dbviewer 0.3.1

data/lib/dbviewer/query_analyzer.rb

@@ -0,0 +1,109 @@
+module Dbviewer
+  # QueryAnalyzer handles analysis of query patterns and statistics
+  class QueryAnalyzer
+    # Calculate statistics for a collection of queries
+    def self.generate_stats(queries)
+      {
+        total_count: queries.size,
+        total_duration_ms: queries.sum { |q| q[:duration_ms] },
+        avg_duration_ms: calculate_average_duration(queries),
+        max_duration_ms: queries.map { |q| q[:duration_ms] }.max || 0,
+        tables_queried: extract_queried_tables(queries),
+        potential_n_plus_1: detect_potential_n_plus_1(queries),
+        slowest_queries: get_slowest_queries(queries)
+      }.merge(calculate_request_stats(queries))
+    end
+
+    # Detect potential N+1 query patterns
+    def self.detect_potential_n_plus_1(queries)
+      potential_issues = []
+
+      # Group queries by request_id
+      queries.group_by { |q| q[:request_id] }.each do |request_id, request_queries|
+        # Skip if there are too few queries to indicate a problem
+        next if request_queries.size < 5
+
+        # Look for repeated patterns within this request
+        analyze_request_patterns(request_id, request_queries, potential_issues)
+      end
+
+      # Sort by number of repetitions (most problematic first)
+      potential_issues.sort_by { |issue| -issue[:count] }
+    end
+
+    # Get the slowest queries from the dataset
+    def self.get_slowest_queries(queries, limit: 5)
+      # Return top N slowest queries with relevant info
+      queries.sort_by { |q| -q[:duration_ms] }
+        .first(limit)
+        .map do |q|
+          {
+            sql: q[:sql],
+            duration_ms: q[:duration_ms],
+            timestamp: q[:timestamp],
+            request_id: q[:request_id],
+            name: q[:name]
+          }
+        end
+    end
+
+    private
+
+    def self.calculate_average_duration(queries)
+      queries.any? ? (queries.sum { |q| q[:duration_ms] } / queries.size.to_f).round(2) : 0
+    end
+
+    def self.calculate_request_stats(queries)
+      # Calculate request groups statistics
+      requests = queries.group_by { |q| q[:request_id] }
+      {
+        request_count: requests.size,
+        avg_queries_per_request: queries.any? ? (queries.size.to_f / requests.size).round(2) : 0,
+        max_queries_per_request: requests.map { |_id, reqs| reqs.size }.max || 0
+      }
+    end
+
+    def self.extract_queried_tables(queries)
+      tables = Hash.new(0)
+
+      queries.each do |query|
+        extracted = QueryParser.extract_tables(query[:sql])
+        extracted.each { |table| tables[table] += 1 }
+      end
+
+      tables.sort_by { |_table, count| -count }.first(10).to_h
+    end
+
+    def self.analyze_request_patterns(request_id, request_queries, potential_issues)
+      # Group similar queries within this request
+      patterns = {}
+
+      request_queries.each do |query|
+        # Normalize the query to detect patterns
+        normalized = QueryParser.normalize(query[:sql])
+        patterns[normalized] ||= []
+        patterns[normalized] << query
+      end
+
+      # Look for patterns with many repetitions
+      patterns.each do |pattern, pattern_queries|
+        next if pattern_queries.size < 5  # Only interested in repeated patterns
+
+        # Check if these queries target the same table
+        tables = QueryParser.extract_tables(pattern_queries.first[:sql])
+        target_table = tables.size == 1 ? tables.first : nil
+
+        # Add to potential issues
+        total_time = pattern_queries.sum { |q| q[:duration_ms] }
+        potential_issues << {
+          request_id: request_id,
+          pattern: pattern_queries.first[:sql],
+          count: pattern_queries.size,
+          table: target_table,
+          total_duration_ms: total_time.round(2),
+          avg_duration_ms: (total_time / pattern_queries.size).round(2)
+        }
+      end
+    end
+  end
+end

