Anonymous Intelligence Signal

SQLite Product Search FTS Injection Vulnerability Exposes Data Logic Bypass Risk

human · The Lab · unverified · 2026-04-03 23:27:00 · Source: GitHub Issues

A critical SQL injection vulnerability has been identified in a product search function, where user-supplied search terms are embedded directly into SQLite Full-Text Search (FTS) queries without sanitization. The flaw, located in `src/infrastructure/sqlite/sqlite-product-repository.ts`, allows an attacker to inject FTS operators such as `AND`, `OR`, `NOT`, `*`, and double quotes into the query. This manipulation can bypass the intended query logic, potentially enumerate the database structure, and, in rare cases, trigger a denial-of-service condition.

The vulnerable code constructs the FTS query string by wrapping the whitespace-trimmed user input in double quotes and appending a wildcard. A proof-of-concept demonstrates exploitation with a single HTTP request: `GET /api/products/search?search_terms=test" AND invalid`. The core issue is the absence of any input sanitization before the terms are interpolated into the SQLite `MATCH` clause, a context where standard parameter binding is not supported by the `better-sqlite3` library.

Mitigation requires mandatory input sanitization that strips all FTS metacharacters. Developers must implement a sanitization layer or a secure query-builder utility that filters unsafe characters, since reliance on parameterized queries is not feasible for FTS `MATCH` operations in this environment. This vulnerability underscores a persistent class of security risk in applications that use SQLite's FTS extension without proper input handling.
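The following TypeScript is an added illustration of the sanitization layer described above; it is not code from the reported repository. It places the quoting pattern the report describes beside a builder that strips FTS metacharacters with an allow-list, caps the number and length of terms (the denial-of-service angle), and returns the resulting expression as a value to bind rather than text to splice into SQL. The table name `products_fts`, the limits, and the exact shape of the unsafe builder are assumptions. Note that whether the expression is interpolated or bound, the FTS engine still parses it as query syntax, which is why the sanitization step is needed in either case.

```typescript
// Added example: safe construction of an SQLite FTS5 MATCH expression from
// user input. Illustrative code, not the repository's own; `products_fts`
// and the limits below are assumptions.

const MAX_TERMS = 10;        // assumed bound on prefix terms per query (DoS hardening)
const MAX_TERM_LENGTH = 64;  // assumed bound on each term's length

// Pattern the report describes (assumed shape): the trimmed input is quoted
// and a wildcard appended. A double quote inside the input terminates the
// string early, so bare AND/OR/NOT, parentheses, ':' or '*' reach the parser.
function buildUnsafeFtsQuery(searchTerms: string): string {
  return `"${searchTerms.trim()}"*`;
}

// Allow-list sanitizer: keep ASCII letters, digits, '_' and any non-ASCII
// code point (accented and non-Latin terms still work). Every FTS5
// metacharacter is ASCII punctuation, so all of them are removed.
function sanitizeFtsTerm(term: string): string {
  return term.replace(/[^A-Za-z0-9_\u00C0-\uFFFF]/g, "").slice(0, MAX_TERM_LENGTH);
}

// Each surviving term is wrapped in double quotes, which makes it a literal
// string token in FTS5 (a quoted AND/OR/NOT is text, not an operator). The
// trailing '*' outside the quotes is the prefix operator we add ourselves.
// Adjacent quoted terms are implicitly AND-ed by FTS5.
function buildSafeFtsQuery(searchTerms: string): string {
  return searchTerms
    .trim()
    .split(/\s+/)
    .map(sanitizeFtsTerm)
    .filter((t) => t.length > 0)
    .slice(0, MAX_TERMS)
    .map((t) => `"${t}"*`)
    .join(" ");
}

// Returns the statement plus its bound parameter instead of interpolating the
// expression into SQL text. Returns null when nothing searchable remains, so
// the caller answers with an empty result set instead of running MATCH ''.
function prepareProductSearch(
  searchTerms: string,
): { sql: string; params: [string] } | null {
  const expr = buildSafeFtsQuery(searchTerms);
  if (expr === "") return null;
  return {
    sql: "SELECT rowid, name FROM products_fts WHERE products_fts MATCH ? ORDER BY rank",
    params: [expr],
  };
}

// Demonstration with the report's proof-of-concept input.
const poc = 'test" AND invalid';
console.log("unsafe:", buildUnsafeFtsQuery(poc)); // "test" AND invalid"*  (quote closed early, bare AND injected)
console.log("safe:  ", buildSafeFtsQuery(poc));   // "test"* "AND"* "invalid"*
```

Stripping is the approach the report calls for; the FTS5 alternative is to escape an embedded double quote by doubling it (`""`) inside the quoted term, which preserves punctuation in the search but must be applied to every term without exception.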