Fix SQLite volume lookup queries matching too liberally

mheon · mheon · commit b276e7ef21c6 · 2025-05-28T13:10:10.000-04:00
Specifically, this does two things: 1. Turn on case-sensitive LIKE queries. Technically, this is not specific to volumes, as it will also affect container and pod lookups - but there, it only affects IDs. So `podman rm abc123` will not be the same as `podman rm ABC123` but I don't think anyone was manually entering uppercase SHA256 hash IDs so it shouldn't matter. 2. Escape the _ and % characters in volume lookup queries. These are SQLite wildcards, and meant that `podman volume rm test_1` would also match `podman volume rm testa2` (or any character in place of the underscore). This isn't done with pod and container lookups, but again those just use LIKE for IDs - so technically `podman volume rm abc_123` probably works and removes containers with an ID matching that pattern... I don't think that matters though. Fixes #26168 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
diff --git a/libpod/sqlite_state.go b/libpod/sqlite_state.go
@@ -39,13 +39,16 @@ const (
 	sqliteOptionForeignKeys = "&_foreign_keys=1"
 	// Make sure that transactions happen exclusively.
 	sqliteOptionTXLock = "&_txlock=exclusive"
+	// Enforce case sensitivity for LIKE
+	sqliteOptionCaseSensitiveLike = "&_cslike=TRUE"
 
 	// Assembled sqlite options used when opening the database.
 	sqliteOptions = "db.sql?" +
 		sqliteOptionLocation +
 		sqliteOptionSynchronous +
 		sqliteOptionForeignKeys +
-		sqliteOptionTXLock
+		sqliteOptionTXLock +
+		sqliteOptionCaseSensitiveLike
 )
 
 // NewSqliteState creates a new SQLite-backed state database.
@@ -2210,7 +2213,9 @@ func (s *SQLiteState) LookupVolume(name string) (*Volume, error) {
 		return nil, define.ErrDBClosed
 	}
 
-	rows, err := s.conn.Query("SELECT Name, JSON FROM VolumeConfig WHERE Name LIKE ? ORDER BY LENGTH(Name) ASC;", name+"%")
+	escaper := strings.NewReplacer("\\", "\\\\", "_", "\\_", "%", "\\%")
+	queryString := escaper.Replace(name) + "%"
+	rows, err := s.conn.Query("SELECT Name, JSON FROM VolumeConfig WHERE Name LIKE ? ESCAPE '\\' ORDER BY LENGTH(Name) ASC;", queryString)
 	if err != nil {
 		return nil, fmt.Errorf("querying database for volume %s: %w", name, err)
 	}
diff --git a/test/e2e/volume_rm_test.go b/test/e2e/volume_rm_test.go
@@ -114,4 +114,14 @@ var _ = Describe("Podman volume rm", func() {
 		Expect(session).Should(ExitCleanly())
 		Expect(len(session.OutputToStringArray())).To(BeNumerically(">=", 2))
 	})
+
+	It("podman volume rm by unique partial name - case & underscore insensitive", func() {
+		volNames := []string{"test_volume", "test-volume", "test", "Test"}
+		for _, name := range volNames {
+			podmanTest.PodmanExitCleanly("volume", "create", name)
+		}
+
+		podmanTest.PodmanExitCleanly("volume", "rm", volNames[0])
+		podmanTest.PodmanExitCleanly("volume", "rm", volNames[2])
+	})
 })