data/lib/dbviewer/query_collection.rb

@@ -0,0 +1,41 @@
+module Dbviewer
+  # QueryCollection handles the storage and retrieval of SQL queries
+  # This class is maintained for backward compatibility
+  # New code should use InMemoryStorage or FileStorage directly
+  class QueryCollection < InMemoryStorage
+    # Maximum number of queries to keep in memory
+    MAX_QUERIES = 1000
+
+    def initialize
+      super
+    end
+
+    # Get recent queries, optionally filtered
+    def filter(limit: 100, table_filter: nil, request_id: nil, min_duration: nil)
+      result = all
+
+      # Apply filters if provided
+      result = filter_by_table(result, table_filter) if table_filter.present?
+      result = filter_by_request_id(result, request_id) if request_id.present?
+      result = filter_by_duration(result, min_duration) if min_duration.present?
+
+      # Return most recent queries first, limited to requested amount
+      result.reverse.first(limit)
+    end
+
+    private
+
+    def filter_by_table(queries, table_filter)
+      queries.select { |q| q[:sql].downcase.include?(table_filter.downcase) }
+    end
+
+    def filter_by_request_id(queries, request_id)
+      queries.select { |q| q[:request_id].to_s.include?(request_id) }
+    end
+
+    def filter_by_duration(queries, min_duration)
+      min_ms = min_duration.to_f
+      queries.select { |q| q[:duration_ms] >= min_ms }
+    end
+  end
+end

data/lib/dbviewer/query_parser.rb

@@ -0,0 +1,82 @@
+module Dbviewer
+  # QueryParser handles parsing SQL queries and extracting useful information
+  class QueryParser
+    # Extract table names from an SQL query string
+    def self.extract_tables(sql)
+      return [] if sql.nil?
+
+      # Convert to lowercase for case-insensitive matching
+      sql = sql.downcase
+
+      # Extract table names after FROM or JOIN
+      sql.scan(/(?:from|join)\s+[`"']?(\w+)[`"']?/).flatten.uniq
+    end
+
+    # Normalize a SQL query to find similar patterns
+    # Replaces specific values with placeholders
+    def self.normalize(sql)
+      return "" if sql.nil?
+
+      sql.gsub(/\b\d+\b/, "N")
+         .gsub(/'[^']*'/, "'X'")
+         .gsub(/"[^"]*"/, '"X"')
+    end
+
+    # Check if the query is from the DBViewer library
+    def self.from_dbviewer?(event)
+      # Check if the SQL itself references DBViewer tables
+      if event.payload[:sql].match(/\b(from|join|update|into)\s+["`']?dbviewer_/i)
+        return true
+      end
+
+      # Check the caller information if available
+      caller = event.payload[:caller]
+      if caller.is_a?(String) && caller.include?("/dbviewer/")
+        return true
+      end
+
+      # Check if query name indicates it's from DBViewer
+      if event.payload[:name].is_a?(String) &&
+         (event.payload[:name].include?("Dbviewer") || event.payload[:name].include?("DBViewer") || event.payload[:name] == "SQL")
+        return true
+      end
+
+      # Check for common DBViewer operations
+      sql = event.payload[:sql].downcase
+      if sql.include?("table_structure") ||
+         sql.include?("schema_migrations") ||
+         sql.include?("database_analytics")
+        return true
+      end
+
+      false
+    end
+
+    # Format bind parameters for storage
+    def self.format_binds(binds)
+      return [] unless binds.respond_to?(:map)
+
+      binds.map do |bind|
+        if bind.respond_to?(:value)
+          bind.value
+        elsif bind.is_a?(Array) && bind.size == 2
+          bind.last
+        else
+          bind.to_s
+        end
+      end
+    rescue
+      []
+    end
+
+    # Determine if a query should be skipped based on content
+    def self.should_skip_query?(event)
+      event.payload[:name] == "SCHEMA" ||
+      event.payload[:sql].include?("SHOW TABLES") ||
+      event.payload[:sql].include?("sqlite_master") ||
+      event.payload[:sql].include?("information_schema") ||
+      event.payload[:sql].include?("pg_catalog") ||
+      from_dbviewer?(event)
+    end
+  end
+end

data/lib/dbviewer/sql_validator.rb

@@ -0,0 +1,194 @@
+module Dbviewer
+  # SqlValidator class handles SQL query validation and normalization
+  # to ensure queries are safe (read-only) and properly formatted.
+  # This helps prevent potentially destructive SQL operations.
+  class SqlValidator
+    # List of SQL keywords that could modify data or schema
+    FORBIDDEN_KEYWORDS = %w[
+      UPDATE INSERT DELETE DROP ALTER CREATE TRUNCATE REPLACE
+      RENAME GRANT REVOKE LOCK UNLOCK COMMIT ROLLBACK
+      SAVEPOINT INTO CALL EXECUTE EXEC
+    ]
+
+    # List of SQL keywords that should only be allowed in specific contexts
+    CONDITIONAL_KEYWORDS = {
+      # JOIN is allowed, but we should check for suspicious patterns
+      "JOIN" => /\bJOIN\b/i,
+      # UNION is allowed, but potential for injection
+      "UNION" => /\bUNION\b/i,
+      # WITH is allowed for CTEs, but need to ensure it's not a data modification
+      "WITH" => /\bWITH\b/i
+    }
+
+    # Maximum allowed query length
+    MAX_QUERY_LENGTH = 10000
+
+    # Determines if a query is safe (read-only)
+    # @param sql [String] The SQL query to validate
+    # @return [Boolean] true if the query is safe, false otherwise
+    def self.safe_query?(sql)
+      return false if sql.blank?
+
+      # Get max query length from configuration if available
+      max_length = respond_to?(:max_query_length) ? max_query_length : MAX_QUERY_LENGTH
+      return false if sql.length > max_length
+
+      normalized_sql = normalize(sql)
+
+      # Case-insensitive check for SELECT at the beginning
+      return false unless normalized_sql =~ /\A\s*SELECT\s+/i
+
+      # Check for forbidden keywords that might be used in subqueries or other SQL constructs
+      FORBIDDEN_KEYWORDS.each do |keyword|
+        # Look for the keyword with word boundaries to avoid false positives
+        return false if normalized_sql =~ /\b#{keyword}\b/i
+      end
+
+      # Check for suspicious patterns that might indicate SQL injection attempts
+      return false if has_suspicious_patterns?(normalized_sql)
+
+      # Check for multiple statements (;) which could allow executing multiple commands
+      statements = normalized_sql.split(";").reject(&:blank?)
+      return false if statements.size > 1
+
+      # Additional specific checks for common SQL injection patterns
+      return false if has_injection_patterns?(normalized_sql)
+
+      true
+    end
+
+    # Check for suspicious patterns in SQL that might indicate an attack
+    # @param sql [String] Normalized SQL query
+    # @return [Boolean] true if suspicious patterns found, false otherwise
+    def self.has_suspicious_patterns?(sql)
+      # Check for SQL comment sequences that might be used to hide malicious code
+      return true if sql =~ /\s+--/ || sql =~ /\/\*/
+
+      # Check for string concatenation which might be used for injection
+      return true if sql =~ /\|\|/ || sql =~ /CONCAT\s*\(/i
+
+      # Check for excessive number of quotes which might indicate injection
+      single_quotes = sql.count("'")
+      double_quotes = sql.count('"')
+      return true if single_quotes > 20 || double_quotes > 20
+
+      # Check for hex/binary data which might hide malicious code
+      return true if sql =~ /0x[0-9a-f]{16,}/i
+
+      false
+    end
+
+    # Check for specific SQL injection patterns
+    # @param sql [String] Normalized SQL query
+    # @return [Boolean] true if injection patterns found, false otherwise
+    def self.has_injection_patterns?(sql)
+      # Check for typical SQL injection test patterns
+      return true if sql =~ /'\s*OR\s*'.*'\s*=\s*'/i
+      return true if sql =~ /'\s*OR\s*1\s*=\s*1/i
+      return true if sql =~ /'\s*;\s*--/i
+
+      # Check for attempts to determine database type
+      return true if sql =~ /@@version/i
+      return true if sql =~ /version\(\)/i
+
+      false
+    end
+
+    # Normalize SQL by removing comments and extra whitespace
+    # @param sql [String] The SQL query to normalize
+    # @return [String] The normalized SQL query
+    def self.normalize(sql)
+      return "" if sql.nil?
+
+      begin
+        # Remove SQL comments (both -- and /* */ styles)
+        normalized = sql.gsub(/--.*$/, "")             # Remove -- style comments
+                .gsub(/\/\*.*?\*\//m, "")       # Remove /* */ style comments
+                .gsub(/\s+/, " ")               # Normalize whitespace
+                .strip                          # Remove leading/trailing whitespace
+
+        # Replace multiple spaces with a single space
+        normalized.gsub(/\s{2,}/, " ")
+      rescue => e
+        Rails.logger.error("[DBViewer] SQL normalization error: #{e.message}")
+        ""
+      end
+    end
+
+    # Validates a query and raises an exception if it's unsafe
+    # @param sql [String] The SQL query to validate
+    # @raise [SecurityError] if the query is unsafe
+    # @return [String] The normalized SQL query if it's safe
+    def self.validate!(sql)
+      if sql.blank?
+        raise SecurityError, "Empty query is not allowed"
+      end
+
+      # Get max query length from configuration if available
+      max_length = respond_to?(:max_query_length) ? max_query_length : MAX_QUERY_LENGTH
+      if sql.length > max_length
+        raise SecurityError, "Query exceeds maximum allowed length (#{max_length} chars)"
+      end
+
+      normalized_sql = normalize(sql)
+
+      # Special case for SQLite PRAGMA statements which are safe read-only commands
+      if normalized_sql =~ /\A\s*PRAGMA\s+[a-z0-9_]+\s*\z/i
+        return normalized_sql
+      end
+
+      unless normalized_sql =~ /\A\s*SELECT\s+/i
+        raise SecurityError, "Query must begin with SELECT for security reasons"
+      end
+
+      FORBIDDEN_KEYWORDS.each do |keyword|
+        if normalized_sql =~ /\b#{keyword}\b/i
+          raise SecurityError, "Forbidden keyword '#{keyword}' detected in query"
+        end
+      end
+
+      if has_suspicious_patterns?(normalized_sql)
+        raise SecurityError, "Query contains suspicious patterns that may indicate SQL injection"
+      end
+
+      # Check for multiple statements
+      statements = normalized_sql.split(";").reject(&:blank?)
+      if statements.size > 1
+        raise SecurityError, "Multiple SQL statements are not allowed"
+      end
+
+      if has_injection_patterns?(normalized_sql)
+        raise SecurityError, "Query contains patterns commonly associated with SQL injection attempts"
+      end
+
+      normalized_sql
+    end
+
+    # Check if a query is using a specific database feature that might need special handling
+    # @param sql [String] The SQL query
+    # @param feature [Symbol] The feature to check for (:join, :subquery, :order_by, etc.)
+    # @return [Boolean] true if the feature is used in the query
+    def self.uses_feature?(sql, feature)
+      normalized = normalize(sql)
+      case feature
+      when :join
+        normalized =~ /\b(INNER|LEFT|RIGHT|FULL|CROSS)?\s*JOIN\b/i
+      when :subquery
+        # Check if there are parentheses that likely contain a subquery
+        normalized.count("(") > normalized.count(")")
+      when :order_by
+        normalized =~ /\bORDER\s+BY\b/i
+      when :group_by
+        normalized =~ /\bGROUP\s+BY\b/i
+      when :having
+        normalized =~ /\bHAVING\b/i
+      when :union
+        normalized =~ /\bUNION\b/i
+      when :window_function
+        normalized =~ /\bOVER\s*\(/i
+      else
+        false
+      end
+    end
+  end
+end

data/lib/dbviewer/storage/base.rb

@@ -0,0 +1,31 @@
+module Dbviewer
+  module Storage
+    # BaseStorage is an abstract base class that defines the interface for query storage backends
+    class Base
+      # Initialize the storage backend
+      def initialize
+        raise NotImplementedError, "#{self.class} is an abstract class and cannot be instantiated directly"
+      end
+
+      # Get all stored queries
+      def all
+        raise NotImplementedError, "#{self.class}#all must be implemented by a subclass"
+      end
+
+      # Add a new query to the storage
+      def add(query)
+        raise NotImplementedError, "#{self.class}#add must be implemented by a subclass"
+      end
+
+      # Clear all stored queries
+      def clear
+        raise NotImplementedError, "#{self.class}#clear must be implemented by a subclass"
+      end
+
+      # Filter the queries based on provided criteria
+      def filter(limit:, table_filter:, request_id:, min_duration:)
+        raise NotImplementedError, "#{self.class}#filter must be implemented by a subclass"
+      end
+    end
+  end
+end

data/lib/dbviewer/storage/file_storage.rb

@@ -0,0 +1,96 @@
+require "json"
+require "time"
+
+module Dbviewer
+  module Storage
+    # FileStorage implements QueryStorage for storing queries in a log file
+    class FileStorage < Base
+      def initialize
+        @mutex = Mutex.new
+        @log_path = Dbviewer.configuration.query_log_path || "log/dbviewer.log"
+
+        # Ensure directory exists
+        FileUtils.mkdir_p(File.dirname(@log_path))
+
+        # Touch the file if it doesn't exist
+        FileUtils.touch(@log_path) unless File.exist?(@log_path)
+      end
+
+      # Get all stored queries
+      # Note: This reads the entire log file - could be inefficient for large files
+      def all
+        @mutex.synchronize do
+          read_queries_from_file
+        end
+      end
+
+      # Add a new query to the storage
+      def add(query)
+        @mutex.synchronize do
+          # Convert query to JSON and append to file
+          query_json = query.to_json
+          File.open(@log_path, "a") do |file|
+            file.puts(query_json)
+          end
+        end
+      end
+
+      # Clear all stored queries
+      def clear
+        @mutex.synchronize do
+          # Simply truncate the file
+          File.open(@log_path, "w") { }
+        end
+      end
+
+      # Filter the queries based on provided criteria
+      def filter(limit: 100, table_filter: nil, request_id: nil, min_duration: nil)
+        result = all
+
+        # Apply filters if provided
+        result = filter_by_table(result, table_filter) if table_filter.present?
+        result = filter_by_request_id(result, request_id) if request_id.present?
+        result = filter_by_duration(result, min_duration) if min_duration.present?
+
+        # Return most recent queries first, limited to requested amount
+        result.reverse.first(limit)
+      end
+
+      private
+
+      def read_queries_from_file
+        queries = []
+
+        # Read the file line by line and parse each line as JSON
+        File.foreach(@log_path) do |line|
+          begin
+            query = JSON.parse(line.strip, symbolize_names: true)
+
+            # Convert timestamp strings back to Time objects
+            query[:timestamp] = Time.parse(query[:timestamp]) if query[:timestamp].is_a?(String)
+
+            queries << query
+          rescue JSON::ParserError => e
+            # Skip malformed lines
+            Rails.logger.warn("Skipping malformed query log entry: #{e.message}")
+          end
+        end
+
+        queries
+      end
+
+      def filter_by_table(queries, table_filter)
+        queries.select { |q| q[:sql].downcase.include?(table_filter.downcase) }
+      end
+
+      def filter_by_request_id(queries, request_id)
+        queries.select { |q| q[:request_id].to_s.include?(request_id) }
+      end
+
+      def filter_by_duration(queries, min_duration)
+        min_ms = min_duration.to_f
+        queries.select { |q| q[:duration_ms] >= min_ms }
+      end
+    end
+  end
+end

data/lib/dbviewer/storage/in_memory_storage.rb

@@ -0,0 +1,59 @@
+module Dbviewer
+  module Storage
+    # InMemoryStorage implements QueryStorage for storing queries in memory
+    class InMemoryStorage < Base
+      def initialize
+        @queries = []
+        @mutex = Mutex.new
+      end
+
+      # Get all queries
+      def all
+        @mutex.synchronize { @queries.dup }
+      end
+
+      # Add a new query to the collection
+      def add(query)
+        @mutex.synchronize do
+          @queries << query
+          # Trim if we have too many queries
+          max_queries = Dbviewer.configuration.max_memory_queries || 1000
+          @queries.shift if @queries.size > max_queries
+        end
+      end
+
+      # Clear all stored queries
+      def clear
+        @mutex.synchronize { @queries.clear }
+      end
+
+      # Get recent queries, optionally filtered
+      def filter(limit: 100, table_filter: nil, request_id: nil, min_duration: nil)
+        result = all
+
+        # Apply filters if provided
+        result = filter_by_table(result, table_filter) if table_filter.present?
+        result = filter_by_request_id(result, request_id) if request_id.present?
+        result = filter_by_duration(result, min_duration) if min_duration.present?
+
+        # Return most recent queries first, limited to requested amount
+        result.reverse.first(limit)
+      end
+
+      private
+
+      def filter_by_table(queries, table_filter)
+        queries.select { |q| q[:sql].downcase.include?(table_filter.downcase) }
+      end
+
+      def filter_by_request_id(queries, request_id)
+        queries.select { |q| q[:request_id].to_s.include?(request_id) }
+      end
+
+      def filter_by_duration(queries, min_duration)
+        min_ms = min_duration.to_f
+        queries.select { |q| q[:duration_ms] >= min_ms }
+      end
+    end
+  end
+end

data/lib/dbviewer/version.rb

@@ -0,0 +1,3 @@
+module Dbviewer
+  VERSION = "0.3.1"
+end

data/lib/dbviewer.rb

@@ -0,0 +1,65 @@
+require "dbviewer/version"
+require "dbviewer/configuration"
+require "dbviewer/engine"
+require "dbviewer/initializer"
+require "dbviewer/database_manager"
+require "dbviewer/sql_validator"
+
+module Dbviewer
+  # Main module for the database viewer
+
+  class << self
+    # Module accessor for configuration
+    attr_writer :configuration
+
+    # Get configuration settings
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    # Alias for backward compatibility
+    def config
+      configuration
+    end
+
+    # Configure the engine with a block
+    #
+    # @example
+    #   Dbviewer.configure do |config|
+    #     config.per_page_options = [10, 25, 50]
+    #     config.default_per_page = 25
+    #   end
+    def configure
+      yield(config) if block_given?
+    end
+
+    # Reset configuration to defaults
+    def reset_configuration
+      @configuration = Configuration.new
+    end
+
+    # This class method will be called by the engine when it's appropriate
+    def setup
+      Dbviewer::Initializer.setup
+    end
+
+    # Initialize engine with default values or user-provided configuration
+    def init
+      Dbviewer::DatabaseManager.singleton_class.class_eval do
+        define_method(:configuration) { Dbviewer.configuration }
+        define_method(:default_per_page) { Dbviewer.configuration.default_per_page }
+        define_method(:max_records) { Dbviewer.configuration.max_records }
+        define_method(:cache_expiry) { Dbviewer.configuration.cache_expiry }
+      end
+
+      # Define class methods to access configuration
+      Dbviewer::SqlValidator.singleton_class.class_eval do
+        define_method(:configuration) { Dbviewer.configuration }
+        define_method(:max_query_length) { Dbviewer.configuration.max_query_length }
+      end
+
+      # Log initialization
+      Rails.logger.info("[DBViewer] Initialized with configuration: #{configuration.inspect}")
+    end
+  end
+end

data/lib/tasks/dbviewer_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :dbviewer do
+#   # Task goes here
+# end