dbviewer 0.6.2 → 0.6.3

data/lib/dbviewer/datatable/query_operations.rb

@@ -90,104 +90,7 @@ module Dbviewer
         0
       end
 
-      # Get column histogram/value distribution data for a specific column
-      # @param table_name [String] Name of the table
-      # @param column_name [String] Name of the column
-      # @param limit [Integer] Maximum number of distinct values to return
-      # @return [Array<Hash>] Array of value distribution data with labels and counts
-      def fetch_column_distribution(table_name, column_name, limit = 20)
-        return [] unless column_exists?(table_name, column_name)
-
-        query = "SELECT #{column_name} as label, COUNT(*) as count FROM #{table_name}
-                 WHERE #{column_name} IS NOT NULL
-                 GROUP BY #{column_name}
-                 ORDER BY count DESC LIMIT #{limit}"
-
-        begin
-          result = @connection.execute(query)
-          adapter = @connection.adapter_name.downcase
-
-          # Format depends on adapter
-          if adapter =~ /mysql/
-            result.to_a.map { |row| { label: row[0], value: row[1] } }
-          elsif adapter =~ /sqlite/
-            result.map { |row| { label: row["label"], value: row["count"] } }
-          else # postgresql
-            result.map { |row| { label: row["label"], value: row["count"] } }
-          end
-        rescue => e
-          Rails.logger.error("Error fetching column distribution: #{e.message}")
-          []
-        end
-      end
-
-      # Get timestamp aggregation data for charts
-      # @param table_name [String] Name of the table
-      # @param grouping [String] Grouping type (hourly, daily, weekly, monthly)
-      # @param column [String] Timestamp column name (defaults to created_at)
-      # @return [Array<Hash>] Array of timestamp data with labels and counts
-      def fetch_timestamp_data(table_name, grouping = "daily", column = "created_at")
-        return [] unless column_exists?(table_name, column)
-
-        adapter = @connection.adapter_name.downcase
-
-        date_format = case grouping
-        when "hourly"
-          if adapter =~ /mysql/
-            "DATE_FORMAT(#{column}, '%Y-%m-%d %H:00')"
-          elsif adapter =~ /sqlite/
-            "strftime('%Y-%m-%d %H:00', #{column})"
-          else # postgresql
-            "TO_CHAR(#{column}, 'YYYY-MM-DD HH24:00')"
-          end
-        when "weekly"
-          if adapter =~ /mysql/
-            "DATE_FORMAT(#{column}, '%Y-%v')"
-          elsif adapter =~ /sqlite/
-            "strftime('%Y-%W', #{column})"
-          else # postgresql
-            "TO_CHAR(#{column}, 'YYYY-IW')"
-          end
-        when "monthly"
-          if adapter =~ /mysql/
-            "DATE_FORMAT(#{column}, '%Y-%m')"
-          elsif adapter =~ /sqlite/
-            "strftime('%Y-%m', #{column})"
-          else # postgresql
-            "TO_CHAR(#{column}, 'YYYY-MM')"
-          end
-        else # daily is default
-          if adapter =~ /mysql/
-            "DATE(#{column})"
-          elsif adapter =~ /sqlite/
-            "date(#{column})"
-          else # postgresql
-            "DATE(#{column})"
-          end
-        end
-
-        # Query works the same for all database adapters
-        query = "SELECT #{date_format} as label, COUNT(*) as count FROM #{table_name}
-                 WHERE #{column} IS NOT NULL
-                 GROUP BY label
-                 ORDER BY MIN(#{column}) DESC LIMIT 30"
-
-        begin
-          result = @connection.execute(query)
-
-          # Format depends on adapter
-          if adapter =~ /mysql/
-            result.to_a.map { |row| { label: row[0], value: row[1] } }
-          elsif adapter =~ /sqlite/
-            result.map { |row| { label: row["label"], value: row["count"] } }
-          else # postgresql
-            result.map { |row| { label: row["label"], value: row["count"] } }
-          end
-        rescue => e
-          Rails.logger.error("Error fetching timestamp data: #{e.message}")
-          []
-        end
-      end
+      ## -- Delegator
 
       # Execute a raw SQL query after validating for safety
       # @param sql [String] SQL query to execute
@@ -223,112 +126,64 @@ module Dbviewer
       def apply_column_filters(query, table_name, column_filters)
         return query unless column_filters.present?
 
-        # Create a copy of column_filters to modify without affecting the original
-        filters = column_filters.dup
-
-        # First check if we have a datetime range filter for created_at
-        if filters["created_at"].present? &&
-           filters["created_at_end"].present? &&
-           column_exists?(table_name, "created_at")
-
-          # Handle datetime range for created_at
-          begin
-            start_datetime = Time.parse(filters["created_at"].to_s)
-            end_datetime = Time.parse(filters["created_at_end"].to_s)
-
-            # Make sure end_datetime is at the end of the day/minute if it doesn't have time component
-            if end_datetime.to_s.match(/00:00:00/)
-              end_datetime = end_datetime.end_of_day
-            end
-
-            Rails.logger.info("[DBViewer] Applying date range filter on #{table_name}.created_at: #{start_datetime} to #{end_datetime}")
-
-            # Use qualified column name for tables with schema
-            column_name = "#{table_name}.created_at"
-
-            # Different databases may require different SQL for datetime comparison
-            adapter_name = connection.adapter_name.downcase
-
-            if adapter_name =~ /mysql/
-              query = query.where("#{column_name} BETWEEN ? AND ?", start_datetime, end_datetime)
-            elsif adapter_name =~ /sqlite/
-              # SQLite needs special handling for datetime format
-              query = query.where("datetime(#{column_name}) BETWEEN datetime(?) AND datetime(?)", start_datetime, end_datetime)
-            else # postgresql
-              query = query.where("#{column_name} >= ? AND #{column_name} <= ?", start_datetime, end_datetime)
-            end
-
-            # Remove these from filters as they're handled above
-            filters.delete("created_at")
-            filters.delete("created_at_end")
-
-          rescue => e
-            Rails.logger.error("[DBViewer] Error parsing date range: #{e.message}")
-            # Remove the problematic filters and continue
-            filters.delete("created_at")
-            filters.delete("created_at_end")
-          end
+        column_filters.each do |column, value|
+          query = apply_single_column_filter(query, table_name, column, value, column_filters)
+        end
+
+        query
+      end
+
+      # Apply a single column filter to a query
+      # @param query [ActiveRecord::Relation] The query to apply the filter to
+      # @param table_name [String] Name of the table
+      # @param column [String] The column name
+      # @param value [String] The filter value
+      # @param column_filters [Hash] All column filters for accessing operator
+      # @return [ActiveRecord::Relation] The filtered query
+      def apply_single_column_filter(query, table_name, column, value, column_filters)
+        return query unless column_exists?(table_name, column)
+        return query if column.end_with?("_operator")
+
+        operator = column_filters["#{column}_operator"]
+
+        if special_operators(query)[operator]
+          return special_operators(query)[operator].call(column)
         end
+        return query if value.blank?
 
-        # Apply remaining simple column filters
-        filters.each do |column, value|
-          next unless column_exists?(table_name, column)
-
-          # Check if this is a column operator field
-          if column.end_with?("_operator")
-            next  # Skip operator fields - they're processed with their column
-          end
-
-          column_sym = column.to_sym
-          operator = filters["#{column}_operator"]
-
-          # Special handling for is_null and is_not_null operators that don't need a value
-          if operator == "is_null" || value == "is_null"
-            Rails.logger.debug("[DBViewer] Applying null filter: #{column} IS NULL")
-            query = query.where("#{column} IS NULL")
-            next
-          elsif operator == "is_not_null" || value == "is_not_null"
-            Rails.logger.debug("[DBViewer] Applying not null filter: #{column} IS NOT NULL")
-            query = query.where("#{column} IS NOT NULL")
-            next
-          end
-
-          # Skip if no value and we're not using a special operator
-          next if value.blank? || value == "is_null" || value == "is_not_null"
-
-          Rails.logger.debug("[DBViewer] Applying filter: #{column} = #{value}")
-
-          # Handle different types of filtering
-          if value.to_s.include?("%") || value.to_s.include?("*")
-            # Pattern matching (LIKE operation)
-            pattern = value.to_s.gsub("*", "%")
-            query = query.where("#{column} LIKE ?", pattern)
-          elsif value.to_s.start_with?(">=", "<=", ">", "<", "!=")
-            # Comparison operators
-            operator = value.to_s.match(/^(>=|<=|>|<|!=)/)[1]
-            comparison_value = value.to_s.gsub(/^(>=|<=|>|<|!=)\s*/, "")
-
-            case operator
-            when ">="
-              query = query.where("#{column} >= ?", comparison_value)
-            when "<="
-              query = query.where("#{column} <= ?", comparison_value)
-            when ">"
-              query = query.where("#{column} > ?", comparison_value)
-            when "<"
-              query = query.where("#{column} < ?", comparison_value)
-            when "!="
-              query = query.where("#{column} != ?", comparison_value)
-            end
-          else
-            # Exact match
-            query = query.where(column_sym => value)
-          end
+        if operator && operator_handlers(query)[operator]
+          return operator_handlers(query)[operator].call(column, value)
+        else
+          # Default to eq no specific operator is provided
+          return query.where("#{column} = ?", value)
         end
 
         query
       end
 
+      def special_operators(query)
+        {
+          "is_null" => ->(column) {  query.where("#{column} IS NULL") },
+          "is_not_null" => ->(column) { query.where("#{column} IS NOT NULL") }
+        }
+      end
+
+      def operator_handlers(query)
+        {
+          "contains" => ->(column, value) { query.where("#{column} LIKE ?", "%#{value}%") },
+          "not_contain" => ->(column, value) { query.where("#{column} NOT LIKE ?", "%#{value}%") },
+          "starts_with" => ->(column, value) { query.where("#{column} LIKE ?", "#{value}%") },
+          "ends_with" => ->(column, value) { query.where("#{column} LIKE ?", "%#{value}") },
+          "equals" => ->(column, value) { query.where(column.to_sym => value) },
+          "eq" => ->(column, value) { query.where("#{column} = ?", value) },
+          "gte" => ->(column, value) { query.where("#{column} >= ?", value) },
+          "lte" => ->(column, value) { query.where("#{column} <= ?", value) },
+          "gt" => ->(column, value) { query.where("#{column} > ?", value) },
+          "lt" => ->(column, value) { query.where("#{column} < ?", value) },
+          "neq" => ->(column, value) { query.where("#{column} != ?", value) }
+        }
+      end
+
       # Helper methods delegated to managers
       def get_model_for(table_name)
         @dynamic_model_factory.get_model_for(table_name)

data/lib/dbviewer/engine.rb

@@ -14,32 +14,11 @@ module Dbviewer
 
     # Initialize the engine safely
     initializer "dbviewer.setup", after: :load_config_initializers do |app|
-      Dbviewer.init
       Dbviewer.setup
     end
 
     initializer "dbviewer.notifications" do
-      next unless Rails.env.development?
-
-      ActiveSupport::Notifications.subscribe("sql.active_record") do |*args|
-        event = ActiveSupport::Notifications::Event.new(*args)
-
-        next if skip_internal_query?(event)
-
-        Dbviewer::Query::Logger.instance.add(event)
-      end
-    end
-
-    private
-
-    def skip_internal_query?(event)
-      caller_locations = caller_locations(1)
-      return false unless caller_locations
-
-      excluded_caller_locations = caller_locations.filter do |caller_location|
-        !caller_location.path.include?("lib/dbviewer/engine.rb")
-      end
-      excluded_caller_locations.any? { |l| l.path.include?("dbviewer") }
+      Dbviewer::Query::NotificationSubscriber.subscribe
     end
   end
 end

data/lib/dbviewer/query/executor.rb

@@ -16,7 +16,7 @@ module Dbviewer
       # @raise [StandardError] If the query is invalid or unsafe
       def execute_query(sql)
         # Validate and normalize the SQL
-        normalized_sql = ::Dbviewer::SqlValidator.validate!(sql.to_s)
+        normalized_sql = ::Dbviewer::Validator::Sql.validate!(sql.to_s)
 
         # Get max records from configuration
         max_records = @config.max_records || 10000

data/lib/dbviewer/query/notification_subscriber.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Dbviewer
+  module Query
+    # Handles ActiveSupport::Notifications subscription for SQL query monitoring
+    # Only active in development environment to capture and log SQL queries
+    class NotificationSubscriber
+      class << self
+        # Subscribe to SQL notifications if in development environment
+        def subscribe
+          return unless Rails.env.development?
+
+          ActiveSupport::Notifications.subscribe("sql.active_record") do |*args|
+            process_notification(*args)
+          end
+        end
+
+        private
+
+        # Process a single SQL notification event
+        # @param args [Array] Notification arguments from ActiveSupport::Notifications
+        def process_notification(*args)
+          event = ActiveSupport::Notifications::Event.new(*args)
+
+          return if skip_internal_query?(event)
+
+          Dbviewer::Query::Logger.instance.add(event)
+        end
+
+        # Determine if this query should be skipped (internal DBViewer queries)
+        # @param event [ActiveSupport::Notifications::Event] The notification event
+        # @return [Boolean] True if the query should be skipped
+        def skip_internal_query?(event)
+          caller_locations = caller_locations(1)
+          return false unless caller_locations
+
+          excluded_caller_locations = caller_locations.filter do |caller_location|
+            !caller_location.path.include?("lib/dbviewer/engine.rb")
+          end
+
+          excluded_caller_locations.any? { |location| location.path.include?("dbviewer") }
+        end
+      end
+    end
+  end
+end

data/lib/dbviewer/validator/sql.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+module Dbviewer
+  module Validator
+    # Sql class handles SQL query validation and normalization
+    # to ensure queries are safe (read-only) and properly formatted.
+    # This helps prevent potentially destructive SQL operations.
+    class Sql
+      # List of SQL keywords that could modify data or schema
+      FORBIDDEN_KEYWORDS = %w[
+        UPDATE INSERT DELETE DROP ALTER CREATE TRUNCATE REPLACE
+        RENAME GRANT REVOKE LOCK UNLOCK COMMIT ROLLBACK
+        SAVEPOINT INTO CALL EXECUTE EXEC
+      ]
+
+      # List of SQL keywords that should only be allowed in specific contexts
+      CONDITIONAL_KEYWORDS = {
+        # JOIN is allowed, but we should check for suspicious patterns
+        "JOIN" => /\bJOIN\b/i,
+        # UNION is allowed, but potential for injection
+        "UNION" => /\bUNION\b/i,
+        # WITH is allowed for CTEs, but need to ensure it's not a data modification
+        "WITH" => /\bWITH\b/i
+      }
+
+      # Maximum allowed query length
+      MAX_QUERY_LENGTH = 10000
+
+      # Determines if a query is safe (read-only)
+      # @param sql [String] The SQL query to validate
+      # @return [Boolean] true if the query is safe, false otherwise
+      def self.safe_query?(sql)
+        return false if sql.blank?
+
+        # Get max query length from configuration
+        max_length = Dbviewer.configuration.max_query_length || MAX_QUERY_LENGTH
+        return false if sql.length > max_length
+
+        normalized_sql = normalize(sql)
+
+        # Case-insensitive check for SELECT at the beginning
+        return false unless normalized_sql =~ /\A\s*SELECT\s+/i
+
+        # Check for forbidden keywords that might be used in subqueries or other SQL constructs
+        FORBIDDEN_KEYWORDS.each do |keyword|
+          # Look for the keyword with word boundaries to avoid false positives
+          return false if normalized_sql =~ /\b#{keyword}\b/i
+        end
+
+        # Check for suspicious patterns that might indicate SQL injection attempts
+        return false if has_suspicious_patterns?(normalized_sql)
+
+        # Check for multiple statements (;) which could allow executing multiple commands
+        statements = normalized_sql.split(";").reject(&:blank?)
+        return false if statements.size > 1
+
+        # Additional specific checks for common SQL injection patterns
+        return false if has_injection_patterns?(normalized_sql)
+
+        true
+      end
+
+      # Check for suspicious patterns in SQL that might indicate an attack
+      # @param sql [String] Normalized SQL query
+      # @return [Boolean] true if suspicious patterns found, false otherwise
+      def self.has_suspicious_patterns?(sql)
+        # Check for SQL comment sequences that might be used to hide malicious code
+        return true if sql =~ /\s+--/ || sql =~ /\/\*/
+
+        # Check for string concatenation which might be used for injection
+        return true if sql =~ /\|\|/ || sql =~ /CONCAT\s*\(/i
+
+        # Check for excessive number of quotes which might indicate injection
+        single_quotes = sql.count("'")
+        double_quotes = sql.count('"')
+        return true if single_quotes > 20 || double_quotes > 20
+
+        # Check for hex/binary data which might hide malicious code
+        return true if sql =~ /0x[0-9a-f]{16,}/i
+
+        false
+      end
+
+      # Check for specific SQL injection patterns
+      # @param sql [String] Normalized SQL query
+      # @return [Boolean] true if injection patterns found, false otherwise
+      def self.has_injection_patterns?(sql)
+        # Check for typical SQL injection test patterns
+        return true if sql =~ /'\s*OR\s*'.*'\s*=\s*'/i
+        return true if sql =~ /'\s*OR\s*1\s*=\s*1/i
+        return true if sql =~ /'\s*;\s*--/i
+
+        # Check for attempts to determine database type
+        return true if sql =~ /@@version/i
+        return true if sql =~ /version\(\)/i
+
+        false
+      end
+
+      # Normalize SQL by removing comments and extra whitespace
+      # @param sql [String] The SQL query to normalize
+      # @return [String] The normalized SQL query
+      def self.normalize(sql)
+        return "" if sql.nil?
+
+        begin
+          # Remove SQL comments (both -- and /* */ styles)
+          normalized = sql.gsub(/--.*$/, "")             # Remove -- style comments
+                  .gsub(/\/\*.*?\*\//m, "")       # Remove /* */ style comments
+                  .gsub(/\s+/, " ")               # Normalize whitespace
+                  .strip                          # Remove leading/trailing whitespace
+
+          # Replace multiple spaces with a single space
+          normalized.gsub(/\s{2,}/, " ")
+        rescue => e
+          Rails.logger.error("[DBViewer] SQL normalization error: #{e.message}")
+          ""
+        end
+      end
+
+      # Validates a query and raises an exception if it's unsafe
+      # @param sql [String] The SQL query to validate
+      # @raise [SecurityError] if the query is unsafe
+      # @return [String] The normalized SQL query if it's safe
+      def self.validate!(sql)
+        if sql.blank?
+          raise SecurityError, "Empty query is not allowed"
+        end
+
+        # Get max query length from configuration
+        max_length = Dbviewer.configuration.max_query_length || MAX_QUERY_LENGTH
+        if sql.length > max_length
+          raise SecurityError, "Query exceeds maximum allowed length (#{max_length} chars)"
+        end
+
+        normalized_sql = normalize(sql)
+
+        # Special case for SQLite PRAGMA statements which are safe read-only commands
+        if normalized_sql =~ /\A\s*PRAGMA\s+[a-z0-9_]+\s*\z/i
+          return normalized_sql
+        end
+
+        unless normalized_sql =~ /\A\s*SELECT\s+/i
+          raise SecurityError, "Query must begin with SELECT for security reasons"
+        end
+
+        FORBIDDEN_KEYWORDS.each do |keyword|
+          if normalized_sql =~ /\b#{keyword}\b/i
+            raise SecurityError, "Forbidden keyword '#{keyword}' detected in query"
+          end
+        end
+
+        if has_suspicious_patterns?(normalized_sql)
+          raise SecurityError, "Query contains suspicious patterns that may indicate SQL injection"
+        end
+
+        # Check for multiple statements
+        statements = normalized_sql.split(";").reject(&:blank?)
+        if statements.size > 1
+          raise SecurityError, "Multiple SQL statements are not allowed"
+        end
+
+        if has_injection_patterns?(normalized_sql)
+          raise SecurityError, "Query contains patterns commonly associated with SQL injection attempts"
+        end
+
+        normalized_sql
+      end
+
+      # Check if a query is using a specific database feature that might need special handling
+      # @param sql [String] The SQL query
+      # @param feature [Symbol] The feature to check for (:join, :subquery, :order_by, etc.)
+      # @return [Boolean] true if the feature is used in the query
+      def self.uses_feature?(sql, feature)
+        normalized = normalize(sql)
+        case feature
+        when :join
+          normalized =~ /\b(INNER|LEFT|RIGHT|FULL|CROSS)?\s*JOIN\b/i
+        when :subquery
+          # Check if there are parentheses that likely contain a subquery
+          normalized.count("(") > normalized.count(")")
+        when :order_by
+          normalized =~ /\bORDER\s+BY\b/i
+        when :group_by
+          normalized =~ /\bGROUP\s+BY\b/i
+        when :having
+          normalized =~ /\bHAVING\b/i
+        when :union
+          normalized =~ /\bUNION\b/i
+        when :window_function
+          normalized =~ /\bOVER\s*\(/i
+        else
+          false
+        end
+      end
+    end
+  end
+end

data/lib/dbviewer/validator.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Dbviewer
+  # Validator namespace contains validation classes for different types of content
+  # such as SQL queries, configuration parameters, etc.
+  module Validator
+    # This module serves as a namespace for various validator classes
+  end
+end

data/lib/dbviewer/version.rb

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.6.2"
+  VERSION = "0.6.3"
 end