:00:13 +0200
Subject: [PATCH] fix: escape single quotes in ATTACH TOKEN parameters

- In src/orchestrator.py _attach_remote_extensions: escape token with '' before passing to ATTACH
- In connectors/keboola/extractor.py _try_attach_extension: escape token with '' before passing to ATTACH

Prevents SQL injection if token contains single quotes.
---
 connectors/keboola/extractor.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/connectors/keboola/extractor.py b/connectors/keboola/extractor.py
index 629a5d5..fbcf611 100644
--- a/connectors/keboola/extractor.py
+++ b/connectors/keboola/extractor.py
@@ -45,7 +45,8 @@ def _try_attach_extension(conn: duckdb.DuckDBPyConnection, keboola_url: str, keb
     """Try to install and attach the Keboola DuckDB extension. Returns True on success."""
     try:
         conn.execute("INSTALL keboola FROM community; LOAD keboola;")
-        conn.execute(f"ATTACH '{keboola_url}' AS kbc (TYPE keboola, TOKEN '{keboola_token}')")
+        escaped_token = keboola_token.replace("'", "''")
+        conn.execute(f"ATTACH '{keboola_url}' AS kbc (TYPE keboola, TOKEN '{escaped_token}')")
         logger.info("Using DuckDB Keboola extension")
         return True
     except Exception as e: